From 57a20534aecb817337875a6180ef1f2a43a3a379 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Mon, 19 Jun 2023 18:22:53 +0200
Subject: [PATCH 1/9] Use factory to install package in asset test runner
---
 internal/testrunner/runners/asset/runner.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/internal/testrunner/runners/asset/runner.go b/internal/testrunner/runners/asset/runner.go
index 6c4574891..1291ae3a1 100644
--- a/internal/testrunner/runners/asset/runner.go
+++ b/internal/testrunner/runners/asset/runner.go
@@ -82,7 +82,11 @@ func (r *runner) run() ([]testrunner.TestResult, error) {
 if err != nil {
 return result.WithError(errors.Wrap(err, "could not create kibana client"))
 }
- packageInstaller, err := installer.CreateForManifest(kibanaClient, r.packageRootPath)
+ packageInstaller, err := installer.NewForPackage(installer.Options{
+ Kibana: kibanaClient,
+ RootPath: r.packageRootPath,
+ SkipValidation: true,
+ })
 if err != nil {
 return result.WithError(errors.Wrap(err, "can't create the package installer"))
 }
From 454576ae854517bea59b5a76bb211ec798f157ae Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Tue, 20 Jun 2023 09:55:02 +0200
Subject: [PATCH 2/9] Fix tear down error management
---
 internal/testrunner/runners/asset/runner.go | 2 +-
 internal/testrunner/testrunner.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/testrunner/runners/asset/runner.go b/internal/testrunner/runners/asset/runner.go
index 1291ae3a1..e717807a7 100644
--- a/internal/testrunner/runners/asset/runner.go
+++ b/internal/testrunner/runners/asset/runner.go
@@ -51,7 +51,7 @@ func (r runner) CanRunPerDataStream() bool {
 }
 // Run runs the asset loading tests
-func (r runner) Run(options testrunner.TestOptions) ([]testrunner.TestResult, error) {
+func (r *runner) Run(options testrunner.TestOptions) ([]testrunner.TestResult, error) {
 r.testFolder = options.TestFolder
 r.packageRootPath = options.PackageRootPath
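Review bot: In the `@@ -82,7 +82,11 @@` hunk of asset/runner.go, `SkipValidation: true` is set in the new `installer.Options` literal with no comment saying why the asset runner installs the package unvalidated. What the option controls is not visible here; presumably it bypasses the package validation step before the package is built and pushed to Kibana, so a malformed package would reach the stack and fail later with a less direct error. I would add a comment above the field, e.g. `// validation is skipped because <reason to be filled in by the author>`, or drop the field if the asset test is meant to validate. `run()` starts and ends outside the hunk.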
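Review bot: In the `@@ -51,7 +51,7 @@` hunk of asset/runner.go, switching only `Run` to a pointer receiver leaves the type with mixed receivers; the hunk header still shows `func (r runner) CanRunPerDataStream() bool` with a value receiver. With `Run` on `*runner`, only `*runner` can satisfy the runner interface, so the place where this runner is registered (outside this diff) has to pass a pointer, and the remaining value-receiver methods would be better moved to `func (r *runner) ...` for consistency. A short comment such as `// Run uses a pointer receiver because it stores the test options on r for later steps` would keep the receiver from being changed back. The body of `Run` continues outside the hunk.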
diff --git a/internal/testrunner/testrunner.go b/internal/testrunner/testrunner.go
index e81fa4481..937a53c06 100644
--- a/internal/testrunner/testrunner.go
+++ b/internal/testrunner/testrunner.go
@@ -274,7 +274,7 @@ func Run(testType TestType, options TestOptions) ([]TestResult, error) {
 return nil, errors.Wrap(err, "could not complete test run")
 }
 if tdErr != nil {
- return results, errors.Wrap(err, "could not teardown test runner")
+ return results, errors.Wrap(tdErr, "could not teardown test runner")
 }
 return results, nil
 }
From d7fb416b3a17e022733121f48e709d3ae69fb0fa Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Tue, 20 Jun 2023 09:55:29 +0200
Subject: [PATCH 3/9] Ignore errors when uninstalling system package
---
 internal/testrunner/runners/asset/runner.go | 19 +++++++++++++++++--
 internal/testrunner/runners/system/runner.go | 19 +++++++++++++++++--
 2 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/internal/testrunner/runners/asset/runner.go b/internal/testrunner/runners/asset/runner.go
index e717807a7..3d287de78 100644
--- a/internal/testrunner/runners/asset/runner.go
+++ b/internal/testrunner/runners/asset/runner.go
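Review bot: A teardown failure is still dropped when the run itself failed: the context line `return nil, errors.Wrap(err, "could not complete test run")` returns before `tdErr` is looked at (the condition guarding it is above the hunk, presumably `if err != nil`). Since this commit is about teardown error handling, I would report `tdErr` on that path as well, for example by logging it before the early return or by joining both errors into the one that is returned. `Run` starts outside the hunk.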
@@ -96,10 +96,25 @@ func (r *runner) run() ([]testrunner.TestResult, error) {
 }
 r.removePackageHandler = func() error {
+ pkgManifest, err := packages.ReadPackageManifestFromPackageRoot(r.packageRootPath)
+ if err != nil {
+ return fmt.Errorf("reading package manifest failed: %w", err)
+ }
+
 logger.Debug("removing package...")
- if err := packageInstaller.Uninstall(); err != nil {
- return errors.Wrap(err, "error cleaning up package")
+ err = packageInstaller.Uninstall()
+ if err == nil {
+ return nil
 }
+ // by default system package is part of an agent policy and it cannot be uninstalled
+ // https://github.com/elastic/elastic-package/blob/5f65dc29811c57454bc7142aaf73725b6d4dc8e6/internal/stack/_static/kibana.yml.tmpl#L62
+ switch pkgManifest.Name {
+ case "system":
+ logger.Debugf("failed to uninstall package %q: %s", pkgManifest.Name, err.Error())
+ default:
+ logger.Warnf("failed to uninstall package %q: %s", pkgManifest.Name, err.Error())
+ }
+
 return nil
 }
diff --git a/internal/testrunner/runners/system/runner.go b/internal/testrunner/runners/system/runner.go
index af26e2d82..f6b18423f 100644
--- a/internal/testrunner/runners/system/runner.go
+++ b/internal/testrunner/runners/system/runner.go
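Review bot: The `default:` branch only logs at Warn and the handler then returns nil, so an uninstall failure is now ignored for every package, not just `system` as the commit subject says; the same applies to `deletePackageHandler` in internal/testrunner/runners/system/runner.go. A package left installed on a shared stack can leak into later test runs, so I would keep the error for the non-system case: `default: return fmt.Errorf("uninstalling package %q: %w", pkgManifest.Name, err)`. Separately, the manifest is read inside the handler before `Uninstall()` is called, so a manifest read error returns early and the package is never removed; reading it once in `run()` before the handler is defined avoids that. `run()` starts and ends outside the hunk.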
@@ -496,10 +496,25 @@ func (r *runner) runTest(config *testConfig, ctxt servicedeployer.ServiceContext
 }
 r.deletePackageHandler = func() error {
 err := installer.Uninstall()
- if err != nil {
- return fmt.Errorf("failed to uninstall package: %v", err)
+ if err == nil {
+ return nil
 }
+ // by default system package is part of an agent policy and it cannot be uninstalled
+ // https://github.com/elastic/elastic-package/blob/5f65dc29811c57454bc7142aaf73725b6d4dc8e6/internal/stack/_static/kibana.yml.tmpl#L62
+ switch pkgManifest.Name {
+ case "system":
+ logger.Debugf("failed to uninstall package %q: %s", pkgManifest.Name, err.Error())
+ default:
+ logger.Warnf("failed to uninstall package %q: %s", pkgManifest.Name, err.Error())
+ }
+
 return nil
+ // by default system package is part of an agent policy and it cannot be uninstalled
+ // https://github.com/elastic/elastic-package/blob/5f65dc29811c57454bc7142aaf73725b6d4dc8e6/internal/stack/_static/kibana.yml.tmpl#L62
+ // if err != nil && pkgManifest.Name != "system" {
+ // logger.Warnf("failed to uninstall package %q: %s", pkgManifest.Name, err.Error())
+ // }
+ // return nil
 }
 // Configure package (single data stream) via Ingest Manager APIs.
From 2caae88b38e9c30f63936928c7a9378e3c620a3b Mon Sep 17 00:00:00 2001
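Review bot: The six added comment lines after `return nil` are a commented-out earlier version of the same logic, including a second copy of the "by default system package…" comment and link; they are dead text inside `deletePackageHandler` and should be deleted unless a later patch in the series already removes them. The `switch pkgManifest.Name` block is also a verbatim copy of the one added to the asset runner in this commit, so a small shared helper taking the package name and the error would keep the `system` exception in one place. `runTest` starts and ends outside the hunk.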
From: Mario Rodriguez Molins Date: Tue, 20 Jun 2023 10:06:39 +0200 Subject: [PATCH 4/9] Add system as test package --- scripts/links_table.yml | 1 + .../parallel/system/_dev/build/build.yml | 3 + .../parallel/system/_dev/build/docs/README.md | 366 + .../_dev/deploy/docker/docker-compose.yml | 18 + .../docker/sample_logs/security.json.log | 1 + test/packages/parallel/system/changelog.yml | 489 ++ .../application/agent/stream/httpjson.yml.hbs | 107 + .../application/agent/stream/winlog.yml.hbs | 24 + .../elasticsearch/ingest_pipeline/default.yml | 13 + .../data_stream/application/fields/agent.yml | 198 + .../application/fields/base-fields.yml | 20 + .../data_stream/application/fields/ecs.yml | 12 + .../data_stream/application/fields/winlog.yml | 357 + .../data_stream/application/manifest.yml | 80 + .../_dev/test/pipeline/test-auth-rhel79.log | 3 + .../test-auth-rhel79.log-expected.json | 121 + .../test/pipeline/test-auth-ubuntu1204.log | 122 + .../test-auth-ubuntu1204.log-config.yml | 5 + .../test-auth-ubuntu1204.log-expected.json | 4348 ++++++++++ .../auth/_dev/test/pipeline/test-auth.log | 11 + .../test/pipeline/test-auth.log-config.yml | 5 + .../test/pipeline/test-auth.log-expected.json | 532 ++ .../_dev/test/pipeline/test-multiline.log | 3 + .../pipeline/test-multiline.log-config.yml | 7 + .../pipeline/test-multiline.log-expected.json | 56 + .../_dev/test/pipeline/test-secure-rhel7.log | 7 + .../pipeline/test-secure-rhel7.log-config.yml | 5 + .../test-secure-rhel7.log-expected.json | 251 + .../_dev/test/pipeline/test-timestamp.log | 2 + .../pipeline/test-timestamp.log-config.yml | 4 + .../pipeline/test-timestamp.log-expected.json | 65 + .../data_stream/auth/agent/stream/log.yml.hbs | 30 + .../elasticsearch/ingest_pipeline/default.yml | 237 + .../system/data_stream/auth/fields/agent.yml | 198 + .../data_stream/auth/fields/base-fields.yml | 21 + .../system/data_stream/auth/fields/ecs.yml | 106 + .../system/data_stream/auth/fields/fields.yml | 62 + 
.../system/data_stream/auth/manifest.yml | 50 + .../core/agent/stream/stream.yml.hbs | 18 + .../system/data_stream/core/fields/agent.yml | 198 + .../data_stream/core/fields/base-fields.yml | 20 + .../system/data_stream/core/fields/ecs.yml | 24 + .../system/data_stream/core/fields/fields.yml | 103 + .../system/data_stream/core/manifest.yml | 39 + .../cpu/agent/stream/stream.yml.hbs | 19 + .../system/data_stream/cpu/fields/agent.yml | 205 + .../data_stream/cpu/fields/base-fields.yml | 20 + .../system/data_stream/cpu/fields/ecs.yml | 27 + .../system/data_stream/cpu/fields/fields.yml | 183 + .../system/data_stream/cpu/manifest.yml | 41 + .../diskio/agent/stream/stream.yml.hbs | 19 + .../data_stream/diskio/fields/agent.yml | 205 + .../data_stream/diskio/fields/base-fields.yml | 20 + .../system/data_stream/diskio/fields/ecs.yml | 29 + .../data_stream/diskio/fields/fields.yml | 137 + .../system/data_stream/diskio/manifest.yml | 38 + .../filesystem/agent/stream/stream.yml.hbs | 15 + .../data_stream/filesystem/fields/agent.yml | 205 + .../filesystem/fields/base-fields.yml | 20 + .../data_stream/filesystem/fields/ecs.yml | 3 + .../data_stream/filesystem/fields/fields.yml | 62 + .../data_stream/filesystem/manifest.yml | 43 + .../fsstat/agent/stream/stream.yml.hbs | 12 + .../data_stream/fsstat/fields/agent.yml | 205 + .../data_stream/fsstat/fields/base-fields.yml | 20 + .../system/data_stream/fsstat/fields/ecs.yml | 27 + .../data_stream/fsstat/fields/fields.yml | 36 + .../system/data_stream/fsstat/manifest.yml | 34 + .../load/agent/stream/stream.yml.hbs | 13 + .../system/data_stream/load/fields/agent.yml | 194 + .../data_stream/load/fields/base-fields.yml | 20 + .../system/data_stream/load/fields/ecs.yml | 27 + .../system/data_stream/load/fields/fields.yml | 38 + .../system/data_stream/load/manifest.yml | 29 + .../memory/agent/stream/stream.yml.hbs | 15 + .../data_stream/memory/fields/agent.yml | 205 + .../data_stream/memory/fields/base-fields.yml | 20 + 
.../system/data_stream/memory/fields/ecs.yml | 27 + .../data_stream/memory/fields/fields.yml | 200 + .../system/data_stream/memory/manifest.yml | 29 + .../network/agent/stream/stream.yml.hbs | 16 + .../data_stream/network/fields/agent.yml | 197 + .../network/fields/base-fields.yml | 17 + .../system/data_stream/network/fields/ecs.yml | 49 + .../data_stream/network/fields/fields.yml | 78 + .../system/data_stream/network/manifest.yml | 38 + .../_dev/test/system/test-default-config.yml | 3 + .../process/agent/stream/stream.yml.hbs | 30 + .../elasticsearch/ingest_pipeline/default.yml | 8 + .../data_stream/process/fields/agent.yml | 161 + .../process/fields/base-fields.yml | 20 + .../system/data_stream/process/fields/ecs.yml | 57 + .../data_stream/process/fields/fields.yml | 658 ++ .../system/data_stream/process/manifest.yml | 97 + .../agent/stream/stream.yml.hbs | 15 + .../process_summary/fields/agent.yml | 205 + .../process_summary/fields/base-fields.yml | 20 + .../process_summary/fields/ecs.yml | 49 + .../process_summary/fields/fields.yml | 44 + .../data_stream/process_summary/manifest.yml | 30 + .../_dev/test/pipeline/test-1100.json | 53 + .../pipeline/test-1100.json-expected.json | 60 + .../_dev/test/pipeline/test-1102.json | 60 + .../pipeline/test-1102.json-expected.json | 81 + .../_dev/test/pipeline/test-1104.json | 53 + .../pipeline/test-1104.json-expected.json | 60 + .../_dev/test/pipeline/test-1105.json | 58 + .../pipeline/test-1105.json-expected.json | 65 + .../_dev/test/pipeline/test-4663.json | 74 + .../pipeline/test-4663.json-expected.json | 85 + .../pipeline/test-4670-windowssrv2016.json | 67 + ...est-4670-windowssrv2016.json-expected.json | 97 + .../_dev/test/pipeline/test-4674.json | 125 + .../pipeline/test-4674.json-expected.json | 184 + .../pipeline/test-4706-windowssrv2016.json | 66 + ...est-4706-windowssrv2016.json-expected.json | 89 + .../pipeline/test-4707-windowssrv2016.json | 61 + ...est-4707-windowssrv2016.json-expected.json | 81 + 
.../pipeline/test-4713-windowssrv2016.json | 61 + ...est-4713-windowssrv2016.json-expected.json | 81 + .../pipeline/test-4716-windowssrv2016.json | 66 + ...est-4716-windowssrv2016.json-expected.json | 89 + .../pipeline/test-4717-windowssrv2016.json | 62 + ...est-4717-windowssrv2016.json-expected.json | 84 + .../pipeline/test-4718-windowssrv2016.json | 62 + ...est-4718-windowssrv2016.json-expected.json | 84 + .../pipeline/test-4719-windowssrv2016.json | 64 + ...est-4719-windowssrv2016.json-expected.json | 91 + .../_dev/test/pipeline/test-4719.json | 64 + .../pipeline/test-4719.json-expected.json | 92 + .../_dev/test/pipeline/test-4738.json | 72 + .../pipeline/test-4738.json-expected.json | 101 + .../pipeline/test-4739-windowssrv2016.json | 68 + ...est-4739-windowssrv2016.json-expected.json | 88 + .../_dev/test/pipeline/test-4742.json | 74 + .../pipeline/test-4742.json-expected.json | 104 + .../_dev/test/pipeline/test-4743.json | 63 + .../pipeline/test-4743.json-expected.json | 91 + .../_dev/test/pipeline/test-4744.json | 65 + .../pipeline/test-4744.json-expected.json | 91 + .../_dev/test/pipeline/test-4745.json | 65 + .../pipeline/test-4745.json-expected.json | 91 + .../_dev/test/pipeline/test-4746.json | 65 + .../pipeline/test-4746.json-expected.json | 101 + .../_dev/test/pipeline/test-4747.json | 65 + .../pipeline/test-4747.json-expected.json | 101 + .../_dev/test/pipeline/test-4748.json | 63 + .../pipeline/test-4748.json-expected.json | 89 + .../_dev/test/pipeline/test-4749.json | 65 + .../pipeline/test-4749.json-expected.json | 91 + .../_dev/test/pipeline/test-4750.json | 65 + .../pipeline/test-4750.json-expected.json | 91 + .../_dev/test/pipeline/test-4751.json | 65 + .../pipeline/test-4751.json-expected.json | 101 + .../_dev/test/pipeline/test-4752.json | 65 + .../pipeline/test-4752.json-expected.json | 101 + .../_dev/test/pipeline/test-4753.json | 63 + .../pipeline/test-4753.json-expected.json | 89 + .../_dev/test/pipeline/test-4759.json | 65 + 
.../pipeline/test-4759.json-expected.json | 91 + .../_dev/test/pipeline/test-4760.json | 65 + .../pipeline/test-4760.json-expected.json | 91 + .../_dev/test/pipeline/test-4761.json | 65 + .../pipeline/test-4761.json-expected.json | 101 + .../_dev/test/pipeline/test-4762.json | 65 + .../pipeline/test-4762.json-expected.json | 101 + .../_dev/test/pipeline/test-4763.json | 63 + .../pipeline/test-4763.json-expected.json | 89 + .../_dev/test/pipeline/test-4797.json | 219 + .../pipeline/test-4797.json-expected.json | 369 + .../pipeline/test-4817-windowssrv2016.json | 64 + ...est-4817-windowssrv2016.json-expected.json | 89 + .../pipeline/test-4902-windowssrv2016.json | 57 + ...est-4902-windowssrv2016.json-expected.json | 66 + .../pipeline/test-4904-windowssrv2016.json | 64 + ...est-4904-windowssrv2016.json-expected.json | 89 + .../pipeline/test-4905-windowssrv2016.json | 64 + ...est-4905-windowssrv2016.json-expected.json | 89 + .../pipeline/test-4906-windowssrv2016.json | 56 + ...est-4906-windowssrv2016.json-expected.json | 65 + .../pipeline/test-4907-windowssrv2016.json | 66 + ...est-4907-windowssrv2016.json-expected.json | 92 + .../_dev/test/pipeline/test-5379.json | 239 + .../pipeline/test-5379.json-expected.json | 364 + .../_dev/test/pipeline/test-5380.json | 229 + .../pipeline/test-5380.json-expected.json | 354 + .../_dev/test/pipeline/test-5381.json | 219 + .../pipeline/test-5381.json-expected.json | 344 + .../_dev/test/pipeline/test-5382.json | 239 + .../pipeline/test-5382.json-expected.json | 364 + .../_dev/test/pipeline/test-common-config.yml | 2 + .../pipeline/test-security-5140-5145.json | 110 + ...test-security-5140-5145.json-expected.json | 194 + .../test-security-windows2012-4673.json | 64 + ...curity-windows2012-4673.json-expected.json | 89 + .../test-security-windows2012-4697.json | 65 + ...curity-windows2012-4697.json-expected.json | 91 + .../test-security-windows2012-4768.json | 66 + ...curity-windows2012-4768.json-expected.json | 99 + 
.../test-security-windows2012-4769.json | 66 + ...curity-windows2012-4769.json-expected.json | 97 + .../test-security-windows2012-4770.json | 63 + ...curity-windows2012-4770.json-expected.json | 92 + .../test-security-windows2012-4771.json | 63 + ...curity-windows2012-4771.json-expected.json | 94 + .../test-security-windows2012-4776.json | 59 + ...curity-windows2012-4776.json-expected.json | 79 + .../test-security-windows2012-4778.json | 61 + ...curity-windows2012-4778.json-expected.json | 103 + .../test-security-windows2012-4779.json | 61 + ...curity-windows2012-4779.json-expected.json | 88 + .../test-security-windows2012r2-logon.json | 1303 +++ ...ity-windows2012r2-logon.json-expected.json | 1769 ++++ ...rity-windows2016-4722-account-enabled.json | 122 + ...16-4722-account-enabled.json-expected.json | 176 + ...rity-windows2016-4723-password-change.json | 124 + ...16-4723-password-change.json-expected.json | 176 + ...urity-windows2016-4724-password-reset.json | 122 + ...016-4724-password-reset.json-expected.json | 176 + ...ity-windows2016-4725-account-disabled.json | 122 + ...6-4725-account-disabled.json-expected.json | 176 + ...rity-windows2016-4726-account-deleted.json | 124 + ...16-4726-account-deleted.json-expected.json | 178 + .../test-security-windows2016-4727.json | 65 + ...curity-windows2016-4727.json-expected.json | 91 + .../test-security-windows2016-4728.json | 65 + ...curity-windows2016-4728.json-expected.json | 100 + .../test-security-windows2016-4729.json | 65 + ...curity-windows2016-4729.json-expected.json | 100 + .../test-security-windows2016-4730.json | 63 + ...curity-windows2016-4730.json-expected.json | 89 + .../test-security-windows2016-4731.json | 65 + ...curity-windows2016-4731.json-expected.json | 91 + .../test-security-windows2016-4732.json | 65 + ...curity-windows2016-4732.json-expected.json | 100 + .../test-security-windows2016-4733.json | 65 + ...curity-windows2016-4733.json-expected.json | 100 + .../test-security-windows2016-4734.json | 
63 + ...curity-windows2016-4734.json-expected.json | 89 + .../test-security-windows2016-4735.json | 65 + ...curity-windows2016-4735.json-expected.json | 91 + .../test-security-windows2016-4737.json | 65 + ...curity-windows2016-4737.json-expected.json | 91 + ...rity-windows2016-4738-account-changed.json | 83 + ...16-4738-account-changed.json-expected.json | 114 + ...y-windows2016-4740-account-locked-out.json | 63 + ...4740-account-locked-out.json-expected.json | 90 + .../test-security-windows2016-4754.json | 65 + ...curity-windows2016-4754.json-expected.json | 91 + .../test-security-windows2016-4755.json | 65 + ...curity-windows2016-4755.json-expected.json | 91 + .../test-security-windows2016-4756.json | 65 + ...curity-windows2016-4756.json-expected.json | 100 + .../test-security-windows2016-4757.json | 65 + ...curity-windows2016-4757.json-expected.json | 100 + .../test-security-windows2016-4758.json | 63 + ...curity-windows2016-4758.json-expected.json | 89 + .../test-security-windows2016-4764.json | 64 + ...curity-windows2016-4764.json-expected.json | 90 + ...ity-windows2016-4767-account-unlocked.json | 63 + ...6-4767-account-unlocked.json-expected.json | 90 + ...rity-windows2016-4781-account-renamed.json | 126 + ...16-4781-account-renamed.json-expected.json | 184 + .../test-security-windows2016-4798.json | 65 + ...curity-windows2016-4798.json-expected.json | 92 + .../test-security-windows2016-4799.json | 65 + ...curity-windows2016-4799.json-expected.json | 91 + .../test-security-windows2016-logoff.json | 116 + ...rity-windows2016-logoff.json-expected.json | 158 + ...rity-windows2019-4688-process-created.json | 71 + ...19-4688-process-created.json-expected.json | 107 + ...urity-windows2019-4689-process-exited.json | 178 + ...019-4689-process-exited.json-expected.json | 247 + .../_dev/test/pipeline/test-unknown.json | 28 + .../pipeline/test-unknown.json-expected.json | 34 + .../_dev/test/system/test-default-config.yml | 11 + 
.../security/agent/stream/httpjson.yml.hbs | 97 + .../security/agent/stream/winlog.yml.hbs | 24 + .../elasticsearch/ingest_pipeline/default.yml | 81 + .../ingest_pipeline/standard.yml | 3461 ++++++++ .../data_stream/security/fields/agent.yml | 198 + .../security/fields/base-fields.yml | 26 + .../data_stream/security/fields/beats.yml | 3 + .../data_stream/security/fields/ecs.yml | 140 + .../data_stream/security/fields/fields.yml | 30 + .../data_stream/security/fields/winlog.yml | 662 ++ .../system/data_stream/security/manifest.yml | 80 + .../data_stream/security/sample_event.json | 75 + .../agent/stream/stream.yml.hbs | 15 + .../socket_summary/fields/agent.yml | 205 + .../socket_summary/fields/base-fields.yml | 17 + .../data_stream/socket_summary/fields/ecs.yml | 49 + .../socket_summary/fields/fields.yml | 106 + .../data_stream/socket_summary/manifest.yml | 29 + .../pipeline/test-darwin-syslog-sample.log | 21 + .../test-darwin-syslog-sample.log-config.yml | 7 + ...est-darwin-syslog-sample.log-expected.json | 60 + .../_dev/test/pipeline/test-darwin-syslog.log | 497 ++ .../test-darwin-syslog.log-config.yml | 6 + .../test-darwin-syslog.log-expected.json | 7609 +++++++++++++++++ .../_dev/test/pipeline/test-suse-syslog.log | 2 + .../pipeline/test-suse-syslog.log-config.yml | 2 + .../test-suse-syslog.log-expected.json | 44 + .../_dev/test/pipeline/test-tz-offset.log | 3 + .../pipeline/test-tz-offset.log-config.yml | 3 + .../pipeline/test-tz-offset.log-expected.json | 65 + .../syslog/agent/stream/log.yml.hbs | 22 + .../elasticsearch/ingest_pipeline/default.yml | 56 + .../data_stream/syslog/fields/agent.yml | 198 + .../data_stream/syslog/fields/base-fields.yml | 21 + .../system/data_stream/syslog/fields/ecs.yml | 56 + .../data_stream/syslog/fields/fields.yml | 2 + .../system/data_stream/syslog/manifest.yml | 42 + .../system/agent/stream/httpjson.yml.hbs | 107 + .../system/agent/stream/winlog.yml.hbs | 24 + .../elasticsearch/ingest_pipeline/default.yml | 13 + 
.../data_stream/system/fields/agent.yml | 198 + .../data_stream/system/fields/base-fields.yml | 20 + .../system/data_stream/system/fields/ecs.yml | 28 + .../data_stream/system/fields/winlog.yml | 357 + .../system/data_stream/system/manifest.yml | 80 + .../uptime/agent/stream/stream.yml.hbs | 12 + .../data_stream/uptime/fields/agent.yml | 205 + .../data_stream/uptime/fields/base-fields.yml | 20 + .../system/data_stream/uptime/fields/ecs.yml | 3 + .../data_stream/uptime/fields/fields.yml | 10 + .../system/data_stream/uptime/manifest.yml | 29 + test/packages/parallel/system/docs/README.md | 2249 +++++ .../parallel/system/img/kibana-system.png | Bin 0 -> 205298 bytes .../img/metricbeat_system_dashboard.png | Bin 0 -> 575772 bytes test/packages/parallel/system/img/system.svg | 1 + ...-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json | 894 ++ ...-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json | 513 ++ ...-5517a150-f9ce-11e6-8115-a7c18106d86a.json | 582 ++ ...-71f720f0-ff18-11e9-8405-516218e3d268.json | 4493 ++++++++++ ...-79ffd6e0-faa0-11e6-947f-177f697178b8.json | 4616 ++++++++++ .../system-Logs-syslog-dashboard.json | 370 + .../system-Metrics-system-overview.json | 1406 +++ .../dashboard/system-Windows-Dashboard.json | 815 ++ ...-bae11b00-9bfc-11ea-87e4-49f31ec44891.json | 1592 ++++ ...-bb858830-f412-11e9-8405-516218e3d268.json | 4431 ++++++++++ ...-d401ef40-a7d5-11e9-a422-d144027429da.json | 1832 ++++ ...-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json | 101 + ...-324686c0-fefb-11e9-8405-516218e3d268.json | 144 + ...-62439dc0-f9c9-11e6-a747-6121780e0414.json | 51 + ...-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json | 88 + ...-757510b0-a87f-11e9-a422-d144027429da.json | 116 + ...-7e178c80-fee1-11e9-8405-516218e3d268.json | 82 + ...-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json | 51 + ...-9066d5b0-fef2-11e9-8405-516218e3d268.json | 263 + .../search/system-Syslog-system-logs.json | 62 + ...-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json | 50 + ...-ce71c9a0-a25e-11e9-a422-d144027429da.json | 77 + 
...-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json | 48 + test/packages/parallel/system/manifest.yml | 124 + test/packages/parallel/system/script.py | 50 + 356 files changed, 72852 insertions(+) create mode 100644 test/packages/parallel/system/_dev/build/build.yml create mode 100644 test/packages/parallel/system/_dev/build/docs/README.md create mode 100644 test/packages/parallel/system/_dev/deploy/docker/docker-compose.yml create mode 100644 test/packages/parallel/system/_dev/deploy/docker/sample_logs/security.json.log create mode 100644 test/packages/parallel/system/changelog.yml create mode 100644 test/packages/parallel/system/data_stream/application/agent/stream/httpjson.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/application/agent/stream/winlog.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/application/elasticsearch/ingest_pipeline/default.yml create mode 100644 test/packages/parallel/system/data_stream/application/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/application/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/application/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/application/fields/winlog.yml create mode 100644 test/packages/parallel/system/data_stream/application/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log-expected.json create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-config.yml create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json create mode 100644 
test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log-config.yml create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-config.yml create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-expected.json create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-config.yml create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-config.yml create mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json create mode 100644 test/packages/parallel/system/data_stream/auth/agent/stream/log.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml create mode 100644 test/packages/parallel/system/data_stream/auth/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/auth/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/auth/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/auth/fields/fields.yml create mode 100644 test/packages/parallel/system/data_stream/auth/manifest.yml create mode 100644 
test/packages/parallel/system/data_stream/core/agent/stream/stream.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/core/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/core/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/core/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/core/fields/fields.yml create mode 100644 test/packages/parallel/system/data_stream/core/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/cpu/agent/stream/stream.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/cpu/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/cpu/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/cpu/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/cpu/fields/fields.yml create mode 100644 test/packages/parallel/system/data_stream/cpu/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/diskio/agent/stream/stream.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/diskio/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/diskio/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/diskio/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/diskio/fields/fields.yml create mode 100644 test/packages/parallel/system/data_stream/diskio/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/filesystem/agent/stream/stream.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/filesystem/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/filesystem/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/filesystem/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/filesystem/fields/fields.yml create mode 100644 
test/packages/parallel/system/data_stream/filesystem/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/fsstat/agent/stream/stream.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/fsstat/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/fsstat/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/fsstat/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/fsstat/fields/fields.yml create mode 100644 test/packages/parallel/system/data_stream/fsstat/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/load/agent/stream/stream.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/load/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/load/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/load/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/load/fields/fields.yml create mode 100644 test/packages/parallel/system/data_stream/load/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/memory/agent/stream/stream.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/memory/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/memory/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/memory/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/memory/fields/fields.yml create mode 100644 test/packages/parallel/system/data_stream/memory/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/network/agent/stream/stream.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/network/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/network/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/network/fields/ecs.yml create mode 100644 
test/packages/parallel/system/data_stream/network/fields/fields.yml create mode 100644 test/packages/parallel/system/data_stream/network/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/process/_dev/test/system/test-default-config.yml create mode 100644 test/packages/parallel/system/data_stream/process/agent/stream/stream.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/process/elasticsearch/ingest_pipeline/default.yml create mode 100644 test/packages/parallel/system/data_stream/process/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/process/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/process/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/process/fields/fields.yml create mode 100644 test/packages/parallel/system/data_stream/process/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/process_summary/agent/stream/stream.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/process_summary/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/process_summary/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/process_summary/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/process_summary/fields/fields.yml create mode 100644 test/packages/parallel/system/data_stream/process_summary/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json create mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json 
create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json create mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json create mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json create mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json-expected.json create mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-common-config.yml create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json create mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json create mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json create mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json create mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json create mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json create mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-unknown.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json create mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/system/test-default-config.yml create mode 100644 test/packages/parallel/system/data_stream/security/agent/stream/httpjson.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/security/agent/stream/winlog.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml create mode 100644 test/packages/parallel/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml create mode 100644 test/packages/parallel/system/data_stream/security/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/security/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/security/fields/beats.yml create mode 100644 test/packages/parallel/system/data_stream/security/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/security/fields/fields.yml create mode 100644 test/packages/parallel/system/data_stream/security/fields/winlog.yml create mode 100644 test/packages/parallel/system/data_stream/security/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/security/sample_event.json create mode 100644 test/packages/parallel/system/data_stream/socket_summary/agent/stream/stream.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/socket_summary/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/socket_summary/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/socket_summary/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/socket_summary/fields/fields.yml create mode 100644 
test/packages/parallel/system/data_stream/socket_summary/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log create mode 100644 test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-config.yml create mode 100644 test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-expected.json create mode 100644 test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log create mode 100644 test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-config.yml create mode 100644 test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-expected.json create mode 100644 test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log create mode 100644 test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-config.yml create mode 100644 test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-expected.json create mode 100644 test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log create mode 100644 test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-config.yml create mode 100644 test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-expected.json create mode 100644 test/packages/parallel/system/data_stream/syslog/agent/stream/log.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml create mode 100644 test/packages/parallel/system/data_stream/syslog/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/syslog/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/syslog/fields/ecs.yml create mode 100644 
test/packages/parallel/system/data_stream/syslog/fields/fields.yml create mode 100644 test/packages/parallel/system/data_stream/syslog/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/system/agent/stream/httpjson.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/system/agent/stream/winlog.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/system/elasticsearch/ingest_pipeline/default.yml create mode 100644 test/packages/parallel/system/data_stream/system/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/system/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/system/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/system/fields/winlog.yml create mode 100644 test/packages/parallel/system/data_stream/system/manifest.yml create mode 100644 test/packages/parallel/system/data_stream/uptime/agent/stream/stream.yml.hbs create mode 100644 test/packages/parallel/system/data_stream/uptime/fields/agent.yml create mode 100644 test/packages/parallel/system/data_stream/uptime/fields/base-fields.yml create mode 100644 test/packages/parallel/system/data_stream/uptime/fields/ecs.yml create mode 100644 test/packages/parallel/system/data_stream/uptime/fields/fields.yml create mode 100644 test/packages/parallel/system/data_stream/uptime/manifest.yml create mode 100644 test/packages/parallel/system/docs/README.md create mode 100644 test/packages/parallel/system/img/kibana-system.png create mode 100644 test/packages/parallel/system/img/metricbeat_system_dashboard.png create mode 100644 test/packages/parallel/system/img/system.svg create mode 100644 test/packages/parallel/system/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json create mode 100644 test/packages/parallel/system/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json create mode 100644 
test/packages/parallel/system/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json create mode 100644 test/packages/parallel/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json create mode 100644 test/packages/parallel/system/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json create mode 100644 test/packages/parallel/system/kibana/dashboard/system-Logs-syslog-dashboard.json create mode 100644 test/packages/parallel/system/kibana/dashboard/system-Metrics-system-overview.json create mode 100644 test/packages/parallel/system/kibana/dashboard/system-Windows-Dashboard.json create mode 100644 test/packages/parallel/system/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json create mode 100644 test/packages/parallel/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json create mode 100644 test/packages/parallel/system/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json create mode 100644 test/packages/parallel/system/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json create mode 100644 test/packages/parallel/system/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json create mode 100644 test/packages/parallel/system/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json create mode 100644 test/packages/parallel/system/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json create mode 100644 test/packages/parallel/system/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json create mode 100644 test/packages/parallel/system/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json create mode 100644 test/packages/parallel/system/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json create mode 100644 test/packages/parallel/system/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json create mode 100644 test/packages/parallel/system/kibana/search/system-Syslog-system-logs.json create mode 100644 
test/packages/parallel/system/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json create mode 100644 test/packages/parallel/system/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json create mode 100644 test/packages/parallel/system/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json create mode 100644 test/packages/parallel/system/manifest.yml create mode 100644 test/packages/parallel/system/script.py
diff --git a/scripts/links_table.yml b/scripts/links_table.yml
index 17c9fccd5..573fcebc5 100644
--- a/scripts/links_table.yml
+++ b/scripts/links_table.yml
@@ -1,2 +1,3 @@
 links:
 elastic-main: "https://www.elastic.co/guide"
+ getting-started-observability: "https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html"
diff --git a/test/packages/parallel/system/_dev/build/build.yml b/test/packages/parallel/system/_dev/build/build.yml
new file mode 100644
index 000000000..47cbed9fe
--- /dev/null
+++ b/test/packages/parallel/system/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@v8.0.0
diff --git a/test/packages/parallel/system/_dev/build/docs/README.md b/test/packages/parallel/system/_dev/build/docs/README.md
new file mode 100644
index 000000000..620f2a673
--- /dev/null
+++ b/test/packages/parallel/system/_dev/build/docs/README.md
@@ -0,0 +1,366 @@ +# System Integration + +The System integration allows you to monitor servers, personal computers, and more. + +Use the System integration to collect metrics and logs from your machines. +Then visualize that data in Kibana, create alerts to notify you if something goes wrong, +and reference data when troubleshooting an issue. + +For example, if you wanted to be notified when less than 10% of the disk space is still available, you +could install the System integration to send file system metrics to Elastic. +Then, you could view real-time updates to disk space used on your system in Kibana's _[Metrics System] Overview_ dashboard. +You could also set up a new rule in the Elastic Observability Metrics app to alert you when the percent free is +less than 10% of the total disk space. + +## Data streams + +The System integration collects two types of data: logs and metrics. + +**Logs** help you keep a record of events that happen on your machine. +Log data streams collected by the System integration include application, system, and security events on +machines running Windows and auth and syslog events on machines running macOS or Linux. +See more details in the [Logs reference](#logs-reference). + +**Metrics** give you insight into the state of the machine. +Metric data streams collected by the System integration include CPU usage, load statistics, memory usage, +information on network behavior, and more. +See more details in the [Metrics reference](#metrics-reference). + +You can enable and disable individual data streams. If _all_ data streams are disabled and the System integration +is still enabled, Fleet uses the default data streams. + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. +You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. 
+ +Each data stream collects different kinds of metric data, which may require dedicated permissions +to be fetched and which may vary across operating systems. +Details on the permissions needed for each data stream are available in the [Metrics reference](#metrics-reference). + +## Setup + +For step-by-step instructions on how to set up an integration, see the +{{ url "getting-started-observability" "Getting started" }} guide. + +## Troubleshooting + +Note that certain data streams may access `/proc` to gather process information, +and the resulting `ptrace_may_access()` call by the kernel to check for +permissions can be blocked by +[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly. + +In addition, when running inside a container the proc filesystem directory of the host +should be set using `system.hostfs` setting to `/hostfs`. + +### Windows Event ID clause limit + +If you specify more than 22 query conditions (event IDs or event ID ranges), some +versions of Windows will prevent the integration from reading the event log due to +limits in the query system. If this occurs, a similar warning as shown below: + +``` +The specified query is invalid. +``` + +In some cases, the limit may be lower than 22 conditions. For instance, using a +mixture of ranges and single event IDs, along with an additional parameter such +as `ignore older`, results in a limit of 21 conditions. + +If you have more than 22 conditions, you can work around this Windows limitation +by using a drop_event processor to do the filtering after filebeat has received +the events from Windows. The filter shown below is equivalent to +`event_id: 903, 1024, 2000-2004, 4624` but can be expanded beyond 22 event IDs. 
+ +```yaml +- drop_event.when.not.or: + - equals.winlog.event_id: "903" + - equals.winlog.event_id: "1024" + - equals.winlog.event_id: "4624" + - range: + winlog.event_id.gte: 2000 + winlog.event_id.lte: 2004 +``` + +## Logs reference + +### Application + +The Windows `application` data stream provides events from the Windows +`Application` event log. + +#### Supported operating systems + +- Windows + +{{fields "application"}} + +### System + +The Windows `system` data stream provides events from the Windows `System` +event log. + +#### Supported operating systems + +- Windows + +{{fields "system"}} + + +### Security + +The Windows `security` data stream provides events from the Windows +`Security` event log. + +#### Supported operating systems + +- Windows + +{{event "security"}} + +{{fields "security"}} + +### Auth + +The `auth` data stream provides auth logs. + +#### Supported operating systems + +- macOS prior to 10.8 +- Linux + +{{fields "auth"}} + +### syslog + +The `syslog` data stream provides system logs. + +#### Supported operating systems + +- macOS +- Linux + +{{fields "syslog"}} + +## Metrics reference + +### Core + +The System `core` data stream provides usage statistics for each CPU core. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- OpenBSD +- Windows + +#### Permissions + +This data should be available without elevated permissions. + +{{fields "core"}} + +### CPU + +The System `cpu` data stream provides CPU statistics. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- OpenBSD +- Windows + +#### Permissions + +This data should be available without elevated permissions. + +{{fields "cpu"}} + +### Disk IO + +The System `diskio` data stream provides disk IO metrics collected from the +operating system. One event is created for each disk mounted on the system. 
+ +#### Supported operating systems + +- Linux +- macOS (requires 10.10+) +- Windows +- FreeBSD (amd64) + +#### Permissions + +This data should be available without elevated permissions. + +{{fields "diskio"}} + +### Filesystem + +The System `filesystem` data stream provides file system statistics. For each file +system, one document is provided. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- OpenBSD +- Windows + +#### Permissions + +This data should be available without elevated permissions. + +{{fields "filesystem"}} + +### Fsstat + +The System `fsstat` data stream provides overall file system statistics. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- OpenBSD +- Windows + +#### Permissions + +This data should be available without elevated permissions. + +{{fields "fsstat"}} + +### Load + +The System `load` data stream provides load statistics. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- OpenBSD + +#### Permissions + +This data should be available without elevated permissions. + +{{fields "load"}} + +### Memory + +The System `memory` data stream provides memory statistics. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- OpenBSD +- Windows + +#### Permissions + +This data should be available without elevated permissions. + +{{fields "memory"}} + +### Network + +The System `network` data stream provides network IO metrics collected from the +operating system. One event is created for each network interface. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- Windows + +#### Permissions + +This data should be available without elevated permissions. + +{{fields "network"}} + +### Process + +The System `process` data stream provides process statistics. One document is +provided for each process. 
+ +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- Windows + +#### Permissions + +Process execution data should be available for an authorized user. +If running as less privileged user, it may not be able to read process data belonging to other users. + +{{fields "process"}} + +### Process summary + +The `process_summary` data stream collects high level statistics about the running +processes. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- Windows + +#### Permissions + +General process summary data should be available without elevated permissions. +If the process data belongs to the other users, it will be counted as unknown value. + +{{fields "process_summary"}} + +### Socket summary + +The System `socket_summary` data stream provides the summary of open network +sockets in the host system. + +It collects a summary of metrics with the count of existing TCP and UDP +connections and the count of listening ports. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- Windows + +#### Permissions + +This data should be available without elevated permissions. + +{{fields "socket_summary"}} + +### Uptime + +The System `uptime` data stream provides the uptime of the host operating system. + +#### Supported operating systems + +- Linux +- macOS +- OpenBSD +- FreeBSD +- Windows + +#### Permissions + +This data should be available without elevated permissions. + +{{fields "uptime"}} diff --git a/test/packages/parallel/system/_dev/deploy/docker/docker-compose.yml b/test/packages/parallel/system/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 000000000..f7ba732f9 --- /dev/null +++ b/test/packages/parallel/system/_dev/deploy/docker/docker-compose.yml 
@@ -0,0 +1,18 @@
+version: '2.3'
+services:
+ system:
+ image: alpine
+ volumes:
+ - ${SERVICE_LOGS_DIR}:/service_logs
+ security:
+ image: docker.elastic.co/observability/stream:v0.4.0
+ ports:
+ - 8080
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command:
+ - log
+ - --start-signal=SIGHUP
+ - --addr=:8080
+ - -p=http-server
+ - /sample_logs/security.json.log
diff --git a/test/packages/parallel/system/_dev/deploy/docker/sample_logs/security.json.log b/test/packages/parallel/system/_dev/deploy/docker/sample_logs/security.json.log
new file mode 100644
index 000000000..88e56a76d
--- /dev/null
+++ b/test/packages/parallel/system/_dev/deploy/docker/sample_logs/security.json.log
@@ -0,0 +1 @@
+{"preview": false,"offset": 194,"lastrow": true,"result": {"_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38","_cd": "0:315","_indextime": "1622471463","_raw": "11000410300x402000000000000014257SecurityWIN-41OB2LO92CR.wlbeat.local","_serial": "194","_si": ["69819b6ce1bd","main"],"_sourcetype": "XmlWinEventLog:Security","_time": "2021-05-25 13:11:45.000 UTC","host": "VAGRANT","index": "main","linecount": "1","max_indextime": "1622471606","source": "WinEventLog:Security","sourcetype": "XmlWinEventLog:Security","splunk_server": "69819b6ce1bd"}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/changelog.yml b/test/packages/parallel/system/changelog.yml
new file mode 100644
index 000000000..d6d69ce08
--- /dev/null
+++ b/test/packages/parallel/system/changelog.yml
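Review bot: In `_dev/deploy/docker/docker-compose.yml` the `system` service uses `image: alpine` with no tag, so every test run pulls whatever `latest` resolves to at that moment, while the `security` service beside it is pinned to `stream:v0.4.0`. An unpinned base image is an unreviewed input to CI and makes the fixture non-reproducible. Pinning it to a fixed tag, and preferably a digest, closes that gap, for example `image: alpine:<pinned-tag>@sha256:<digest>` (placeholder values, to be filled from the registry).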
@@ -0,0 +1,489 @@ +# newer versions go on top +- version: "1.33.0" + changes: + - description: Add permissions to reroute events to logs-*-* for syslog datastream + type: enhancement + link: https://github.com/elastic/integrations/pull/6340 +- version: "1.32.0-beta.2" + changes: + - description: Enable TSDS for network data_streams + type: enhancement + link: https://github.com/elastic/integrations/pull/6469 +- version: "1.32.0-beta.1" + changes: + - description: Add dimensions for the network data_stream + type: enhancement + link: https://github.com/elastic/integrations/pull/6405 +- version: "1.32.0-beta" + changes: + - description: Enable TSDS for metrics data_streams, except core, network and process data_streams for beta testing + type: enhancement + link: https://github.com/elastic/integrations/pull/6427 +- version: "1.31.1" + changes: + - description: Add missing metric_type metadata + type: enhancement + link: https://github.com/elastic/integrations/pull/6395 +- version: "1.31.0" + changes: + - description: Add dimension metadata to the process data_stream + type: enhancement + link: https://github.com/elastic/integrations/pull/6407 +- version: "1.30.0" + changes: + - description: Add dimension fields to metrics all data_streams, except core, network and process to support TSDS migration + type: enhancement + link: https://github.com/elastic/integrations/pull/6118 +- version: "1.29.0" + changes: + - description: support ip or domain in sshd messages + type: enhancement + link: https://github.com/elastic/integrations/pull/6256 +- version: "1.28.0" + changes: + - description: Add a new flag to enable request tracing + type: enhancement + link: https://github.com/elastic/integrations/pull/6163 +- version: "1.27.1" + changes: + - description: Remove managed tag. + type: bugfix + link: https://github.com/elastic/integrations/pull/6098 +- version: "1.27.0" + changes: + - description: Convert TSVB visualisations to Lens. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/5740 +- version: "1.26.0" + changes: + - description: Adds /var/log/system* to default syslog input for macOS + type: enhancement + link: https://github.com/elastic/integrations/pull/4157 +- version: "1.25.4" + changes: + - description: Fix visualization to reference Elastic Agent integrations, not Winlogbeat + type: bugfix + link: https://github.com/elastic/integrations/pull/5828 +- version: "1.26.0-next" + changes: + - description: Clean Windows dashboards. + type: enhancement + link: https://github.com/elastic/integrations/pull/5653 +- version: "1.25.3" + changes: + - description: Document 21 Event ID clause limit under certain situations. + type: enhancement + link: https://github.com/elastic/integrations/pull/5838 +- version: "1.25.2" + changes: + - description: Remove duplicate Windows dashboards. + type: bugfix + link: https://github.com/elastic/integrations/pull/5525 +- version: "1.25.1" + changes: + - description: Added categories and/or subcategories. + type: enhancement + link: https://github.com/elastic/integrations/pull/5123 +- version: "1.25.0" + changes: + - description: Convert dashboard visualisations to storage by value. + type: enhancement + link: https://github.com/elastic/integrations/pull/5322 +- version: "1.24.3" + changes: + - description: Fix mapping for winlog.time_created by setting to date instead of keyword + type: bugfix + link: https://github.com/elastic/integrations/pull/5350 +- version: "1.24.2" + changes: + - description: Remove redundant regular expression quantifier. 
+ type: bugfix + link: https://github.com/elastic/integrations/pull/5320 +- version: "1.24.1" + changes: + - description: Added filters on dataset for system metrics dashboards + type: enhancement + link: https://github.com/elastic/integrations/pull/5198 +- version: "1.24.0" + changes: + - description: Add basic dimension fields for cpu, load and memory + type: enhancement + link: https://github.com/elastic/integrations/pull/1234 +- version: "1.23.1" + changes: + - description: Mark datasets as ga + type: bugfix + link: https://github.com/elastic/integrations/pull/5119 +- version: "1.23.0" + changes: + - description: Add mapping for Windows events 4797, 5379, 5380, 5381, and 5382. + type: enhancement + link: https://github.com/elastic/integrations/pull/5087 +- version: "1.22.0" + changes: + - description: Improve handling of user name and event outcome in auth dataset. + type: enhancement + link: https://github.com/elastic/integrations/pull/4478 +- version: "1.21.0" + changes: + - description: Embed visualizations within dashboards (where possible) to make them self-contained and reduce Kibana saved object clutter. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/5023 +- version: "1.20.4" + changes: + - description: Remove wrong visualization from dashboard + type: bugfix + link: https://github.com/elastic/integrations/pull/4472 +- version: "1.20.3" + changes: + - description: Allow adding multiple processors in syslog data stream + type: bugfix + link: https://github.com/elastic/integrations/pull/4437 +- version: "1.20.2" + changes: + - description: Remove incorrect tag + type: bugfix + link: https://github.com/elastic/integrations/pull/4248 +- version: "1.20.1" + changes: + - description: Fix adding processors in syslog data stream + type: bugfix + link: https://github.com/elastic/integrations/pull/4396 +- version: "1.20.0" + changes: + - description: Improve system overview and host overview dashboards + type: enhancement + link: https://github.com/elastic/integrations/pull/3562 +- version: "1.19.5" + changes: + - description: Fix duplicated processor field in syslog + type: bugfix + link: https://github.com/elastic/integrations/pull/4180 +- version: "1.19.4" + changes: + - description: Add missing field mapping for `error.code` and `error.message` + type: bugfix + link: https://github.com/elastic/integrations/pull/4084 +- version: "1.19.3" + changes: + - description: Add test cases for events 4738 and 4742. + type: bugfix + link: https://github.com/elastic/integrations/pull/3944 +- version: "1.19.2" + changes: + - description: Add mapping for event.original for auth and security data streams. + type: bugfix + link: https://github.com/elastic/integrations/pull/4012 +- version: "1.19.1" + changes: + - description: Fix handling of security events 4674, 4738 and 4742. 
+ type: bugfix + link: https://github.com/elastic/integrations/pull/3930 +- version: "1.19.0" + changes: + - description: Add ignore_older to remaining logs + type: enhancement + link: https://github.com/elastic/integrations/pull/3691 +- version: "1.18.0" + changes: + - description: Separate grok parsing into stages and anchor the patterns in the system.auth pipeline. + type: bugfix + link: https://github.com/elastic/integrations/pull/3705 + - description: Add processors, tags, and preserve original event options to the system.auth data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/3705 +- version: "1.17.0" + changes: + - description: Add processor and tag fields + type: enhancement + link: https://github.com/elastic/integrations/pull/3563 +- version: "1.16.2" + changes: + - description: Update documentation with additional context for new users. + type: enhancement + link: https://github.com/elastic/integrations/pull/3306 +- version: "1.16.1" + changes: + - description: Fix missing key in env whitelist + type: bugfix + link: https://github.com/elastic/integrations/pull/3519 +- version: "1.16.0" + changes: + - description: Migrating from tile map to map in system log dashboard + type: enhancement + link: https://github.com/elastic/integrations/pull/3509 +- version: "1.15.1" + changes: + - description: Fix ECS schema + type: bugfix + link: https://github.com/elastic/integrations/pull/3424 +- version: "1.15.0" + changes: + - description: Enrich security data set with GeoIP data + type: enhancement + link: https://github.com/elastic/integrations/pull/3375 +- version: "1.14.0" + changes: + - description: Add support for events 5140 and 5145 to the security pipeline. + type: enhancement + link: https://github.com/elastic/integrations/pull/3299 +- version: "1.13.0" + changes: + - description: Add parent process ID to security event for new process creation. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/2966 +- version: "1.12.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.12.0" + changes: + - description: Add system/process pipeline to rename process.ppid to process.parent.pid as per ECS 8.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/2610 +- version: "1.11.0" + changes: + - description: Add option to configure ignored filesystem types + type: enhancement + link: https://github.com/elastic/integrations/pull/2679 +- version: "1.10.0" + changes: + - description: Expose winlog input ignore_older option. + type: enhancement + link: https://github.com/elastic/integrations/pull/2542 + - description: Fix preserve original event option + type: bugfix + link: https://github.com/elastic/integrations/pull/2542 + - description: Make order of Security, Application, System options consistent with other winlog based integrations. + type: enhancement + link: https://github.com/elastic/integrations/pull/2542 +- version: "1.9.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2512 +- version: "1.8.0" + changes: + - description: Add routing pipeline to security data_stream, limit to specific providers. + type: enhancement + link: https://github.com/elastic/integrations/pull/2523 +- version: "1.7.0" + changes: + - description: Expose winlog input language option. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/2344 +- version: "1.6.6" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.6.5" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.6.4" + changes: + - description: More consistent use of Proc Filesystem Directory settings + type: bugfix + link: https://github.com/elastic/integrations/pull/2201 + - description: Support Kibana 8 + type: enhancement + link: https://github.com/elastic/integrations/pull/2201 +- version: "1.6.3" + changes: + - description: Fix AccessList and AccessMask processing in security data_stream + type: bugfix + link: https://github.com/elastic/integrations/pull/2156 +- version: "1.6.2" + changes: + - description: Fix missing null check in security pipeline + type: bugfix + link: https://github.com/elastic/integrations/pull/2148 +- version: "1.6.1" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2082 +- version: "1.6.0" + changes: + - description: Consistently map message field in Windows integrations. 
+ type: bugfix + link: https://github.com/elastic/integrations/pull/2008 +- version: "1.5.0" + changes: + - description: Better user mappings for security events + type: enhancement + link: https://github.com/elastic/integrations/pull/1944 +- version: "1.4.2" + changes: + - description: Prevent pipeline script error + type: bugfix + link: https://github.com/elastic/integrations/pull/1869 +- version: "1.4.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1855 +- version: "1.4.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1709 +- version: "1.3.0" + changes: + - description: Add custom processors and event_id to Application, Security & System data_streams + type: enhancement + link: https://github.com/elastic/integrations/pull/1548 +- version: "1.2.1" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1508 +- version: "1.2.0" + changes: + - description: Update fields to include new cgroups fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1539 +- version: "1.1.5" + changes: + - description: Fix Windows links + type: bugfix + link: https://github.com/elastic/integrations/pull/1525 +- version: "1.1.4" + changes: + - description: Fix issue with normalized CPU gauge + type: bugfix + link: https://github.com/elastic/integrations/pull/1458 +- version: "1.1.3" + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1429 +- version: "1.1.2" + changes: + - description: Mark integration as GA + type: bugfix + link: https://github.com/elastic/integrations/pull/1435 +- version: "1.1.1" + changes: + - description: Escape special characters in docs + type: enhancement + link: https://github.com/elastic/integrations/pull/1405 +- version: 
"1.1.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "1.0.1" + changes: + - description: Move visualizations to cpu.norm.pct + type: enhancement + link: https://github.com/elastic/integrations/pull/1358 +- version: "1.0.0" + changes: + - description: GA the system module + type: enhancement + link: https://github.com/elastic/integrations/pull/1282 +- version: "0.13.6" + changes: + - description: Use event.dataset and event.module + type: enhancement + link: https://github.com/elastic/integrations/pull/1211 +- version: "0.13.5" + changes: + - description: Add support for Splunk authorization tokens + type: enhancement + link: https://github.com/elastic/integrations/pull/1147 +- version: "0.13.4" + changes: + - description: Use `wildcard` type for relevant ECS fields in `security` stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/1185 +- version: "0.13.3" + changes: + - description: Fix unneeded unit and metric type for field groups + type: bugfix + link: https://github.com/elastic/integrations/pull/1114 +- version: "0.13.2" + changes: + - description: Fix security pipeline to support string event.code. + type: bugfix + link: https://github.com/elastic/integrations/pull/1089 +- version: "0.13.1" + changes: + - description: Add system tests for security data_stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/1069 +- version: "0.13.0" + changes: + - description: Render units and metric types in exported fields table + type: enhancement + link: https://github.com/elastic/integrations/pull/1028 +- version: "0.12.7" + changes: + - description: Fix security pipeline to support string event.code for 7.13. + type: bugfix + link: https://github.com/elastic/package-storage/pull/1372 +- version: "0.12.6" + changes: + - description: Report system_summary properly. 
+ type: bugfix + link: https://github.com/elastic/integrations/pull/778 +- version: "0.12.5" + changes: + - description: Make event.original optional for application, security, and system data streams. + type: enhancement + link: https://github.com/elastic/integrations/pull/990 +- version: "0.12.4" + changes: + - description: Fix inconsistent dashboard IDs + type: bugfix + link: https://github.com/elastic/integrations/pull/987 +- version: "0.12.3" + changes: + - description: Remove edge processing for httpjson input. + type: enhancement + link: https://github.com/elastic/integrations/pull/969 +- version: "0.12.2" + changes: + - description: Add event.code mappings + type: bugfix + link: https://github.com/elastic/integrations/pull/932 +- version: "0.12.1" + changes: + - description: Convert Security processing to Ingest Node + type: enhancement + link: https://github.com/elastic/integrations/pull/917 + - description: Change Splunk input to use the decode_xml_wineventlog processor. + type: enhancement + link: https://github.com/elastic/integrations/pull/924 +- version: "0.12.0" + changes: + - description: Add Splunk input for application, system, and security data streams. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/890 +- version: "0.11.3" + changes: + - description: Updating package owner + type: enhancement + link: https://github.com/elastic/integrations/pull/766 + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/874 +- version: "0.11.2" + changes: + - description: Update security data stream + type: bugfix # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/728 +- version: "0.11.1" # unreleased + changes: + - description: remove duplicate ingest pipeline for syslog data stream + type: bugfix + link: https://github.com/elastic/integrations/pull/725 +- version: "0.0.3" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/8 diff --git a/test/packages/parallel/system/data_stream/application/agent/stream/httpjson.yml.hbs b/test/packages/parallel/system/data_stream/application/agent/stream/httpjson.yml.hbs new file mode 100644 index 000000000..6364f1ab6 --- /dev/null +++ b/test/packages/parallel/system/data_stream/application/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,107 @@
+config_version: "2"
+interval: {{interval}}
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: |-
+ {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+ - decode_json_fields:
+ fields: message
+ target: json
+ add_error_key: true
+ - drop_event:
+ when:
+ not:
+ has_fields: ['json.result']
+ - fingerprint:
+ fields:
+ - json.result._cd
+ - json.result._indextime
+ - json.result._raw
+ - json.result._time
+ - json.result.host
+ - json.result.source
+ target_field: "@metadata._id"
+ - drop_fields:
+ fields: message
+ - rename:
+ fields:
+ - from: json.result._raw
+ to: event.original
+ - from: json.result.host
+ to: host.name
+ - from: json.result.source
+ to: event.provider
+ ignore_missing: true
+ fail_on_error: false
+ - drop_fields:
+ fields: json
+ - decode_xml_wineventlog:
+ field: event.original
+ target_field: winlog
+ ignore_missing: true
+ ignore_failure: true
+ map_ecs_fields: true
+ - timestamp:
+ field: winlog.time_created
+ layouts:
+ - '2006-01-02T15:04:05Z'
+ - '2006-01-02T15:04:05.999Z'
+ - '2006-01-02T15:04:05.999-07:00'
+ test:
+ - '2019-06-22T16:33:51Z'
+ - '2019-11-18T04:59:51.123Z'
+ - '2020-08-03T07:10:20.123456+02:00'
diff --git a/test/packages/parallel/system/data_stream/application/agent/stream/winlog.yml.hbs b/test/packages/parallel/system/data_stream/application/agent/stream/winlog.yml.hbs
new file mode 100644
index 000000000..ca336f119
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/application/agent/stream/winlog.yml.hbs
@@ -0,0 +1,24 @@
+name: Application
+condition: ${host.platform} == 'windows'
+{{#if event_id}}
+event_id: {{event_id}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+{{#if language}}
+language: {{language}}
+{{/if}}
+{{#if preserve_original_event}}
+include_xml: true
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
diff --git a/test/packages/parallel/system/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/test/packages/parallel/system/data_stream/application/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 000000000..7d7aa4443
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/application/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,13 @@
+---
+description: Pipeline for Windows Application Event Logs
+processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: 8.0.0
+on_failure:
+ - set:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
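Review bot: In `application/agent/stream/httpjson.yml.hbs` the two authentication blocks are gated so that a mixed configuration renders no credentials at all. Basic auth is emitted only under `{{#unless token}}` (and only when both `username` and `password` are set), while the `header.Authorization` transform is emitted only under `{{#unless username}}{{#unless password}}`. With a token and a username both set, or a username without a password and no token, neither block renders and the request to `{{url}}/services/search/jobs/export` is sent unauthenticated with no error at render time. Giving one method precedence removes the gap: keep the `{{#unless token}}` guard on basic auth and gate the header on `{{#if token}}` alone, dropping the two `{{#unless …}}` wrappers around it.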
diff --git a/test/packages/parallel/system/data_stream/application/fields/agent.yml b/test/packages/parallel/system/data_stream/application/fields/agent.yml
new file mode 100644
index 000000000..da4e652c5
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/application/fields/agent.yml
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/test/packages/parallel/system/data_stream/application/fields/base-fields.yml b/test/packages/parallel/system/data_stream/application/fields/base-fields.yml
new file mode 100644
index 000000000..4d2e3fc51
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/application/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.application
diff --git a/test/packages/parallel/system/data_stream/application/fields/ecs.yml b/test/packages/parallel/system/data_stream/application/fields/ecs.yml
new file mode 100644
index 000000000..cfbc8e8c8
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/application/fields/ecs.yml
@@ -0,0 +1,12 @@
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.original
+- external: ecs
+ name: message
diff --git a/test/packages/parallel/system/data_stream/application/fields/winlog.yml b/test/packages/parallel/system/data_stream/application/fields/winlog.yml
new file mode 100644
index 000000000..adca1bbdd
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/application/fields/winlog.yml
@@ -0,0 +1,357 @@ +- name: winlog + type: group + description: > + All fields specific to the Windows Event Log are defined here. + + fields: + - name: api + required: true + type: keyword + description: > + The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. + + - name: activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. + + - name: computer_name + type: keyword + required: true + description: > + The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. + + - name: event_data + type: object + object_type: keyword + required: false + description: > + The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. + + - name: event_data + type: group + description: > + This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
+ + fields: + - name: AuthenticationPackageName + type: keyword + - name: Binary + type: keyword + - name: BitlockerUserInputTime + type: keyword + - name: BootMode + type: keyword + - name: BootType + type: keyword + - name: BuildVersion + type: keyword + - name: Company + type: keyword + - name: CorruptionActionState + type: keyword + - name: CreationUtcTime + type: keyword + - name: Description + type: keyword + - name: Detail + type: keyword + - name: DeviceName + type: keyword + - name: DeviceNameLength + type: keyword + - name: DeviceTime + type: keyword + - name: DeviceVersionMajor + type: keyword + - name: DeviceVersionMinor + type: keyword + - name: DriveName + type: keyword + - name: DriverName + type: keyword + - name: DriverNameLength + type: keyword + - name: DwordVal + type: keyword + - name: EntryCount + type: keyword + - name: ExtraInfo + type: keyword + - name: FailureName + type: keyword + - name: FailureNameLength + type: keyword + - name: FileVersion + type: keyword + - name: FinalStatus + type: keyword + - name: Group + type: keyword + - name: IdleImplementation + type: keyword + - name: IdleStateCount + type: keyword + - name: ImpersonationLevel + type: keyword + - name: IntegrityLevel + type: keyword + - name: IpAddress + type: keyword + - name: IpPort + type: keyword + - name: KeyLength + type: keyword + - name: LastBootGood + type: keyword + - name: LastShutdownGood + type: keyword + - name: LmPackageName + type: keyword + - name: LogonGuid + type: keyword + - name: LogonId + type: keyword + - name: LogonProcessName + type: keyword + - name: LogonType + type: keyword + - name: MajorVersion + type: keyword + - name: MaximumPerformancePercent + type: keyword + - name: MemberName + type: keyword + - name: MemberSid + type: keyword + - name: MinimumPerformancePercent + type: keyword + - name: MinimumThrottlePercent + type: keyword + - name: MinorVersion + type: keyword + - name: NewProcessId + type: keyword + - name: NewProcessName + type: 
keyword + - name: NewSchemeGuid + type: keyword + - name: NewTime + type: keyword + - name: NominalFrequency + type: keyword + - name: Number + type: keyword + - name: OldSchemeGuid + type: keyword + - name: OldTime + type: keyword + - name: OriginalFileName + type: keyword + - name: Path + type: keyword + - name: PerformanceImplementation + type: keyword + - name: PreviousCreationUtcTime + type: keyword + - name: PreviousTime + type: keyword + - name: PrivilegeList + type: keyword + - name: ProcessId + type: keyword + - name: ProcessName + type: keyword + - name: ProcessPath + type: keyword + - name: ProcessPid + type: keyword + - name: Product + type: keyword + - name: PuaCount + type: keyword + - name: PuaPolicyId + type: keyword + - name: QfeVersion + type: keyword + - name: Reason + type: keyword + - name: SchemaVersion + type: keyword + - name: ScriptBlockText + type: keyword + - name: ServiceName + type: keyword + - name: ServiceVersion + type: keyword + - name: ShutdownActionType + type: keyword + - name: ShutdownEventCode + type: keyword + - name: ShutdownReason + type: keyword + - name: Signature + type: keyword + - name: SignatureStatus + type: keyword + - name: Signed + type: keyword + - name: StartTime + type: keyword + - name: State + type: keyword + - name: Status + type: keyword + - name: StopTime + type: keyword + - name: SubjectDomainName + type: keyword + - name: SubjectLogonId + type: keyword + - name: SubjectUserName + type: keyword + - name: SubjectUserSid + type: keyword + - name: TSId + type: keyword + - name: TargetDomainName + type: keyword + - name: TargetInfo + type: keyword + - name: TargetLogonGuid + type: keyword + - name: TargetLogonId + type: keyword + - name: TargetServerName + type: keyword + - name: TargetUserName + type: keyword + - name: TargetUserSid + type: keyword + - name: TerminalSessionId + type: keyword + - name: TokenElevationType + type: keyword + - name: TransmittedServices + type: keyword + - name: UserSid + type: 
keyword + - name: Version + type: keyword + - name: Workstation + type: keyword + - name: param1 + type: keyword + - name: param2 + type: keyword + - name: param3 + type: keyword + - name: param4 + type: keyword + - name: param5 + type: keyword + - name: param6 + type: keyword + - name: param7 + type: keyword + - name: param8 + type: keyword + - name: event_id + type: keyword + required: true + description: > + The event identifier. The value is specific to the source of the event. + + - name: keywords + type: keyword + required: false + description: > + The keywords are used to classify an event. + + - name: channel + type: keyword + required: true + description: > + The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. + + - name: record_id + type: keyword + required: true + description: > + The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. + + - name: related_activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. + + - name: opcode + type: keyword + required: false + description: > + The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. + + - name: provider_guid + type: keyword + required: false + description: > + A globally unique identifier that identifies the provider that logged the event. + + - name: process.pid + type: long + required: false + description: > + The process_id of the Client Server Runtime Process. 
+ + - name: provider_name + type: keyword + required: true + description: > + The source of the event log record (the application or service that logged the record). + + - name: task + type: keyword + required: false + description: > + The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. + + - name: process.thread.id + type: long + required: false + - name: user_data + type: object + object_type: keyword + required: false + description: > + The event specific data. This field is mutually exclusive with `event_data`. + + - name: user.identifier + type: keyword + required: false + example: S-1-5-21-3541430928-2051711210-1391384369-1001 + description: > + The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. + + - name: user.name + type: keyword + description: > + Name of the user associated with this event. + + - name: user.domain + type: keyword + required: false + description: > + The domain that the account associated with this event is a member of. + + - name: user.type + type: keyword + required: false + description: > + The type of account associated with this event. + + - name: version + type: long + required: false + description: The version number of the event's definition. diff --git a/test/packages/parallel/system/data_stream/application/manifest.yml b/test/packages/parallel/system/data_stream/application/manifest.yml new file mode 100644 index 000000000..aad38959f --- /dev/null +++ b/test/packages/parallel/system/data_stream/application/manifest.yml 
@@ -0,0 +1,80 @@ +type: logs +title: Windows Application Events +streams: + - input: winlog + template_path: winlog.yml.hbs + title: Application + description: 'Collect Windows application logs' + vars: + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: >- + Preserves a raw copy of the original XML event, added to the field `event.original` + type: bool + multi: false + default: false + - name: event_id + type: text + title: Event ID + multi: false + required: false + show_user: false + description: >- + A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 clauses, lower in some situations. See integration documentation for more details. + - name: ignore_older + type: text + title: Ignore events older than + default: 72h + required: false + show_user: false + description: >- + If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + - name: language + type: text + title: Language ID + description: >- + The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. 
E.g.: 0x0409 for en-US + required: false + show_user: false + default: 0 + - name: tags + type: text + title: Tags + multi: true + show_user: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: httpjson + title: Windows Application Events via Splunk Enterprise REST API + description: Collect Application Events via Splunk Enterprise REST API + enabled: false + template_path: httpjson.yml.hbs + vars: + - name: interval + type: text + title: Interval to query Splunk Enterprise REST API + description: Go Duration syntax (eg. 10s) + show_user: true + required: true + default: 10s + - name: search + type: text + title: Splunk search string + show_user: false + required: true + default: "search sourcetype=\"XmlWinEventLog:Application\"" + - name: tags + type: text + title: Tags + multi: true + show_user: false + default: + - forwarded diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log new file mode 100644 index 000000000..391e8c74c --- /dev/null +++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log @@ -0,0 +1,3 @@ +Oct 11 09:10:48 plinode useradd[25494]: failed adding user 'aol', exit code: 4 +Oct 14 16:49:59 dlig userdel[1619336]: delete user 'jce' +Oct 19 12:54:40 plielk0 usermod[7730]: change user 'acris' expiration from '2001-01-01' to '2243-10-16' 
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log-expected.json b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log-expected.json
new file mode 100644
index 000000000..514b2e5d8
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log-expected.json
@@ -0,0 +1,121 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-10-11T09:10:48.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "category": [
+ "iam"
+ ],
+ "kind": "event",
+ "outcome": "failure",
+ "type": [
+ "user",
+ "creation"
+ ]
+ },
+ "host": {
+ "hostname": "plinode"
+ },
+ "message": "failed adding user 'aol', exit code: 4",
+ "process": {
+ "name": "useradd",
+ "pid": 25494
+ },
+ "related": {
+ "hosts": [
+ "plinode"
+ ],
+ "user": [
+ "aol"
+ ]
+ },
+ "system": {
+ "auth": {}
+ },
+ "user": {
+ "name": "aol"
+ }
+ },
+ {
+ "@timestamp": "2023-10-14T16:49:59.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "category": [
+ "iam"
+ ],
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "user",
+ "deletion"
+ ]
+ },
+ "host": {
+ "hostname": "dlig"
+ },
+ "message": "delete user 'jce'",
+ "process": {
+ "name": "userdel",
+ "pid": 1619336
+ },
+ "related": {
+ "hosts": [
+ "dlig"
+ ],
+ "user": [
+ "jce"
+ ]
+ },
+ "system": {
+ "auth": {}
+ },
+ "user": {
+ "name": "jce"
+ }
+ },
+ {
+ "@timestamp": "2023-10-19T12:54:40.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "category": [
+ "iam"
+ ],
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "hostname": "plielk0"
+ },
+ "message": "change user 'acris' expiration from '2001-01-01' to '2243-10-16'",
+ "process": {
+ "name": "usermod",
+ "pid": 7730
+ },
+ "related": {
+ "hosts": [
+ "plielk0"
+ ],
+ "user": [
+ "acris"
+ ]
+ },
+ "system": {
+ "auth": {}
+ },
+ "user": {
+ "name": "acris"
+ }
+ }
+ ]
+}
\ No newline at end of file
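Review bot: The `@timestamp` values in this expected file are pinned to 2023 (`2023-10-11T09:10:48.000Z` and the two after it), while the matching lines in `test-auth-rhel79.log` start with `Oct 11 09:10:48` and carry no year, so the year is presumably supplied by the pipeline at run time. If that is the case, the fixture compares equal only while the inferred year is 2023, and a year-dependent failure in an auth-log test tends to get the assertion relaxed rather than the parsing checked. I would keep the month, day and time asserted and exempt only the year, for example through a `dynamic_fields` entry for `@timestamp` in the pipeline test config, if one is not already defined outside this hunk.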
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log
new file mode 100644
index 000000000..b8cdc1e52
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log
@@ -0,0 +1,122 @@ +Feb 9 21:19:40 precise32 sshd[8317]: subsystem request for sftp by user vagrant +Feb 9 21:19:40 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-lhspyyxxlfzpytwsebjoegenjxyjombo; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/ >/dev/null 2>&1 +Feb 9 21:19:40 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) +Feb 9 21:19:41 precise32 sudo: pam_unix(sudo:session): session closed for user root +Feb 9 21:21:02 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-lwzhcvorajmjyxsrqydafzapoeescwaf; rc=flag; [ -r /etc/metricbeat/metricbeat.yml ] || rc=2; [ -f /etc/metricbeat/metricbeat.yml ] || rc=1; [ -d /etc/metricbeat/metricbeat.yml ] && rc=3; python -V 2>/dev/null || rc=4; [ x"$rc" != "xflag" ] && echo "${rc} "/etc/metricbeat/metricbeat.yml && exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open("'/etc/metricbeat/metricbeat.yml'", "rb")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open("'/etc/metricbeat/metricbeat.yml'", "rb")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (echo '0 +Feb 9 21:21:02 precise32 sudo: vagrant : (command continued) '/etc/metricbeat/metricbeat.yml) +Feb 9 21:21:02 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) +Feb 9 21:21:02 precise32 sudo: pam_unix(sudo:session): session closed for user root +Feb 
22 10:21:42 precise32 sshd[1332]: subsystem request for sftp by user vagrant +Feb 22 10:21:43 sshd[1332]: last message repeated 2 times +Feb 22 10:24:49 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-ippzqmywwjlstxlqlpyxbnzzgeigarma; rc=flag; [ -r /etc/heartbeat/heartbeat.yml ] || rc=2; [ -f /etc/heartbeat/heartbeat.yml ] || rc=1; [ -d /etc/heartbeat/heartbeat.yml ] && rc=3; python -V 2>/dev/null || rc=4; [ x"$rc" != "xflag" ] && echo "${rc} "/etc/heartbeat/heartbeat.yml && exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open("'/etc/heartbeat/heartbeat.yml'", "rb")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open("'/etc/heartbeat/heartbeat.yml'", "rb")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (echo '0 +Feb 22 10:24:49 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) +Feb 22 10:26:52 precise32 sshd[1332]: Received disconnect from 10.0.2.2: 11: disconnected by user +Feb 22 10:26:52 precise32 sshd[1317]: pam_unix(sshd:session): session closed for user vagrant +Feb 22 10:49:54 precise32 sshd[3007]: Accepted publickey for vagrant from 10.0.2.2 port 52059 ssh2 +Feb 22 10:49:54 precise32 sshd[3007]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) +Feb 22 10:50:01 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/vi /etc/apt/sources.list.d/elastic.list +Feb 22 10:50:17 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/apt-get update +Feb 22 10:50:17 precise32 sudo: pam_unix(sudo:session): session 
opened for user root by vagrant(uid=1000) +Feb 22 10:50:28 precise32 sudo: pam_unix(sudo:session): session closed for user root +Feb 22 11:04:28 precise32 sshd[3403]: Accepted publickey for vagrant from 10.0.2.2 port 52321 ssh2 +Feb 22 11:04:28 precise32 sshd[3403]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) +Feb 22 11:04:32 precise32 sshd[3418]: Received disconnect from 10.0.2.2: 11: disconnected by user +Feb 22 11:04:32 precise32 sshd[3403]: pam_unix(sshd:session): session closed for user vagrant +Feb 22 11:17:01 precise32 CRON[3448]: pam_unix(cron:session): session opened for user root by (uid=0) +Feb 22 11:17:01 precise32 CRON[3448]: pam_unix(cron:session): session closed for user root +Feb 22 11:21:21 precise32 sshd[3452]: Accepted publickey for vagrant from 10.0.2.2 port 52747 ssh2 +Feb 22 11:21:21 precise32 sshd[3452]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) +Feb 22 11:21:24 precise32 sshd[3467]: Received disconnect from 10.0.2.2: 11: disconnected by user +Feb 22 11:21:24 precise32 sshd[3452]: pam_unix(sshd:session): session closed for user vagrant +Feb 22 11:24:43 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/vi /etc/filebeat/filebeat.full.yml +Feb 22 11:24:43 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) +Feb 22 23:17:01 precise32 CRON[3760]: pam_unix(cron:session): session opened for user root by (uid=0) +Feb 22 23:17:01 precise32 CRON[3760]: pam_unix(cron:session): session closed for user root +Feb 22 23:29:50 precise32 sudo: pam_unix(sudo:session): session closed for user root +Feb 22 23:29:50 precise32 sshd[3007]: pam_unix(sshd:session): session closed for user vagrant +Feb 23 19:17:01 precise32 CRON[3938]: pam_unix(cron:session): session opened for user root by (uid=0) +Feb 23 19:17:01 precise32 CRON[3938]: pam_unix(cron:session): session closed for user root +Feb 23 19:26:35 precise32 sshd[3945]: Accepted publickey 
for vagrant from 10.0.2.2 port 58363 ssh2 +Feb 23 19:26:35 precise32 sshd[3945]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) +Feb 23 20:05:18 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log +Feb 23 20:05:18 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) +Feb 23 20:15:04 precise32 sudo: pam_unix(sudo:session): session closed for user root +Feb 23 20:15:09 precise32 sshd[3960]: Received disconnect from 10.0.2.2: 11: disconnected by user +Feb 23 20:15:09 precise32 sshd[3945]: pam_unix(sshd:session): session closed for user vagrant +Feb 23 23:17:01 precise32 CRON[4170]: pam_unix(cron:session): session opened for user root by (uid=0) +Feb 23 23:17:01 precise32 CRON[4170]: pam_unix(cron:session): session closed for user root +Feb 24 00:11:15 precise32 sshd[4185]: Accepted publickey for vagrant from 10.0.2.2 port 60839 ssh2 +Feb 24 00:11:15 precise32 sshd[4185]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) +Feb 24 00:11:24 precise32 sshd[4302]: Accepted publickey for vagrant from 10.0.2.2 port 60840 ssh2 +Feb 24 00:11:24 precise32 sshd[4302]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) +Feb 24 00:11:26 precise32 sudo: vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash +Feb 24 00:11:26 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) +Feb 24 00:12:02 precise32 groupadd[4480]: group added to /etc/group: name=tsg, GID=1003 +Feb 24 00:12:02 precise32 groupadd[4480]: group added to /etc/gshadow: name=tsg +Feb 24 00:12:02 precise32 groupadd[4480]: new group: name=tsg, GID=1003 +Feb 24 00:12:02 precise32 useradd[4484]: new user: name=tsg, UID=1001, GID=1003, home=/home/tsg, shell=/bin/bash +Feb 24 00:12:07 precise32 passwd[4491]: pam_unix(passwd:chauthtok): password changed for tsg +Feb 24 00:12:10 precise32 chfn[4492]: changed user 'tsg' 
information +Feb 24 00:12:14 precise32 su[4496]: Successful su for tsg by root +Feb 24 00:12:14 precise32 su[4496]: + /dev/pts/1 root:tsg +Feb 24 00:12:14 precise32 su[4496]: pam_unix(su:session): session opened for user tsg by vagrant(uid=0) +Feb 24 00:12:20 precise32 sudo: pam_unix(sudo:auth): authentication failure; logname=vagrant uid=1001 euid=0 tty=/dev/pts/1 ruser=tsg rhost= user=tsg +Feb 24 00:12:37 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log +Feb 24 00:12:37 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) +Feb 24 00:12:37 precise32 sudo: pam_unix(sudo:session): session closed for user root +Feb 24 00:12:42 precise32 sudo: tsg : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/ls +Feb 24 00:12:42 precise32 sudo: unable to execute /usr/sbin/sendmail: No such file or directory +Feb 24 00:12:50 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log +Feb 24 00:12:50 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) +Feb 24 00:12:50 precise32 sudo: pam_unix(sudo:session): session closed for user root +Feb 24 00:13:02 precise32 sudo: tsg : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/ls +Feb 24 00:13:02 precise32 sudo: unable to execute /usr/sbin/sendmail: No such file or directory +Feb 24 00:13:06 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log +Feb 24 00:13:06 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) +Feb 24 00:13:06 precise32 sudo: pam_unix(sudo:session): session closed for user root +Feb 24 00:17:01 precise32 CRON[4588]: pam_unix(cron:session): session opened for user root by (uid=0) +Feb 24 00:17:01 precise32 CRON[4588]: pam_unix(cron:session): session closed for user root +Feb 24 00:45:47 
precise32 su[4496]: pam_unix(su:session): session closed for user tsg
+Feb 24 00:45:48 precise32 sudo: pam_unix(sudo:session): session closed for user root
+Feb 24 00:45:49 precise32 sshd[4317]: Received disconnect from 10.0.2.2: 11: disconnected by user
+Feb 24 00:45:49 precise32 sshd[4302]: pam_unix(sshd:session): session closed for user vagrant
+Feb 24 00:46:32 precise32 sshd[4598]: Accepted publickey for vagrant from 10.0.2.2 port 61852 ssh2
+Feb 24 00:46:32 precise32 sshd[4598]: pam_unix(sshd:session): session opened for user vagrant by (uid=0)
+Feb 24 00:46:32 precise32 sshd[4613]: Received disconnect from 10.0.2.2: 11: disconnected by user
+Feb 24 00:46:32 precise32 sshd[4598]: pam_unix(sshd:session): session closed for user vagrant
+Feb 24 01:05:42 precise32 sshd[4185]: pam_unix(sshd:session): session closed for user vagrant
+Feb 24 08:17:01 precise32 CRON[4626]: pam_unix(cron:session): session opened for user root by (uid=0)
+Feb 24 08:17:01 precise32 CRON[4626]: pam_unix(cron:session): session closed for user root
+Feb 24 09:17:01 precise32 CRON[4642]: pam_unix(cron:session): session opened for user root by (uid=0)
+Feb 24 09:17:01 precise32 CRON[4642]: pam_unix(cron:session): session closed for user root
+Feb 24 09:18:35 precise32 sshd[4645]: Accepted publickey for vagrant from 10.0.2.2 port 53513 ssh2
+Feb 24 09:18:35 precise32 sshd[4645]: pam_unix(sshd:session): session opened for user vagrant by (uid=0)
+Feb 24 09:18:40 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/apt-get install nginx
+Feb 24 09:18:40 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)
+Feb 24 09:18:46 precise32 sudo: pam_unix(sudo:session): session closed for user root
+Feb 24 09:18:53 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
+Feb 24 09:18:53 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)
+Feb 24
09:18:53 precise32 sudo: pam_unix(sudo:session): session closed for user root
+Feb 24 09:19:04 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
+Feb 24 09:19:04 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)
+Feb 24 09:19:04 precise32 sudo: pam_unix(sudo:session): session closed for user root
+Feb 24 09:19:09 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
+Feb 24 09:19:09 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)
+Feb 24 09:19:09 precise32 sudo: pam_unix(sudo:session): session closed for user root
+Feb 24 09:19:29 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/apt-get install mysql-server
+Feb 24 09:19:29 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)
+Feb 24 09:19:55 precise32 groupadd[7996]: group added to /etc/group: name=mysql, GID=111
+Feb 24 09:19:55 precise32 groupadd[7996]: group added to /etc/gshadow: name=mysql
+Feb 24 09:19:55 precise32 groupadd[7996]: new group: name=mysql, GID=111
+Feb 24 09:19:55 precise32 useradd[8002]: new user: name=mysql, UID=106, GID=111, home=/nonexistent, shell=/bin/false
+Feb 24 09:19:55 precise32 chage[8007]: changed password expiry for mysql
+Feb 24 09:19:55 precise32 chfn[8010]: changed user 'mysql' information
+Feb 24 09:20:08 precise32 sudo: pam_unix(sudo:session): session closed for user root
+Feb 24 09:20:10 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
+Feb 24 09:20:10 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)
+Feb 24 09:20:10 precise32 sudo: pam_unix(sudo:session): session closed for user root
+Feb 24 09:26:29 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
+Feb 24 09:26:29
precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)
+Feb 24 09:26:29 precise32 sudo: pam_unix(sudo:session): session closed for user root
+Feb 24 09:26:59 precise32 sshd[10535]: Accepted publickey for vagrant from 10.0.2.2 port 58988 ssh2
+Feb 24 09:26:59 precise32 sshd[10535]: pam_unix(sshd:session): session opened for user vagrant by (uid=0)
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-config.yml b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-config.yml
new file mode 100644
index 000000000..98cc18212
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-config.yml
@@ -0,0 +1,5 @@
+fields:
+ event.timezone: "+0000"
+dynamic_fields:
+ event.ingested: "^.*$"
+ "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}Z$"
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json
new file mode 100644
index 000000000..bee9bd62b
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json
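Review bot: The `event.ingested: "^.*$"` entry under `dynamic_fields` in test-auth-ubuntu1204.log-config.yml accepts any string, including an empty one, so the pipeline test asserts nothing about that field's format, while the `@timestamp` pattern on the next line is strict. If the ingest timestamp has a stable shape in this pipeline (not visible in this hunk, so to be confirmed), a pattern such as `event.ingested: "^[0-9]{4}(-[0-9]{2}){2}T.*Z$"` would catch a malformed value in these auth-event fixtures. The file would also benefit from a one-line comment saying why `@timestamp` is dynamic, e.g. `# syslog lines carry no year, so @timestamp varies with the run date`, which is what the year-less fixture lines and the 2023 values in the expected file suggest.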
@@ -0,0 +1,4348 @@ +{ + "expected": [ + { + "@timestamp": "2023-02-09T21:19:40.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "subsystem request for sftp by user vagrant", + "process": { + "name": "sshd", + "pid": 8317 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-09T21:19:40.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/sh -c echo BECOME-SUCCESS-lhspyyxxlfzpytwsebjoegenjxyjombo; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/ \u003e/dev/null 2\u003e\u00261", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-09T21:19:40.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-09T21:19:41.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": 
{ + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-09T21:21:02.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/sh -c echo BECOME-SUCCESS-lwzhcvorajmjyxsrqydafzapoeescwaf; rc=flag; [ -r /etc/metricbeat/metricbeat.yml ] || rc=2; [ -f /etc/metricbeat/metricbeat.yml ] || rc=1; [ -d /etc/metricbeat/metricbeat.yml ] \u0026\u0026 rc=3; python -V 2\u003e/dev/null || rc=4; [ x\"$rc\" != \"xflag\" ] \u0026\u0026 echo \"${rc} \"/etc/metricbeat/metricbeat.yml \u0026\u0026 exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (echo '0", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-09T21:21:02.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": 
"precise32" + }, + "message": "vagrant : (command continued) '/etc/metricbeat/metricbeat.yml)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-09T21:21:02.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-09T21:21:02.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-22T10:21:42.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "subsystem request for sftp by user vagrant", + "process": { + "name": "sshd", + "pid": 1332 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-22T10:21:43.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "message": "last message repeated 2 times", + "process": { + "name": "sshd", + "pid": 1332 + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-22T10:24:49.000Z", + "ecs": { + "version": 
"8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/sh -c echo BECOME-SUCCESS-ippzqmywwjlstxlqlpyxbnzzgeigarma; rc=flag; [ -r /etc/heartbeat/heartbeat.yml ] || rc=2; [ -f /etc/heartbeat/heartbeat.yml ] || rc=1; [ -d /etc/heartbeat/heartbeat.yml ] \u0026\u0026 rc=3; python -V 2\u003e/dev/null || rc=4; [ x\"$rc\" != \"xflag\" ] \u0026\u0026 echo \"${rc} \"/etc/heartbeat/heartbeat.yml \u0026\u0026 exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open(\"'/etc/heartbeat/heartbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open(\"'/etc/heartbeat/heartbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (echo '0", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-22T10:24:49.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + 
"@timestamp": "2023-02-22T10:26:52.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", + "process": { + "name": "sshd", + "pid": 1332 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-22T10:26:52.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session closed for user vagrant", + "process": { + "name": "sshd", + "pid": 1317 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-22T10:49:54.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "info" + ] + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sshd", + "pid": 3007 + }, + "related": { + "hosts": [ + "precise32" + ], + "ip": [ + "10.0.2.2" + ], + "user": [ + "vagrant" + ] + }, + "source": { + "address": "10.0.2.2", + "ip": "10.0.2.2", + "port": 52059 + }, + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-22T10:49:54.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "process": { + "name": "sshd", + "pid": 3007 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { 
+ "effective": { + "name": "vagrant" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-22T10:50:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/usr/bin/vi /etc/apt/sources.list.d/elastic.list", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-22T10:50:17.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/usr/bin/apt-get update", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-22T10:50:17.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-22T10:50:28.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + 
"name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-22T11:04:28.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "info" + ] + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sshd", + "pid": 3403 + }, + "related": { + "hosts": [ + "precise32" + ], + "ip": [ + "10.0.2.2" + ], + "user": [ + "vagrant" + ] + }, + "source": { + "address": "10.0.2.2", + "ip": "10.0.2.2", + "port": 52321 + }, + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-22T11:04:28.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "process": { + "name": "sshd", + "pid": 3403 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "vagrant" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-22T11:04:32.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", + "process": { + "name": "sshd", + "pid": 3418 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-22T11:04:32.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": 
"pam_unix(sshd:session): session closed for user vagrant", + "process": { + "name": "sshd", + "pid": 3403 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-22T11:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", + "process": { + "name": "CRON", + "pid": 3448 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-22T11:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session closed for user root", + "process": { + "name": "CRON", + "pid": 3448 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-22T11:21:21.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "info" + ] + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sshd", + "pid": 3452 + }, + "related": { + "hosts": [ + "precise32" + ], + "ip": [ + "10.0.2.2" + ], + "user": [ + "vagrant" + ] + }, + "source": { + "address": "10.0.2.2", + "ip": "10.0.2.2", + "port": 52747 + }, + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-22T11:21:21.000Z", + "ecs": { + "version": 
"8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "process": { + "name": "sshd", + "pid": 3452 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "vagrant" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-22T11:21:24.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", + "process": { + "name": "sshd", + "pid": 3467 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-22T11:21:24.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session closed for user vagrant", + "process": { + "name": "sshd", + "pid": 3452 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-22T11:24:43.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/usr/bin/vi /etc/filebeat/filebeat.full.yml", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-22T11:24:43.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", 
+ "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-22T23:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", + "process": { + "name": "CRON", + "pid": 3760 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-22T23:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session closed for user root", + "process": { + "name": "CRON", + "pid": 3760 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-22T23:29:50.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-22T23:29:50.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": 
"precise32" + }, + "message": "pam_unix(sshd:session): session closed for user vagrant", + "process": { + "name": "sshd", + "pid": 3007 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-23T19:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", + "process": { + "name": "CRON", + "pid": 3938 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-23T19:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session closed for user root", + "process": { + "name": "CRON", + "pid": 3938 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-23T19:26:35.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "info" + ] + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sshd", + "pid": 3945 + }, + "related": { + "hosts": [ + "precise32" + ], + "ip": [ + "10.0.2.2" + ], + "user": [ + "vagrant" + ] + }, + "source": { + "address": "10.0.2.2", + "ip": "10.0.2.2", + "port": 58363 + }, + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": 
"2023-02-23T19:26:35.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "process": { + "name": "sshd", + "pid": 3945 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "vagrant" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-23T20:05:18.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/usr/bin/less /var/log/auth.log", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-23T20:05:18.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-23T20:15:04.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + 
"user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-23T20:15:09.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", + "process": { + "name": "sshd", + "pid": 3960 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-23T20:15:09.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session closed for user vagrant", + "process": { + "name": "sshd", + "pid": 3945 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-23T23:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", + "process": { + "name": "CRON", + "pid": 4170 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-23T23:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session closed for user root", + "process": { + "name": "CRON", + "pid": 4170 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-24T00:11:15.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + 
"category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "info" + ] + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sshd", + "pid": 4185 + }, + "related": { + "hosts": [ + "precise32" + ], + "ip": [ + "10.0.2.2" + ], + "user": [ + "vagrant" + ] + }, + "source": { + "address": "10.0.2.2", + "ip": "10.0.2.2", + "port": 60839 + }, + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T00:11:15.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "process": { + "name": "sshd", + "pid": 4185 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "vagrant" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-24T00:11:24.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "info" + ] + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sshd", + "pid": 4302 + }, + "related": { + "hosts": [ + "precise32" + ], + "ip": [ + "10.0.2.2" + ], + "user": [ + "vagrant" + ] + }, + "source": { + "address": "10.0.2.2", + "ip": "10.0.2.2", + "port": 60840 + }, + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T00:11:24.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": 
"pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "process": { + "name": "sshd", + "pid": 4302 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "vagrant" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-24T00:11:26.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/bash", + "pwd": "/home/vagrant", + "tty": "pts/1", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T00:11:26.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T00:12:02.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "iam" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "group", + "creation" + ] + }, + "host": { + "hostname": "precise32" + }, + "message": "group added to /etc/group: name=tsg, GID=1003", + "process": { + "name": "groupadd", + "pid": 4480 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-24T00:12:02.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "iam" + ], 
+ "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "group", + "creation" + ] + }, + "host": { + "hostname": "precise32" + }, + "message": "group added to /etc/gshadow: name=tsg", + "process": { + "name": "groupadd", + "pid": 4480 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-24T00:12:02.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "iam" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "1003", + "name": "tsg" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "groupadd", + "pid": 4480 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-24T00:12:02.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "iam" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "user", + "creation" + ] + }, + "group": { + "id": "1003" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "useradd", + "pid": 4484 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "tsg" + ] + }, + "system": { + "auth": { + "useradd": { + "home": "/home/tsg", + "shell": "/bin/bash" + } + } + }, + "user": { + "id": "1001", + "name": "tsg" + } + }, + { + "@timestamp": "2023-02-24T00:12:07.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(passwd:chauthtok): password changed for tsg", + "process": { + "name": "passwd", + "pid": 4491 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-24T00:12:10.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": 
"precise32" + }, + "message": "changed user 'tsg' information", + "process": { + "name": "chfn", + "pid": 4492 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "tsg" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "tsg" + } + }, + { + "@timestamp": "2023-02-24T00:12:14.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "Successful su for tsg by root", + "process": { + "name": "su", + "pid": 4496 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-24T00:12:14.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "+ /dev/pts/1 root:tsg", + "process": { + "name": "su", + "pid": 4496 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-24T00:12:14.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(su:session): session opened for user tsg by vagrant(uid=0)", + "process": { + "name": "su", + "pid": 4496 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "tsg" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "tsg" + }, + "id": "0", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T00:12:20.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:auth): authentication failure; logname=vagrant uid=1001 euid=0 tty=/dev/pts/1 ruser=tsg rhost= user=tsg", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": 
"2023-02-24T00:12:37.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/cat /var/log/auth.log", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T00:12:37.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T00:12:37.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-24T00:12:42.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "tsg", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/ls", + "error": "3 incorrect password attempts", + "pwd": "/home/vagrant", + "tty": "pts/1", + "user": "root" + } + } + }, + 
"user": { + "effective": { + "name": "root" + }, + "name": "tsg" + } + }, + { + "@timestamp": "2023-02-24T00:12:42.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "unable to execute /usr/sbin/sendmail: No such file or directory", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-24T00:12:50.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/cat /var/log/auth.log", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T00:12:50.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T00:12:50.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + 
"@timestamp": "2023-02-24T00:13:02.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "tsg", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/ls", + "error": "user NOT in sudoers", + "pwd": "/home/vagrant", + "tty": "pts/1", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "tsg" + } + }, + { + "@timestamp": "2023-02-24T00:13:02.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "unable to execute /usr/sbin/sendmail: No such file or directory", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-24T00:13:06.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/cat /var/log/auth.log", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T00:13:06.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + 
"name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T00:13:06.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-24T00:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", + "process": { + "name": "CRON", + "pid": 4588 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-24T00:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session closed for user root", + "process": { + "name": "CRON", + "pid": 4588 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-24T00:45:47.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(su:session): session closed for user tsg", + "process": { + "name": "su", + "pid": 4496 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "tsg" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "tsg" + } + }, + { + "@timestamp": "2023-02-24T00:45:48.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": 
"event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-24T00:45:49.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", + "process": { + "name": "sshd", + "pid": 4317 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-24T00:45:49.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session closed for user vagrant", + "process": { + "name": "sshd", + "pid": 4302 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T00:46:32.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "info" + ] + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sshd", + "pid": 4598 + }, + "related": { + "hosts": [ + "precise32" + ], + "ip": [ + "10.0.2.2" + ], + "user": [ + "vagrant" + ] + }, + "source": { + "address": "10.0.2.2", + "ip": "10.0.2.2", + "port": 61852 + }, + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T00:46:32.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": 
"event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "process": { + "name": "sshd", + "pid": 4598 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "vagrant" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-24T00:46:32.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", + "process": { + "name": "sshd", + "pid": 4613 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-24T00:46:32.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session closed for user vagrant", + "process": { + "name": "sshd", + "pid": 4598 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T01:05:42.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session closed for user vagrant", + "process": { + "name": "sshd", + "pid": 4185 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T08:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session opened for user root 
by (uid=0)", + "process": { + "name": "CRON", + "pid": 4626 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-24T08:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session closed for user root", + "process": { + "name": "CRON", + "pid": 4626 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-24T09:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", + "process": { + "name": "CRON", + "pid": 4642 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-24T09:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session closed for user root", + "process": { + "name": "CRON", + "pid": 4642 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-24T09:18:35.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "info" + ] + }, + "host": { + "hostname": "precise32" + }, 
+ "process": { + "name": "sshd", + "pid": 4645 + }, + "related": { + "hosts": [ + "precise32" + ], + "ip": [ + "10.0.2.2" + ], + "user": [ + "vagrant" + ] + }, + "source": { + "address": "10.0.2.2", + "ip": "10.0.2.2", + "port": 53513 + }, + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T09:18:35.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "process": { + "name": "sshd", + "pid": 4645 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "vagrant" + }, + "id": "0", + "name": "" + } + }, + { + "@timestamp": "2023-02-24T09:18:40.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/usr/bin/apt-get install nginx", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T09:18:40.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + 
"@timestamp": "2023-02-24T09:18:46.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-24T09:18:53.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/cat /var/log/auth.log", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T09:18:53.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T09:18:53.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": 
"2023-02-24T09:19:04.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/cat /var/log/auth.log", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T09:19:04.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T09:19:04.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-24T09:19:09.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/cat /var/log/auth.log", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { 
+ "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T09:19:09.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T09:19:09.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-24T09:19:29.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/usr/bin/apt-get install mysql-server", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T09:19:29.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": 
{ + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T09:19:55.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "iam" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "group", + "creation" + ] + }, + "host": { + "hostname": "precise32" + }, + "message": "group added to /etc/group: name=mysql, GID=111", + "process": { + "name": "groupadd", + "pid": 7996 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-24T09:19:55.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "iam" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "group", + "creation" + ] + }, + "host": { + "hostname": "precise32" + }, + "message": "group added to /etc/gshadow: name=mysql", + "process": { + "name": "groupadd", + "pid": 7996 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-24T09:19:55.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "iam" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "111", + "name": "mysql" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "groupadd", + "pid": 7996 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-24T09:19:55.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "iam" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "user", + "creation" + ] + }, + "group": { + "id": "111" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "useradd", + "pid": 8002 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "mysql" + ] + 
}, + "system": { + "auth": { + "useradd": { + "home": "/nonexistent", + "shell": "/bin/false" + } + } + }, + "user": { + "id": "106", + "name": "mysql" + } + }, + { + "@timestamp": "2023-02-24T09:19:55.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "changed password expiry for mysql", + "process": { + "name": "chage", + "pid": 8007 + }, + "related": { + "hosts": [ + "precise32" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-24T09:19:55.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "changed user 'mysql' information", + "process": { + "name": "chfn", + "pid": 8010 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "mysql" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "mysql" + } + }, + { + "@timestamp": "2023-02-24T09:20:08.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-24T09:20:10.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/cat /var/log/auth.log", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": 
"2023-02-24T09:20:10.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T09:20:10.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-24T09:26:29.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/cat /var/log/auth.log", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T09:26:29.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": 
"1000", + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T09:26:29.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-24T09:26:59.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "info" + ] + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sshd", + "pid": 10535 + }, + "related": { + "hosts": [ + "precise32" + ], + "ip": [ + "10.0.2.2" + ], + "user": [ + "vagrant" + ] + }, + "source": { + "address": "10.0.2.2", + "ip": "10.0.2.2", + "port": 58988 + }, + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T09:26:59.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", + "process": { + "name": "sshd", + "pid": 10535 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "vagrant" + }, + "id": "0", + "name": "" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log new file mode 100644 index 000000000..1c5c96b3c --- /dev/null 
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log
@@ -0,0 +1,11 @@
+Feb 21 21:54:44 localhost sshd[3402]: Accepted publickey for vagrant from 10.0.2.2 port 63673 ssh2: RSA 39:33:99:e9:a0:dc:f2:33:a3:e5:72:3b:7c:3a:56:84
+Feb 23 00:13:35 localhost sshd[7483]: Accepted password for vagrant from 192.168.33.1 port 58803 ssh2
+Feb 21 21:56:12 localhost sshd[3430]: Invalid user test from 10.0.2.2
+Feb 20 08:35:22 slave22 sshd[5774]: Failed password for root from 89.160.20.156 port 29160 ssh2
+Feb 21 23:35:33 localhost sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/ls
+Feb 19 15:30:04 slave22 sshd[18406]: Did not receive identification string from 89.160.20.156
+Feb 23 00:08:48 localhost sudo: vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/secure
+Feb 24 00:13:02 precise32 sudo: tsg : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/ls
+Feb 22 11:47:05 localhost groupadd[6991]: new group: name=apache, GID=48
+Feb 22 11:47:05 localhost useradd[6995]: new user: name=apache, UID=48, GID=48, home=/usr/share/httpd, shell=/sbin/nologin
+Feb 22 12:53:50 localhost-machine sshd[10161]: error: PAM: User not known to the underlying authentication module for illegal user test from test.example.com
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log-config.yml b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log-config.yml
new file mode 100644
index 000000000..98cc18212
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log-config.yml
@@ -0,0 +1,5 @@
+fields:
+ event.timezone: "+0000"
+dynamic_fields:
+ event.ingested: "^.*$"
+ "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}Z$"
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json new file mode 100644 index 000000000..29efbed6f --- /dev/null +++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json 
@@ -0,0 +1,532 @@ +{ + "expected": [ + { + "@timestamp": "2023-02-21T21:54:44.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "process": { + "name": "sshd", + "pid": 3402 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "10.0.2.2" + ], + "user": [ + "vagrant" + ] + }, + "source": { + "address": "10.0.2.2", + "ip": "10.0.2.2", + "port": 63673 + }, + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey", + "signature": "RSA 39:33:99:e9:a0:dc:f2:33:a3:e5:72:3b:7c:3a:56:84" + } + } + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-23T00:13:35.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "process": { + "name": "sshd", + "pid": 7483 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "192.168.33.1" + ], + "user": [ + "vagrant" + ] + }, + "source": { + "address": "192.168.33.1", + "ip": "192.168.33.1", + "port": 58803 + }, + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "password" + } + } + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-21T21:56:12.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "timezone": "+0000", + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "process": { + "name": "sshd", + "pid": 3430 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "10.0.2.2" + ], + "user": [ + "test" + ] + }, + "source": { + "address": 
"10.0.2.2", + "ip": "10.0.2.2" + }, + "system": { + "auth": { + "ssh": { + "event": "Invalid" + } + } + }, + "user": { + "name": "test" + } + }, + { + "@timestamp": "2023-02-20T08:35:22.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "timezone": "+0000", + "type": [ + "info" + ] + }, + "host": { + "hostname": "slave22" + }, + "process": { + "name": "sshd", + "pid": 5774 + }, + "related": { + "hosts": [ + "slave22" + ], + "ip": [ + "89.160.20.156" + ], + "user": [ + "root" + ] + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 29160 + }, + "system": { + "auth": { + "ssh": { + "event": "Failed", + "method": "password" + } + } + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-21T23:35:33.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "localhost" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "localhost" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/ls", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-19T15:30:04.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "slave22" + }, + "process": { + "name": "sshd", + "pid": 18406 + }, + "related": { + "hosts": [ + "slave22" + ], + "ip": [ + 
"89.160.20.156" + ] + }, + "source": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156" + }, + "system": { + "auth": { + "ssh": { + "dropped_ip": "89.160.20.156" + } + } + } + }, + { + "@timestamp": "2023-02-23T00:08:48.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "localhost" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "localhost" + ], + "user": [ + "vagrant", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/cat /var/log/secure", + "pwd": "/home/vagrant", + "tty": "pts/1", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { + "@timestamp": "2023-02-24T00:13:02.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "tsg", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/ls", + "error": "user NOT in sudoers", + "pwd": "/home/vagrant", + "tty": "pts/1", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "tsg" + } + }, + { + "@timestamp": "2023-02-22T11:47:05.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "iam" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "48", + "name": "apache" + }, + "host": { + "hostname": "localhost" + }, + "process": { + "name": "groupadd", + "pid": 6991 + }, + "related": { + 
"hosts": [ + "localhost" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-22T11:47:05.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "iam" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "user", + "creation" + ] + }, + "group": { + "id": "48" + }, + "host": { + "hostname": "localhost" + }, + "process": { + "name": "useradd", + "pid": 6995 + }, + "related": { + "hosts": [ + "localhost" + ], + "user": [ + "apache" + ] + }, + "system": { + "auth": { + "useradd": { + "home": "/usr/share/httpd", + "shell": "/sbin/nologin" + } + } + }, + "user": { + "id": "48", + "name": "apache" + } + }, + { + "@timestamp": "2023-02-22T12:53:50.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "localhost-machine" + }, + "process": { + "name": "sshd", + "pid": 10161 + }, + "related": { + "hosts": [ + "localhost-machine" + ], + "user": [ + "test" + ] + }, + "source": { + "address": "test.example.com", + "domain": "test.example.com" + }, + "system": { + "auth": { + "ssh": { + "event": "error: PAM: User not known to the underlying authentication module for illegal" + } + } + }, + "user": { + "name": "test" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log new file mode 100644 index 000000000..408cdbf8e --- /dev/null +++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log @@ -0,0 +1,3 @@ +May 21 21:54:44 localhost foo[1234]: This message + spans multiple lines. +May 21 21:54:45 localhost foo[1234]: Single-line message. \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-config.yml b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-config.yml new file mode 100644 index 000000000..08132afc4 --- /dev/null +++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-config.yml @@ -0,0 +1,7 @@ +dynamic_fields: + "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}" +fields: + event.timezone: "+0000" +multiline: + # Pattern to match what is configured in log.yml.hbs. + first_line_pattern: '^[^\s]' diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-expected.json b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-expected.json new file mode 100644 index 000000000..b741b6644 --- /dev/null +++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-expected.json @@ -0,0 +1,56 @@ +{ + "expected": [ + { + "@timestamp": "2023-05-21T21:54:44.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "localhost" + }, + "message": "This message\n spans multiple lines.", + "process": { + "name": "foo", + "pid": 1234 + }, + "related": { + "hosts": [ + "localhost" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-05-21T21:54:45.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "localhost" + }, + "message": "Single-line message.", + "process": { + "name": "foo", + "pid": 1234 + }, + "related": { + "hosts": [ + "localhost" + ] + }, + "system": { + "auth": {} + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log
new file mode 100644
index 000000000..f22060fef
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log
@@ -0,0 +1,7 @@
+Feb 22 16:45:20 slave22 sshd[2738]: Failed password for root from 89.160.20.156 port 1786 ssh2
+Feb 22 16:45:20 slave22 sshd[2738]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
+Feb 22 16:45:26 slave22 sshd[2738]: fatal: Read from socket failed: Connection reset by peer [preauth]
+Feb 22 16:45:26 slave22 sshd[2738]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root
+Feb 22 16:45:26 slave22 sshd[2738]: PAM service(sshd) ignoring max retries; 5 > 3
+Feb 22 16:45:32 slave22 sshd[2742]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root
+Feb 22 17:04:51 slave22 sudo: tsg : TTY=pts/0 ; PWD=/home/tsg ; USER=root ; COMMAND=/bin/cp /var/log/secure .
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-config.yml b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-config.yml
new file mode 100644
index 000000000..98cc18212
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-config.yml
@@ -0,0 +1,5 @@
+fields:
+ event.timezone: "+0000"
+dynamic_fields:
+ event.ingested: "^.*$"
+ "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}Z$"
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json
new file mode 100644
index 000000000..81a77f6f1
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json 
@@ -0,0 +1,251 @@ +{ + "expected": [ + { + "@timestamp": "2023-02-22T16:45:20.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "timezone": "+0000", + "type": [ + "info" + ] + }, + "host": { + "hostname": "slave22" + }, + "process": { + "name": "sshd", + "pid": 2738 + }, + "related": { + "hosts": [ + "slave22" + ], + "ip": [ + "89.160.20.156" + ], + "user": [ + "root" + ] + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 1786 + }, + "system": { + "auth": { + "ssh": { + "event": "Failed", + "method": "password" + } + } + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-22T16:45:20.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "slave22" + }, + "message": "pam_succeed_if(sshd:auth): requirement \"uid \u003e= 1000\" not met by user \"root\"", + "process": { + "name": "sshd", + "pid": 2738 + }, + "related": { + "hosts": [ + "slave22" + ], + "user": [ + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2023-02-22T16:45:26.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "slave22" + }, + "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", + "process": { + "name": "sshd", + "pid": 2738 + }, + "related": { + "hosts": [ + "slave22" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-22T16:45:26.000Z", + "ecs": 
{ + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "slave22" + }, + "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root", + "process": { + "name": "sshd", + "pid": 2738 + }, + "related": { + "hosts": [ + "slave22" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-22T16:45:26.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "slave22" + }, + "message": "PAM service(sshd) ignoring max retries; 5 \u003e 3", + "process": { + "name": "sshd", + "pid": 2738 + }, + "related": { + "hosts": [ + "slave22" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-22T16:45:32.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "slave22" + }, + "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root", + "process": { + "name": "sshd", + "pid": 2742 + }, + "related": { + "hosts": [ + "slave22" + ] + }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2023-02-22T17:04:51.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "slave22" + }, + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "slave22" + ], + "user": [ + "tsg", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/cp /var/log/secure .", + "pwd": "/home/tsg", + "tty": "pts/0", + "user": "root" + } + } + }, + "user": { + "effective": { + "name": "root" + }, + "name": "tsg" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log
new file mode 100644
index 000000000..f1ab57f9e
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log
@@ -0,0 +1,2 @@
+2019-06-14T10:40:20.912134 localhost sudo: pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)
+2019-06-14T13:01:15.412+01:30 localhost pam: user nobody logged out.
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-config.yml b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-config.yml
new file mode 100644
index 000000000..20ac5d8e3
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-config.yml
@@ -0,0 +1,4 @@
+fields:
+ event.timezone: "+0000"
+dynamic_fields:
+ event.ingested: ".*"
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json
new file mode 100644
index 000000000..c330599fb
--- /dev/null
@@ -0,0 +1,65 @@ +{ + "expected": [ + { + "@timestamp": "2019-06-14T10:40:20.912Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "localhost" + }, + "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)", + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "localhost" + ], + "user": [ + "userauth3", + "root" + ] + }, + "system": { + "auth": {} + }, + "user": { + "effective": { + "name": "root" + }, + "id": "0", + "name": "userauth3" + } + }, + { + "@timestamp": "2019-06-14T11:31:15.412Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "localhost" + }, + "message": "user nobody logged out.", + "process": { + "name": "pam" + }, + "related": { + "hosts": [ + "localhost" + ] + }, + "system": { + "auth": {} + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/auth/agent/stream/log.yml.hbs b/test/packages/parallel/system/data_stream/auth/agent/stream/log.yml.hbs new file mode 100644 index 000000000..184333c45 --- /dev/null +++ b/test/packages/parallel/system/data_stream/auth/agent/stream/log.yml.hbs @@ -0,0 +1,30 @@ +{{#if ignore_older}} +ignore_older: {{ignore_older}} +{{/if}} +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] + +multiline: + pattern: "^\\s" + match: after + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} + +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/test/packages/parallel/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 000000000..35a7e44fb --- /dev/null +++ b/test/packages/parallel/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,237 @@ +--- +description: Pipeline for parsing system authorization and secure logs. +processors: + - rename: + if: ctx.event?.original == null + field: message + target_field: event.original + ignore_missing: true + - grok: + description: Grok the message header. + tag: grok-message-header + field: event.original + pattern_definitions: + GREEDYMULTILINE: '(.|\n)*' + TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP}) + patterns: + - '^%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:%{SPACE}%{GREEDYMULTILINE:_temp.message}$' + - grok: + description: Grok specific auth messages. + tag: grok-specific-messages + field: _temp.message + ignore_missing: true + patterns: + - '^%{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user)?%{DATA:user.name} from %{IPORHOST:source.address} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?' + - '^%{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.address}' + - '^Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}' + - '^%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}' + - '^new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}' + - '^new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$' + on_failure: + - rename: + description: Leave the unmatched content in message. + field: _temp.message + target_field: message + - remove: + field: _temp + - grok: + description: Grok usernames from PAM messages. + tag: grok-pam-users + field: message + ignore_missing: true + ignore_failure: true + patterns: + - 'for user %{QUOTE}?%{DATA:_temp.foruser}%{QUOTE}? 
by %{QUOTE}?%{DATA:_temp.byuser}%{QUOTE}?(?:\(uid=%{NUMBER:_temp.byuid}\))?$' + - 'for user %{QUOTE}?%{DATA:_temp.foruser}%{QUOTE}?$' + - 'by user %{QUOTE}?%{DATA:_temp.byuser}%{QUOTE}?$' + - '%{BOUNDARY} user %{QUOTE}%{DATA:_temp.user}%{QUOTE}' + pattern_definitions: + QUOTE: "['\"]" + BOUNDARY: "(?- + if (ctx.system.auth.ssh.event == "Accepted") { + ctx.event.type = ["info"]; + ctx.event.category = ["authentication", "session"]; + ctx.event.action = "ssh_login"; + ctx.event.outcome = "success"; + } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") { + ctx.event.type = ["info"]; + ctx.event.category = ["authentication"]; + ctx.event.action = "ssh_login"; + ctx.event.outcome = "failure"; + } + - append: + field: event.category + value: iam + if: ctx.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name) + - set: + field: event.outcome + value: success + if: ctx.process?.name != null && (ctx.message == null || !ctx.message.contains("fail")) && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name) + - set: + field: event.outcome + value: failure + if: ctx.process?.name != null && (ctx.message != null && ctx.message.contains("fail")) && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name) + - append: + field: event.type + value: user + if: ctx.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name) + - append: + field: event.type + value: group + if: ctx.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name) + - append: + field: event.type + value: creation + if: ctx.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name) + - append: + field: event.type + value: deletion + if: ctx.process?.name != null && ['userdel', 'groupdel'].contains(ctx.process.name) + - append: + field: event.type + value: 
change + if: ctx.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name) + - append: + field: related.user + value: "{{{ user.name }}}" + allow_duplicates: false + if: ctx.user?.name != null && ctx.user?.name != '' + - append: + field: related.user + value: "{{{ user.effective.name }}}" + allow_duplicates: false + if: ctx.user?.effective?.name != null && ctx.user?.effective?.name != '' + - append: + field: related.ip + value: "{{{ source.ip }}}" + allow_duplicates: false + if: ctx.source?.ip != null && ctx.source?.ip != '' + - append: + field: related.hosts + value: "{{{ host.hostname }}}" + allow_duplicates: false + if: ctx.host?.hostname != null && ctx.host?.hostname != '' + - set: + field: ecs.version + value: 8.0.0 + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/test/packages/parallel/system/data_stream/auth/fields/agent.yml b/test/packages/parallel/system/data_stream/auth/fields/agent.yml new file mode 100644 index 000000000..da4e652c5 --- /dev/null +++ b/test/packages/parallel/system/data_stream/auth/fields/agent.yml 
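Review bot: In the `grok-specific-messages` processor of default.yml, the pattern `'^%{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.address}'` has no end anchor and uses lazy `DATA` for both the event and the user name, so `user.name` and `source.address` are cut at the first ` user ` and ` from ` in text the remote client partly controls. The fixture added in this commit already shows the loose match: the PAM error line of test-auth.log is expected to produce `system.auth.ssh.event` equal to `error: PAM: User not known to the underlying authentication module for illegal`. Because the later script derives `event.outcome` from that field and detections key on the source address and user name, I would restrict the event to one token and anchor the tail, e.g. `- '^%{WORD:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.address}(?: port %{NUMBER:source.port:long})?$'`, and regenerate test-auth.log-expected.json. Part of this hunk (the text after `BOUNDARY:`) is not legible in this view, so a later processor may already compensate for some of this.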
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/test/packages/parallel/system/data_stream/auth/fields/base-fields.yml b/test/packages/parallel/system/data_stream/auth/fields/base-fields.yml
new file mode 100644
index 000000000..516c401c7
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/fields/base-fields.yml
@@ -0,0 +1,21 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+ value: logs
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.auth
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
diff --git a/test/packages/parallel/system/data_stream/auth/fields/ecs.yml b/test/packages/parallel/system/data_stream/auth/fields/ecs.yml
new file mode 100644
index 000000000..9b336a4e3
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/fields/ecs.yml
@@ -0,0 +1,106 @@
+- external: ecs
+ name: '@timestamp'
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: event.provider
+- external: ecs
+ name: event.sequence
+- external: ecs
+ name: event.type
+- external: ecs
+ name: group.id
+- external: ecs
+ name: group.name
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.domain
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.id
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.full
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: message
+- external: ecs
+ name: process.name
+- external: ecs
+ name: process.pid
+- external: ecs
+ name: related.hosts
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: related.user
+- external: ecs
+ name: source.address
+- external: ecs
+ name: source.as.number
+- external: ecs
+ name: source.as.organization.name
+- external: ecs
+ name: source.domain
+- external: ecs
+ name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_name
+- external: ecs
+ name: source.geo.country_iso_code
+- external: ecs
+ name: source.geo.country_name
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- external: ecs
+ name: source.geo.region_iso_code
+- external: ecs
+ name: source.geo.region_name
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: source.port
+- external: ecs
+ name: user.effective.name
+- external: ecs
+ name: user.id
+- external: ecs
+ name: user.name
diff --git a/test/packages/parallel/system/data_stream/auth/fields/fields.yml b/test/packages/parallel/system/data_stream/auth/fields/fields.yml
new file mode 100644
index 000000000..827255de6
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/fields/fields.yml
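Review bot: `host.hostname` is imported twice in this new `ecs.yml`: two consecutive `- external: ecs` / `name: host.hostname` entries follow `host.domain`. A duplicate field definition is redundant at best and may be rejected by field validation, so the second entry should be dropped. If it was meant to import a different `host.*` field, that field is currently missing from the list.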
@@ -0,0 +1,62 @@
+- name: system.auth
+ type: group
+ fields:
+ - name: ssh
+ type: group
+ fields:
+ - name: method
+ type: keyword
+ description: |
+ The SSH authentication method. Can be one of "password" or "publickey".
+ - name: signature
+ type: keyword
+ description: |
+ The signature of the client public key.
+ - name: dropped_ip
+ type: ip
+ description: |
+ The client IP from SSH connections that are open and immediately dropped.
+ - name: event
+ type: keyword
+ description: |
+ The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)
+ - name: geoip
+ type: group
+ - name: sudo
+ type: group
+ fields:
+ - name: error
+ type: keyword
+ description: |
+ The error message in case the sudo command failed.
+ - name: tty
+ type: keyword
+ description: |
+ The TTY where the sudo command is executed.
+ - name: pwd
+ type: keyword
+ description: |
+ The current directory where the sudo command is executed.
+ - name: user
+ type: keyword
+ description: |
+ The target user to which the sudo command is switching.
+ - name: command
+ type: keyword
+ description: |
+ The command executed via sudo.
+ - name: useradd
+ type: group
+ fields:
+ - name: home
+ type: keyword
+ description: The home folder for the new user.
+ - name: shell
+ type: keyword
+ description: The default shell for the new user.
+ - name: groupadd
+ type: group
+- description: "Operating system version as a raw string."
+ ignore_above: 1024
+ name: version
+ type: keyword
diff --git a/test/packages/parallel/system/data_stream/auth/manifest.yml b/test/packages/parallel/system/data_stream/auth/manifest.yml
new file mode 100644
index 000000000..aef300842
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/manifest.yml
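Review bot: The description of `system.auth.ssh.method` states the value "Can be one of "password" or "publickey"", but sshd also logs other methods (keyboard-interactive and GSSAPI, for example), so a detection written from this description alone could filter out real logins. Whether those values reach the field depends on the grok patterns of the ingest pipeline, which are not part of this hunk. I would reword the description to `The SSH authentication method as logged by sshd, for example "password" or "publickey".`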
@@ -0,0 +1,50 @@
+title: System auth logs
+type: logs
+streams:
+ - input: logfile
+ vars:
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/auth.log*
+ - /var/log/secure*
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - system-auth
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: log.yml.hbs
+ title: System auth logs (log)
+ description: Collect System auth logs using log input
diff --git a/test/packages/parallel/system/data_stream/core/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/core/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000..e7ef08bc7
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/core/agent/stream/stream.yml.hbs
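Review bot: The `paths` defaults `/var/log/auth.log*` and `/var/log/secure*` also match rotated archives such as `auth.log.1.gz` (a constructed example), and the `paths` var carries no `description` that says so. Whether compressed files are skipped is decided in `log.yml.hbs`, which is outside this hunk; without an exclusion there, compressed bytes would likely be fed to the auth pipeline and surface as parse failures rather than authentication events. I would add `description: Globs also match rotated files; compressed archives must be excluded by the stream template.` to the var and confirm that the template excludes them.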
@@ -0,0 +1,18 @@
+metricsets: ["core"]
+core.metrics:
+{{#each core.metrics}}
+- {{this}}
+{{/each}}
+{{#if system.hostfs}}
+system.hostfs: {{system.hostfs}}
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/core/fields/agent.yml b/test/packages/parallel/system/data_stream/core/fields/agent.yml
new file mode 100644
index 000000000..da4e652c5
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/core/fields/agent.yml
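Review bot: The core stream template never emits `period`, although the `core/manifest.yml` added later in this patch declares `period` as a required, user-visible var with default `10s`, and the sibling `cpu/agent/stream/stream.yml.hbs` writes `period: {{period}}` right after its `{{/each}}`. As written, a period the user sets for the core metricset would presumably be ignored and the collector's own default used instead. Add `period: {{period}}` after the first `{{/each}}`, matching the cpu template.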
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/test/packages/parallel/system/data_stream/core/fields/base-fields.yml b/test/packages/parallel/system/data_stream/core/fields/base-fields.yml
new file mode 100644
index 000000000..754551896
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/core/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.core
diff --git a/test/packages/parallel/system/data_stream/core/fields/ecs.yml b/test/packages/parallel/system/data_stream/core/fields/ecs.yml
new file mode 100644
index 000000000..9e69e9781
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/core/fields/ecs.yml
@@ -0,0 +1,24 @@
+- external: ecs
+ name: host
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.full
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
diff --git a/test/packages/parallel/system/data_stream/core/fields/fields.yml b/test/packages/parallel/system/data_stream/core/fields/fields.yml
new file mode 100644
index 000000000..dab186321
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/core/fields/fields.yml
@@ -0,0 +1,103 @@ +- name: system.core + type: group + fields: + - name: id + type: keyword + description: | + CPU Core number. + - name: user.pct + type: scaled_float + format: percent + unit: percent + metric_type: gauge + description: | + The percentage of CPU time spent in user space. + - name: user.ticks + type: long + metric_type: counter + description: | + The amount of CPU time spent in user space. + - name: system.pct + type: scaled_float + format: percent + unit: percent + metric_type: gauge + description: | + The percentage of CPU time spent in kernel space. + - name: system.ticks + type: long + metric_type: counter + description: | + The amount of CPU time spent in kernel space. + - name: nice.pct + type: scaled_float + format: percent + unit: percent + metric_type: gauge + description: | + The percentage of CPU time spent on low-priority processes. + - name: nice.ticks + type: long + metric_type: counter + description: | + The amount of CPU time spent on low-priority processes. + - name: idle.pct + type: scaled_float + format: percent + unit: percent + metric_type: gauge + description: | + The percentage of CPU time spent idle. + - name: idle.ticks + type: long + metric_type: counter + description: | + The amount of CPU time spent idle. + - name: iowait.pct + type: scaled_float + format: percent + unit: percent + metric_type: gauge + description: | + The percentage of CPU time spent in wait (on disk). + - name: iowait.ticks + type: long + metric_type: counter + description: | + The amount of CPU time spent in wait (on disk). + - name: irq.pct + type: scaled_float + format: percent + unit: percent + metric_type: gauge + description: | + The percentage of CPU time spent servicing and handling hardware interrupts. + - name: irq.ticks + type: long + metric_type: counter + description: | + The amount of CPU time spent servicing and handling hardware interrupts. 
+ - name: softirq.pct + type: scaled_float + format: percent + unit: percent + metric_type: gauge + description: | + The percentage of CPU time spent servicing and handling software interrupts. + - name: softirq.ticks + type: long + metric_type: counter + description: | + The amount of CPU time spent servicing and handling software interrupts. + - name: steal.pct + type: scaled_float + format: percent + unit: percent + metric_type: gauge + description: | + The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. + - name: steal.ticks + type: long + metric_type: counter + description: | + The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. diff --git a/test/packages/parallel/system/data_stream/core/manifest.yml b/test/packages/parallel/system/data_stream/core/manifest.yml new file mode 100644 index 000000000..b37ff3f61 --- /dev/null +++ b/test/packages/parallel/system/data_stream/core/manifest.yml 
@@ -0,0 +1,39 @@
+title: System core metrics
+type: metrics
+streams:
+ - input: system/metrics
+ enabled: false
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 10s
+ - name: core.metrics
+ type: text
+ title: Core Metrics
+ multi: true
+ required: true
+ show_user: true
+ description: >
+ How to report core metrics. Can be "percentages" or "ticks"
+
+ default:
+ - percentages
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ title: System core metrics
+ description: Collect System core metrics
diff --git a/test/packages/parallel/system/data_stream/cpu/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/cpu/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000..2d52d8f73
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/cpu/agent/stream/stream.yml.hbs
@@ -0,0 +1,19 @@
+metricsets: ["cpu"]
+cpu.metrics:
+{{#each cpu.metrics}}
+- {{this}}
+{{/each}}
+period: {{period}}
+{{#if system.hostfs}}
+system.hostfs: {{system.hostfs}}
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/cpu/fields/agent.yml b/test/packages/parallel/system/data_stream/cpu/fields/agent.yml
new file mode 100644
index 000000000..4b259da80
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/cpu/fields/agent.yml
@@ -0,0 +1,205 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + dimension: true + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + dimension: true + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + dimension: true + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + dimension: true + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + dimension: true + - name: project.id + type: keyword + description: Name of the project in Google Cloud. 
+ - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + dimension: true + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. 
+ + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + dimension: true + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. 
+ + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/test/packages/parallel/system/data_stream/cpu/fields/base-fields.yml b/test/packages/parallel/system/data_stream/cpu/fields/base-fields.yml new file mode 100644 index 000000000..d14502e64 --- /dev/null +++ b/test/packages/parallel/system/data_stream/cpu/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: system +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: system.cpu diff --git a/test/packages/parallel/system/data_stream/cpu/fields/ecs.yml b/test/packages/parallel/system/data_stream/cpu/fields/ecs.yml new file mode 100644 index 000000000..baad5c245 --- /dev/null +++ b/test/packages/parallel/system/data_stream/cpu/fields/ecs.yml @@ -0,0 +1,27 @@ +- external: ecs + name: host +- external: ecs + name: host.architecture +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.full +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: agent.id + dimension: true diff --git a/test/packages/parallel/system/data_stream/cpu/fields/fields.yml b/test/packages/parallel/system/data_stream/cpu/fields/fields.yml new file mode 100644 index 000000000..ca46bc7e2 --- /dev/null +++ b/test/packages/parallel/system/data_stream/cpu/fields/fields.yml 
@@ -0,0 +1,183 @@
+- name: system.cpu
+ type: group
+ fields:
+ - name: cores
+ type: long
+ metric_type: gauge
+ description: |
+ The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%.
+ - name: user.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%.
+ - name: system.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent in kernel space.
+ - name: nice.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent on low-priority processes.
+ - name: idle.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent idle.
+ - name: iowait.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent in wait (on disk).
+ - name: irq.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent servicing and handling hardware interrupts.
+ - name: softirq.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent servicing and handling software interrupts.
+ - name: steal.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
+ - name: total.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent in states other than Idle and IOWait.
+ - name: user.norm.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent in user space.
+ - name: system.norm.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent in kernel space.
+ - name: nice.norm.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent on low-priority processes.
+ - name: idle.norm.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent idle.
+ - name: iowait.norm.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent in wait (on disk).
+ - name: irq.norm.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent servicing and handling hardware interrupts.
+ - name: softirq.norm.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent servicing and handling software interrupts.
+ - name: steal.norm.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
+ - name: total.norm.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores.
+ - name: user.ticks
+ type: long
+ metric_type: counter
+ description: |
+ The amount of CPU time spent in user space.
+ - name: system.ticks
+ type: long
+ metric_type: counter
+ description: |
+ The amount of CPU time spent in kernel space.
+ - name: nice.ticks
+ type: long
+ metric_type: counter
+ description: |
+ The amount of CPU time spent on low-priority processes.
+ - name: idle.ticks
+ type: long
+ metric_type: counter
+ description: |
+ The amount of CPU time spent idle.
+ - name: iowait.ticks
+ type: long
+ metric_type: counter
+ description: |
+ The amount of CPU time spent in wait (on disk).
+ - name: irq.ticks
+ type: long
+ metric_type: counter
+ description: |
+ The amount of CPU time spent servicing and handling hardware interrupts.
+ - name: softirq.ticks
+ type: long
+ metric_type: counter
+ description: |
+ The amount of CPU time spent servicing and handling software interrupts.
+ - name: steal.ticks
+ type: long
+ metric_type: counter
+ description: |
+ The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
+- name: host
+ type: group
+ fields:
+ - name: cpu.pct
+ type: scaled_float
+ unit: percent
+ metric_type: gauge
+ description: |
+ Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
diff --git a/test/packages/parallel/system/data_stream/cpu/manifest.yml b/test/packages/parallel/system/data_stream/cpu/manifest.yml
new file mode 100644
index 000000000..32db486f8
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/cpu/manifest.yml
@@ -0,0 +1,41 @@
+title: System cpu metrics
+type: metrics
+elasticsearch:
+ index_mode: "time_series"
+streams:
+ - input: system/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 10s
+ - name: cpu.metrics
+ type: text
+ title: Cpu Metrics
+ multi: true
+ required: true
+ show_user: true
+ description: >
+ How to report CPU metrics. Can be "percentages", "normalized_percentages", or "ticks"
+
+ default:
+ - percentages
+ - normalized_percentages
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ title: System cpu metrics
+ description: Collect System cpu metrics
diff --git a/test/packages/parallel/system/data_stream/diskio/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/diskio/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000..d72f59250
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/diskio/agent/stream/stream.yml.hbs
@@ -0,0 +1,19 @@
+metricsets: ["diskio"]
+diskio.include_devices:
+{{#each diskio.include_devices}}
+- {{this}}
+{{/each}}
+period: {{period}}
+{{#if system.hostfs}}
+system.hostfs: {{system.hostfs}}
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/diskio/fields/agent.yml b/test/packages/parallel/system/data_stream/diskio/fields/agent.yml
new file mode 100644
index 000000000..5e2fd81c4
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/diskio/fields/agent.yml 
@@ -0,0 +1,205 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ dimension: true
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+ - name: disk.read.bytes
+ type: long
+ format: bytes
+ description: >
+ The total number of bytes read successfully in a given period of time.
+
+ - name: disk.write.bytes
+ type: long
+ format: bytes
+ description: >-
+ The total number of bytes write successfully in a given period of time.
diff --git a/test/packages/parallel/system/data_stream/diskio/fields/base-fields.yml b/test/packages/parallel/system/data_stream/diskio/fields/base-fields.yml
new file mode 100644
index 000000000..4a5ecc011
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/diskio/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.diskio
diff --git a/test/packages/parallel/system/data_stream/diskio/fields/ecs.yml b/test/packages/parallel/system/data_stream/diskio/fields/ecs.yml
new file mode 100644
index 000000000..98cf5ad73
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/diskio/fields/ecs.yml
@@ -0,0 +1,29 @@
+- external: ecs
+ name: host
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.full
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
+- external: ecs
+ name: agent.id
+ dimension: true
diff --git a/test/packages/parallel/system/data_stream/diskio/fields/fields.yml b/test/packages/parallel/system/data_stream/diskio/fields/fields.yml
new file mode 100644
index 000000000..70913cd16
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/diskio/fields/fields.yml
@@ -0,0 +1,137 @@
+- name: system.diskio
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ dimension: true
+ description: |
+ The disk name.
+ - name: serial_number
+ type: keyword
+ description: |
+ The disk's serial number. This may not be provided by all operating systems.
+ - name: read.count
+ type: long
+ metric_type: counter
+ description: |
+ The total number of reads completed successfully.
+ - name: write.count
+ type: long
+ metric_type: counter
+ description: |
+ The total number of writes completed successfully.
+ - name: read.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: counter
+ description: |
+ The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512.
+ - name: write.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: counter
+ description: |
+ The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512.
+ - name: read.time
+ type: long
+ metric_type: counter
+ description: |
+ The total number of milliseconds spent by all reads.
+ - name: write.time
+ type: long
+ metric_type: counter
+ description: |
+ The total number of milliseconds spent by all writes.
+ - name: io.time
+ type: long
+ metric_type: counter
+ description: |
+ The total number of of milliseconds spent doing I/Os.
+ - name: iostat.read.request.merges_per_sec
+ type: float
+ metric_type: gauge
+ description: |
+ The number of read requests merged per second that were queued to the device.
+ - name: iostat.write.request.merges_per_sec
+ type: float
+ metric_type: gauge
+ description: |
+ The number of write requests merged per second that were queued to the device.
+ - name: iostat.read.request.per_sec
+ type: float
+ metric_type: gauge
+ description: |
+ The number of read requests that were issued to the device per second
+ - name: iostat.write.request.per_sec
+ type: float
+ metric_type: gauge
+ description: |
+ The number of write requests that were issued to the device per second
+ - name: iostat.read.per_sec.bytes
+ type: float
+ format: bytes
+ metric_type: gauge
+ description: |
+ The number of Bytes read from the device per second.
+ - name: iostat.read.await
+ type: float
+ metric_type: gauge
+ description: |
+ The average time spent for read requests issued to the device to be served.
+ - name: iostat.write.per_sec.bytes
+ type: float
+ format: bytes
+ metric_type: gauge
+ description: |
+ The number of Bytes write from the device per second.
+ - name: iostat.write.await
+ type: float
+ metric_type: gauge
+ description: |
+ The average time spent for write requests issued to the device to be served.
+ - name: iostat.request.avg_size
+ type: float
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ The average size (in bytes) of the requests that were issued to the device.
+ - name: iostat.queue.avg_size
+ type: float
+ unit: byte
+ metric_type: gauge
+ description: |
+ The average queue length of the requests that were issued to the device.
+ - name: iostat.await
+ type: float
+ metric_type: gauge
+ description: |
+ The average time spent for requests issued to the device to be served.
+ - name: iostat.service_time
+ type: float
+ unit: ms
+ metric_type: gauge
+ description: |
+ The average service time (in milliseconds) for I/O requests that were issued to the device.
+ - name: iostat.busy
+ type: float
+ metric_type: gauge
+ description: |
+ Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%.
+- name: host
+ type: group
+ fields:
+ - name: disk.read.bytes
+ type: scaled_float
+ unit: byte
+ metric_type: gauge
+ description: |
+ The total number of bytes read successfully in a given period of time.
+ - name: disk.write.bytes
+ type: scaled_float
+ unit: byte
+ metric_type: gauge
+ description: |
+ The total number of bytes write successfully in a given period of time.
diff --git a/test/packages/parallel/system/data_stream/diskio/manifest.yml b/test/packages/parallel/system/data_stream/diskio/manifest.yml
new file mode 100644
index 000000000..f54b9094e
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/diskio/manifest.yml
@@ -0,0 +1,38 @@
+title: System diskio metrics
+type: metrics
+elasticsearch:
+ index_mode: "time_series"
+streams:
+ - input: system/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 10s
+ - name: diskio.include_devices
+ type: text
+ title: Include Devices
+ multi: true
+ required: false
+ show_user: true
+ description: >
+ Provide a specific list of devices to monitor. By default, all devices are monitored.
+
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ title: System diskio metrics
+ description: Collect System diskio metrics
diff --git a/test/packages/parallel/system/data_stream/filesystem/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/filesystem/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000..13a98485e
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/filesystem/agent/stream/stream.yml.hbs
@@ -0,0 +1,15 @@
+metricsets: ["filesystem"]
+period: {{period}}
+processors: {{processors}}
+{{#if filesystem.ignore_types}}
+filesystem.ignore_types: {{filesystem.ignore_types}}
+{{/if}}
+{{#if system.hostfs}}
+system.hostfs: {{system.hostfs}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/filesystem/fields/agent.yml b/test/packages/parallel/system/data_stream/filesystem/fields/agent.yml
new file mode 100644
index 000000000..bcbae612b
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/filesystem/fields/agent.yml
@@ -0,0 +1,205 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ dimension: true
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ dimension: true
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ dimension: true
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/test/packages/parallel/system/data_stream/filesystem/fields/base-fields.yml b/test/packages/parallel/system/data_stream/filesystem/fields/base-fields.yml
new file mode 100644
index 000000000..c83912bc9
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/filesystem/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.filesystem
diff --git a/test/packages/parallel/system/data_stream/filesystem/fields/ecs.yml b/test/packages/parallel/system/data_stream/filesystem/fields/ecs.yml
new file mode 100644
index 000000000..3014c8de4
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/filesystem/fields/ecs.yml
@@ -0,0 +1,3 @@
+- external: ecs
+ name: agent.id
+ dimension: true
diff --git a/test/packages/parallel/system/data_stream/filesystem/fields/fields.yml b/test/packages/parallel/system/data_stream/filesystem/fields/fields.yml
new file mode 100644
index 000000000..d670be584
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/filesystem/fields/fields.yml
@@ -0,0 +1,62 @@
+- name: system.filesystem
+ type: group
+ fields:
+ - name: available
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ The disk space available to an unprivileged user in bytes.
+ - name: device_name
+ type: keyword
+ dimension: true
+ description: |
+ The disk name. For example: `/dev/disk1`
+ - name: type
+ type: keyword
+ description: |
+ The disk type. For example: `ext4`
+ - name: mount_point
+ type: keyword
+ dimension: true
+ description: |
+ The mounting point. For example: `/`
+ - name: files
+ type: long
+ metric_type: gauge
+ description: |
+ The total number of file nodes in the file system.
+ - name: free
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ The disk space available in bytes.
+ - name: free_files
+ type: long
+ metric_type: gauge
+ description: |
+ The number of free file nodes in the file system.
+ - name: total
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ The total disk space in bytes.
+ - name: used.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ The used disk space in bytes.
+ - name: used.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of used disk space.
diff --git a/test/packages/parallel/system/data_stream/filesystem/manifest.yml b/test/packages/parallel/system/data_stream/filesystem/manifest.yml
new file mode 100644
index 000000000..3e3b7f67b
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/filesystem/manifest.yml
@@ -0,0 +1,43 @@
+title: System filesystem metrics
+type: metrics
+elasticsearch:
+ index_mode: "time_series"
+streams:
+ - input: system/metrics
+ enabled: true
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: filesystem.ignore_types
+ type: text
+ title: List of filesystem types to ignore
+ multi: true
+ required: false
+ show_user: true
+ description: >
+ The filesystem datastream will ignore any filesystems with a matching type as specified here. By default, this will exclude any filesystems marked as "nodev" in /proc/filesystems on linux.
+
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: true
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata.
+
+ default: |
+ - drop_event.when.regexp:
+ system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)
+ title: System filesystem metrics
+ description: Collect System filesystem metrics
diff --git a/test/packages/parallel/system/data_stream/fsstat/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/fsstat/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000..5d9457402
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/fsstat/agent/stream/stream.yml.hbs
@@ -0,0 +1,12 @@
+metricsets: ["fsstat"]
+period: {{period}}
+processors: {{processors}}
+{{#if system.hostfs}}
+system.hostfs: {{system.hostfs}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/fsstat/fields/agent.yml b/test/packages/parallel/system/data_stream/fsstat/fields/agent.yml
new file mode 100644
index 000000000..48add32f2
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/fsstat/fields/agent.yml 
@@ -0,0 +1,205 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/test/packages/parallel/system/data_stream/fsstat/fields/base-fields.yml b/test/packages/parallel/system/data_stream/fsstat/fields/base-fields.yml
new file mode 100644
index 000000000..b435b5d34
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/fsstat/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.fsstat
diff --git a/test/packages/parallel/system/data_stream/fsstat/fields/ecs.yml b/test/packages/parallel/system/data_stream/fsstat/fields/ecs.yml
new file mode 100644
index 000000000..baad5c245
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/fsstat/fields/ecs.yml
@@ -0,0 +1,27 @@
+- external: ecs
+ name: host
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.full
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
+- external: ecs
+ name: agent.id
+ dimension: true
diff --git a/test/packages/parallel/system/data_stream/fsstat/fields/fields.yml b/test/packages/parallel/system/data_stream/fsstat/fields/fields.yml
new file mode 100644
index 000000000..f995eaa84
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/fsstat/fields/fields.yml
@@ -0,0 +1,36 @@
+- name: system.fsstat
+ type: group
+ fields:
+ - name: count
+ type: long
+ metric_type: gauge
+ description: Number of file systems found.
+ - name: total_files
+ type: long
+ metric_type: gauge
+ description: Total number of files.
+ - name: total_size
+ type: group
+ format: bytes
+ fields:
+ - name: free
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Total free space.
+ - name: used
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Total used space.
+ - name: total
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Total space (used plus free).
diff --git a/test/packages/parallel/system/data_stream/fsstat/manifest.yml b/test/packages/parallel/system/data_stream/fsstat/manifest.yml
new file mode 100644
index 000000000..6d602ed12
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/fsstat/manifest.yml
@@ -0,0 +1,34 @@
+title: System fsstat metrics
+type: metrics
+elasticsearch:
+ index_mode: "time_series"
+streams:
+ - input: system/metrics
+ enabled: true
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: true
+ show_user: true
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata.
+
+ default: |
+ - drop_event.when.regexp:
+ system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)
+ title: System fsstat metrics
+ description: Collect System fsstat metrics
diff --git a/test/packages/parallel/system/data_stream/load/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/load/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000..cbb6fc7d6
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/load/agent/stream/stream.yml.hbs
@@ -0,0 +1,13 @@
+metricsets: ["load"]
+condition: ${host.platform} != 'windows'
+period: {{period}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/load/fields/agent.yml b/test/packages/parallel/system/data_stream/load/fields/agent.yml
new file mode 100644
index 000000000..f7fba4ae7
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/load/fields/agent.yml
@@ -0,0 +1,194 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ dimension: true
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ dimension: true
+ - name: region
+ level: extended
+ type: keyword
+ dimension: true
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ dimension: true
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ dimension: true
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/test/packages/parallel/system/data_stream/load/fields/base-fields.yml b/test/packages/parallel/system/data_stream/load/fields/base-fields.yml
new file mode 100644
index 000000000..492a19258
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/load/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.load
diff --git a/test/packages/parallel/system/data_stream/load/fields/ecs.yml b/test/packages/parallel/system/data_stream/load/fields/ecs.yml
new file mode 100644
index 000000000..baad5c245
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/load/fields/ecs.yml
@@ -0,0 +1,27 @@
+- external: ecs
+ name: host
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.full
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
+- external: ecs
+ name: agent.id
+ dimension: true
diff --git a/test/packages/parallel/system/data_stream/load/fields/fields.yml b/test/packages/parallel/system/data_stream/load/fields/fields.yml
new file mode 100644
index 000000000..ae0130fae
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/load/fields/fields.yml
@@ -0,0 +1,38 @@
+- name: system.load
+ type: group
+ fields:
+ - name: "1"
+ type: scaled_float
+ metric_type: gauge
+ description: |
+ Load average for the last minute.
+ - name: "5"
+ type: scaled_float
+ metric_type: gauge
+ description: |
+ Load average for the last 5 minutes.
+ - name: "15"
+ type: scaled_float
+ metric_type: gauge
+ description: |
+ Load average for the last 15 minutes.
+ - name: norm.1
+ type: scaled_float
+ metric_type: gauge
+ description: |
+ Load for the last minute divided by the number of cores.
+ - name: norm.5
+ type: scaled_float
+ metric_type: gauge
+ description: |
+ Load for the last 5 minutes divided by the number of cores.
+ - name: norm.15
+ type: scaled_float
+ metric_type: gauge
+ description: |
+ Load for the last 15 minutes divided by the number of cores.
+ - name: cores
+ type: long
+ metric_type: gauge
+ description: |
+ The number of CPU cores present on the host.
diff --git a/test/packages/parallel/system/data_stream/load/manifest.yml b/test/packages/parallel/system/data_stream/load/manifest.yml
new file mode 100644
index 000000000..d5cbe4f4a
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/load/manifest.yml
@@ -0,0 +1,29 @@
+title: System load metrics
+type: metrics
+elasticsearch:
+ index_mode: "time_series"
+streams:
+ - input: system/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 10s
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ title: System load metrics
+ description: Collect System load metrics
diff --git a/test/packages/parallel/system/data_stream/memory/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/memory/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000..f873ce7e6
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/memory/agent/stream/stream.yml.hbs
@@ -0,0 +1,15 @@
+metricsets: ["memory"]
+period: {{period}}
+{{#if system.hostfs}}
+system.hostfs: {{system.hostfs}}
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/memory/fields/agent.yml b/test/packages/parallel/system/data_stream/memory/fields/agent.yml
new file mode 100644
index 000000000..37de0dc01
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/memory/fields/agent.yml
@@ -0,0 +1,205 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ dimension: true
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ dimension: true
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ dimension: true
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ dimension: true
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ dimension: true
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ dimension: true
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ dimension: true
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/test/packages/parallel/system/data_stream/memory/fields/base-fields.yml b/test/packages/parallel/system/data_stream/memory/fields/base-fields.yml
new file mode 100644
index 000000000..4ba8a2b65
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/memory/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.memory
diff --git a/test/packages/parallel/system/data_stream/memory/fields/ecs.yml b/test/packages/parallel/system/data_stream/memory/fields/ecs.yml
new file mode 100644
index 000000000..baad5c245
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/memory/fields/ecs.yml
@@ -0,0 +1,27 @@
+- external: ecs
+ name: host
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.full
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
+- external: ecs
+ name: agent.id
+ dimension: true
diff --git a/test/packages/parallel/system/data_stream/memory/fields/fields.yml b/test/packages/parallel/system/data_stream/memory/fields/fields.yml
new file mode 100644
index 000000000..c986aec2e
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/memory/fields/fields.yml 
@@ -0,0 +1,200 @@
+- name: system.memory
+ type: group
+ fields:
+ - name: total
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Total memory.
+ - name: used.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Used memory.
+ - name: free
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free).
+ - name: used.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of used memory.
+ - name: actual
+ type: group
+ fields:
+ - name: used.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`.
+ - name: free
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`.
+ - name: used.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of actual used memory.
+ - name: swap
+ type: group
+ fields:
+ - name: total
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Total swap memory.
+ - name: used.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Used swap memory.
+ - name: free
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Available swap memory.
+ - name: out.pages
+ type: long
+ metric_type: counter
+ description: count of pages swapped out
+ - name: in.pages
+ type: long
+ metric_type: gauge
+ description: count of pages swapped in
+ - name: readahead.pages
+ type: long
+ metric_type: counter
+ description: swap readahead pages
+ - name: readahead.cached
+ type: long
+ metric_type: counter
+ description: swap readahead cache hits
+ - name: used.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of used swap memory.
+ - name: page_stats
+ type: group
+ fields:
+ - name: pgscan_kswapd.pages
+ type: long
+ format: number
+ metric_type: counter
+ description: pages scanned by kswapd
+ - name: pgscan_direct.pages
+ type: long
+ format: number
+ metric_type: counter
+ description: pages scanned directly
+ - name: pgfree.pages
+ type: long
+ format: number
+ metric_type: counter
+ description: pages freed by the system
+ - name: pgsteal_kswapd.pages
+ type: long
+ format: number
+ metric_type: counter
+ description: number of pages reclaimed by kswapd
+ - name: pgsteal_direct.pages
+ type: long
+ format: number
+ metric_type: counter
+ description: number of pages reclaimed directly
+ - name: direct_efficiency.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory.
+ - name: kswapd_efficiency.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory.
+ - name: hugepages
+ type: group
+ fields:
+ - name: total
+ type: long
+ format: number
+ metric_type: gauge
+ description: |
+ Number of huge pages in the pool.
+ - name: used.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Memory used in allocated huge pages.
+ - name: used.pct
+ type: long
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ Percentage of huge pages used.
+ - name: free
+ type: long
+ format: number
+ metric_type: gauge
+ description: |
+ Number of available huge pages in the pool.
+ - name: reserved
+ type: long
+ format: number
+ metric_type: gauge
+ description: |
+ Number of reserved but not allocated huge pages in the pool.
+ - name: surplus
+ type: long
+ format: number
+ metric_type: gauge
+ description: |
+ Number of overcommited huge pages.
+ - name: default_size
+ type: long
+ format: bytes
+ metric_type: gauge
+ description: |
+ Default size for huge pages.
+ - name: swap.out
+ type: group
+ fields:
+ - name: pages
+ type: long
+ metric_type: gauge
+ description: pages swapped out
+ - name: fallback
+ type: long
+ metric_type: gauge
+ description: Count of huge pages that must be split before swapout
diff --git a/test/packages/parallel/system/data_stream/memory/manifest.yml b/test/packages/parallel/system/data_stream/memory/manifest.yml
new file mode 100644
index 000000000..785bb737d
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/memory/manifest.yml
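Review bot: In memory/fields/fields.yml the `hugepages` group declares `used.pct` as `type: long` with `format: percent`, while every other `*.pct` field in this hunk is `scaled_float`; a long mapping cannot hold a fractional percentage, so I would expect `type: scaled_float` here. In the `swap` group, `in.pages` is `metric_type: gauge` while its sibling `out.pages` is `metric_type: counter`, although both are described as counts of pages; `metric_type: counter` on `in.pages` would make the pair consistent. If this fixture is meant to mirror an upstream package byte for byte, a short comment at the top of the file saying so would explain why the inconsistencies are kept.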
@@ -0,0 +1,29 @@
+title: System memory metrics
+type: metrics
+elasticsearch:
+ index_mode: "time_series"
+streams:
+ - input: system/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 10s
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ title: System memory metrics
+ description: Collect System memory metrics
diff --git a/test/packages/parallel/system/data_stream/network/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/network/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000..63c1be47b
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/network/agent/stream/stream.yml.hbs
@@ -0,0 +1,16 @@
+metricsets: ["network"]
+period: {{period}}
+network.interfaces:
+{{#each network.interfaces}}
+- {{this}}
+{{/each}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/network/fields/agent.yml b/test/packages/parallel/system/data_stream/network/fields/agent.yml
new file mode 100644
index 000000000..c20bbf2c7
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/network/fields/agent.yml
@@ -0,0 +1,197 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ dimension: true
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ dimension: true
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ dimension: true
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ dimension: true
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ dimension: true
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ dimension: true
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ dimension: true
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
diff --git a/test/packages/parallel/system/data_stream/network/fields/base-fields.yml b/test/packages/parallel/system/data_stream/network/fields/base-fields.yml
new file mode 100644
index 000000000..4650bf6b3
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/network/fields/base-fields.yml
@@ -0,0 +1,17 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.network
diff --git a/test/packages/parallel/system/data_stream/network/fields/ecs.yml b/test/packages/parallel/system/data_stream/network/fields/ecs.yml
new file mode 100644
index 000000000..8840ed262
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/network/fields/ecs.yml
@@ -0,0 +1,49 @@
+- external: ecs
+ name: '@timestamp'
+- external: ecs
+ name: message
+- external: ecs
+ name: group
+- external: ecs
+ name: group.id
+- external: ecs
+ name: group.name
+- external: ecs
+ name: host
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: process
+- external: ecs
+ name: process.name
+- external: ecs
+ name: process.pid
+- external: ecs
+ name: source
+- external: ecs
+ name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_name
+- external: ecs
+ name: source.geo.country_iso_code
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- external: ecs
+ name: source.geo.region_iso_code
+- external: ecs
+ name: source.geo.region_name
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: source.port
+- external: ecs
+ name: user
+- external: ecs
+ name: user.id
+- external: ecs
+ name: user.name
+- external: ecs
+ name: agent.id
+ dimension: true
diff --git a/test/packages/parallel/system/data_stream/network/fields/fields.yml b/test/packages/parallel/system/data_stream/network/fields/fields.yml
new file mode 100644
index 000000000..a8e2f2754
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/network/fields/fields.yml
@@ -0,0 +1,78 @@
+- name: system.network
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ dimension: true
+ description: |
+ The network interface name.
+ - name: out.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: counter
+ description: |
+ The number of bytes sent.
+ - name: in.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: counter
+ description: |
+ The number of bytes received.
+ - name: out.packets
+ type: long
+ metric_type: counter
+ description: |
+ The number of packets sent.
+ - name: in.packets
+ type: long
+ metric_type: counter
+ description: |
+ The number or packets received.
+ - name: in.errors
+ type: long
+ metric_type: counter
+ description: |
+ The number of errors while receiving.
+ - name: out.errors
+ type: long
+ metric_type: counter
+ description: |
+ The number of errors while sending.
+ - name: in.dropped
+ type: long
+ metric_type: counter
+ description: |
+ The number of incoming packets that were dropped.
+ - name: out.dropped
+ type: long
+ metric_type: counter
+ description: |
+ The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system.
+- name: host
+ type: group
+ fields:
+ - name: network.in.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: counter
+ description: |
+ The number of bytes received on all network interfaces by the host in a given period of time.
+ - name: network.out.bytes
+ type: long
+ unit: byte
+ metric_type: counter
+ description: |
+ The number of bytes sent out on all network interfaces by the host in a given period of time.
+ - name: network.in.packets
+ type: long
+ metric_type: counter
+ description: |
+ The number of packets received on all network interfaces by the host in a given period of time.
+ - name: network.out.packets
+ type: long
+ metric_type: counter
+ description: |
+ The number of packets sent out on all network interfaces by the host in a given period of time.
diff --git a/test/packages/parallel/system/data_stream/network/manifest.yml b/test/packages/parallel/system/data_stream/network/manifest.yml
new file mode 100644
index 000000000..5a3f4eb03
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/network/manifest.yml
@@ -0,0 +1,38 @@
+title: System network metrics
+type: metrics
+elasticsearch:
+ index_mode: "time_series"
+streams:
+ - input: system/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 10s
+ - name: network.interfaces
+ type: text
+ title: Interfaces
+ multi: true
+ required: false
+ show_user: true
+ description: >
+ List of interfaces to monitor. Will monitor all by default.
+
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ title: System network metrics
+ description: Collect System network metrics
diff --git a/test/packages/parallel/system/data_stream/process/_dev/test/system/test-default-config.yml b/test/packages/parallel/system/data_stream/process/_dev/test/system/test-default-config.yml
new file mode 100644
index 000000000..0bb8ceb94
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/_dev/test/system/test-default-config.yml
@@ -0,0 +1,3 @@
+vars: ~
+data_stream:
+ vars: ~
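Review bot: In network/fields/fields.yml the `host` group gives `network.in.bytes` a `format: bytes` line but `network.out.bytes` has only `unit: byte`, so the two byte counters would be rendered differently; adding `format: bytes` to `network.out.bytes` keeps them parallel. The description of `system.network.in.packets` reads "The number or packets received", which should be `The number of packets received.` to match `out.packets`.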
diff --git a/test/packages/parallel/system/data_stream/process/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/process/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000..5526c1fd7
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/agent/stream/stream.yml.hbs
@@ -0,0 +1,30 @@
+metricsets: ["process"]
+period: {{period}}
+process.include_top_n.by_cpu: {{process.include_top_n.by_cpu}}
+process.include_top_n.by_memory: {{process.include_top_n.by_memory}}
+process.cmdline.cache.enabled: {{process.cmdline.cache.enabled}}
+process.cgroups.enabled: {{process.cgroups.enabled}}
+process.include_cpu_ticks: {{process.include_cpu_ticks}}
+{{#if process.env.whitelist}}
+process.env.whitelist:
+{{#each process.env.whitelist}}
+- {{this}}
+{{/each}}
+{{/if}}
+processes:
+{{#each processes}}
+- {{this}}
+{{/each}}
+{{#if system.hostfs}}
+system.hostfs: {{system.hostfs}}
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/process/elasticsearch/ingest_pipeline/default.yml b/test/packages/parallel/system/data_stream/process/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 000000000..501414e2e
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,8 @@
+---
+description: Pipeline for system.process events.
+processors:
+ - rename:
+ description: Rename process.ppid from Agent 7.x to process.parent.pid.
+ field: process.ppid
+ target_field: process.parent.pid
+ ignore_failure: true
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/process/fields/agent.yml b/test/packages/parallel/system/data_stream/process/fields/agent.yml
new file mode 100644
index 000000000..fd07b33f0
--- /dev/null
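Review bot: The `rename` processor in ingest_pipeline/default.yml uses `ignore_failure: true`, which hides every failure of the rename, not only the expected one where `process.ppid` is absent. If a document arrives carrying both `process.ppid` and `process.parent.pid`, the rename fails silently and the event is indexed with the stale `process.ppid` still present, with nothing to alert on. `ignore_missing: true` in place of `ignore_failure: true` covers the "field not sent by newer agents" case while letting an unexpected collision surface as a pipeline error.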
+++ b/test/packages/parallel/system/data_stream/process/fields/agent.yml 
@@ -0,0 +1,161 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ dimension: true
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ dimension: true
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ dimension: true
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ dimension: true
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ dimension: true
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ dimension: true
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: process
+ title: Process
+ group: 2
+ description: Process metrics.
+ type: group
+ fields:
+ - name: state
+ type: keyword
+ description: >
+ The process state. For example: "running".
+
+ - name: cpu.pct
+ type: scaled_float
+ format: percent
+ description: >
+ The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
+
+ - name: cpu.start_time
+ type: date
+ description: >
+ The time when the process was started.
+
+ - name: memory.pct
+ type: scaled_float
+ format: percent
+ description: >
+ The percentage of memory the process occupied in main memory (RAM).
+
diff --git a/test/packages/parallel/system/data_stream/process/fields/base-fields.yml b/test/packages/parallel/system/data_stream/process/fields/base-fields.yml
new file mode 100644
index 000000000..1f99673b3
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.process
diff --git a/test/packages/parallel/system/data_stream/process/fields/ecs.yml b/test/packages/parallel/system/data_stream/process/fields/ecs.yml
new file mode 100644
index 000000000..20d1d8bde
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/fields/ecs.yml
@@ -0,0 +1,57 @@
+- external: ecs
+ name: process
+- external: ecs
+ name: process.name
+- external: ecs
+ name: process.pgid
+- external: ecs
+ name: process.pid
+ dimension: true
+- external: ecs
+ name: process.parent.pid
+- external: ecs
+ name: process.working_directory
+- external: ecs
+ name: user
+- external: ecs
+ name: user.name
+- external: ecs
+ name: host
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+ dimension: true
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.full
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
+- name: ecs.version
+ external: ecs
+- name: process.args
+ external: ecs
+- name: process.command_line
+ external: ecs
+- name: process.executable
+ external: ecs
+- name: service.type
+ external: ecs
+- external: ecs
+ name: agent.id
+ dimension: true
diff --git a/test/packages/parallel/system/data_stream/process/fields/fields.yml b/test/packages/parallel/system/data_stream/process/fields/fields.yml
new file mode 100644
index 000000000..f211c8ff9
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/fields/fields.yml
@@ -0,0 +1,658 @@ +- name: system.process + type: group + fields: + - name: state + type: keyword + description: | + The process state. For example: "running". + - name: cmdline + type: keyword + description: | + The full command-line used to start the process, including the arguments separated by space. + ignore_above: 2048 + - name: env + type: object + description: | + The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. + - name: cpu + type: group + fields: + - name: user.ticks + type: long + metric_type: counter + description: | + The amount of CPU time the process spent in user space. + - name: total.value + type: long + metric_type: counter + description: | + The value of CPU usage since starting the process. + - name: total.pct + type: scaled_float + format: percent + unit: percent + metric_type: gauge + description: | + The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. + - name: total.norm.pct + type: scaled_float + format: percent + unit: percent + metric_type: gauge + description: | + The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. + - name: system.ticks + type: long + metric_type: counter + description: | + The amount of CPU time the process spent in kernel space. + - name: total.ticks + type: long + metric_type: counter + description: | + The total CPU time spent by the process. + - name: start_time + type: date + description: | + The time when the process was started. + - name: memory + type: group + fields: + - name: size + type: long + format: bytes + unit: byte + metric_type: gauge + description: | + The total virtual memory the process has. 
On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. + - name: rss.bytes + type: long + format: bytes + unit: byte + metric_type: gauge + description: | + The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. + - name: rss.pct + type: scaled_float + format: percent + unit: percent + metric_type: gauge + description: | + The percentage of memory the process occupied in main memory (RAM). + - name: share + type: long + format: bytes + unit: byte + metric_type: gauge + description: | + The shared memory the process uses. + - name: fd + type: group + fields: + - name: open + type: long + metric_type: gauge + description: The number of file descriptors open by the process. + - name: limit.soft + type: long + metric_type: gauge + description: | + The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. + - name: limit.hard + type: long + metric_type: gauge + description: | + The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. + - name: cgroup + type: group + fields: + - name: id + type: keyword + description: > + The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. + + - name: path + type: keyword + description: > + The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. + + - name: cgroups_version + type: long + description: The version of cgroups reported for the process + - name: cpu + type: group + description: > + The cpu subsystem schedules CPU access for tasks in the cgroup. Access can be controlled by two separate schedulers, CFS and RT. 
CFS stands for completely fair scheduler which proportionally divides the CPU time between cgroups based on weight. RT stands for real time scheduler which sets a maximum amount of CPU time that processes in the cgroup can consume during a given period. In CPU under cgroups V2, the cgroup is merged with many of the metrics from cpuacct. In addition, per-scheduler metrics are gone in V2. + + fields: + - name: id + type: keyword + description: ID of the cgroup. + - name: path + type: keyword + description: > + Path to the cgroup relative to the cgroup subsystem's mountpoint. + + - name: stats + type: group + description: cgroupv2 stats + fields: + - name: usage.ns + type: long + description: cgroups v2 usage in nanoseconds + - name: usage.pct + type: float + description: cgroups v2 usage + - name: usage.norm.pct + type: float + description: cgroups v2 normalized usage + - name: user.ns + type: long + description: cgroups v2 cpu user time in nanoseconds + - name: user.pct + type: float + description: cgroups v2 cpu user time + - name: user.norm.pct + type: float + description: cgroups v2 normalized cpu user time + - name: system.ns + type: long + description: cgroups v2 system time in nanoseconds + - name: system.pct + type: float + description: cgroups v2 system time + - name: system.norm.pct + type: float + description: cgroups v2 normalized system time + - name: cfs.period.us + type: long + description: > + Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. + + - name: cfs.quota.us + type: long + description: > + Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). + + - name: cfs.shares + type: long + description: > + An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. 
+
+ - name: rt.period.us
+ type: long
+ description: >
+ Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated.
+
+ - name: rt.runtime.us
+ type: long
+ description: >
+ Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.
+
+ - name: stats.periods
+ type: long
+ description: >
+ Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed.
+
+ - name: stats.throttled.periods
+ type: long
+ description: >
+ Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota).
+
+ - name: stats.throttled.us
+ type: long
+ description: >
+ The total time duration (in microseconds) for which tasks in a cgroup have been throttled, as reported by cgroupsv2
+
+ - name: stats.throttled.ns
+ type: long
+ description: >
+ The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled.
+
+ - name: pressure
+ type: group
+ description: Pressure (resource contention) stats.
+ fields: + - name: some + type: group + description: Share of time in which at least some tasks are stalled on a given resource + fields: + - name: 10.pct + type: float + format: percent + description: Pressure over 10 seconds + - name: 60.pct + type: float + format: percent + description: Pressure over 60 seconds + - name: 300.pct + type: float + format: percent + description: Pressure over 300 seconds + - name: total + type: long + format: percent + description: total Some pressure time + - name: full + type: group + description: Share of time in which all non-idle tasks are stalled on a given resource simultaneously + fields: + - name: 10.pct + type: float + format: percent + description: Pressure over 10 seconds + - name: 60.pct + type: float + format: percent + description: Pressure over 60 seconds + - name: 300.pct + type: float + format: percent + description: Pressure over 300 seconds + - name: total + type: long + description: total Full pressure time + - name: cpuacct + type: group + description: CPU accounting metrics. + fields: + - name: id + type: keyword + description: ID of the cgroup. + - name: path + type: keyword + description: > + Path to the cgroup relative to the cgroup subsystem's mountpoint. + + - name: total.ns + type: long + description: > + Total CPU time in nanoseconds consumed by all tasks in the cgroup. + + - name: total.pct + type: scaled_float + description: > + CPU time of the cgroup as a percentage of overall CPU time. + + - name: total.norm.pct + type: scaled_float + description: > + CPU time of the cgroup as a percentage of overall CPU time, normalized by CPU count. This is functionally an average of time spent across individual CPUs. + + - name: stats.user.ns + type: long + description: CPU time consumed by tasks in user mode. 
+ - name: stats.user.pct + type: scaled_float + description: time the cgroup spent in user space, as a percentage of total CPU time + - name: stats.user.norm.pct + type: scaled_float + description: time the cgroup spent in user space, as a percentage of total CPU time, normalized by CPU count. + - name: stats.system.ns + type: long + description: CPU time consumed by tasks in user (kernel) mode. + - name: stats.system.pct + type: scaled_float + description: Time the cgroup spent in kernel space, as a percentage of total CPU time + - name: stats.system.norm.pct + type: scaled_float + description: Time the cgroup spent in kernel space, as a percentage of total CPU time, normalized by CPU count. + - name: percpu + type: object + object_type: long + description: > + CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. + + - name: memory + type: group + description: Memory limits and metrics. + fields: + - name: id + type: keyword + description: ID of the cgroup. + - name: path + type: keyword + description: > + Path to the cgroup relative to the cgroup subsystem's mountpoint. + + - name: mem.usage.bytes + type: long + format: bytes + description: > + Total memory usage by processes in the cgroup (in bytes). + + - name: mem.usage.max.bytes + type: long + format: bytes + description: > + The maximum memory used by processes in the cgroup (in bytes). + + - name: mem.limit.bytes + type: long + format: bytes + description: > + The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. + + - name: mem.failures + type: long + description: > + The number of times that the memory limit (mem.limit.bytes) was reached. 
+ + - name: mem.low.bytes + type: long + format: bytes + description: memory low threshhold + - name: mem.high.bytes + type: long + format: bytes + description: memory high threshhold + - name: mem.max.bytes + type: long + format: bytes + description: memory max threshhold + - name: mem.events + type: group + description: number of times the controller tripped a given usage level + fields: + - name: low + type: long + description: low threshold + - name: high + type: long + description: high threshold + - name: max + type: long + description: max threshold + - name: oom + type: long + description: oom threshold + - name: oom_kill + type: long + description: oom killer threshold + - name: fail + type: long + description: failed threshold + - name: memsw.usage.bytes + type: long + format: bytes + description: > + The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). + + - name: memsw.usage.max.bytes + type: long + format: bytes + description: > + The maximum amount of memory and swap space used by processes in the cgroup (in bytes). + + - name: memsw.limit.bytes + type: long + format: bytes + description: > + The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. + + - name: memsw.low.bytes + type: long + format: bytes + description: memory low threshhold + - name: memsw.high.bytes + type: long + format: bytes + description: memory high threshhold + - name: memsw.max.bytes + type: long + format: bytes + description: memory max threshhold + - name: memsw.failures + type: long + description: > + The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. 
+ + - name: memsw.events + type: group + description: number of times the controller tripped a given usage level + fields: + - name: low + type: long + description: low threshold + - name: high + type: long + description: high threshold + - name: max + type: long + description: max threshold + - name: oom + type: long + description: oom threshold + - name: oom_kill + type: long + description: oom killer threshold + - name: fail + type: long + description: failed threshold + - name: kmem.usage.bytes + type: long + format: bytes + description: > + Total kernel memory usage by processes in the cgroup (in bytes). + + - name: kmem.usage.max.bytes + type: long + format: bytes + description: > + The maximum kernel memory used by processes in the cgroup (in bytes). + + - name: kmem.limit.bytes + type: long + format: bytes + description: > + The maximum amount of kernel memory that tasks in the cgroup are allowed to use. + + - name: kmem.failures + type: long + description: > + The number of times that the memory limit (kmem.limit.bytes) was reached. + + - name: kmem_tcp.usage.bytes + type: long + format: bytes + description: > + Total memory usage for TCP buffers in bytes. + + - name: kmem_tcp.usage.max.bytes + type: long + format: bytes + description: > + The maximum memory used for TCP buffers by processes in the cgroup (in bytes). + + - name: kmem_tcp.limit.bytes + type: long + format: bytes + description: > + The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. + + - name: kmem_tcp.failures + type: long + description: > + The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. + + - name: stats.* + type: object + description: detailed memory IO stats + - name: stats.*.bytes + type: object + description: detailed memory IO stats + - name: stats.active_anon.bytes + type: long + format: bytes + description: > + Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. 
+ + - name: stats.active_file.bytes + type: long + format: bytes + description: File-backed memory on active LRU list, in bytes. + - name: stats.cache.bytes + type: long + format: bytes + description: Page cache, including tmpfs (shmem), in bytes. + - name: stats.hierarchical_memory_limit.bytes + type: long + format: bytes + description: > + Memory limit for the hierarchy that contains the memory cgroup, in bytes. + + - name: stats.hierarchical_memsw_limit.bytes + type: long + format: bytes + description: > + Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. + + - name: stats.inactive_anon.bytes + type: long + format: bytes + description: > + Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes + + - name: stats.inactive_file.bytes + type: long + format: bytes + description: > + File-backed memory on inactive LRU list, in bytes. + + - name: stats.mapped_file.bytes + type: long + format: bytes + description: > + Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. + + - name: stats.page_faults + type: long + description: > + Number of times that a process in the cgroup triggered a page fault. + + - name: stats.major_page_faults + type: long + description: > + Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. + + - name: stats.pages_in + type: long + description: > + Number of pages paged into memory. This is a counter. + + - name: stats.pages_out + type: long + description: > + Number of pages paged out of memory. This is a counter. + + - name: stats.rss.bytes + type: long + format: bytes + description: > + Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. + + - name: stats.rss_huge.bytes + type: long + format: bytes + description: > + Number of bytes of anonymous transparent hugepages. 
+ + - name: stats.swap.bytes + type: long + format: bytes + description: > + Swap usage, in bytes. + + - name: stats.unevictable.bytes + type: long + format: bytes + description: > + Memory that cannot be reclaimed, in bytes. + + - name: blkio + type: group + description: Block IO metrics. + fields: + - name: id + type: keyword + description: ID of the cgroup. + - name: path + type: keyword + description: > + Path to the cgroup relative to the cgroup subsystems mountpoint. + + - name: total.bytes + type: long + format: bytes + description: > + Total number of bytes transferred to and from all block devices by processes in the cgroup. + + - name: total.ios + type: long + description: > + Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. + + - name: io + type: group + description: cgroup V2 IO Metrics, replacing blkio. + fields: + - name: id + type: keyword + description: ID of the cgroup. + - name: path + type: keyword + description: > + Path to the cgroup relative to the cgroup subsystems mountpoint. + + - name: stats.* + type: object + description: per-device IO usage stats + - name: stats.*.* + type: object + - name: stats.*.*.bytes + type: object + description: per-device IO usage stats + - name: stats.*.*.ios + type: object + description: per-device IO usage stats + - name: pressure + type: group + description: Pressure (resource contention) stats. 
+ fields:
+ - name: full
+ type: group
+ description: Share of time in which at least some tasks are stalled on a given resource
+ fields:
+ - name: 10.pct
+ type: float
+ format: percent
+ description: Pressure over 10 seconds
+ - name: 60.pct
+ type: float
+ format: percent
+ description: Pressure over 60 seconds
+ - name: 300.pct
+ type: float
+ format: percent
+ description: Pressure over 300 seconds
+ - name: total
+ type: long
+ description: total Some pressure time
+ - name: some
+ type: group
+ description: Share of time in which all tasks are stalled on a given resource
+ fields:
+ - name: 10.pct
+ type: float
+ format: percent
+ description: Pressure over 10 seconds
+ - name: 60.pct
+ type: float
+ format: percent
+ description: Pressure over 60 seconds
+ - name: 300.pct
+ type: float
+ description: Pressure over 300 seconds
+ - name: total
+ type: long
+ description: total Some pressure time
diff --git a/test/packages/parallel/system/data_stream/process/manifest.yml b/test/packages/parallel/system/data_stream/process/manifest.yml
new file mode 100644
index 000000000..1e2f70b60
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/manifest.yml
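Review bot: The `full` and `some` group descriptions under `system.process.cgroup.io.pressure`, at the end of this hunk, look swapped: `full` is described as "at least some tasks are stalled" and `some` as "all tasks are stalled", the reverse of the `cpu.pressure` group earlier in the same file. The `total` field under `full` also reads `total Some pressure time`. I would swap the two group descriptions and change that line to `description: total Full pressure time`, so that anyone building alerts on stall pressure reads the right metric.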
@@ -0,0 +1,97 @@
+title: System process metrics
+type: metrics
+streams:
+ - input: system/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 10s
+ - name: process.include_top_n.by_cpu
+ type: integer
+ title: Process Include Top N By Cpu
+ multi: false
+ required: true
+ show_user: true
+ default: 5
+ description: >
+ Include the top N processes by CPU usage.
+
+ - name: process.include_top_n.by_memory
+ type: integer
+ title: Process Include Top N By Memory
+ multi: false
+ required: true
+ show_user: true
+ default: 5
+ description: >
+ Include the top N processes by memory usage.
+
+ - name: process.cmdline.cache.enabled
+ type: bool
+ title: Enable cmdline cache
+ multi: false
+ required: false
+ show_user: true
+ default: true
+ description: >
+ If false, cmdline of a process is not cached.
+
+ - name: process.cgroups.enabled
+ type: bool
+ title: Enable cgroup reporting
+ multi: false
+ required: false
+ show_user: true
+ default: false
+ description: >
+ Enable collection of cgroup metrics from processes on Linux.
+
+ - name: process.env.whitelist
+ type: text
+ title: Env whitelist
+ multi: true
+ required: false
+ show_user: true
+ description: >
+ A list of regular expressions used to whitelist environment variables reported with the process metricset's events. Defaults to empty.
+
+ - name: process.include_cpu_ticks
+ type: bool
+ title: Include CPU Ticks
+ multi: false
+ required: false
+ show_user: true
+ default: false
+ description: >
+ Include the cumulative CPU tick values with the process metrics.
+
+ - name: processes
+ type: text
+ title: Processes
+ multi: true
+ required: true
+ show_user: true
+ description: >
+ A glob to match reported processes. By default all processes are reported.
+
+ default:
+ - .*
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ title: System process metrics
+ description: Collect System process metrics
diff --git a/test/packages/parallel/system/data_stream/process_summary/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/process_summary/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000..f72228d9f
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process_summary/agent/stream/stream.yml.hbs
@@ -0,0 +1,15 @@
+metricsets: ["process_summary"]
+period: {{period}}
+{{#if system.hostfs}}
+system.hostfs: {{system.hostfs}}
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/process_summary/fields/agent.yml b/test/packages/parallel/system/data_stream/process_summary/fields/agent.yml
new file mode 100644
index 000000000..37de0dc01
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process_summary/fields/agent.yml
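Review bot: The description of `process.env.whitelist` carries no caveat that environment variables matching one of its patterns are reported with the process events, presumably with their values. Environment variables commonly hold credentials and tokens, so a broad pattern would copy them into the metrics data stream, where they are readable by anyone with access to that data. I would extend the description with a sentence such as `Matching variables are exported with the event; avoid patterns that match variables holding secrets.` The empty default stated in the description keeps collection off until a user opts in.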
@@ -0,0 +1,205 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + dimension: true + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + dimension: true + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + dimension: true + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + dimension: true + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + dimension: true + - name: project.id + type: keyword + description: Name of the project in Google Cloud. 
+ - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + dimension: true + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. 
+ + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + dimension: true + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. 
+ + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/test/packages/parallel/system/data_stream/process_summary/fields/base-fields.yml b/test/packages/parallel/system/data_stream/process_summary/fields/base-fields.yml new file mode 100644 index 000000000..8ba4e88da --- /dev/null +++ b/test/packages/parallel/system/data_stream/process_summary/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: system +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: system.process.summary diff --git a/test/packages/parallel/system/data_stream/process_summary/fields/ecs.yml b/test/packages/parallel/system/data_stream/process_summary/fields/ecs.yml new file mode 100644 index 000000000..8840ed262 --- /dev/null +++ b/test/packages/parallel/system/data_stream/process_summary/fields/ecs.yml 
@@ -0,0 +1,49 @@
+- external: ecs
+ name: '@timestamp'
+- external: ecs
+ name: message
+- external: ecs
+ name: group
+- external: ecs
+ name: group.id
+- external: ecs
+ name: group.name
+- external: ecs
+ name: host
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: process
+- external: ecs
+ name: process.name
+- external: ecs
+ name: process.pid
+- external: ecs
+ name: source
+- external: ecs
+ name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_name
+- external: ecs
+ name: source.geo.country_iso_code
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- external: ecs
+ name: source.geo.region_iso_code
+- external: ecs
+ name: source.geo.region_name
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: source.port
+- external: ecs
+ name: user
+- external: ecs
+ name: user.id
+- external: ecs
+ name: user.name
+- external: ecs
+ name: agent.id
+ dimension: true
diff --git a/test/packages/parallel/system/data_stream/process_summary/fields/fields.yml b/test/packages/parallel/system/data_stream/process_summary/fields/fields.yml
new file mode 100644
index 000000000..bc9254a2a
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process_summary/fields/fields.yml
@@ -0,0 +1,44 @@
+- name: system.process.summary
+ title: Process Summary
+ type: group
+ fields:
+ - name: total
+ type: long
+ metric_type: gauge
+ description: |
+ Total number of processes on this host.
+ - name: running
+ type: long
+ metric_type: gauge
+ description: |
+ Number of running processes on this host.
+ - name: idle
+ type: long
+ metric_type: gauge
+ description: |
+ Number of idle processes on this host.
+ - name: sleeping
+ type: long
+ metric_type: gauge
+ description: |
+ Number of sleeping processes on this host.
+ - name: stopped
+ type: long
+ metric_type: gauge
+ description: |
+ Number of stopped processes on this host.
+ - name: zombie
+ type: long
+ metric_type: gauge
+ description: |
+ Number of zombie processes on this host.
+ - name: dead
+ type: long
+ metric_type: gauge
+ description: |
+ Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen.
+ - name: unknown
+ type: long
+ metric_type: gauge
+ description: |
+ Number of processes for which the state couldn't be retrieved or is unknown.
diff --git a/test/packages/parallel/system/data_stream/process_summary/manifest.yml b/test/packages/parallel/system/data_stream/process_summary/manifest.yml
new file mode 100644
index 000000000..c58d8cc8e
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process_summary/manifest.yml
@@ -0,0 +1,30 @@
+title: System process_summary metrics
+dataset: system.process.summary
+type: metrics
+elasticsearch:
+ index_mode: "time_series"
+streams:
+ - input: system/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 10s
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ title: System process_summary metrics
+ description: Collect System process_summary metrics
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json
new file mode 100644
index 000000000..874f22895
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json
@@ -0,0 +1,53 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:07:13.883Z",
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1100.xml"
+ },
+ "level": "information"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "agent": {
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "bcbde3d3-6558-46d7-aaee-ed9cf67e04d3"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "winlog": {
+ "keywords": [
+ "Audit Success"
+ ],
+ "time_created": "2019-11-07T10:37:04.226Z",
+ "outcome": "success",
+ "level": "information",
+ "process": {
+ "pid": 1144,
+ "thread": {
+ "id": 4532
+ }
+ },
+ "channel": "Security",
+ "event_id": 1100,
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "opcode": "Info",
+ "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
+ "provider_name": "Microsoft-Windows-Eventlog",
+ "record_id": 14257
+ },
+ "event": {
+ "code": 1100,
+ "provider": "Microsoft-Windows-Eventlog",
+ "outcome": "success",
+ "kind": "event"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json
new file mode 100644
index 000000000..ba8907c94
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json
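Review bot: This input fixture carries a developer's home directory and workstation name into the repository: `log.file.path` is `/Users/leehinman/src/beats/...` and `agent.name` is `Lees-MBP.localdomain`. The same values recur in test-1102.json, test-1104.json, test-1105.json and test-4670-windowssrv2016.json and in their expected files, while test-4663.json and test-4674.json already use neutral ones. I would use `"path": "/file/path/1100.xml"` and `"name": "AgentName"` here as well and regenerate the matching `-expected.json` files.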
@@ -0,0 +1,60 @@ +{ + "expected": [ + { + "@timestamp": "2019-11-07T10:37:04.226Z", + "agent": { + "ephemeral_id": "bcbde3d3-6558-46d7-aaee-ed9cf67e04d3", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logging-service-shutdown", + "category": [ + "process" + ], + "code": "1100", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", + "type": [ + "end" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1100.xml" + }, + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1100", + "keywords": [ + "Audit Success" + ], + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 1144, + "thread": { + "id": 4532 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "14257", + "time_created": "2019-11-07T10:37:04.226Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json new file mode 100644 index 000000000..32c199221 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json 
@@ -0,0 +1,60 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:07:33.932Z",
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1102.xml"
+ },
+ "level": "information"
+ },
+ "agent": {
+ "ephemeral_id": "737c4709-1498-44d4-b1e6-d21cac1470e5",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "winlog": {
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "opcode": "Info",
+ "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
+ "time_created": "2019-11-07T10:34:29.055Z",
+ "outcome": "success",
+ "level": "information",
+ "event_id": 1102,
+ "provider_name": "Microsoft-Windows-Eventlog",
+ "user_data": {
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "WLBEAT",
+ "SubjectLogonId": "0x50e87",
+ "xml_name": "LogFileCleared"
+ },
+ "keywords": [
+ "Audit Success"
+ ],
+ "process": {
+ "pid": 1144,
+ "thread": {
+ "id": 1824
+ }
+ },
+ "channel": "Security",
+ "record_id": 14224
+ },
+ "event": {
+ "provider": "Microsoft-Windows-Eventlog",
+ "outcome": "success",
+ "kind": "event",
+ "code": 1102
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json
new file mode 100644
index 000000000..af2f03a72
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json
@@ -0,0 +1,81 @@ +{ + "expected": [ + { + "@timestamp": "2019-11-07T10:34:29.055Z", + "agent": { + "ephemeral_id": "737c4709-1498-44d4-b1e6-d21cac1470e5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "audit-log-cleared", + "category": [ + "iam" + ], + "code": "1102", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1102.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1102", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x50e87" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 1144, + "thread": { + "id": 1824 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "14224", + "time_created": "2019-11-07T10:34:29.055Z", + "user_data": { + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x50e87", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "xml_name": "LogFileCleared" + } + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json new file mode 100644 index 000000000..db23db5c8 --- /dev/null 
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json
@@ -0,0 +1,53 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:06:48.792Z",
+ "event": {
+ "code": 1104,
+ "provider": "Microsoft-Windows-Eventlog",
+ "outcome": "success",
+ "kind": "event"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1104.xml"
+ },
+ "level": "error"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "agent": {
+ "version": "8.0.0",
+ "ephemeral_id": "ba338c91-ffb8-4b65-8c25-7990b1cf0e01",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "winlog": {
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 1096,
+ "thread": {
+ "id": 1444
+ }
+ },
+ "channel": "Security",
+ "event_id": 1104,
+ "record_id": 19352,
+ "time_created": "2019-11-08T07:56:17.321Z",
+ "level": "error",
+ "provider_name": "Microsoft-Windows-Eventlog",
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json
new file mode 100644
index 000000000..eb9a575b6
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json
@@ -0,0 +1,60 @@ +{ + "expected": [ + { + "@timestamp": "2019-11-08T07:56:17.321Z", + "agent": { + "ephemeral_id": "ba338c91-ffb8-4b65-8c25-7990b1cf0e01", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logging-full", + "category": [ + "iam" + ], + "code": "1104", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", + "type": [ + "admin" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1104.xml" + }, + "level": "error" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1104", + "keywords": [ + "Audit Success" + ], + "level": "error", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 1096, + "thread": { + "id": 1444 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "19352", + "time_created": "2019-11-08T07:56:17.321Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json new file mode 100644 index 000000000..e66a080f5 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json 
@@ -0,0 +1,58 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:06:53.816Z",
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "winlog": {
+ "time_created": "2019-11-07T16:22:14.842Z",
+ "outcome": "success",
+ "user_data": {
+ "xml_name": "AutoBackup",
+ "Channel": "Security",
+ "BackupPath": "C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx"
+ },
+ "process": {
+ "pid": 1156,
+ "thread": {
+ "id": 1484
+ }
+ },
+ "channel": "Security",
+ "event_id": 1105,
+ "provider_name": "Microsoft-Windows-Eventlog",
+ "opcode": "Info",
+ "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
+ "level": "information",
+ "record_id": 18197,
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "keywords": [
+ "Audit Success"
+ ]
+ },
+ "event": {
+ "provider": "Microsoft-Windows-Eventlog",
+ "outcome": "success",
+ "kind": "event",
+ "code": 1105
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1105.xml"
+ },
+ "level": "information"
+ },
+ "agent": {
+ "version": "8.0.0",
+ "ephemeral_id": "1b3ec690-31c3-4062-acdc-2afa56638178",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json
new file mode 100644
index 000000000..9d3b8c773
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json
@@ -0,0 +1,65 @@ +{ + "expected": [ + { + "@timestamp": "2019-11-07T16:22:14.842Z", + "agent": { + "ephemeral_id": "1b3ec690-31c3-4062-acdc-2afa56638178", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "auditlog-archieved", + "category": [ + "iam" + ], + "code": "1105", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", + "type": [ + "admin" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1105.xml" + }, + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1105", + "keywords": [ + "Audit Success" + ], + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 1156, + "thread": { + "id": 1484 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "18197", + "time_created": "2019-11-07T16:22:14.842Z", + "user_data": { + "BackupPath": "C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx", + "Channel": "Security", + "xml_name": "AutoBackup" + } + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json new file mode 100644 index 000000000..6eba23512 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json 
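Review bot: The expected `event.action` for event 1105 is spelled `auditlog-archieved`, so this fixture pins the misspelling as the pipeline's contract. A rule or dashboard that filters on the correctly spelled action will not match these events. If the value comes from the ingest pipeline (not visible here), I would correct it there and expect `"action": "auditlog-archived"` in this file. The neighbouring fixtures also mix naming styles (`audit-log-cleared`, `logging-full`), so one consistent form could be settled in the same pass.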
@@ -0,0 +1,74 @@ +{ + "events": [ + { + "@timestamp": "2021-11-11T04:51:32.660Z", + "ecs": { + "version": "1.11.0" + }, + "host": { + "name": "DC01.contoso.local" + }, + "agent": { + "version": "7.15.2", + "hostname": "hostname", + "ephemeral_id": "1e53eccd-9d5b-4001-9e6b-13b66625bb16", + "id": "7d1ef343-9372-428d-bd10-0a78e6894797", + "name": "AgentName", + "type": "filebeat" + }, + "winlog": { + "event_id": "4663", + "opcode": "Info", + "time_created": "2015-09-18T22:13:54.770Z", + "level": "information", + "process": { + "pid": 516, + "thread": { + "id": 524 + } + }, + "keywords": [ + "Audit Success" + ], + "outcome": "success", + "event_data": { + "AccessMask": "0x6", + "ProcessName": "C:\\\\Windows\\\\System32\\\\notepad.exe", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x4367b", + "ObjectType": "File", + "ObjectName": "C:\\\\Documents\\\\HBI Data.txt", + "AccessList": "%%4417 %%4418", + "ProcessId": "0x458", + "ResourceAttributes": "S:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))", + "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104", + "SubjectUserName": "dadmin", + "ObjectServer": "Security", + "HandleId": "0x1bc" + }, + "computer_name": "DC01.contoso.local", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "version": 1, + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 273866 + }, + "event": { + "code": "4663", + "kind": "event", + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/file/path/4663.xml" + }, + "level": "information" + }, + "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e \u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" 
/\u003e\u003cEventID\u003e4663\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e12800\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8020000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-09-18T22:13:54.770429700Z\" /\u003e\u003cEventRecordID\u003e273866\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"516\" ThreadID=\"524\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-21-3457937927-2839227994-823803824-1104\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003edadmin\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eCONTOSO\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x4367b\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eSecurity\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003eFile\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003eC:\\\\Documents\\\\HBI Data.txt\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x1bc\u003c/Data\u003e\u003cData Name=\"AccessList\"\u003e%%4417 %%4418\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e0x6\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x458\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\notepad.exe\u003c/Data\u003e\u003cData Name=\"ResourceAttributes\"\u003eS:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "input": { + "type": "log" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json new file mode 100644 index 000000000..7b99c5d76 --- /dev/null 
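Review bot: The Windows paths in `event_data` are escaped twice: `"ProcessName": "C:\\\\Windows\\\\System32\\\\notepad.exe"` decodes to a value with doubled backslashes, and `ObjectName` has the same form. The first event of test-4674.json does the same, and its expected file shows the doubled form carried into `process.executable`, whereas test-4670-windowssrv2016.json and the second 4674 event use the single-escaped form. These fixtures therefore do not exercise path values in the shape a path-based detection would see from a real host. I would write `"ProcessName": "C:\\Windows\\System32\\notepad.exe"` and `"ObjectName": "C:\\Documents\\HBI Data.txt"` and regenerate the expected output.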
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json 
@@ -0,0 +1,85 @@ +{ + "expected": [ + { + "@timestamp": "2015-09-18T22:13:54.770Z", + "agent": { + "ephemeral_id": "1e53eccd-9d5b-4001-9e6b-13b66625bb16", + "hostname": "hostname", + "id": "7d1ef343-9372-428d-bd10-0a78e6894797", + "name": "AgentName", + "type": "filebeat", + "version": "7.15.2" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "code": "4663", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "DC01.contoso.local" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/file/path/4663.xml" + }, + "level": "information" + }, + "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e \u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4663\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e12800\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8020000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-09-18T22:13:54.770429700Z\" /\u003e\u003cEventRecordID\u003e273866\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"516\" ThreadID=\"524\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-21-3457937927-2839227994-823803824-1104\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003edadmin\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eCONTOSO\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x4367b\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eSecurity\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003eFile\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003eC:\\\\Documents\\\\HBI 
Data.txt\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x1bc\u003c/Data\u003e\u003cData Name=\"AccessList\"\u003e%%4417 %%4418\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e0x6\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x458\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\notepad.exe\u003c/Data\u003e\u003cData Name=\"ResourceAttributes\"\u003eS:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "winlog": { + "channel": "Security", + "computer_name": "DC01.contoso.local", + "event_data": { + "AccessList": "%%4417 %%4418", + "AccessListDescription": [ + "WriteData (or AddFile)", + "AppendData (or AddSubdirectory or CreatePipeInstance)" + ], + "AccessMask": "0x6", + "AccessMaskDescription": [ + "Delete Child", + "List Contents" + ], + "HandleId": "0x1bc", + "ObjectName": "C:\\\\Documents\\\\HBI Data.txt", + "ObjectServer": "Security", + "ObjectType": "File", + "ProcessId": "0x458", + "ProcessName": "C:\\\\Windows\\\\System32\\\\notepad.exe", + "ResourceAttributes": "S:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x4367b", + "SubjectUserName": "dadmin", + "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104" + }, + "event_id": "4663", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4367b" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 524 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "273866", + "time_created": "2015-09-18T22:13:54.770Z", + "version": 1 + } + } + ] +} \ No newline at end of file 
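Review bot: The two decoded access fields disagree for this `File` object: `AccessListDescription` gives `WriteData (or AddFile)` and `AppendData (or AddSubdirectory or CreatePipeInstance)`, while `AccessMaskDescription` for the same `0x6` mask gives `Delete Child` and `List Contents`, which are directory-object right names. An analyst triaging on the mask description would read a file write as a directory operation. Presumably the pipeline (not visible here) decodes the mask without looking at `ObjectType`; if so, that should be fixed there and this fixture should expect `"AccessMaskDescription": ["WriteData (or AddFile)", "AppendData (or AddSubdirectory or CreatePipeInstance)"]`. The expected event also has no `event.action`, `user` or `process` fields although `SubjectUserName` and `ProcessName` are present, unlike the 4674 fixture, which is worth confirming as intended.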
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json new file mode 100644 index 000000000..5e3a49302 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json 
@@ -0,0 +1,67 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:09:09.111Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "agent": { + "ephemeral_id": "3d760cf7-94ed-4415-85cd-588f6adf9376", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "winlog": { + "provider_name": "Microsoft-Windows-Security-Auditing", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "level": "information", + "time_created": "2020-07-28T13:22:18.799Z", + "outcome": "success", + "channel": "Security", + "event_id": 4670, + "record_id": 31932, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "event_data": { + "HandleId": "0x56c", + "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)", + "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)", + "ProcessId": "0x2fc", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "ObjectName": "-", + "ProcessName": "C:\\Windows\\System32\\services.exe", + "SubjectUserSid": "S-1-5-18", + "ObjectServer": "Security", + "ObjectType": "Token" + }, + "process": { + "pid": 4, + "thread": { + "id": 4604 + } + } + }, + "event": { + "kind": "event", + "code": 4670, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.xml" + } + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json new file mode 100644 index 000000000..ab0423443 --- /dev/null 
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json 
@@ -0,0 +1,97 @@ +{ + "expected": [ + { + "@timestamp": "2020-07-28T13:22:18.799Z", + "agent": { + "ephemeral_id": "3d760cf7-94ed-4415-85cd-588f6adf9376", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "permissions-changed", + "category": [ + "iam", + "configuration" + ], + "code": "4670", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 764 + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "HandleId": "0x56c", + "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)", + "NewSdDacl0": "Local system :Access Allowed ([Generic All])", + "NewSdDacl1": "OW :Access Allowed ([Read Permissions])", + "NewSdDacl2": "S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed ([Generic All])", + "ObjectName": "-", + "ObjectServer": "Security", + "ObjectType": "Token", + "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)", + "OldSdDacl0": "Local system :Access Allowed ([Generic All])", + "OldSdDacl1": "Network service account :Access Allowed ([Generic All])", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4670", + "keywords": [ + "Audit Success" + ], + 
"level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 4604 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "31932", + "time_created": "2020-07-28T13:22:18.799Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json new file mode 100644 index 000000000..dc8434259 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json 
@@ -0,0 +1,125 @@ +{ + "events": [ + { + "@timestamp": "2021-11-11T17:14:52.001Z", + "agent": { + "name": "AgentName", + "type": "filebeat", + "version": "7.15.2", + "hostname": "hostname", + "ephemeral_id": "8c285603-b2ba-4891-8f1a-862ca3388614", + "id": "7d1ef343-9372-428d-bd10-0a78e6894797" + }, + "winlog": { + "time_created": "2015-10-09T00:22:36.237Z", + "event_id": "4674", + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Failure" + ], + "opcode": "Info", + "outcome": "failure", + "level": "information", + "event_data": { + "ProcessId": "0x1f0", + "SubjectDomainName": "NT AUTHORITY", + "SubjectLogonId": "0x3e5", + "ObjectType": "-", + "ObjectName": "-", + "AccessMask": "16777216", + "PrivilegeList": "SeSecurityPrivilege", + "ProcessName": "C:\\\\Windows\\\\System32\\\\lsass.exe", + "SubjectUserSid": "S-1-5-19", + "SubjectUserName": "LOCAL SERVICE", + "ObjectServer": "LSA", + "HandleId": "0x0" + }, + "process": { + "pid": 496, + "thread": { + "id": 504 + } + }, + "channel": "Security", + "record_id": 1099680, + "computer_name": "DC01.contoso.local", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}" + }, + "event": { + "code": "4674", + "kind": "event", + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "failure" + }, + "log": { + "file": { + "path": "/file/path/4674.xml" + }, + "level": "information" + }, + "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e\u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4674\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e13056\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8010000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-10-09T00:22:36.237816000Z\" 
/\u003e\u003cEventRecordID\u003e1099680\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"496\" ThreadID=\"504\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-19\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003eLOCAL SERVICE\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eNT AUTHORITY\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x3e5\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eLSA\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003e-\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003e-\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x0\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e16777216\u003c/Data\u003e\u003cData Name=\"PrivilegeList\"\u003eSeSecurityPrivilege\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x1f0\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\lsass.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "input": { + "type": "log" + }, + "ecs": { + "version": "1.11.0" + }, + "host": { + "name": "DC01.contoso.local" + } + }, + { + "@timestamp": "2021-11-11T17:14:53.001Z", + "event": { + "action": "Sensitive Privilege Use", + "code": "4674", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x5E2887\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\n\tObject Handle:\t0x1684\n\nProcess 
Information:\n\tProcess ID:\t0x3e4\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nRequested Operation:\n\tDesired Access:\tREAD_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\n\tPrivileges:\t\tSeSecurityPrivilege", + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "AccessMask": "%%1538\n\t\t\t\t%%1542\n\t\t\t\t", + "HandleId": "0x1684", + "ObjectName": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor", + "ObjectServer": "Security", + "ObjectType": "File", + "PrivilegeList": "SeSecurityPrivilege", + "ProcessId": "0x3e4", + "ProcessName": "C:\\Windows\\System32\\svchost.exe", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x5e2887", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" + }, + "event_id": "4674", + "keywords": [ + "Audit Success" + ], + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 604, + "thread": { + "id": 612 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 18232147, + "task": "Sensitive Privilege Use", + "time_created": "2022-08-01T08:53:50.3336583Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json new file mode 100644 index 000000000..6e388d03e --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json 
@@ -0,0 +1,184 @@ +{ + "expected": [ + { + "@timestamp": "2015-10-09T00:22:36.237Z", + "agent": { + "ephemeral_id": "8c285603-b2ba-4891-8f1a-862ca3388614", + "hostname": "hostname", + "id": "7d1ef343-9372-428d-bd10-0a78e6894797", + "name": "AgentName", + "type": "filebeat", + "version": "7.15.2" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "privileged-operation", + "category": [ + "iam" + ], + "code": "4674", + "kind": "event", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin" + ] + }, + "host": { + "name": "DC01.contoso.local" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/file/path/4674.xml" + }, + "level": "information" + }, + "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e\u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4674\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e13056\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8010000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-10-09T00:22:36.237816000Z\" /\u003e\u003cEventRecordID\u003e1099680\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"496\" ThreadID=\"504\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-19\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003eLOCAL SERVICE\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eNT AUTHORITY\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x3e5\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eLSA\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003e-\u003c/Data\u003e\u003cData 
Name=\"ObjectName\"\u003e-\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x0\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e16777216\u003c/Data\u003e\u003cData Name=\"PrivilegeList\"\u003eSeSecurityPrivilege\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x1f0\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\lsass.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "process": { + "executable": "C:\\\\Windows\\\\System32\\\\lsass.exe", + "name": "lsass.exe", + "pid": 496 + }, + "related": { + "user": [ + "LOCAL SERVICE" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-19", + "name": "LOCAL SERVICE" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC01.contoso.local", + "event_data": { + "AccessMask": "16777216", + "AccessMaskDescription": [ + "ADS_RIGHT_ACCESS_SYSTEM_SECURITY" + ], + "HandleId": "0x0", + "ObjectName": "-", + "ObjectServer": "LSA", + "ObjectType": "-", + "PrivilegeList": [ + "SeSecurityPrivilege" + ], + "SubjectDomainName": "NT AUTHORITY", + "SubjectLogonId": "0x3e5", + "SubjectUserName": "LOCAL SERVICE", + "SubjectUserSid": "S-1-5-19" + }, + "event_id": "4674", + "keywords": [ + "Audit Failure" + ], + "level": "information", + "logon": { + "id": "0x3e5" + }, + "opcode": "Info", + "outcome": "failure", + "process": { + "pid": 496, + "thread": { + "id": 504 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1099680", + "time_created": "2015-10-09T00:22:36.237Z" + } + }, + { + "@timestamp": "2022-08-01T08:53:50.333Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "privileged-operation", + "category": [ + "iam" + ], + "code": "4674", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + 
"message": "An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x5E2887\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\n\tObject Handle:\t0x1684\n\nProcess Information:\n\tProcess ID:\t0x3e4\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nRequested Operation:\n\tDesired Access:\tREAD_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\n\tPrivileges:\t\tSeSecurityPrivilege", + "process": { + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 996 + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "AccessMask": "%%1538\n\t\t\t\t%%1542\n\t\t\t\t", + "AccessMaskDescription": [ + "Delete Child", + "List Contents" + ], + "HandleId": "0x1684", + "ObjectName": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor", + "ObjectServer": "Security", + "ObjectType": "File", + "PrivilegeList": [ + "SeSecurityPrivilege" + ], + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x5e2887", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" + }, + "event_id": "4674", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x5e2887" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 604, + "thread": { + "id": 612 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "18232147", + "task": "Sensitive Privilege Use", + "time_created": "2022-08-01T08:53:50.3336583Z" + } + } 
+ ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json new file mode 100644 index 000000000..71b628dde --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json 
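Review bot: The second expected event pins `AccessMaskDescription` to `"Delete Child", "List Contents"` for `AccessMask` `%%1538` / `%%1542`, but the rendered `message` of the same event gives the desired access as READ_CONTROL and ACCESS_SYS_SEC. The baseline therefore appears to lock in a wrong translation of the access-mask codes, which would mislead anyone triaging event 4674 from the enriched field. The lookup lives in the ingest pipeline, which this hunk does not show. If it is at fault, fix it there and regenerate this file so the two entries read `"READ_CONTROL"` and `"ACCESS_SYS_SEC"`.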
@@ -0,0 +1,66 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:08:19.021Z", + "event": { + "kind": "event", + "code": 4706, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.xml" + }, + "level": "information" + }, + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "9e4d57e6-8caa-43f7-aa64-6b78dc45ae4d", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "winlog": { + "event_id": 4706, + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Success" + ], + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "process": { + "pid": 776, + "thread": { + "id": 3056 + } + }, + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "outcome": "success", + "event_data": { + "DomainName": "192.168.230.153", + "SubjectUserName": "Administrator", + "SubjectLogonId": "0x6a868", + "TdoType": "3", + "DomainSid": "S-1-0-0", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "SubjectDomainName": "TEST", + "TdoDirection": "3", + "TdoAttributes": "1", + "SidFilteringEnabled": "%%1796" + }, + "time_created": "2020-07-27T09:42:48.369Z", + "channel": "Security", + "record_id": 6017, + "opcode": "Info", + "level": "information" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json new file mode 100644 index 000000000..8fb08637e --- /dev/null 
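Review bot: This fixture carries a developer's home-directory path in `log.file.path` (`/Users/leehinman/src/beats/...`) and a workstation hostname in `agent.name` (`Lees-MBP.localdomain`). The same values recur in the other `windowssrv2016` input and expected files added by this patch (4706 through 4719). The test-4674 expected file in the same patch already uses neutral values, so these could follow it, e.g. `"path": "/file/path/4706_WindowsSrv2016.xml"` and `"name": "AgentName"`, with the matching `-expected.json` regenerated afterwards. Nothing in the visible events suggests the pipeline depends on either field, but confirm that before changing them.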
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json 
@@ -0,0 +1,89 @@ +{ + "expected": [ + { + "@timestamp": "2020-07-27T09:42:48.369Z", + "agent": { + "ephemeral_id": "9e4d57e6-8caa-43f7-aa64-6b78dc45ae4d", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "domain-trust-added", + "category": [ + "configuration" + ], + "code": "4706", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainName": "192.168.230.153", + "DomainSid": "S-1-0-0", + "SidFilteringEnabled": "%%1796", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "TdoAttributes": "1", + "TdoDirection": "3", + "TdoType": "3" + }, + "event_id": "4706", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x6a868" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 3056 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "6017", + "time_created": "2020-07-27T09:42:48.369Z", + "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", + "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", + "trustType": 
"TRUST_TYPE_MIT" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json new file mode 100644 index 000000000..ada3ae0d3 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json @@ -0,0 +1,61 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:04:18.060Z", + "agent": { + "version": "8.0.0", + "ephemeral_id": "3d917dba-6707-4ee1-be70-ba855a9e5b1c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "winlog": { + "channel": "Security", + "event_id": 4707, + "provider_name": "Microsoft-Windows-Security-Auditing", + "time_created": "2020-07-28T06:18:04.600Z", + "level": "information", + "process": { + "pid": 776, + "thread": { + "id": 2012 + } + }, + "record_id": 13679, + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "outcome": "success", + "event_data": { + "SubjectLogonId": "0x6a868", + "DomainName": "192.168.230.153", + "DomainSid": "S-1-0-0", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "TEST" + } + }, + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event", + "code": 4707 + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.xml" + }, + "level": "information" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json
new file mode 100644
index 000000000..d258bfedc
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json
@@ -0,0 +1,81 @@ +{ + "expected": [ + { + "@timestamp": "2020-07-28T06:18:04.600Z", + "agent": { + "ephemeral_id": "3d917dba-6707-4ee1-be70-ba855a9e5b1c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "domain-trust-removed", + "category": [ + "configuration" + ], + "code": "4707", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "deletion" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainName": "192.168.230.153", + "DomainSid": "S-1-0-0", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" + }, + "event_id": "4707", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x6a868" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 2012 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13679", + "time_created": "2020-07-28T06:18:04.600Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json new file mode 100644 index 000000000..b2cea0250 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json @@ -0,0 +1,61 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:05:43.545Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "winlog": { + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 2012 + } + }, + "channel": "Security", + "event_id": 4713, + "provider_name": "Microsoft-Windows-Security-Auditing", + "time_created": "2020-07-28T10:15:43.495Z", + "level": "information", + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "record_id": 21265, + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "SubjectUserSid": "S-1-5-18", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "KerberosPolicyChange": "KerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); " + }, + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}" + }, + "event": { + "kind": "event", + "code": 4713, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.xml" + }, + "level": "information" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "00d05603-1d0f-476c-99f7-059a70f43625", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json
new file mode 100644
index 000000000..7f197a8b7
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json
@@ -0,0 +1,81 @@ +{ + "expected": [ + { + "@timestamp": "2020-07-28T10:15:43.495Z", + "agent": { + "ephemeral_id": "00d05603-1d0f-476c-99f7-059a70f43625", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "kerberos-policy-changed", + "category": [ + "configuration" + ], + "code": "4713", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "KerberosPolicyChange": "KerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4713", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 2012 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "21265", + "time_created": "2020-07-28T10:15:43.495Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json new file mode 100644 index 000000000..9959d2738 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json @@ -0,0 +1,66 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:08:54.080Z", + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.xml" + }, + "level": "information" + }, + "agent": { + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "73327973-22b1-49d2-ba3c-f467e39c81a0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "winlog": { + "event_id": 4716, + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "channel": "Security", + "time_created": "2020-07-28T08:17:00.470Z", + "record_id": 14929, + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "outcome": "success", + "event_data": { + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "DomainSid": "S-1-0-0", + "TdoAttributes": "1", + "SidFilteringEnabled": "-", + "SubjectUserName": "Administrator", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "DomainName": "-", + "TdoType": "3", + "TdoDirection": "3" + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "opcode": "Info", + "level": "information", + "process": { + "pid": 776, + "thread": { + "id": 3776 + } + } + }, + "event": { + "kind": "event", + "code": 4716, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json
new file mode 100644
index 000000000..58b0730cf
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json
@@ -0,0 +1,89 @@ +{ + "expected": [ + { + "@timestamp": "2020-07-28T08:17:00.470Z", + "agent": { + "ephemeral_id": "73327973-22b1-49d2-ba3c-f467e39c81a0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "trusted-domain-information-changed", + "category": [ + "configuration" + ], + "code": "4716", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainName": "-", + "DomainSid": "S-1-0-0", + "SidFilteringEnabled": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "TdoAttributes": "1", + "TdoDirection": "3", + "TdoType": "3" + }, + "event_id": "4716", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x6a868" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 3776 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "14929", + "time_created": "2020-07-28T08:17:00.470Z", + "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", + "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", + "trustType": 
"TRUST_TYPE_MIT" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json new file mode 100644 index 000000000..50d6b908d --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json @@ -0,0 +1,62 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:04:08.002Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-BVM4LI1L1Q6" + }, + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "1271c200-5f2f-42c7-bc2f-abbdc1211f37" + }, + "winlog": { + "computer_name": "WIN-BVM4LI1L1Q6", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2020-07-27T09:30:41.903Z", + "channel": "Security", + "event_id": 4717, + "outcome": "success", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1571, + "level": "information", + "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", + "process": { + "pid": 776, + "thread": { + "id": 820 + } + }, + "event_data": { + "SubjectUserSid": "S-1-5-18", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "TargetSid": "S-1-5-9", + "AccessGranted": "SeNetworkLogonRight" + } + }, + "event": { + "kind": "event", + "code": 4717, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.xml" + }, + "level": "information" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json
new file mode 100644
index 000000000..02be43b6a
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json
@@ -0,0 +1,84 @@ +{ + "expected": [ + { + "@timestamp": "2020-07-27T09:30:41.903Z", + "agent": { + "ephemeral_id": "1271c200-5f2f-42c7-bc2f-abbdc1211f37", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "system-security-access-granted", + "category": [ + "iam", + "configuration" + ], + "code": "4717", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6", + "event_data": { + "AccessGranted": "SeNetworkLogonRight", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18", + "TargetSid": "S-1-5-9" + }, + "event_id": "4717", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1571", + "time_created": "2020-07-27T09:30:41.903Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json new file mode 100644 index 000000000..240edb06f --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json @@ -0,0 +1,62 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:09:59.181Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-BVM4LI1L1Q6" + }, + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "2ab86036-bb3b-4131-a797-34f5dca7b048" + }, + "winlog": { + "time_created": "2020-07-27T09:30:41.877Z", + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "outcome": "success", + "event_data": { + "SubjectUserSid": "S-1-5-18", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "TargetSid": "S-1-5-32-545", + "AccessRemoved": "SeNetworkLogonRight" + }, + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6", + "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", + "record_id": 1565, + "opcode": "Info", + "level": "information", + "process": { + "pid": 776, + "thread": { + "id": 820 + } + }, + "event_id": 4718 + }, + "event": { + "kind": "event", + "code": 4718, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.xml" + }, + "level": "information" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json
new file mode 100644
index 000000000..b35c42e93
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json
@@ -0,0 +1,84 @@ +{ + "expected": [ + { + "@timestamp": "2020-07-27T09:30:41.877Z", + "agent": { + "ephemeral_id": "2ab86036-bb3b-4131-a797-34f5dca7b048", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "system-security-access-removed", + "category": [ + "iam", + "configuration" + ], + "code": "4718", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "deletion" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6", + "event_data": { + "AccessRemoved": "SeNetworkLogonRight", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18", + "TargetSid": "S-1-5-32-545" + }, + "event_id": "4718", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1565", + "time_created": "2020-07-27T09:30:41.877Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json new file mode 100644 index 000000000..11b58fcaf --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json @@ -0,0 +1,64 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:03:47.877Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "615d6dcc-ad38-494d-a4d6-bc35a1bcb7fe", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat" + }, + "winlog": { + "channel": "Security", + "outcome": "success", + "event_id": 4719, + "provider_name": "Microsoft-Windows-Security-Auditing", + "opcode": "Info", + "record_id": 123879, + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "level": "information", + "activity_id": "{65461d39-753f-0000-731d-46653f75d601}", + "process": { + "pid": 780, + "thread": { + "id": 2764 + } + }, + "keywords": [ + "Audit Success" + ], + "time_created": "2020-08-18T13:45:57.480Z", + "event_data": { + "SubcategoryGuid": "{0cce9227-69ae-11d9-bed3-505054503030}", + "AuditPolicyChanges": "%%8448", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x44d7d", + "CategoryId": "%%8274", + "SubcategoryId": "%%12804" + } + }, + "event": { + "kind": "event", + "code": 4719, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.xml" + } + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json
new file mode 100644
index 000000000..51c28011e
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json
@@ -0,0 +1,91 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2020-08-18T13:45:57.480Z",
+ "agent": {
+ "ephemeral_id": "615d6dcc-ad38-494d-a4d6-bc35a1bcb7fe",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "changed-audit-config",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "4719",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "admin",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-BVM4LI1L1Q6.TEST.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-21-2024912787-2692429404-2351956786-500",
+ "name": "Administrator"
+ },
+ "winlog": {
+ "activity_id": "{65461d39-753f-0000-731d-46653f75d601}",
+ "channel": "Security",
+ "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+ "event_data": {
+ "AuditPolicyChanges": "%%8448",
+ "AuditPolicyChangesDescription": [
+ "Success removed"
+ ],
+ "Category": "Object Access",
+ "CategoryId": "%%8274",
+ "SubCategory": "Other Object Access Events",
+ "SubcategoryGuid": "{0cce9227-69ae-11d9-bed3-505054503030}",
+ "SubcategoryId": "%%12804",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x44d7d",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500"
+ },
+ "event_id": "4719",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x44d7d"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 2764
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "123879",
+ "time_created": "2020-08-18T13:45:57.480Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json
new file mode 100644
index 000000000..4731be62d
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json
@@ -0,0 +1,64 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:05:53.569Z",
+ "agent": {
+ "ephemeral_id": "a5d5ef8c-c4b4-402a-9d5d-a3643947e76a",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "winlog": {
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "level": "information",
+ "time_created": "2019-11-07T15:22:57.655Z",
+ "event_data": {
+ "SubjectLogonId": "0x3e7",
+ "CategoryId": "%%8273",
+ "SubcategoryId": "%%12552",
+ "SubcategoryGuid": "{0cce9243-69ae-11d9-bed3-505054503030}",
+ "AuditPolicyChanges": "%%8449, %%8451",
+ "SubjectUserSid": "S-1-5-18",
+ "SubjectUserName": "WIN-41OB2LO92CR$",
+ "SubjectDomainName": "WLBEAT"
+ },
+ "activity_id": "{3eef0a0d-9551-0000-140c-ef3e5195d501}",
+ "process": {
+ "thread": {
+ "id": 2944
+ },
+ "pid": 772
+ },
+ "channel": "Security",
+ "event_id": 4719,
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "record_id": 17154,
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "outcome": "success"
+ },
+ "event": {
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "kind": "event",
+ "code": 4719
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json
new file mode 100644
index 000000000..c23e65ecc
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json
@@ -0,0 +1,92 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-11-07T15:22:57.655Z",
+ "agent": {
+ "ephemeral_id": "a5d5ef8c-c4b4-402a-9d5d-a3643947e76a",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "changed-audit-config",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "4719",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "admin",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "WIN-41OB2LO92CR$"
+ ]
+ },
+ "user": {
+ "domain": "WLBEAT",
+ "id": "S-1-5-18",
+ "name": "WIN-41OB2LO92CR$"
+ },
+ "winlog": {
+ "activity_id": "{3eef0a0d-9551-0000-140c-ef3e5195d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "event_data": {
+ "AuditPolicyChanges": "%%8449, %%8451",
+ "AuditPolicyChangesDescription": [
+ "Success Added",
+ "Failure Added"
+ ],
+ "Category": "Logon/Logoff",
+ "CategoryId": "%%8273",
+ "SubCategory": "Network Policy Server",
+ "SubcategoryGuid": "{0cce9243-69ae-11d9-bed3-505054503030}",
+ "SubcategoryId": "%%12552",
+ "SubjectDomainName": "WLBEAT",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "WIN-41OB2LO92CR$",
+ "SubjectUserSid": "S-1-5-18"
+ },
+ "event_id": "4719",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 772,
+ "thread": {
+ "id": 2944
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "17154",
+ "time_created": "2019-11-07T15:22:57.655Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json
new file mode 100644
index 000000000..e23bd7817
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json
@@ -0,0 +1,72 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-11-11T17:14:52.001Z",
+ "event": {
+ "action": "User Account Management",
+ "code": "4738",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "host": {
+ "name": "DC_TEST2k12"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x5E2887\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-8884\n\tAccount Name:\t\tanatest1\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\tanatest12@TEST\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t-\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t-\n\tNew UAC Value:\t\t-\n\tUser Account Control:\t-\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12",
+ "event_data": {
+ "AccountExpires": "-",
+ "AllowedToDelegateTo": "-",
+ "DisplayName": "-",
+ "Dummy": "-",
+ "HomeDirectory": "-",
+ "HomePath": "-",
+ "LogonHours": "-",
+ "NewUacValue": "-",
+ "OldUacValue": "-",
+ "PasswordLastSet": "-",
+ "PrimaryGroupId": "-",
+ "PrivilegeList": "-",
+ "ProfilePath": "-",
+ "SamAccountName": "-",
+ "ScriptPath": "-",
+ "SidHistory": "-",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x5e2887",
+ "SubjectUserName": "at_adm",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-8884",
+ "TargetUserName": "anatest1",
+ "UserAccountControl": "-",
+ "UserParameters": "-",
+ "UserPrincipalName": "anatest12@TEST",
+ "UserWorkstations": "-"
+ },
+ "event_id": "4738",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 604,
+ "thread": {
+ "id": 864
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 18232108,
+ "task": "User Account Management",
+ "time_created": "2022-08-01T08:49:58.8259888Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json
new file mode 100644
index 000000000..0c6f66fc8
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json
@@ -0,0 +1,101 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-08-01T08:49:58.825Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "modified-user-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4738",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "DC_TEST2k12"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x5E2887\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-8884\n\tAccount Name:\t\tanatest1\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\tanatest12@TEST\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t-\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t-\n\tNew UAC Value:\t\t-\n\tUser Account Control:\t-\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+ "related": {
+ "user": [
+ "at_adm",
+ "anatest1"
+ ]
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "name": "at_adm",
+ "target": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-8884",
+ "name": "anatest1"
+ }
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12",
+ "event_data": {
+ "AccountExpires": "-",
+ "AllowedToDelegateTo": "-",
+ "DisplayName": "-",
+ "Dummy": "-",
+ "HomeDirectory": "-",
+ "HomePath": "-",
+ "LogonHours": "-",
+ "NewUacValue": "-",
+ "OldUacValue": "-",
+ "PasswordLastSet": "-",
+ "PrimaryGroupId": "-",
+ "PrivilegeList": "-",
+ "ProfilePath": "-",
+ "SamAccountName": "-",
+ "ScriptPath": "-",
+ "SidHistory": "-",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x5e2887",
+ "SubjectUserName": "at_adm",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-8884",
+ "TargetUserName": "anatest1",
+ "UserAccountControl": "-",
+ "UserParameters": "-",
+ "UserPrincipalName": "anatest12@TEST",
+ "UserWorkstations": "-"
+ },
+ "event_id": "4738",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x5e2887"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 604,
+ "thread": {
+ "id": 864
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "18232108",
+ "task": "User Account Management",
+ "time_created": "2022-08-01T08:49:58.8259888Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json
new file mode 100644
index 000000000..c4235d797
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json
@@ -0,0 +1,68 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:03:12.598Z",
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-BVM4LI1L1Q6.TEST.local"
+ },
+ "agent": {
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "bd63c19a-cad0-4833-9b84-5ed4e7e27cc5"
+ },
+ "winlog": {
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "event_data": {
+ "DomainBehaviorVersion": "-",
+ "DomainName": "TEST",
+ "SubjectUserSid": "S-1-5-18",
+ "SubjectUserName": "WIN-BVM4LI1L1Q6$",
+ "MixedDomainMode": "-",
+ "DomainPolicyChanged": "Password Policy",
+ "DomainSid": "S-1-5-21-2024912787-2692429404-2351956786",
+ "SubjectLogonId": "0x3e7",
+ "PrivilegeList": "-",
+ "OemInformation": "-",
+ "SubjectDomainName": "TEST",
+ "PasswordHistoryLength": "-",
+ "MachineAccountQuota": "-"
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "event_id": 4739,
+ "record_id": 3532,
+ "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+ "keywords": [
+ "Audit Success"
+ ],
+ "time_created": "2020-07-27T09:34:50.157Z",
+ "outcome": "success",
+ "level": "information",
+ "channel": "Security",
+ "process": {
+ "pid": 776,
+ "thread": {
+ "id": 812
+ }
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4739,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json
new file mode 100644
index 000000000..e661faa33
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json 
@@ -0,0 +1,88 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2020-07-27T09:34:50.157Z",
+ "agent": {
+ "ephemeral_id": "bd63c19a-cad0-4833-9b84-5ed4e7e27cc5",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "domain-policy-changed",
+ "category": [
+ "configuration"
+ ],
+ "code": "4739",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-BVM4LI1L1Q6.TEST.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "WIN-BVM4LI1L1Q6$"
+ ]
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-18",
+ "name": "WIN-BVM4LI1L1Q6$"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+ "event_data": {
+ "DomainBehaviorVersion": "-",
+ "DomainName": "TEST",
+ "DomainPolicyChanged": "Password Policy",
+ "DomainSid": "S-1-5-21-2024912787-2692429404-2351956786",
+ "MachineAccountQuota": "-",
+ "MixedDomainMode": "-",
+ "OemInformation": "-",
+ "PasswordHistoryLength": "-",
+ "PrivilegeList": "-",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "WIN-BVM4LI1L1Q6$",
+ "SubjectUserSid": "S-1-5-18"
+ },
+ "event_id": "4739",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 776,
+ "thread": {
+ "id": 812
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "3532",
+ "time_created": "2020-07-27T09:34:50.157Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json
new file mode 100644
index 000000000..524720e31
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json
@@ -0,0 +1,74 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-11-11T17:14:52.001Z",
+ "event": {
+ "action": "Computer Account Management",
+ "code": "4742",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST."
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A computer account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E6\n\nComputer Account That Was Changed:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-11556\n\tAccount Name:\t\tTEST4642$\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t01/08/2022 10:56:47\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t-\n\tNew UAC Value:\t\t-\n\tUser Account Control:\t-\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.",
+ "event_data": {
+ "AccountExpires": "-",
+ "AllowedToDelegateTo": "-",
+ "ComputerAccountChange": "-",
+ "DisplayName": "-",
+ "DnsHostName": "-",
+ "HomeDirectory": "-",
+ "HomePath": "-",
+ "LogonHours": "-",
+ "NewUacValue": "-",
+ "OldUacValue": "-",
+ "PasswordLastSet": "01/08/2022 10:56:47",
+ "PrimaryGroupId": "-",
+ "PrivilegeList": "-",
+ "ProfilePath": "-",
+ "SamAccountName": "-",
+ "ScriptPath": "-",
+ "ServicePrincipalNames": "-",
+ "SidHistory": "-",
+ "SubjectDomainName": "NT AUTHORITY",
+ "SubjectLogonId": "0x3e6",
+ "SubjectUserName": "ANONYMOUS LOGON",
+ "SubjectUserSid": "S-1-5-7",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-11556",
+ "TargetUserName": "TEST4642$",
+ "UserAccountControl": "-",
+ "UserParameters": "-",
+ "UserPrincipalName": "-",
+ "UserWorkstations": "-"
+ },
+ "event_id": "4742",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 604,
+ "thread": {
+ "id": 864
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 18232202,
+ "task": "Computer Account Management",
+ "time_created": "2022-08-01T08:56:47.9740262Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json
new file mode 100644
index 000000000..77d449f58
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json
@@ -0,0 +1,104 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-08-01T08:56:47.974Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "changed-computer-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4742",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "change",
+ "admin"
+ ]
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST."
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A computer account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E6\n\nComputer Account That Was Changed:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-11556\n\tAccount Name:\t\tTEST4642$\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t01/08/2022 10:56:47\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t-\n\tNew UAC Value:\t\t-\n\tUser Account Control:\t-\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+ "related": {
+ "user": [
+ "ANONYMOUS LOGON"
+ ]
+ },
+ "user": {
+ "domain": "NT AUTHORITY",
+ "id": "S-1-5-7",
+ "name": "ANONYMOUS LOGON"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computerObject": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-11556",
+ "name": "TEST4642$"
+ },
+ "computer_name": "DC_TEST2k12.TEST.",
+ "event_data": {
+ "AccountExpires": "-",
+ "AllowedToDelegateTo": "-",
+ "ComputerAccountChange": "-",
+ "DisplayName": "-",
+ "DnsHostName": "-",
+ "HomeDirectory": "-",
+ "HomePath": "-",
+ "LogonHours": "-",
+ "NewUacValue": "-",
+ "OldUacValue": "-",
+ "PasswordLastSet": "01/08/2022 10:56:47",
+ "PrimaryGroupId": "-",
+ "PrivilegeList": [
+ "-"
+ ],
+ "ProfilePath": "-",
+ "SamAccountName": "-",
+ "ScriptPath": "-",
+ "ServicePrincipalNames": "-",
+ "SidHistory": "-",
+ "SubjectDomainName": "NT AUTHORITY",
+ "SubjectLogonId": "0x3e6",
+ "SubjectUserName": "ANONYMOUS LOGON",
+ "SubjectUserSid": "S-1-5-7",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-11556",
+ "TargetUserName": "TEST4642$",
+ "UserAccountControl": "-",
+ "UserParameters": "-",
+ "UserPrincipalName": "-",
+ "UserWorkstations": "-"
+ },
+ "event_id": "4742",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x3e6"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 604,
+ "thread": {
+ "id": 864
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "18232202",
+ "task": "Computer Account Management",
+ "time_created": "2022-08-01T08:56:47.9740262Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json
new file mode 100644
index 000000000..d9faf0bd6
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json
@@ -0,0 +1,63 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:09:49.144Z",
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "agent": {
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "851a38b2-b036-44b2-9c64-2ee2c4567d73",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain"
+ },
+ "winlog": {
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "outcome": "success",
+ "level": "information",
+ "event_data": {
+ "TargetUserName": "TESTCOMPUTEROBJ$",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "SubjectUserName": "at_adm",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "PrivilegeList": "-"
+ },
+ "event_id": 4743,
+ "record_id": 3699966,
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "opcode": "Info",
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 664
+ }
+ },
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Success"
+ ],
+ "time_created": "2019-12-18T16:25:21.578Z"
+ },
+ "event": {
+ "kind": "event",
+ "code": 4743,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4743.xml"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json
new file mode 100644
index 000000000..f2ad8d323
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json
@@ -0,0 +1,91 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-12-18T16:25:21.578Z",
+ "agent": {
+ "ephemeral_id": "851a38b2-b036-44b2-9c64-2ee2c4567d73",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "deleted-computer-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4743",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "deletion",
+ "admin"
+ ]
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4743.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "at_adm"
+ ]
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computerObject": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2902",
+ "name": "TESTCOMPUTEROBJ$"
+ },
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "PrivilegeList": [
+ "-"
+ ],
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "SubjectUserName": "at_adm",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902",
+ "TargetUserName": "TESTCOMPUTEROBJ$"
+ },
+ "event_id": "4743",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x2e67800"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 664
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "3699966",
+ "time_created": "2019-12-18T16:25:21.578Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json
new file mode 100644
index 000000000..522996830
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:09:19.113Z",
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "agent": {
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "8110911f-6b3a-4c77-9d29-41319d5bfa08",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "winlog": {
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 664
+ }
+ },
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "outcome": "success",
+ "record_id": 3699973,
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "keywords": [
+ "Audit Success"
+ ],
+ "time_created": "2019-12-18T16:26:46.874Z",
+ "level": "information",
+ "channel": "Security",
+ "event_id": 4744,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "event_data": {
+ "TargetUserName": "testdistlocal",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903",
+ "SubjectUserName": "at_adm",
+ "SubjectDomainName": "TEST",
+ "SamAccountName": "testdistlocal",
+ "TargetDomainName": "TEST",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "SubjectLogonId": "0x2e67800",
+ "PrivilegeList": "-",
+ "SidHistory": "-"
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4744,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4744.xml"
+ },
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json
new file mode 100644
index 000000000..633a3e5ca
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json
@@ -0,0 +1,91 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-12-18T16:26:46.874Z",
+ "agent": {
+ "ephemeral_id": "8110911f-6b3a-4c77-9d29-41319d5bfa08",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "added-distribution-group-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4744",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "group",
+ "creation"
+ ]
+ },
+ "group": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2903",
+ "name": "testdistlocal"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4744.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "at_adm"
+ ]
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "PrivilegeList": "-",
+ "SamAccountName": "testdistlocal",
+ "SidHistory": "-",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "SubjectUserName": "at_adm",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903",
+ "TargetUserName": "testdistlocal"
+ },
+ "event_id": "4744",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x2e67800"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 664
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "3699973",
+ "time_created": "2019-12-18T16:26:46.874Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json
new file mode 100644
index 000000000..a1a517277
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:08:59.093Z",
+ "agent": {
+ "version": "8.0.0",
+ "ephemeral_id": "cd7f1761-3be1-4d56-bcc6-c0d761791c5c",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat"
+ },
+ "winlog": {
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "outcome": "success",
+ "event_data": {
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "SamAccountName": "testdistlocal1",
+ "TargetUserName": "testdistlocal1",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903",
+ "SubjectUserName": "at_adm",
+ "PrivilegeList": "-",
+ "SidHistory": "-"
+ },
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 1076
+ }
+ },
+ "channel": "Security",
+ "event_id": 4745,
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "time_created": "2019-12-18T16:29:05.017Z",
+ "level": "information",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 3700000,
+ "opcode": "Info"
+ },
+ "event": {
+ "kind": "event",
+ "code": 4745,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4745.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json
new file mode 100644
index 000000000..0bdc88273
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json
@@ -0,0 +1,91 @@ +{ + "expected": [ + { + "@timestamp": "2019-12-18T16:29:05.017Z", + "agent": { + "ephemeral_id": "cd7f1761-3be1-4d56-bcc6-c0d761791c5c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "changed-distribution-group-account", + "category": [ + "iam" + ], + "code": "4745", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4745.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testdistlocal1", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4745", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3700000", + "time_created": "2019-12-18T16:29:05.017Z" + } + } + ] +} \ No newline at end of 
file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json new file mode 100644 index 000000000..155999dc6 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json @@ -0,0 +1,65 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:08:14.021Z", + "winlog": { + "event_id": 4746, + "computer_name": "DC_TEST2k12.TEST.SAAS", + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "event_data": { + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "TargetUserName": "testdistlocal1", + "SubjectDomainName": "TEST", + "PrivilegeList": "-", + "SubjectLogonId": "0x2e67800", + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "SubjectUserName": "at_adm" + }, + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3700022, + "keywords": [ + "Audit Success" + ], + "time_created": "2019-12-18T16:31:01.611Z", + "outcome": "success", + "level": "information" + }, + "event": { + "kind": "event", + "code": 4746, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4746.xml" + }, + "level": "information" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "fc9e565f-bcec-4532-805f-3f5b942b5642" + }, + "ecs": { + "version": "1.8.0" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json
new file mode 100644
index 000000000..706c7be48
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json
@@ -0,0 +1,101 @@ +{ + "expected": [ + { + "@timestamp": "2019-12-18T16:31:01.611Z", + "agent": { + "ephemeral_id": "fc9e565f-bcec-4532-805f-3f5b942b5642", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "added-member-to-distribution-group", + "category": [ + "iam" + ], + "code": "4746", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4746.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", + "target": { + "domain": "SAAS", + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "name": "Administrator" + } + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4746", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, 
+ "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3700022", + "time_created": "2019-12-18T16:31:01.611Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json new file mode 100644 index 000000000..7fb4ed4ce --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json 
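Review bot: The expected `user.target.domain` of `"SAAS"` in test-4746.json-expected.json matches neither domain form visible in the same event: `MemberName` is `CN=Administrator,CN=Users,DC=TEST,DC=SAAS`, `SubjectDomainName` is `TEST` and the host is under `TEST.SAAS`, so it looks as if only the last `DC=` component is kept. The pipeline that derives it is not in this hunk, so this may be deliberate, but as a golden file it pins the value, and a detection that correlates group-membership changes on `user.domain` against `user.target.domain` would not match for accounts in the same domain. If the full domain is intended the expected line would read `"domain": "TEST.SAAS",`; the same value is pinned in the expected files for 4747, 4751 and 4752.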
@@ -0,0 +1,65 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:08:34.042Z", + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0475a24c-6c58-4fe5-bcca-e508c2ba84a2", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "winlog": { + "computer_name": "DC_TEST2k12.TEST.SAAS", + "outcome": "success", + "level": "information", + "event_id": 4747, + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2019-12-18T16:35:16.681Z", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "TargetUserName": "testdistlocal1", + "TargetDomainName": "TEST", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "SubjectUserName": "at_adm", + "SubjectDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "SubjectLogonId": "0x2e67800", + "PrivilegeList": "-" + }, + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "channel": "Security", + "record_id": 3700064 + }, + "event": { + "kind": "event", + "code": 4747, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4747.xml" + }, + "level": "information" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json new file mode 100644 index 000000000..b2062c4a3 --- /dev/null 
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json 
@@ -0,0 +1,101 @@ +{ + "expected": [ + { + "@timestamp": "2019-12-18T16:35:16.681Z", + "agent": { + "ephemeral_id": "0475a24c-6c58-4fe5-bcca-e508c2ba84a2", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "removed-member-from-distribution-group", + "category": [ + "iam" + ], + "code": "4747", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4747.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", + "target": { + "domain": "SAAS", + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "name": "Administrator" + } + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4747", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 
492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3700064", + "time_created": "2019-12-18T16:35:16.681Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json new file mode 100644 index 000000000..097ca310e --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json 
@@ -0,0 +1,63 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:04:23.086Z", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "agent": { + "ephemeral_id": "92ff57cc-8a87-45ee-a407-525b380b8b06", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.8.0" + }, + "winlog": { + "keywords": [ + "Audit Success" + ], + "level": "information", + "event_data": { + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "PrivilegeList": "-", + "TargetUserName": "testdistlocal1", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "SubjectUserName": "at_adm" + }, + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "channel": "Security", + "event_id": 4748, + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707490, + "computer_name": "DC_TEST2k12.TEST.SAAS", + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2019-12-19T08:01:45.982Z", + "outcome": "success" + }, + "event": { + "code": 4748, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event" + }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4748.xml" + } + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json new file mode 100644 index 000000000..dc0a383cf --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json 
@@ -0,0 +1,89 @@ +{ + "expected": [ + { + "@timestamp": "2019-12-19T08:01:45.982Z", + "agent": { + "ephemeral_id": "92ff57cc-8a87-45ee-a407-525b380b8b06", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "deleted-distribution-group-account", + "category": [ + "iam" + ], + "code": "4748", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "deletion" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4748.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4748", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707490", + "time_created": "2019-12-19T08:01:45.982Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json
new file mode 100644
index 000000000..bb2024815
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:04:02.974Z",
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "agent": {
+ "ephemeral_id": "45230148-94bf-45cf-8eb1-339760e041d3",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "winlog": {
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "keywords": [
+ "Audit Success"
+ ],
+ "outcome": "success",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2019-12-19T08:03:42.723Z",
+ "level": "information",
+ "channel": "Security",
+ "event_id": 4749,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 3707497,
+ "event_data": {
+ "TargetUserName": "testglobal",
+ "SubjectUserName": "at_adm",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "PrivilegeList": "-",
+ "SamAccountName": "testglobal",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "SidHistory": "-"
+ },
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 1348
+ }
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4749,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4749.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json
new file mode 100644
index 000000000..c33b185fe
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json
@@ -0,0 +1,91 @@ +{ + "expected": [ + { + "@timestamp": "2019-12-19T08:03:42.723Z", + "agent": { + "ephemeral_id": "45230148-94bf-45cf-8eb1-339760e041d3", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "added-distribution-group-account", + "category": [ + "iam" + ], + "code": "4749", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "creation" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4749.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testglobal", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal" + }, + "event_id": "4749", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707497", + "time_created": "2019-12-19T08:03:42.723Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json
new file mode 100644
index 000000000..db997bfc6
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:09:14.108Z",
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "winlog": {
+ "channel": "Security",
+ "record_id": 3707550,
+ "opcode": "Info",
+ "event_data": {
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904",
+ "TargetDomainName": "TEST",
+ "SubjectUserName": "at_adm",
+ "PrivilegeList": "-",
+ "SamAccountName": "testglobal1",
+ "SidHistory": "-",
+ "TargetUserName": "testglobal1"
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2019-12-19T08:10:57.473Z",
+ "outcome": "success",
+ "level": "information",
+ "event_id": 4750,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "keywords": [
+ "Audit Success"
+ ],
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 664
+ }
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4750,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4750.xml"
+ }
+ },
+ "agent": {
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "764fe6a7-38ac-43f0-b125-6388fd0c33e6",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json
new file mode 100644
index 000000000..97d6c3127
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json
@@ -0,0 +1,91 @@ +{ + "expected": [ + { + "@timestamp": "2019-12-19T08:10:57.473Z", + "agent": { + "ephemeral_id": "764fe6a7-38ac-43f0-b125-6388fd0c33e6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "changed-distribution-group-account", + "category": [ + "iam" + ], + "code": "4750", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4750.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testglobal1", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4750", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707550", + "time_created": "2019-12-19T08:10:57.473Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json
new file mode 100644
index 000000000..995f5ebaa
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:09:04.095Z",
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "agent": {
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "217ae042-3cca-46d1-bfa9-e65a2044307b"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "winlog": {
+ "record_id": 3707667,
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "time_created": "2019-12-19T08:20:29.088Z",
+ "outcome": "success",
+ "level": "information",
+ "event_id": 4751,
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 1076
+ }
+ },
+ "event_data": {
+ "PrivilegeList": "-",
+ "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500",
+ "TargetUserName": "testglobal1",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904",
+ "SubjectUserName": "at_adm"
+ }
+ },
+ "event": {
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "kind": "event",
+ "code": 4751
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4751.xml"
+ },
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
new file mode 100644
index 000000000..ec431cdf4
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
@@ -0,0 +1,101 @@ +{ + "expected": [ + { + "@timestamp": "2019-12-19T08:20:29.088Z", + "agent": { + "ephemeral_id": "217ae042-3cca-46d1-bfa9-e65a2044307b", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "added-member-to-distribution-group", + "category": [ + "iam" + ], + "code": "4751", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4751.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", + "target": { + "domain": "SAAS", + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "name": "Administrator" + } + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4751", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + 
"thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707667", + "time_created": "2019-12-19T08:20:29.088Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json new file mode 100644 index 000000000..bed53cfb8 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json 
@@ -0,0 +1,65 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:08:09.007Z", + "ecs": { + "version": "1.8.0" + }, + "winlog": { + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Success" + ], + "time_created": "2019-12-19T08:21:23.644Z", + "outcome": "success", + "level": "information", + "event_data": { + "TargetUserName": "testglobal1", + "SubjectUserName": "at_adm", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "PrivilegeList": "-" + }, + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "event_id": 4752, + "record_id": 3707686, + "computer_name": "DC_TEST2k12.TEST.SAAS" + }, + "event": { + "code": 4752, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4752.xml" + }, + "level": "information" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "60028370-f07b-4e9d-a025-de2a73da6d62", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json new file mode 100644 index 000000000..4cce57269 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json 
@@ -0,0 +1,101 @@ +{ + "expected": [ + { + "@timestamp": "2019-12-19T08:21:23.644Z", + "agent": { + "ephemeral_id": "60028370-f07b-4e9d-a025-de2a73da6d62", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "removed-member-from-distribution-group", + "category": [ + "iam" + ], + "code": "4752", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4752.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", + "target": { + "domain": "SAAS", + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "name": "Administrator" + } + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4752", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + 
"thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707686", + "time_created": "2019-12-19T08:21:23.644Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json new file mode 100644 index 000000000..4d2d181c1 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json 
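Review bot: `user.target.domain` is pinned to `"SAAS"` in this expected document, although the `MemberName` it appears to come from is `CN=Administrator,CN=Users,DC=TEST,DC=SAAS` and both `user.domain` and `group.domain` in the same event are `TEST`. It looks as if only the last `DC=` component of the distinguished name is kept, so a search that correlates subject and target domains would miss a member of the same domain. The 4761 and 4762 expected files pin the same value. If that mapping is not intended, the expectation should read `"domain": "TEST.SAAS"` (or `"TEST"`, whichever convention the package follows) once the pipeline is corrected; if it is intended, it is worth saying so in the commit description.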
@@ -0,0 +1,63 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:08:44.066Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "35c58767-a921-4503-a9ea-086fb7326910" + }, + "winlog": { + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2019-12-19T08:24:36.595Z", + "channel": "Security", + "event_id": 4753, + "record_id": 3707709, + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "SubjectUserName": "at_adm", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "PrivilegeList": "-", + "TargetUserName": "testglobal1" + }, + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "opcode": "Info", + "outcome": "success", + "level": "information" + }, + "event": { + "code": 4753, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event" + }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4753.xml" + } + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json new file mode 100644 index 000000000..7a07ac8e1 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json 
@@ -0,0 +1,89 @@ +{ + "expected": [ + { + "@timestamp": "2019-12-19T08:24:36.595Z", + "agent": { + "ephemeral_id": "35c58767-a921-4503-a9ea-086fb7326910", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "deleted-distribution-group-account", + "category": [ + "iam" + ], + "code": "4753", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "deletion" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4753.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4753", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707709", + "time_created": "2019-12-19T08:24:36.595Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json
new file mode 100644
index 000000000..218699029
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:03:32.738Z",
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "agent": {
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "c67ac17a-6afd-4a2e-a1e9-5177024c937c",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain"
+ },
+ "winlog": {
+ "level": "information",
+ "event_data": {
+ "TargetDomainName": "TEST",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "PrivilegeList": "-",
+ "SidHistory": "-",
+ "TargetUserName": "testuni",
+ "SubjectUserName": "at_adm",
+ "SamAccountName": "testuni",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905"
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 3707737,
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "time_created": "2019-12-19T08:26:26.143Z",
+ "channel": "Security",
+ "event_id": 4759,
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "outcome": "success",
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 1348
+ }
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4759,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4759.xml"
+ },
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json
new file mode 100644
index 000000000..878534a97
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json
@@ -0,0 +1,91 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-12-19T08:26:26.143Z",
+ "agent": {
+ "ephemeral_id": "c67ac17a-6afd-4a2e-a1e9-5177024c937c",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "added-distribution-group-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4759",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "group",
+ "creation"
+ ]
+ },
+ "group": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2905",
+ "name": "testuni"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4759.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "at_adm"
+ ]
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "PrivilegeList": "-",
+ "SamAccountName": "testuni",
+ "SidHistory": "-",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "SubjectUserName": "at_adm",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905",
+ "TargetUserName": "testuni"
+ },
+ "event_id": "4759",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x2e67800"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 1348
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "3707737",
+ "time_created": "2019-12-19T08:26:26.143Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json
new file mode 100644
index 000000000..bc7196376
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:04:28.122Z",
+ "event": {
+ "kind": "event",
+ "code": 4760,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4760.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "agent": {
+ "ephemeral_id": "9bad4bd9-375e-474f-b410-74962cfaccd0",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "winlog": {
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 664
+ }
+ },
+ "channel": "Security",
+ "record_id": 3707745,
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "opcode": "Info",
+ "event_data": {
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "PrivilegeList": "-",
+ "SamAccountName": "testuni2",
+ "SidHistory": "-",
+ "TargetUserName": "testuni2",
+ "TargetDomainName": "TEST",
+ "SubjectUserName": "at_adm"
+ },
+ "outcome": "success",
+ "level": "information",
+ "event_id": 4760,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2019-12-19T08:28:21.030Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json
new file mode 100644
index 000000000..7ee77583c
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json
@@ -0,0 +1,91 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-12-19T08:28:21.030Z",
+ "agent": {
+ "ephemeral_id": "9bad4bd9-375e-474f-b410-74962cfaccd0",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "changed-distribution-group-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4760",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "group",
+ "change"
+ ]
+ },
+ "group": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2905",
+ "name": "testuni2"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4760.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "at_adm"
+ ]
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "PrivilegeList": "-",
+ "SamAccountName": "testuni2",
+ "SidHistory": "-",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "SubjectUserName": "at_adm",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905",
+ "TargetUserName": "testuni2"
+ },
+ "event_id": "4760",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x2e67800"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 664
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "3707745",
+ "time_created": "2019-12-19T08:28:21.030Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json
new file mode 100644
index 000000000..ed62f8fa1
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:03:57.937Z",
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "agent": {
+ "ephemeral_id": "cae437da-c042-490f-95a6-c9e54a2d15db",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "winlog": {
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Success"
+ ],
+ "time_created": "2019-12-19T08:29:38.448Z",
+ "level": "information",
+ "event_data": {
+ "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS",
+ "TargetUserName": "testuni2",
+ "SubjectUserName": "at_adm",
+ "SubjectLogonId": "0x2e67800",
+ "PrivilegeList": "-",
+ "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "SubjectDomainName": "TEST"
+ },
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 1348
+ }
+ },
+ "event_id": 4761,
+ "record_id": 3707755,
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "outcome": "success"
+ },
+ "event": {
+ "outcome": "success",
+ "kind": "event",
+ "code": 4761,
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4761.xml"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
new file mode 100644
index 000000000..7a0d92843
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
@@ -0,0 +1,101 @@ +{ + "expected": [ + { + "@timestamp": "2019-12-19T08:29:38.448Z", + "agent": { + "ephemeral_id": "cae437da-c042-490f-95a6-c9e54a2d15db", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "added-member-to-distribution-group", + "category": [ + "iam" + ], + "code": "4761", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4761.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", + "target": { + "domain": "SAAS", + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "name": "Administrator" + } + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4761", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + 
"id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707755", + "time_created": "2019-12-19T08:29:38.448Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json new file mode 100644 index 000000000..a5c8712d4 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json 
@@ -0,0 +1,65 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:04:38.185Z", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "agent": { + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "41db62b1-ba4b-4ca5-b44a-41d30f14b154", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" + }, + "winlog": { + "time_created": "2019-12-19T08:33:25.967Z", + "event_data": { + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "SubjectUserName": "at_adm", + "PrivilegeList": "-", + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "TargetUserName": "testuni2", + "SubjectLogonId": "0x2e67800", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "SubjectDomainName": "TEST" + }, + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "outcome": "success", + "level": "information", + "channel": "Security", + "event_id": 4762, + "record_id": 3707841 + }, + "event": { + "code": 4762, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4762.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json new file mode 100644 index 000000000..ee41c5f4c --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json 
@@ -0,0 +1,101 @@ +{ + "expected": [ + { + "@timestamp": "2019-12-19T08:33:25.967Z", + "agent": { + "ephemeral_id": "41db62b1-ba4b-4ca5-b44a-41d30f14b154", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "removed-member-from-distribution-group", + "category": [ + "iam" + ], + "code": "4762", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4762.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", + "target": { + "domain": "SAAS", + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "name": "Administrator" + } + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4762", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { 
+ "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707841", + "time_created": "2019-12-19T08:33:25.967Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json new file mode 100644 index 000000000..891b7dd63 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json 
@@ -0,0 +1,63 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:04:48.224Z", + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4763.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "34714bdd-4b69-48f1-a4c6-c02799139342", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain" + }, + "winlog": { + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707847, + "computer_name": "DC_TEST2k12.TEST.SAAS", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "level": "information", + "channel": "Security", + "event_id": 4763, + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "outcome": "success", + "event_data": { + "TargetUserName": "testuni2", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "SubjectUserName": "at_adm", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "PrivilegeList": "-" + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2019-12-19T08:34:23.162Z" + }, + "event": { + "kind": "event", + "code": 4763, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json new file mode 100644 index 000000000..1c0b9338d --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json 
@@ -0,0 +1,89 @@ +{ + "expected": [ + { + "@timestamp": "2019-12-19T08:34:23.162Z", + "agent": { + "ephemeral_id": "34714bdd-4b69-48f1-a4c6-c02799139342", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "deleted-distribution-group-account", + "category": [ + "iam" + ], + "code": "4763", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "deletion" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4763.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4763", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707847", + "time_created": "2019-12-19T08:34:23.162Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json
new file mode 100644
index 000000000..479b72e55
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json
@@ -0,0 +1,219 @@ +{ + "events": [ + { + "event": { + "code": "4797", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "HOSTNAME.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", + "channel": "Security", + "computer_name": "HOSTNAME.contoso.com", + "event_data": { + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x61ccd940", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetDomainName": "HOSTNAME", + "TargetUserName": "Guest", + "Workstation": "HOSTNAME" + }, + "event_id": "4797", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 868, + "thread": { + "id": 12248 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 39956816, + "time_created": "2023-01-17T22:10:41.5550438Z" + } + }, + { + "event": { + "code": "4797", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "HOSTNAME.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", + "channel": "Security", + "computer_name": "HOSTNAME.contoso.com", + "event_data": { + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x61ccd940", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetDomainName": "HOSTNAME", + "TargetUserName": "WDAGUtilityAccount", + "Workstation": "HOSTNAME" + }, + "event_id": "4797", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 868, + "thread": { + "id": 12248 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 39956815, + "time_created": 
"2023-01-17T22:10:41.5328919Z" + } + }, + { + "event": { + "code": "4797", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "HOSTNAME.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", + "channel": "Security", + "computer_name": "HOSTNAME.contoso.com", + "event_data": { + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x61ccd940", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetDomainName": "HOSTNAME", + "TargetUserName": "DefaultAccount", + "Workstation": "HOSTNAME" + }, + "event_id": "4797", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 868, + "thread": { + "id": 65356 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 39956814, + "time_created": "2023-01-17T22:10:41.5127873Z" + } + }, + { + "event": { + "code": "4797", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "HOSTNAME.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", + "channel": "Security", + "computer_name": "HOSTNAME.contoso.com", + "event_data": { + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x61ccd940", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetDomainName": "HOSTNAME", + "TargetUserName": "contoso", + "Workstation": "HOSTNAME" + }, + "event_id": "4797", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 868, + "thread": { + "id": 12248 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 39956813, + 
"time_created": "2023-01-17T22:10:41.4905578Z" + } + }, + { + "event": { + "code": "4797", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "HOSTNAME.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", + "channel": "Security", + "computer_name": "HOSTNAME.contoso.com", + "event_data": { + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x61ccd940", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetDomainName": "HOSTNAME", + "TargetUserName": "Administrator", + "Workstation": "HOSTNAME" + }, + "event_id": "4797", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 868, + "thread": { + "id": 12248 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 39956812, + "time_created": "2023-01-17T22:10:41.4680297Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json new file mode 100644 index 000000000..fe6bc0bc2 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json 
@@ -0,0 +1,369 @@ +{ + "expected": [ + { + "@timestamp": "2023-01-17T22:10:41.555Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "query-existence-of-blank-password", + "category": [ + "iam" + ], + "code": "4797", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "HOSTNAME.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user1", + "Guest" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "user1", + "target": { + "domain": "HOSTNAME", + "name": "Guest" + } + }, + "winlog": { + "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", + "channel": "Security", + "computer_name": "HOSTNAME.contoso.com", + "event_data": { + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x61ccd940", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetDomainName": "HOSTNAME", + "TargetUserName": "Guest", + "Workstation": "HOSTNAME" + }, + "event_id": "4797", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x61ccd940" + }, + "opcode": "Info", + "process": { + "pid": 868, + "thread": { + "id": 12248 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "39956816", + "time_created": "2023-01-17T22:10:41.5550438Z" + } + }, + { + "@timestamp": "2023-01-17T22:10:41.532Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "query-existence-of-blank-password", + "category": [ + "iam" + ], + "code": "4797", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "HOSTNAME.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user1", + "WDAGUtilityAccount" + ] + }, + 
"user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "user1", + "target": { + "domain": "HOSTNAME", + "name": "WDAGUtilityAccount" + } + }, + "winlog": { + "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", + "channel": "Security", + "computer_name": "HOSTNAME.contoso.com", + "event_data": { + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x61ccd940", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetDomainName": "HOSTNAME", + "TargetUserName": "WDAGUtilityAccount", + "Workstation": "HOSTNAME" + }, + "event_id": "4797", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x61ccd940" + }, + "opcode": "Info", + "process": { + "pid": 868, + "thread": { + "id": 12248 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "39956815", + "time_created": "2023-01-17T22:10:41.5328919Z" + } + }, + { + "@timestamp": "2023-01-17T22:10:41.512Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "query-existence-of-blank-password", + "category": [ + "iam" + ], + "code": "4797", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "HOSTNAME.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user1", + "DefaultAccount" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "user1", + "target": { + "domain": "HOSTNAME", + "name": "DefaultAccount" + } + }, + "winlog": { + "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", + "channel": "Security", + "computer_name": "HOSTNAME.contoso.com", + "event_data": { + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x61ccd940", + "SubjectUserName": "user1", + "SubjectUserSid": 
"S-1-5-21-000000000-000000000-000000000-00000", + "TargetDomainName": "HOSTNAME", + "TargetUserName": "DefaultAccount", + "Workstation": "HOSTNAME" + }, + "event_id": "4797", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x61ccd940" + }, + "opcode": "Info", + "process": { + "pid": 868, + "thread": { + "id": 65356 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "39956814", + "time_created": "2023-01-17T22:10:41.5127873Z" + } + }, + { + "@timestamp": "2023-01-17T22:10:41.490Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "query-existence-of-blank-password", + "category": [ + "iam" + ], + "code": "4797", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "HOSTNAME.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user1", + "contoso" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "user1", + "target": { + "domain": "HOSTNAME", + "name": "contoso" + } + }, + "winlog": { + "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", + "channel": "Security", + "computer_name": "HOSTNAME.contoso.com", + "event_data": { + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x61ccd940", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetDomainName": "HOSTNAME", + "TargetUserName": "contoso", + "Workstation": "HOSTNAME" + }, + "event_id": "4797", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x61ccd940" + }, + "opcode": "Info", + "process": { + "pid": 868, + "thread": { + "id": 12248 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "39956813", + "time_created": 
"2023-01-17T22:10:41.4905578Z" + } + }, + { + "@timestamp": "2023-01-17T22:10:41.468Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "query-existence-of-blank-password", + "category": [ + "iam" + ], + "code": "4797", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "HOSTNAME.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user1", + "Administrator" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "user1", + "target": { + "domain": "HOSTNAME", + "name": "Administrator" + } + }, + "winlog": { + "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", + "channel": "Security", + "computer_name": "HOSTNAME.contoso.com", + "event_data": { + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x61ccd940", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetDomainName": "HOSTNAME", + "TargetUserName": "Administrator", + "Workstation": "HOSTNAME" + }, + "event_id": "4797", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x61ccd940" + }, + "opcode": "Info", + "process": { + "pid": 868, + "thread": { + "id": 12248 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "39956812", + "time_created": "2023-01-17T22:10:41.4680297Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json new file mode 100644 index 000000000..b3950a765 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json 
@@ -0,0 +1,64 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:04:43.216Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "winlog": { + "channel": "Security", + "level": "information", + "event_data": { + "SubjectLogonId": "0x3e7", + "ObjectServer": "LSA", + "ObjectType": "Global SACL", + "ObjectName": "File", + "NewSd": "S:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", + "SubjectUserSid": "S-1-5-18", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectDomainName": "TEST" + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "activity_id": "{dfcd2c2a-7481-0000-682c-cddf8174d601}", + "process": { + "thread": { + "id": 3052 + }, + "pid": 776 + }, + "record_id": 114278, + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "time_created": "2020-08-17T12:49:09.494Z", + "outcome": "success", + "event_id": 4817, + "opcode": "Info" + }, + "event": { + "kind": "event", + "code": 4817, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.xml" + }, + "level": "information" + }, + "agent": { + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "c7c0a49b-a78b-4dd9-8928-44e2fc4322a9", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json new file mode 100644 index 000000000..d62f0f64d --- /dev/null 
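Review bot: This fixture keeps environment details from the machine it was captured on: `log.file.path` is `/Users/leehinman/src/beats/...`, `agent.name` is `Lees-MBP.localdomain`, and `NewSd` carries full domain SIDs. The same applies to the other `*-windowssrv2016.json` inputs added in this patch and to their `-expected.json` counterparts. The `test-4797` fixture in the same patch is already sanitised (`HOSTNAME.contoso.com`, `user1`, an all-zero domain SID), so the two sets are inconsistent. I would replace the path and agent name with neutral placeholders such as `"path": "/path/to/testdata/4817_WindowsSrv2016.xml"` and `"name": "agent-host"` (constructed values). If these files are copied verbatim from an upstream package, the clean-up belongs there.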
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json 
@@ -0,0 +1,89 @@ +{ + "expected": [ + { + "@timestamp": "2020-08-17T12:49:09.494Z", + "agent": { + "ephemeral_id": "c7c0a49b-a78b-4dd9-8928-44e2fc4322a9", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "object-audit-changed", + "category": [ + "iam", + "configuration" + ], + "code": "4817", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$", + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{dfcd2c2a-7481-0000-682c-cddf8174d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "NewSd": "S:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", + "NewSdSacl0": "Administrator :System Audit ([Create All Child Objects, Delete All Child Objects, List Contents, All Validated, Read All Properties, Write All Properties, Delete Subtree, List Object, All Extended Rights, Delete, Read Permissions, Modify Permissions, Modify Owner])", + "NewSdSacl1": "null :System Audit ([Create All Child Objects, Delete All Child Objects, List Contents, All Validated, Read All Properties, Write All Properties, Delete Subtree, List Object, All Extended Rights, Delete, Read Permissions, Modify Permissions, Modify Owner])", + "ObjectName": "File", + "ObjectServer": "LSA", + "ObjectType": "Global SACL", + "SubjectDomainName": "TEST", + 
"SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4817", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 3052 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "114278", + "time_created": "2020-08-17T12:49:09.494Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json new file mode 100644 index 000000000..e73bf02dd --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json 
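Review bot: The expected `NewSdSacl1` value is `null :System Audit (...)`, so the second ACE in `NewSd` (the SID ending in `-1000`) loses its principal when no account name can be resolved. Someone triaging a Global SACL change from the translated field cannot tell which account the audit entry applies to. `related.user` also lists only `Administrator` for this descriptor. The pipeline is outside this hunk, so I infer this from the input/expected pair. Falling back to the raw SID would be safer than the string `null`, i.e. expect `"NewSdSacl1": "S-1-5-21-2024912787-2692429404-2351956786-1000 :System Audit ([...])"`.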
@@ -0,0 +1,57 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:04:13.030Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "fc71c55d-e66b-404f-933a-7bf02109440e", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "PuaCount": "0", + "PuaPolicyId": "0x9fd2" + }, + "process": { + "pid": 784, + "thread": { + "id": 832 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2020-08-19T06:07:08.801Z", + "outcome": "success", + "event_id": 4902, + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 140273, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "level": "information" + }, + "event": { + "kind": "event", + "code": 4902, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.xml" + }, + "level": "information" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json new file mode 100644 index 000000000..90ff128ff --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json 
@@ -0,0 +1,66 @@ +{ + "expected": [ + { + "@timestamp": "2020-08-19T06:07:08.801Z", + "agent": { + "ephemeral_id": "fc71c55d-e66b-404f-933a-7bf02109440e", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "user-audit-policy-created", + "category": [ + "iam", + "configuration" + ], + "code": "4902", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "creation" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.xml" + }, + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "PuaCount": "0", + "PuaPolicyId": "0x9fd2" + }, + "event_id": "4902", + "keywords": [ + "Audit Success" + ], + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 784, + "thread": { + "id": 832 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "140273", + "time_created": "2020-08-19T06:07:08.801Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json new file mode 100644 index 000000000..b41340b17 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json 
@@ -0,0 +1,64 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:05:08.356Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "14ac41cb-35f1-42cd-abe2-03f4a8a6a47c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat" + }, + "winlog": { + "record_id": 146939, + "outcome": "success", + "process": { + "pid": 784, + "thread": { + "id": 824 + } + }, + "time_created": "2020-08-19T07:56:52.019Z", + "channel": "Security", + "event_id": 4904, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "level": "information", + "event_data": { + "SubjectLogonId": "0x3e7", + "AuditSourceName": "IIS-METABASE", + "EventSourceId": "0x460422", + "ProcessId": "0xe18", + "ProcessName": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe", + "SubjectUserSid": "S-1-5-18", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectDomainName": "TEST" + }, + "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "keywords": [ + "Audit Success" + ], + "opcode": "Info" + }, + "event": { + "kind": "event", + "code": 4904, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.xml" + }, + "level": "information" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json new file mode 100644 index 000000000..0cff5cf19 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json 
@@ -0,0 +1,89 @@ +{ + "expected": [ + { + "@timestamp": "2020-08-19T07:56:52.019Z", + "agent": { + "ephemeral_id": "14ac41cb-35f1-42cd-abe2-03f4a8a6a47c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "security-event-source-added", + "category": [ + "iam", + "configuration" + ], + "code": "4904", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe", + "name": "inetinfo.exe", + "pid": 3608 + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "AuditSourceName": "IIS-METABASE", + "EventSourceId": "0x460422", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4904", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 784, + "thread": { + "id": 824 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "146939", + "time_created": "2020-08-19T07:56:52.019Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json new file mode 100644 index 000000000..f9e3a5d8d --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json @@ -0,0 +1,64 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:07:38.937Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "agent": { + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "5006f11d-fa2c-4238-810b-aa5e25ec5399", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" + }, + "winlog": { + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2020-08-19T07:56:51.579Z", + "event_id": 4905, + "keywords": [ + "Audit Success" + ], + "level": "information", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 146938, + "opcode": "Info", + "channel": "Security", + "event_data": { + "SubjectUserSid": "S-1-5-18", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "AuditSourceName": "IIS-METABASE", + "EventSourceId": "0x457b22", + "ProcessId": "0x1364", + "ProcessName": "-" + }, + "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", + "process": { + "pid": 784, + "thread": { + "id": 824 + } + }, + "outcome": "success" + }, + "event": { + "kind": "event", + "code": 4905, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.xml" + }, + "level": "information" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json new file mode 100644 index 000000000..d82389c57 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json 
@@ -0,0 +1,89 @@ +{ + "expected": [ + { + "@timestamp": "2020-08-19T07:56:51.579Z", + "agent": { + "ephemeral_id": "5006f11d-fa2c-4238-810b-aa5e25ec5399", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "security-event-source-removed", + "category": [ + "iam", + "configuration" + ], + "code": "4905", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "deletion" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.xml" + }, + "level": "information" + }, + "process": { + "executable": "-", + "name": "-", + "pid": 4964 + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "AuditSourceName": "IIS-METABASE", + "EventSourceId": "0x457b22", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4905", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 784, + "thread": { + "id": 824 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "146938", + "time_created": "2020-08-19T07:56:51.579Z" + } + } + ] +} \ No newline at end of file 
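Review bot: The expected document copies the `ProcessName` placeholder `-` from the input event into ECS as `"executable": "-"` and `"name": "-"`, so this fixture pins a literal dash as a process name. Detections and aggregations on `process.name` would then group every event with an absent process name under `-` rather than treating the field as missing. The pipeline is not visible in this hunk, so this is inferred from the input/expected pair. If it is not intentional, have the pipeline skip `ProcessName` when it equals `-` and keep only `"pid": 4964` under `process` here.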
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json new file mode 100644 index 000000000..e07c7b600 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json @@ -0,0 +1,56 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:06:33.772Z", + "winlog": { + "record_id": 123786, + "time_created": "2020-08-18T09:19:00.237Z", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 804 + } + }, + "channel": "Security", + "event_id": 4906, + "provider_name": "Microsoft-Windows-Security-Auditing", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "level": "information", + "event_data": { + "CrashOnAuditFailValue": "1" + }, + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "keywords": [ + "Audit Success" + ], + "opcode": "Info" + }, + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event", + "code": 4906 + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "agent": { + "ephemeral_id": "00431590-51a2-47a6-a2bf-f0ceaed9fa0f", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json new file mode 100644 index 000000000..799d71df1 --- /dev/null 
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json @@ -0,0 +1,65 @@ +{ + "expected": [ + { + "@timestamp": "2020-08-18T09:19:00.237Z", + "agent": { + "ephemeral_id": "00431590-51a2-47a6-a2bf-f0ceaed9fa0f", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "crash-on-audit-changed", + "category": [ + "iam", + "configuration" + ], + "code": "4906", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.xml" + }, + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "CrashOnAuditFailValue": "1" + }, + "event_id": "4906", + "keywords": [ + "Audit Success" + ], + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 804 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "123786", + "time_created": "2020-08-18T09:19:00.237Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json new file mode 100644 index 000000000..fba2f0422 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json 
@@ -0,0 +1,66 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:05:13.376Z", + "event": { + "kind": "event", + "code": 4907, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "agent": { + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "d42932a5-9237-4c88-b833-60e3b66915d8", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" + }, + "winlog": { + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "opcode": "Info", + "time_created": "2020-08-19T07:56:17.112Z", + "process": { + "pid": 4, + "thread": { + "id": 408 + } + }, + "channel": "Security", + "event_id": 4907, + "provider_name": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "level": "information", + "event_data": { + "ObjectType": "File", + "HandleId": "0x93c", + "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", + "ProcessId": "0x10cc", + "ObjectServer": "Security", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "ObjectName": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1", + "ProcessName": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe", + "SubjectUserSid": "S-1-5-18" + }, + "record_id": 146933, + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json new file mode 100644 index 000000000..5b929d394 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json 
@@ -0,0 +1,92 @@ +{ + "expected": [ + { + "@timestamp": "2020-08-19T07:56:17.112Z", + "agent": { + "ephemeral_id": "d42932a5-9237-4c88-b833-60e3b66915d8", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "audit-setting-changed", + "category": [ + "iam", + "configuration" + ], + "code": "4907", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe", + "name": "TiWorker.exe", + "pid": 4300 + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "HandleId": "0x93c", + "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", + "NewSdSacl0": "Everyone :System Audit ([Delete All Child Objects, List Contents, Read All Properties, All Extended Rights, Delete, Modify Permissions, Modify Owner])", + "ObjectName": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1", + "ObjectServer": "Security", + "ObjectType": "File", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4907", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 4, + 
"thread": { + "id": 408 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "146933", + "time_created": "2020-08-19T07:56:17.112Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json new file mode 100644 index 000000000..71d2b8864 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json 
@@ -0,0 +1,239 @@ +{ + "events": [ + { + "event": { + "code": "5379", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "10428", + "CountOfCredentialsReturned": "1", + "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", + "ReadOperation": "%%8099", + "ReturnCode": "3221226021", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x278a6ed9", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@8.000000", + "Type": "1" + }, + "event_id": "5379", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 924, + "thread": { + "id": 12672 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 7959006, + "time_created": "2023-01-17T22:18:03.5577972Z" + } + }, + { + "event": { + "code": "5379", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "10428", + "CountOfCredentialsReturned": "1", + "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", + "ReadOperation": "%%8099", + "ReturnCode": "0", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x278a6ed9", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetName": 
"MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@7.000000", + "Type": "1" + }, + "event_id": "5379", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 924, + "thread": { + "id": 12672 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 7959005, + "time_created": "2023-01-17T22:18:03.5530981Z" + } + }, + { + "event": { + "code": "5379", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "10428", + "CountOfCredentialsReturned": "1", + "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", + "ReadOperation": "%%8099", + "ReturnCode": "0", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x278a6ed9", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@6.000000", + "Type": "1" + }, + "event_id": "5379", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 924, + "thread": { + "id": 12672 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 7959004, + "time_created": "2023-01-17T22:18:03.5480672Z" + } + }, + { + "event": { + "code": "5379", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", + "channel": "Security", + "computer_name": 
"COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "10428", + "CountOfCredentialsReturned": "1", + "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", + "ReadOperation": "%%8099", + "ReturnCode": "0", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x278a6ed9", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@5.000000", + "Type": "1" + }, + "event_id": "5379", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 924, + "thread": { + "id": 12672 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 7959003, + "time_created": "2023-01-17T22:18:03.5437073Z" + } + }, + { + "event": { + "code": "5379", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "10428", + "CountOfCredentialsReturned": "1", + "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", + "ReadOperation": "%%8099", + "ReturnCode": "0", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x278a6ed9", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@4.000000", + "Type": "1" + }, + "event_id": "5379", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 924, + "thread": { + "id": 12672 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 7959002, + "time_created": 
"2023-01-17T22:18:03.5397904Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json-expected.json new file mode 100644 index 000000000..e89379f94 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json-expected.json 
@@ -0,0 +1,364 @@ +{ + "expected": [ + { + "@timestamp": "2023-01-17T22:18:03.557Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "credential-manager-credentials-were-read", + "category": [ + "iam" + ], + "code": "5379", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "user1" + }, + "winlog": { + "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "10428", + "CountOfCredentialsReturned": "1", + "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", + "ReadOperation": "%%8099", + "ReturnCode": "3221226021", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x278a6ed9", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@8.000000", + "Type": "1" + }, + "event_id": "5379", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x278a6ed9" + }, + "opcode": "Info", + "process": { + "pid": 924, + "thread": { + "id": 12672 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "7959006", + "time_created": "2023-01-17T22:18:03.5577972Z" + } + }, + { + "@timestamp": "2023-01-17T22:18:03.553Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "credential-manager-credentials-were-read", + "category": [ + "iam" + ], + "code": "5379", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": 
"COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "user1" + }, + "winlog": { + "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "10428", + "CountOfCredentialsReturned": "1", + "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", + "ReadOperation": "%%8099", + "ReturnCode": "0", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x278a6ed9", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@7.000000", + "Type": "1" + }, + "event_id": "5379", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x278a6ed9" + }, + "opcode": "Info", + "process": { + "pid": 924, + "thread": { + "id": 12672 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "7959005", + "time_created": "2023-01-17T22:18:03.5530981Z" + } + }, + { + "@timestamp": "2023-01-17T22:18:03.548Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "credential-manager-credentials-were-read", + "category": [ + "iam" + ], + "code": "5379", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "user1" + }, + "winlog": { + "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + 
"ClientProcessId": "10428", + "CountOfCredentialsReturned": "1", + "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", + "ReadOperation": "%%8099", + "ReturnCode": "0", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x278a6ed9", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@6.000000", + "Type": "1" + }, + "event_id": "5379", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x278a6ed9" + }, + "opcode": "Info", + "process": { + "pid": 924, + "thread": { + "id": 12672 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "7959004", + "time_created": "2023-01-17T22:18:03.5480672Z" + } + }, + { + "@timestamp": "2023-01-17T22:18:03.543Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "credential-manager-credentials-were-read", + "category": [ + "iam" + ], + "code": "5379", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "user1" + }, + "winlog": { + "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "10428", + "CountOfCredentialsReturned": "1", + "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", + "ReadOperation": "%%8099", + "ReturnCode": "0", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x278a6ed9", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetName": 
"MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@5.000000", + "Type": "1" + }, + "event_id": "5379", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x278a6ed9" + }, + "opcode": "Info", + "process": { + "pid": 924, + "thread": { + "id": 12672 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "7959003", + "time_created": "2023-01-17T22:18:03.5437073Z" + } + }, + { + "@timestamp": "2023-01-17T22:18:03.539Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "credential-manager-credentials-were-read", + "category": [ + "iam" + ], + "code": "5379", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "user1" + }, + "winlog": { + "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "10428", + "CountOfCredentialsReturned": "1", + "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", + "ReadOperation": "%%8099", + "ReturnCode": "0", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x278a6ed9", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", + "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@4.000000", + "Type": "1" + }, + "event_id": "5379", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x278a6ed9" + }, + "opcode": "Info", + "process": { + "pid": 924, + "thread": { + "id": 12672 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + 
"record_id": "7959002", + "time_created": "2023-01-17T22:18:03.5397904Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json new file mode 100644 index 000000000..e9658bba1 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json 
@@ -0,0 +1,229 @@ +{ + "events": [ + { + "event": { + "code": "5380", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "21196", + "CountOfCredentialsReturned": "16", + "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", + "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", + "SchemaFriendlyName": "Windows Web Password Credential", + "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x1771180", + "SubjectUserName": "USER1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5380", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 664, + "thread": { + "id": 3284 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2254401, + "time_created": "2023-01-17T10:11:25.5570183Z" + } + }, + { + "event": { + "code": "5380", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "21196", + "CountOfCredentialsReturned": "16", + "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", + "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", + "SchemaFriendlyName": "Windows Web Password Credential", + "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x1771180", + "SubjectUserName": "USER1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": 
"5380", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 664, + "thread": { + "id": 3284 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2254384, + "time_created": "2023-01-17T10:11:25.532896Z" + } + }, + { + "event": { + "code": "5380", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "21196", + "CountOfCredentialsReturned": "16", + "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", + "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", + "SchemaFriendlyName": "Windows Web Password Credential", + "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x1771180", + "SubjectUserName": "USER1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5380", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 664, + "thread": { + "id": 3284 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2254367, + "time_created": "2023-01-17T10:11:25.4987379Z" + } + }, + { + "event": { + "code": "5380", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "21196", + "CountOfCredentialsReturned": "16", + "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", + "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", + 
"SchemaFriendlyName": "Windows Web Password Credential", + "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x1771180", + "SubjectUserName": "USER1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5380", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 664, + "thread": { + "id": 9312 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2254350, + "time_created": "2023-01-17T10:11:24.7759283Z" + } + }, + { + "event": { + "code": "5380", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "21196", + "CountOfCredentialsReturned": "16", + "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", + "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", + "SchemaFriendlyName": "Windows Web Password Credential", + "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x1771180", + "SubjectUserName": "USER1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5380", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 664, + "thread": { + "id": 9312 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2254333, + "time_created": "2023-01-17T10:11:24.5421935Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json-expected.json
new file mode 100644
index 000000000..d72f615b9
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json-expected.json
@@ -0,0 +1,354 @@ +{ + "expected": [ + { + "@timestamp": "2023-01-17T10:11:25.557Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credential-find", + "category": [ + "iam" + ], + "code": "5380", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "USER1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "USER1" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "21196", + "CountOfCredentialsReturned": "16", + "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", + "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", + "SchemaFriendlyName": "Windows Web Password Credential", + "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x1771180", + "SubjectUserName": "USER1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5380", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x1771180" + }, + "opcode": "Info", + "process": { + "pid": 664, + "thread": { + "id": 3284 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2254401", + "time_created": "2023-01-17T10:11:25.5570183Z" + } + }, + { + "@timestamp": "2023-01-17T10:11:25.532Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credential-find", + "category": [ + "iam" + ], + "code": "5380", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + 
"user": [ + "USER1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "USER1" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "21196", + "CountOfCredentialsReturned": "16", + "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", + "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", + "SchemaFriendlyName": "Windows Web Password Credential", + "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x1771180", + "SubjectUserName": "USER1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5380", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x1771180" + }, + "opcode": "Info", + "process": { + "pid": 664, + "thread": { + "id": 3284 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2254384", + "time_created": "2023-01-17T10:11:25.532896Z" + } + }, + { + "@timestamp": "2023-01-17T10:11:25.498Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credential-find", + "category": [ + "iam" + ], + "code": "5380", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "USER1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "USER1" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "21196", + "CountOfCredentialsReturned": "16", + "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", + "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", + "SchemaFriendlyName": "Windows Web Password 
Credential", + "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x1771180", + "SubjectUserName": "USER1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5380", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x1771180" + }, + "opcode": "Info", + "process": { + "pid": 664, + "thread": { + "id": 3284 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2254367", + "time_created": "2023-01-17T10:11:25.4987379Z" + } + }, + { + "@timestamp": "2023-01-17T10:11:24.775Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credential-find", + "category": [ + "iam" + ], + "code": "5380", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "USER1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "USER1" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "21196", + "CountOfCredentialsReturned": "16", + "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", + "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", + "SchemaFriendlyName": "Windows Web Password Credential", + "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x1771180", + "SubjectUserName": "USER1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5380", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x1771180" + }, + "opcode": "Info", + "process": { + "pid": 664, + "thread": { + "id": 9312 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2254350", + "time_created": "2023-01-17T10:11:24.7759283Z" + } + }, + { + "@timestamp": "2023-01-17T10:11:24.542Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credential-find", + "category": [ + "iam" + ], + "code": "5380", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "USER1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "USER1" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "21196", + "CountOfCredentialsReturned": "16", + "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", + "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", + "SchemaFriendlyName": "Windows Web Password Credential", + "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x1771180", + "SubjectUserName": "USER1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5380", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x1771180" + }, + "opcode": "Info", + "process": { + "pid": 664, + "thread": { + "id": 9312 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2254333", + "time_created": "2023-01-17T10:11:24.5421935Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json new file mode 100644 index 000000000..e6bf5b18f --- /dev/null 
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json 
@@ -0,0 +1,219 @@ +{ + "events": [ + { + "event": { + "code": "5381", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "5048", + "CountOfCredentialsReturned": "0", + "Flags": "0", + "ProcessCreationTime": "2023-01-17T21:15:02.4069136Z", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "COMPUTER1$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "5381", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 13342699, + "time_created": "2023-01-17T21:15:02.5490822Z" + } + }, + { + "event": { + "code": "5381", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "4920", + "CountOfCredentialsReturned": "0", + "Flags": "0", + "ProcessCreationTime": "2023-01-17T17:52:51.3438795Z", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "COMPUTER1$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "5381", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 640, + "thread": { + "id": 1036 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 13334924, + "time_created": "2023-01-17T17:52:51.4882586Z" + } + }, + { + "event": { + "code": "5381", + "kind": "event", + "outcome": 
"success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "4960", + "CountOfCredentialsReturned": "0", + "Flags": "0", + "ProcessCreationTime": "2023-01-17T15:34:59.6524351Z", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "COMPUTER1$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "5381", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 632, + "thread": { + "id": 8 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 13333282, + "time_created": "2023-01-17T15:35:00.493786Z" + } + }, + { + "event": { + "code": "5381", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "4604", + "CountOfCredentialsReturned": "0", + "Flags": "0", + "ProcessCreationTime": "2023-01-17T15:06:27.3440799Z", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "COMPUTER1$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "5381", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 1020, + "thread": { + "id": 784 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 13332174, + "time_created": "2023-01-17T15:06:28.1323896Z" + } + }, + { + "event": { + "code": "5381", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": 
"COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "4772", + "CountOfCredentialsReturned": "0", + "Flags": "0", + "ProcessCreationTime": "2023-01-17T14:55:55.9592157Z", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "COMPUTER1$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "5381", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 640, + "thread": { + "id": 876 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 13331466, + "time_created": "2023-01-17T14:55:56.2978479Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json-expected.json new file mode 100644 index 000000000..0c05e53db --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json-expected.json 
@@ -0,0 +1,344 @@ +{ + "expected": [ + { + "@timestamp": "2023-01-17T21:15:02.549Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credentials-were-read", + "category": [ + "iam" + ], + "code": "5381", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "COMPUTER1$" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-18", + "name": "COMPUTER1$" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "5048", + "CountOfCredentialsReturned": "0", + "Flags": "0", + "ProcessCreationTime": "2023-01-17T21:15:02.4069136Z", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "COMPUTER1$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "5381", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13342699", + "time_created": "2023-01-17T21:15:02.5490822Z" + } + }, + { + "@timestamp": "2023-01-17T17:52:51.488Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credentials-were-read", + "category": [ + "iam" + ], + "code": "5381", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "COMPUTER1$" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-18", + "name": "COMPUTER1$" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + 
"ClientProcessId": "4920", + "CountOfCredentialsReturned": "0", + "Flags": "0", + "ProcessCreationTime": "2023-01-17T17:52:51.3438795Z", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "COMPUTER1$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "5381", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 640, + "thread": { + "id": 1036 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13334924", + "time_created": "2023-01-17T17:52:51.4882586Z" + } + }, + { + "@timestamp": "2023-01-17T15:35:00.493Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credentials-were-read", + "category": [ + "iam" + ], + "code": "5381", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "COMPUTER1$" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-18", + "name": "COMPUTER1$" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "4960", + "CountOfCredentialsReturned": "0", + "Flags": "0", + "ProcessCreationTime": "2023-01-17T15:34:59.6524351Z", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "COMPUTER1$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "5381", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 632, + "thread": { + "id": 8 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13333282", + "time_created": "2023-01-17T15:35:00.493786Z" + } + }, + { + "@timestamp": 
"2023-01-17T15:06:28.132Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credentials-were-read", + "category": [ + "iam" + ], + "code": "5381", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "COMPUTER1$" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-18", + "name": "COMPUTER1$" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "4604", + "CountOfCredentialsReturned": "0", + "Flags": "0", + "ProcessCreationTime": "2023-01-17T15:06:27.3440799Z", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "COMPUTER1$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "5381", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 1020, + "thread": { + "id": 784 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13332174", + "time_created": "2023-01-17T15:06:28.1323896Z" + } + }, + { + "@timestamp": "2023-01-17T14:55:56.297Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credentials-were-read", + "category": [ + "iam" + ], + "code": "5381", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "COMPUTER1$" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-18", + "name": "COMPUTER1$" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "4772", + "CountOfCredentialsReturned": 
"0", + "Flags": "0", + "ProcessCreationTime": "2023-01-17T14:55:55.9592157Z", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "COMPUTER1$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "5381", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 640, + "thread": { + "id": 876 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13331466", + "time_created": "2023-01-17T14:55:56.2978479Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json new file mode 100644 index 000000000..a7999a1ed --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json 
@@ -0,0 +1,239 @@ +{ + "events": [ + { + "event": { + "code": "5382", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "10992", + "Flags": "0", + "Identity": "010500000000000515000000135E3A229957100F0052CF12FC9C0000", + "ProcessCreationTime": "2023-01-17T22:25:52.5801675Z", + "Resource": "NGC Local Accoount Logon Vault Resource", + "ReturnCode": "1168", + "Schema": "{1d4350a3-330d-4af9-b3ff-a927a45998ac}", + "SchemaFriendlyName": "NGC Local Accoount Logon Vault Resource Schema", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "COMPUTER1$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "5382", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 964, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5474106, + "time_created": "2023-01-17T22:25:53.1638862Z" + } + }, + { + "event": { + "code": "5382", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "18228", + "Flags": "0", + "Identity": "ActiveSyncCredentialDefaultUser", + "ProcessCreationTime": "2023-01-17T21:33:15.0527484Z", + "Resource": "SYNC_POLICY{000000000-0000-0000-00000-000000000000}", + "ReturnCode": "0", + "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", + "SchemaFriendlyName": "ActiveSyncCredentialSchema", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x12a119b2", + "SubjectUserName": 
"user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5382", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 1008, + "thread": { + "id": 11604 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5472528, + "time_created": "2023-01-17T21:53:44.4175183Z" + } + }, + { + "event": { + "code": "5382", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "18228", + "Flags": "0", + "Identity": "ActiveSyncCredentialDefaultUser", + "ProcessCreationTime": "2023-01-17T21:33:15.0527484Z", + "Resource": "SyncPassword{000000000-0000-0000-00000-000000000000}Exchange", + "ReturnCode": "0", + "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", + "SchemaFriendlyName": "ActiveSyncCredentialSchema", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x12a119b2", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5382", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 1008, + "thread": { + "id": 11604 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5472527, + "time_created": "2023-01-17T21:53:44.4122464Z" + } + }, + { + "event": { + "code": "5382", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "18228", + 
"Flags": "0", + "Identity": "ActiveSyncCredentialDefaultUser", + "ProcessCreationTime": "2023-01-17T21:33:15.0527484Z", + "Resource": "SyncUseSSL{000000000-0000-0000-00000-000000000000}Exchange", + "ReturnCode": "0", + "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", + "SchemaFriendlyName": "ActiveSyncCredentialSchema", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x12a119b2", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5382", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 1008, + "thread": { + "id": 11604 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5472526, + "time_created": "2023-01-17T21:53:44.4119963Z" + } + }, + { + "event": { + "code": "5382", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "18228", + "Flags": "0", + "Identity": "ActiveSyncCredentialDefaultUser", + "ProcessCreationTime": "2023-01-17T21:33:15.0527484Z", + "Resource": "SyncServer{000000000-0000-0000-00000-000000000000}Exchange", + "ReturnCode": "0", + "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", + "SchemaFriendlyName": "ActiveSyncCredentialSchema", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x12a119b2", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5382", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 1008, + "thread": { + "id": 9708 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5472525, + 
"time_created": "2023-01-17T21:53:44.4117359Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json-expected.json new file mode 100644 index 000000000..1de868541 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json-expected.json 
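Review bot: The first event's `Identity` value, `010500000000000515000000135E3A229957100F0052CF12FC9C0000`, does not look sanitized like the rest of this fixture. It has the layout of a binary SID in hex (revision 01, five sub-authorities, NT authority, first sub-authority 0x15 = 21), so it appears to carry a real domain and account identifier, while every `SubjectUserSid` here has been zeroed to `S-1-5-21-000000000-000000000-000000000-00000`. The same value is repeated in the first expected event of test-5382.json-expected.json, so both files need the change. I would replace it with a constructed placeholder of the same length, for example `"Identity": "010500000000000515000000000000000000000000000000E8030000"`, which keeps the field shape the pipeline sees without publishing an identifier from the capture host.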
@@ -0,0 +1,364 @@ +{ + "expected": [ + { + "@timestamp": "2023-01-17T22:25:53.163Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credentials-were-read", + "category": [ + "iam" + ], + "code": "5382", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "COMPUTER1$" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-18", + "name": "COMPUTER1$" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "10992", + "Flags": "0", + "Identity": "010500000000000515000000135E3A229957100F0052CF12FC9C0000", + "ProcessCreationTime": "2023-01-17T22:25:52.5801675Z", + "Resource": "NGC Local Accoount Logon Vault Resource", + "ReturnCode": "1168", + "Schema": "{1d4350a3-330d-4af9-b3ff-a927a45998ac}", + "SchemaFriendlyName": "NGC Local Accoount Logon Vault Resource Schema", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "COMPUTER1$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "5382", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 964, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5474106", + "time_created": "2023-01-17T22:25:53.1638862Z" + } + }, + { + "@timestamp": "2023-01-17T21:53:44.417Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credentials-were-read", + "category": [ + "iam" + ], + "code": "5382", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": 
"information" + }, + "related": { + "user": [ + "user1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "user1" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "18228", + "Flags": "0", + "Identity": "ActiveSyncCredentialDefaultUser", + "ProcessCreationTime": "2023-01-17T21:33:15.0527484Z", + "Resource": "SYNC_POLICY{000000000-0000-0000-00000-000000000000}", + "ReturnCode": "0", + "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", + "SchemaFriendlyName": "ActiveSyncCredentialSchema", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x12a119b2", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5382", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x12a119b2" + }, + "opcode": "Info", + "process": { + "pid": 1008, + "thread": { + "id": 11604 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5472528", + "time_created": "2023-01-17T21:53:44.4175183Z" + } + }, + { + "@timestamp": "2023-01-17T21:53:44.412Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credentials-were-read", + "category": [ + "iam" + ], + "code": "5382", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "user1" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "18228", + "Flags": "0", + "Identity": "ActiveSyncCredentialDefaultUser", + "ProcessCreationTime": 
"2023-01-17T21:33:15.0527484Z", + "Resource": "SyncPassword{000000000-0000-0000-00000-000000000000}Exchange", + "ReturnCode": "0", + "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", + "SchemaFriendlyName": "ActiveSyncCredentialSchema", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x12a119b2", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5382", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x12a119b2" + }, + "opcode": "Info", + "process": { + "pid": 1008, + "thread": { + "id": 11604 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5472527", + "time_created": "2023-01-17T21:53:44.4122464Z" + } + }, + { + "@timestamp": "2023-01-17T21:53:44.411Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credentials-were-read", + "category": [ + "iam" + ], + "code": "5382", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "user1" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "18228", + "Flags": "0", + "Identity": "ActiveSyncCredentialDefaultUser", + "ProcessCreationTime": "2023-01-17T21:33:15.0527484Z", + "Resource": "SyncUseSSL{000000000-0000-0000-00000-000000000000}Exchange", + "ReturnCode": "0", + "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", + "SchemaFriendlyName": "ActiveSyncCredentialSchema", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x12a119b2", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + 
}, + "event_id": "5382", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x12a119b2" + }, + "opcode": "Info", + "process": { + "pid": 1008, + "thread": { + "id": 11604 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5472526", + "time_created": "2023-01-17T21:53:44.4119963Z" + } + }, + { + "@timestamp": "2023-01-17T21:53:44.411Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "vault-credentials-were-read", + "category": [ + "iam" + ], + "code": "5382", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-000000000-000000000-000000000-00000", + "name": "user1" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "ClientProcessId": "18228", + "Flags": "0", + "Identity": "ActiveSyncCredentialDefaultUser", + "ProcessCreationTime": "2023-01-17T21:33:15.0527484Z", + "Resource": "SyncServer{000000000-0000-0000-00000-000000000000}Exchange", + "ReturnCode": "0", + "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", + "SchemaFriendlyName": "ActiveSyncCredentialSchema", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x12a119b2", + "SubjectUserName": "user1", + "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" + }, + "event_id": "5382", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x12a119b2" + }, + "opcode": "Info", + "process": { + "pid": 1008, + "thread": { + "id": 9708 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5472525", + "time_created": "2023-01-17T21:53:44.4117359Z" + } + } + ] +} \ No 
newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-common-config.yml b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 000000000..c39dc3861
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,2 @@
+dynamic_fields:
+ event.ingested: ".*"
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json
new file mode 100644
index 000000000..6752b73fd
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json
@@ -0,0 +1,110 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:06:03.636Z", + "winlog": { + "version": 1, + "process": { + "pid": 4, + "thread": { + "id": 772 + } + }, + "api": "wineventlog", + "channel": "Security", + "record_id": 268495, + "computer_name": "DC01.contoso.local", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2015-09-18T02:45:13.581231400Z", + "event_id": 5140, + "provider_name": "Microsoft-Windows-Security-Auditing", + "opcode": "Info", + "keywords": [ + "Audit Success" + ], + "task": "File Share", + "event_data": { + "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104", + "SubjectUserName": "dadmin", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x541f35", + "ObjectType": "File", + "IpAddress": "10.0.0.100", + "IpPort": "49212", + "ShareName": "\\\\\\*\\Documents", + "ShareLocalPath": "\\??\\C:\\Documents", + "AccessMask": "0x1", + "AccessList": "%%4416" + } + }, + "event": { + "action": "File Share", + "created": "2022-02-03T18:51:05.143Z", + "outcome": "success", + "kind": "event", + "code": 5140, + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "host": { + "name": "DC01.contoso.local" + } + }, + { + "@timestamp": "2021-04-15T19:06:03.636Z", + "winlog": { + "version": 0, + "process": { + "pid": 4, + "thread": { + "id": 772 + } + }, + "api": "wineventlog", + "channel": "Security", + "record_id": 268495, + "computer_name": "DC01.contoso.local", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2015-09-18T02:45:13.581231400Z", + "event_id": 5145, + "provider_name": "Microsoft-Windows-Security-Auditing", + "opcode": "Info", + "task": "Detailed File Share", + "keywords": [ + "Audit Success" + ], + "event_data": { + "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104", + "SubjectUserName": "dadmin", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x541f35", + "ObjectType": "File", + 
"IpAddress": "fe80::31ea:6c3c:f40d:1973", + "IpPort": "49212", + "ShareName": "\\\\\\*\\Documents", + "ShareLocalPath": "\\??\\C:\\Documents", + "RelativeTargetName": "Bginfo.exe", + "AccessMask": "0x100081", + "AccessList": "%%1541 %%4416 %%4423", + "AccessReason": "%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)" + } + }, + "event": { + "action": "Detailed File Share", + "created": "2022-02-03T18:51:05.143Z", + "outcome": "success", + "kind": "event", + "code": 5145, + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "host": { + "name": "DC01.contoso.local" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json new file mode 100644 index 000000000..e49f103d8 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json 
@@ -0,0 +1,194 @@ +{ + "expected": [ + { + "@timestamp": "2015-09-18T02:45:13.581Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "network-share-object-accessed", + "category": [ + "network", + "file" + ], + "code": "5140", + "created": "2022-02-03T18:51:05.143Z", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "info", + "access" + ] + }, + "file": { + "directory": "\\??\\C:\\Documents" + }, + "host": { + "name": "DC01.contoso.local" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "10.0.0.100" + ], + "user": [ + "dadmin" + ] + }, + "source": { + "ip": "10.0.0.100", + "port": 49212 + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-3457937927-2839227994-823803824-1104", + "name": "dadmin" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC01.contoso.local", + "event_data": { + "AccessList": "%%4416", + "AccessListDescription": [ + "ReadData (or ListDirectory)" + ], + "AccessMask": "0x1", + "AccessMaskDescription": [ + "Create Child" + ], + "ObjectType": "File", + "ShareLocalPath": "\\??\\C:\\Documents", + "ShareName": "\\\\\\*\\Documents", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x541f35", + "SubjectUserName": "dadmin", + "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104" + }, + "event_id": "5140", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x541f35" + }, + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 772 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "268495", + "task": "File Share", + "time_created": "2015-09-18T02:45:13.581231400Z", + "version": 1 + } + }, + { + "@timestamp": "2015-09-18T02:45:13.581Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "network-share-object-access-checked", + "category": [ + "network", + "file" + ], + 
"code": "5145", + "created": "2022-02-03T18:51:05.143Z", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "info", + "access" + ] + }, + "file": { + "directory": "\\??\\C:\\Documents", + "extension": "exe", + "name": "Bginfo.exe", + "path": "\\\\??\\\\C:\\\\Documents\\Bginfo.exe", + "target_path": "\\\\\\\\\\\\*\\\\Documents\\Bginfo.exe" + }, + "host": { + "name": "DC01.contoso.local" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "fe80::31ea:6c3c:f40d:1973" + ], + "user": [ + "dadmin" + ] + }, + "source": { + "ip": "fe80::31ea:6c3c:f40d:1973", + "port": 49212 + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-3457937927-2839227994-823803824-1104", + "name": "dadmin" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC01.contoso.local", + "event_data": { + "AccessList": "%%1541 %%4416 %%4423", + "AccessListDescription": [ + "SYNCHRONIZE", + "ReadData (or ListDirectory)", + "ReadAttributes" + ], + "AccessMask": "0x100081", + "AccessMaskDescription": [ + "List Object", + "Create Child", + "SYNCHRONIZE" + ], + "AccessReason": "%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)", + "ObjectType": "File", + "RelativeTargetName": "Bginfo.exe", + "ShareLocalPath": "\\??\\C:\\Documents", + "ShareName": "\\\\\\*\\Documents", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x541f35", + "SubjectUserName": "dadmin", + "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104" + }, + "event_id": "5145", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x541f35" + }, + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 772 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "268495", + "task": "Detailed File Share", + "time_created": "2015-09-18T02:45:13.581231400Z", + "version": 0 
+ } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json new file mode 100644 index 000000000..75b582297 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json 
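Review bot: The pinned `AccessMaskDescription` values contradict `AccessListDescription` in both expected documents: with `ObjectType` `File`, mask `0x1` is expected as `Create Child` while `%%4416` is expected as `ReadData (or ListDirectory)`, and `0x100081` is expected as `List Object`, `Create Child`, `SYNCHRONIZE` against `SYNCHRONIZE`, `ReadData (or ListDirectory)`, `ReadAttributes`. The mask names look like the directory-object meaning of those bits rather than the file meaning, so a detection that keys on `AccessMaskDescription` for share access would read the wrong right; the pipeline that produces these values is not in this hunk, so that cause is an inference. The 5145 document also pins `file.path` as `\\\\??\\\\C:\\\\Documents\\Bginfo.exe`, with separators doubled relative to `file.directory`, where `"path": "\\??\\C:\\Documents\\Bginfo.exe"` would be consistent. If these files are regenerated output, the mismatch is better tracked against the pipeline than accepted silently as golden data.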
@@ -0,0 +1,64 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:06:03.636Z",
+ "winlog": {
+ "level": "information",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 504
+ }
+ },
+ "channel": "Security",
+ "record_id": 5109160,
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2020-04-06T06:39:04.549Z",
+ "outcome": "success",
+ "event_id": 4673,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "event_data": {
+ "ProcessId": "0x1f0",
+ "ProcessName": "C:\\Windows\\System32\\lsass.exe",
+ "SubjectUserName": "DC_TEST2K12$",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x3e7",
+ "PrivilegeList": "SeTcbPrivilege",
+ "SubjectUserSid": "S-1-5-18",
+ "ObjectServer": "NT Local Security Authority / Authentication Service",
+ "Service": "LsaRegisterLogonProcess()"
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4673,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "agent": {
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "f86f8f87-0401-4d4d-a9b3-d3a9a524dde2"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json
new file mode 100644
index 000000000..a50b4fc2e
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json 
@@ -0,0 +1,89 @@ +{ + "expected": [ + { + "@timestamp": "2020-04-06T06:39:04.549Z", + "agent": { + "ephemeral_id": "f86f8f87-0401-4d4d-a9b3-d3a9a524dde2", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "privileged-service-called", + "category": [ + "iam" + ], + "code": "4673", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\lsass.exe", + "name": "lsass.exe", + "pid": 496 + }, + "related": { + "user": [ + "DC_TEST2K12$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "DC_TEST2K12$" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "ObjectServer": "NT Local Security Authority / Authentication Service", + "PrivilegeList": [ + "SeTcbPrivilege" + ], + "Service": "LsaRegisterLogonProcess()", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "DC_TEST2K12$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4673", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 496, + "thread": { + "id": 504 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5109160", + "time_created": "2020-04-06T06:39:04.549Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json
new file mode 100644
index 000000000..2cc659dcb
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:05:18.399Z",
+ "agent": {
+ "ephemeral_id": "961c8568-c795-47e6-8d9f-661cdab1fac0",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "winlog": {
+ "time_created": "2020-04-02T14:34:08.889Z",
+ "level": "information",
+ "process": {
+ "pid": 792,
+ "thread": {
+ "id": 2492
+ }
+ },
+ "channel": "Security",
+ "record_id": 90108,
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "outcome": "success",
+ "activity_id": "{74b64d41-08ce-0000-454f-b674ce08d601}",
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "event_data": {
+ "ServiceStartType": "2",
+ "ServiceAccount": "LocalSystem",
+ "SubjectLogonId": "0x4c323",
+ "ServiceName": "winlogbeat",
+ "ServiceFileName": "\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true",
+ "ServiceType": "0x10",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "WLBEAT"
+ },
+ "event_id": 4697,
+ "provider_name": "Microsoft-Windows-Security-Auditing"
+ },
+ "event": {
+ "kind": "event",
+ "code": 4697,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.xml"
+ },
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json
new file mode 100644
index 000000000..073bab476
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json
@@ -0,0 +1,91 @@ +{ + "expected": [ + { + "@timestamp": "2020-04-02T14:34:08.889Z", + "agent": { + "ephemeral_id": "961c8568-c795-47e6-8d9f-661cdab1fac0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "service-installed", + "category": [ + "iam", + "configuration" + ], + "code": "4697", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "service": { + "name": "winlogbeat", + "type": "Win32 Own Process" + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{74b64d41-08ce-0000-454f-b674ce08d601}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "ServiceAccount": "LocalSystem", + "ServiceFileName": "\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true", + "ServiceName": "winlogbeat", + "ServiceStartType": "2", + "ServiceType": "0x10", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4c323", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + }, + "event_id": "4697", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4c323" + }, + "opcode": "Info", + "outcome": "success", + "process": { + 
"pid": 792, + "thread": { + "id": 2492 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "90108", + "time_created": "2020-04-02T14:34:08.889Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json new file mode 100644 index 000000000..24d8e5dea --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json 
@@ -0,0 +1,66 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:04:58.290Z",
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "agent": {
+ "version": "8.0.0",
+ "ephemeral_id": "2e71c92e-5c70-4ea4-aad7-d3a2174f2a6d",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat"
+ },
+ "winlog": {
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "outcome": "success",
+ "level": "information",
+ "event_data": {
+ "ServiceName": "krbtgt",
+ "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502",
+ "TicketEncryptionType": "0x12",
+ "PreAuthType": "2",
+ "TargetUserName": "at_adm",
+ "Status": "0x0",
+ "IpAddress": "::1",
+ "TicketOptions": "0x40810010",
+ "TargetDomainName": "TEST.SAAS",
+ "IpPort": "0",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2794"
+ },
+ "channel": "Security",
+ "record_id": 5040235,
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "time_created": "2020-04-01T08:45:44.171Z",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 2868
+ }
+ },
+ "event_id": 4768,
+ "provider_name": "Microsoft-Windows-Security-Auditing"
+ },
+ "event": {
+ "outcome": "success",
+ "kind": "event",
+ "code": 4768,
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.xml"
+ },
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
new file mode 100644
index 000000000..8762189d3
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json 
@@ -0,0 +1,99 @@ +{ + "expected": [ + { + "@timestamp": "2020-04-01T08:45:44.171Z", + "agent": { + "ephemeral_id": "2e71c92e-5c70-4ea4-aad7-d3a2174f2a6d", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "kerberos-authentication-ticket-requested", + "category": [ + "authentication" + ], + "code": "4768", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.xml" + }, + "level": "information" + }, + "related": { + "ip": [ + "::1" + ], + "user": [ + "at_adm" + ] + }, + "service": { + "name": "krbtgt" + }, + "source": { + "ip": "::1", + "port": 0 + }, + "user": { + "domain": "TEST.SAAS", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PreAuthType": "2", + "ServiceName": "krbtgt", + "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", + "Status": "0x0", + "StatusDescription": "KDC_ERR_NONE", + "TargetDomainName": "TEST.SAAS", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetUserName": "at_adm", + "TicketEncryptionType": "0x12", + "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", + "TicketOptions": "0x40810010", + "TicketOptionsDescription": [ + "Forwardable", + "Renewable-ok", + "Name-canonicalize", + "Renewable" + ] + }, + "event_id": "4768", + "keywords": [ + "Audit Success" + ], + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 496, + "thread": { + "id": 2868 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "5040235", + "time_created": "2020-04-01T08:45:44.171Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json new file mode 100644 index 000000000..f80653aaf --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json 
@@ -0,0 +1,66 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:04:33.160Z",
+ "agent": {
+ "ephemeral_id": "d417a772-3290-465f-97d4-7e1221f76934",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "winlog": {
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2020-04-01T08:45:44.171Z",
+ "event_data": {
+ "TargetUserName": "at_adm@TEST.SAAS",
+ "TargetDomainName": "TEST.SAAS",
+ "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-1110",
+ "TicketEncryptionType": "0x12",
+ "TransmittedServices": "-",
+ "ServiceName": "DC_TEST2K12$",
+ "TicketOptions": "0x40810000",
+ "IpAddress": "::1",
+ "IpPort": "0",
+ "Status": "0x0",
+ "LogonGuid": "{46f85809-d26e-96f5-fbf2-73bd761a2d68}"
+ },
+ "channel": "Security",
+ "event_id": 4769,
+ "record_id": 5040236,
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 2868
+ }
+ },
+ "level": "information",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "outcome": "success"
+ },
+ "event": {
+ "kind": "event",
+ "code": 4769,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json
new file mode 100644
index 000000000..ac8d7d2cc
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json 
@@ -0,0 +1,97 @@ +{ + "expected": [ + { + "@timestamp": "2020-04-01T08:45:44.171Z", + "agent": { + "ephemeral_id": "d417a772-3290-465f-97d4-7e1221f76934", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "kerberos-service-ticket-requested", + "category": [ + "authentication" + ], + "code": "4769", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.xml" + }, + "level": "information" + }, + "related": { + "ip": [ + "::1" + ], + "user": [ + "at_adm" + ] + }, + "service": { + "name": "DC_TEST2K12$" + }, + "source": { + "ip": "::1", + "port": 0 + }, + "user": { + "domain": "TEST.SAAS", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "LogonGuid": "{46f85809-d26e-96f5-fbf2-73bd761a2d68}", + "ServiceName": "DC_TEST2K12$", + "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-1110", + "Status": "0x0", + "StatusDescription": "KDC_ERR_NONE", + "TargetDomainName": "TEST.SAAS", + "TargetUserName": "at_adm@TEST.SAAS", + "TicketEncryptionType": "0x12", + "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", + "TicketOptions": "0x40810000", + "TicketOptionsDescription": [ + "Forwardable", + "Name-canonicalize", + "Renewable" + ], + "TransmittedServices": "-" + }, + "event_id": "4769", + "keywords": [ + "Audit Success" + ], + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 496, + "thread": { + "id": 2868 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 
"5040236", + "time_created": "2020-04-01T08:45:44.171Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json new file mode 100644 index 000000000..2b4c2a2c3 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json @@ -0,0 +1,63 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:08:49.077Z", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "ecb4944b-a4a6-4a12-be3c-2aa7175c6f7c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat" + }, + "ecs": { + "version": "1.8.0" + }, + "winlog": { + "computer_name": "DC_TEST2k12.TEST.SAAS", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2020-04-01T07:32:55.010Z", + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5039598, + "event_data": { + "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", + "TicketOptions": "0x10002", + "TicketEncryptionType": "0x12", + "IpAddress": "::1", + "IpPort": "0", + "TargetUserName": "DC_TEST2K12$@TEST.SAAS", + "TargetDomainName": "TEST.SAAS", + "ServiceName": "krbtgt" + }, + "process": { + "pid": 496, + "thread": { + "id": 4468 + } + }, + "event_id": 4770, + "outcome": "success", + "level": "information" + }, + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event", + "code": 4770 + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.xml" + }, + "level": "information" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
new file mode 100644
index 000000000..9bf1289ff
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
@@ -0,0 +1,92 @@ +{ + "expected": [ + { + "@timestamp": "2020-04-01T07:32:55.010Z", + "agent": { + "ephemeral_id": "ecb4944b-a4a6-4a12-be3c-2aa7175c6f7c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "kerberos-service-ticket-renewed", + "category": [ + "authentication" + ], + "code": "4770", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.xml" + }, + "level": "information" + }, + "related": { + "ip": [ + "::1" + ], + "user": [ + "DC_TEST2K12$" + ] + }, + "service": { + "name": "krbtgt" + }, + "source": { + "ip": "::1", + "port": 0 + }, + "user": { + "domain": "TEST.SAAS", + "name": "DC_TEST2K12$" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "ServiceName": "krbtgt", + "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", + "TargetDomainName": "TEST.SAAS", + "TargetUserName": "DC_TEST2K12$@TEST.SAAS", + "TicketEncryptionType": "0x12", + "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", + "TicketOptions": "0x10002", + "TicketOptionsDescription": [ + "Name-canonicalize", + "Renew" + ] + }, + "event_id": "4770", + "keywords": [ + "Audit Success" + ], + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 496, + "thread": { + "id": 4468 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5039598", + "time_created": "2020-04-01T07:32:55.010Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json
new file mode 100644
index 000000000..4c57b533f
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json
@@ -0,0 +1,63 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:08:03.991Z",
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "agent": {
+ "ephemeral_id": "ac571f8c-8d98-4d24-8463-f0e5d0a13bdd",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "winlog": {
+ "event_data": {
+ "TicketOptions": "0x40810010",
+ "Status": "0x12",
+ "PreAuthType": "0",
+ "IpAddress": "::ffff:192.168.5.44",
+ "IpPort": "53366",
+ "TargetUserName": "MPUIG",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-3057",
+ "ServiceName": "krbtgt/test.saas"
+ },
+ "channel": "Security",
+ "event_id": 4771,
+ "record_id": 5027836,
+ "outcome": "failure",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2020-03-31T07:50:27.168Z",
+ "level": "information",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 4552
+ }
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "opcode": "Info"
+ },
+ "event": {
+ "code": 4771,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "failure",
+ "kind": "event"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.xml"
+ },
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
new file mode 100644
index 000000000..3b8265c25
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
@@ -0,0 +1,94 @@ +{ + "expected": [ + { + "@timestamp": "2020-03-31T07:50:27.168Z", + "agent": { + "ephemeral_id": "ac571f8c-8d98-4d24-8463-f0e5d0a13bdd", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "kerberos-preauth-failed", + "category": [ + "authentication" + ], + "code": "4771", + "kind": "event", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.xml" + }, + "level": "information" + }, + "related": { + "ip": [ + "192.168.5.44" + ], + "user": [ + "MPUIG" + ] + }, + "service": { + "name": "krbtgt/test.saas" + }, + "source": { + "ip": "192.168.5.44", + "port": 53366 + }, + "user": { + "id": "S-1-5-21-1717121054-434620538-60925301-3057", + "name": "MPUIG" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PreAuthType": "0", + "ServiceName": "krbtgt/test.saas", + "Status": "0x12", + "StatusDescription": "KDC_ERR_CLIENT_REVOKED", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-3057", + "TargetUserName": "MPUIG", + "TicketOptions": "0x40810010", + "TicketOptionsDescription": [ + "Forwardable", + "Renewable-ok", + "Name-canonicalize", + "Renewable" + ] + }, + "event_id": "4771", + "keywords": [ + "Audit Failure" + ], + "level": "information", + "opcode": "Info", + "outcome": "failure", + "process": { + "pid": 496, + "thread": { + "id": 4552 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5027836", + "time_created": "2020-03-31T07:50:27.168Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json
new file mode 100644
index 000000000..55d04a038
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json
@@ -0,0 +1,59 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:09:39.132Z",
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "agent": {
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "e3bf3bc5-3815-4ca8-ad10-d40daaa047fc"
+ },
+ "winlog": {
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 1864
+ }
+ },
+ "event_id": 4776,
+ "record_id": 5040222,
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "time_created": "2020-04-01T08:45:42.187Z",
+ "outcome": "success",
+ "level": "information",
+ "event_data": {
+ "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
+ "TargetUserName": "at_adm",
+ "Workstation": "EQP01777",
+ "Status": "0x0"
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4776,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json
new file mode 100644
index 000000000..c2482777b
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json
@@ -0,0 +1,79 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2020-04-01T08:45:42.187Z",
+ "agent": {
+ "ephemeral_id": "e3bf3bc5-3815-4ca8-ad10-d40daaa047fc",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "credential-validated",
+ "category": [
+ "authentication"
+ ],
+ "code": "4776",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "start"
+ ]
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "at_adm"
+ ]
+ },
+ "user": {
+ "name": "at_adm"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
+ "Status": "0x0",
+ "TargetUserName": "at_adm",
+ "Workstation": "EQP01777"
+ },
+ "event_id": "4776",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "failure": {
+ "status": "Status OK."
+ }
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 1864
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "5040222",
+ "time_created": "2020-04-01T08:45:42.187Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json
new file mode 100644
index 000000000..c03ef805d
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json
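Review bot: The expected document pins `winlog.logon.failure.status` to `"Status OK."` on an event whose `event.outcome` is `success` and whose `Status` is `0x0`, so a successful credential validation ends up carrying a populated `failure` object. A detection rule or dashboard that keys on the existence of `winlog.logon.failure.*` would presumably match this successful event as well; the ingest pipeline that produces the field is not part of this hunk, so whether this is intended cannot be confirmed from here. If it is not intended, the status mapping should be guarded on `event.outcome == "failure"` and the `"logon": { "failure": { "status": "Status OK." } }` block dropped from this fixture when it is regenerated.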
@@ -0,0 +1,61 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:03:02.655Z",
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "agent": {
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "f305e9f9-96b1-4f18-a864-144e6a3fc46d"
+ },
+ "winlog": {
+ "event_id": 4778,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 5101675,
+ "keywords": [
+ "Audit Success"
+ ],
+ "time_created": "2020-04-05T16:33:32.388Z",
+ "outcome": "success",
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "level": "information",
+ "event_data": {
+ "SessionName": "RDP-Tcp#127",
+ "ClientName": "EQP01777",
+ "ClientAddress": "216.160.83.57",
+ "AccountName": "at_adm",
+ "AccountDomain": "TEST",
+ "LogonID": "0x76fea87"
+ },
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 4184
+ }
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4778,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
new file mode 100644
index 000000000..eba663813
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
@@ -0,0 +1,103 @@ +{ + "expected": [ + { + "@timestamp": "2020-04-05T16:33:32.388Z", + "agent": { + "ephemeral_id": "f305e9f9-96b1-4f18-a864-144e6a3fc46d", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "session-reconnected", + "category": [ + "authentication", + "session" + ], + "code": "4778", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.xml" + }, + "level": "information" + }, + "related": { + "ip": [ + "216.160.83.57" + ], + "user": [ + "at_adm" + ] + }, + "source": { + "as": { + "number": 209 + }, + "domain": "EQP01777", + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57" + }, + "user": { + "domain": "TEST", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "AccountDomain": "TEST", + "AccountName": "at_adm", + "ClientAddress": "216.160.83.57", + "ClientName": "EQP01777", + "LogonID": "0x76fea87", + "SessionName": "RDP-Tcp#127" + }, + "event_id": "4778", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x76fea87" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 496, + "thread": { + "id": 4184 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5101675", + "time_created": "2020-04-05T16:33:32.388Z" + } + 
} + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json new file mode 100644 index 000000000..23983ce6e --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json @@ -0,0 +1,61 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:03:22.673Z", + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.xml" + } + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "agent": { + "ephemeral_id": "d9d93a3d-3242-4f55-a4de-4ded8ae26301", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "winlog": { + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "time_created": "2020-04-03T10:18:01.882Z", + "level": "information", + "event_data": { + "AccountDomain": "TEST", + "LogonID": "0x60d1ccb", + "SessionName": "RDP-Tcp#116", + "ClientName": "EQP01777", + "ClientAddress": "10.100.150.17", + "AccountName": "at_adm" + }, + "event_id": 4779, + "record_id": 5069070, + "computer_name": "DC_TEST2k12.TEST.SAAS", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "outcome": "success", + "process": { + "pid": 496, + "thread": { + "id": 3852 + } + } + }, + "event": { + "kind": "event", + "code": 4779, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
new file mode 100644
index 000000000..bc3cf0630
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
@@ -0,0 +1,88 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2020-04-03T10:18:01.882Z",
+ "agent": {
+ "ephemeral_id": "d9d93a3d-3242-4f55-a4de-4ded8ae26301",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "session-disconnected",
+ "category": [
+ "authentication",
+ "session"
+ ],
+ "code": "4779",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "end"
+ ]
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "ip": [
+ "10.100.150.17"
+ ],
+ "user": [
+ "at_adm"
+ ]
+ },
+ "source": {
+ "domain": "EQP01777",
+ "ip": "10.100.150.17"
+ },
+ "user": {
+ "domain": "TEST",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "AccountDomain": "TEST",
+ "AccountName": "at_adm",
+ "ClientAddress": "10.100.150.17",
+ "ClientName": "EQP01777",
+ "LogonID": "0x60d1ccb",
+ "SessionName": "RDP-Tcp#116"
+ },
+ "event_id": "4779",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x60d1ccb"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 3852
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "5069070",
+ "time_created": "2020-04-03T10:18:01.882Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json
new file mode 100644
index 000000000..1dae9ccfc
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json
@@ -0,0 +1,1303 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:10:09.188Z", + "event": { + "kind": "event", + "code": 4624, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain" + }, + "winlog": { + "version": 1, + "outcome": "success", + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "level": "information", + "event_data": { + "SubjectUserSid": "S-1-5-18", + "AuthenticationPackageName": "Negotiate", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectDomainName": "WORKGROUP", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "LogonType": "5", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "ProcessName": "C:\\Windows\\System32\\services.exe", + "IpPort": "-", + "SubjectLogonId": "0x3e7", + "LogonProcessName": "Advapi ", + "LmPackageName": "-", + "IpAddress": "-", + "TargetUserSid": "S-1-5-18", + "TargetUserName": "SYSTEM", + "TransmittedServices": "-", + "KeyLength": "0", + "ProcessId": "0x1fc", + "ImpersonationLevel": "%%1833" + }, + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Success" + ], + "time_created": "2019-03-29T21:10:39.786Z", + "process": { + "pid": 516, + "thread": { + "id": 536 + } + }, + "event_id": 4624, + "record_id": 1535 + } + }, + { + "@timestamp": "2021-04-15T19:10:09.188Z", + "agent": { + "version": "8.0.0", + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": 
"3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat" + }, + "winlog": { + "channel": "Security", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "computer_name": "vagrant-2012-r2", + "opcode": "Info", + "version": 1, + "time_created": "2019-03-29T21:10:40.255Z", + "event_id": 4624, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "keywords": [ + "Audit Success" + ], + "level": "information", + "event_data": { + "ImpersonationLevel": "%%1833", + "TransmittedServices": "-", + "LmPackageName": "-", + "ProcessId": "0x1fc", + "ProcessName": "C:\\Windows\\System32\\services.exe", + "IpAddress": "-", + "SubjectUserName": "VAGRANT-2012-R2$", + "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "KeyLength": "0", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "TargetUserSid": "S-1-5-18", + "TargetUserName": "SYSTEM", + "TargetDomainName": "NT AUTHORITY", + "SubjectUserSid": "S-1-5-18", + "TargetLogonId": "0x3e7", + "LogonProcessName": "Advapi ", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "IpPort": "-" + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1538 + }, + "event": { + "kind": "event", + "code": 4624, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant-2012-r2" + } + }, + { + "@timestamp": "2021-04-15T19:10:09.188Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "winlog": { + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "keywords": [ + "Audit Success" + ], + "provider_name": "Microsoft-Windows-Security-Auditing", + "channel": "Security", + "opcode": "Info", + "version": 1, + 
"time_created": "2019-03-29T21:10:40.380Z", + "level": "information", + "computer_name": "vagrant-2012-r2", + "record_id": 1542, + "outcome": "success", + "event_data": { + "LogonProcessName": "User32 ", + "WorkstationName": "VAGRANT-2012-R2", + "LmPackageName": "-", + "KeyLength": "0", + "TransmittedServices": "-", + "ImpersonationLevel": "%%1833", + "SubjectUserName": "VAGRANT-2012-R2$", + "TargetDomainName": "VAGRANT-2012-R2", + "LogonType": "2", + "AuthenticationPackageName": "Negotiate", + "IpAddress": "127.0.0.1", + "IpPort": "0", + "SubjectLogonId": "0x3e7", + "TargetLogonId": "0x1008e", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "ProcessName": "C:\\Windows\\System32\\winlogon.exe", + "ProcessId": "0x1c0", + "SubjectUserSid": "S-1-5-18", + "SubjectDomainName": "WORKGROUP", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TargetUserName": "vagrant" + }, + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "event_id": 4624 + }, + "event": { + "kind": "event", + "code": 4624, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain" + } + }, + { + "@timestamp": "2021-04-15T19:10:09.189Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "agent": { + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" + }, + "winlog": { + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "computer_name": "vagrant-2012-r2", + "opcode": "Info", + 
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "level": "information", + "record_id": 1545, + "keywords": [ + "Audit Success" + ], + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "event_id": 4624, + "time_created": "2019-03-29T21:10:40.505Z", + "event_data": { + "LogonProcessName": "Advapi ", + "TransmittedServices": "-", + "IpAddress": "-", + "ProcessName": "C:\\Windows\\System32\\services.exe", + "SubjectUserSid": "S-1-5-18", + "SubjectDomainName": "WORKGROUP", + "AuthenticationPackageName": "Negotiate", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LmPackageName": "-", + "KeyLength": "0", + "ProcessId": "0x1fc", + "TargetUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "LogonType": "5", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "IpPort": "-", + "ImpersonationLevel": "%%1833" + }, + "version": 1, + "outcome": "success" + }, + "event": { + "kind": "event", + "code": 4624, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + } + }, + { + "@timestamp": "2021-04-15T19:10:09.189Z", + "host": { + "name": "vagrant-2012-r2" + }, + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50" + }, + "winlog": { + "outcome": "success", + "level": "information", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1547, + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "version": 1, + "time_created": "2019-03-29T21:10:40.630Z", + "event_id": 4624, + "opcode": "Info", 
+ "event_data": { + "LogonType": "3", + "KeyLength": "0", + "ProcessId": "0x0", + "ProcessName": "-", + "SubjectUserSid": "S-1-0-0", + "SubjectLogonId": "0x0", + "TargetUserName": "ANONYMOUS LOGON", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x129f1", + "LmPackageName": "NTLM V1", + "SubjectUserName": "-", + "LogonProcessName": "NtLmSsp ", + "AuthenticationPackageName": "NTLM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "TransmittedServices": "-", + "SubjectDomainName": "-", + "TargetUserSid": "S-1-5-7", + "IpAddress": "-", + "IpPort": "-", + "ImpersonationLevel": "%%1833" + }, + "computer_name": "vagrant-2012-r2", + "channel": "Security" + }, + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event", + "code": 4624 + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + } + }, + { + "@timestamp": "2021-04-15T19:10:09.189Z", + "winlog": { + "version": 1, + "event_data": { + "TargetDomainName": "VAGRANT-2012-R2", + "LogonType": "3", + "IpAddress": "-", + "SubjectLogonId": "0x0", + "LogonProcessName": "NtLmSsp ", + "LmPackageName": "NTLM V2", + "KeyLength": "128", + "ProcessId": "0x0", + "ProcessName": "-", + "SubjectUserName": "-", + "TargetLogonId": "0x28d31", + "TransmittedServices": "-", + "IpPort": "-", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "SubjectDomainName": "-", + "TargetUserName": "vagrant", + "AuthenticationPackageName": "NTLM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "ImpersonationLevel": "%%1833", + "SubjectUserSid": "S-1-0-0" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "record_id": 1550, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2019-03-29T21:10:53.661Z", + "level": "information", + "channel": "Security", 
+ "computer_name": "vagrant-2012-r2", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_name": "Microsoft-Windows-Security-Auditing" + }, + "event": { + "kind": "event", + "code": 4624, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat" + }, + "ecs": { + "version": "1.8.0" + } + }, + { + "@timestamp": "2021-04-15T19:10:09.189Z", + "agent": { + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "winlog": { + "provider_name": "Microsoft-Windows-Security-Auditing", + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "computer_name": "vagrant-2012-r2", + "event_data": { + "SubjectUserSid": "S-1-0-0", + "SubjectUserName": "-", + "SubjectLogonId": "0x0", + "KeyLength": "128", + "IpAddress": "-", + "ProcessName": "-", + "SubjectDomainName": "-", + "TargetUserName": "vagrant", + "TargetLogonId": "0x29f0f", + "LogonProcessName": "NtLmSsp ", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LmPackageName": "NTLM V2", + "ProcessId": "0x0", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "IpPort": "-", + "ImpersonationLevel": "%%1833", + "TargetDomainName": "VAGRANT-2012-R2", + "LogonType": "3", + "AuthenticationPackageName": "NTLM", + "TransmittedServices": "-" + }, + "record_id": 1553, + 
"keywords": [ + "Audit Success" + ], + "version": 1, + "outcome": "success", + "level": "information", + "channel": "Security", + "event_id": 4624, + "time_created": "2019-03-29T21:10:54.661Z", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + } + }, + "event": { + "kind": "event", + "code": 4624, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + } + }, + { + "@timestamp": "2021-04-15T19:10:09.189Z", + "ecs": { + "version": "1.8.0" + }, + "winlog": { + "event_data": { + "SubjectUserSid": "S-1-0-0", + "TargetUserName": "vagrant", + "TransmittedServices": "-", + "KeyLength": "128", + "ProcessId": "0x0", + "IpPort": "-", + "LogonProcessName": "NtLmSsp ", + "ImpersonationLevel": "%%1833", + "SubjectUserName": "-", + "TargetDomainName": "VAGRANT-2012-R2", + "LogonType": "3", + "AuthenticationPackageName": "NTLM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "IpAddress": "-", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TargetLogonId": "0x2a362", + "LmPackageName": "NTLM V2", + "ProcessName": "-" + }, + "computer_name": "vagrant-2012-r2", + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2019-03-29T21:10:55.458Z", + "outcome": "success", + "event_id": 4624, + "record_id": 1556, + "version": 1, + "provider_name": "Microsoft-Windows-Security-Auditing", + "channel": "Security", + "opcode": "Info", + "level": "information", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + } + }, + "event": { + "kind": "event", + "code": 4624, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50" + } + }, + { + "@timestamp": "2021-04-15T19:10:09.189Z", + "host": { + "name": "vagrant-2012-r2" + }, + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.8.0" + }, + "winlog": { + "process": { + "pid": 516, + "thread": { + "id": 808 + } + }, + "computer_name": "vagrant-2012-r2", + "keywords": [ + "Audit Success" + ], + "time_created": "2019-03-29T21:13:17.302Z", + "record_id": 1561, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "event_id": 4624, + "opcode": "Info", + "outcome": "success", + "level": "information", + "event_data": { + "IpPort": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LmPackageName": "NTLM V2", + "IpAddress": "-", + "ImpersonationLevel": "%%1833", + "SubjectUserSid": "S-1-0-0", + "SubjectUserName": "-", + "SubjectDomainName": "-", + "AuthenticationPackageName": "NTLM", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "LogonProcessName": "NtLmSsp ", + "WorkstationName": "127.0.0.1", + "ProcessName": "-", + "LogonType": "3", + "TransmittedServices": "-", + "KeyLength": "128", + "ProcessId": "0x0", + "SubjectLogonId": "0x0", + "TargetUserName": "vagrant", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x324f8" + }, + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "version": 1 + }, + "event": { + "kind": "event", + "code": 4624, + "provider": "Microsoft-Windows-Security-Auditing", + 
"outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + } + }, + { + "@timestamp": "2021-04-15T19:10:09.189Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "agent": { + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" + }, + "winlog": { + "event_data": { + "SubjectUserSid": "S-1-5-18", + "LogonType": "2", + "TransmittedServices": "-", + "LmPackageName": "-", + "ImpersonationLevel": "%%1833", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectLogonId": "0x3e7", + "LogonProcessName": "Advapi ", + "AuthenticationPackageName": "Negotiate", + "KeyLength": "0", + "IpPort": "-", + "TargetUserSid": "S-1-5-90-2", + "TargetDomainName": "Window Manager", + "TargetLogonId": "0x33444", + "IpAddress": "-", + "SubjectDomainName": "WORKGROUP", + "TargetUserName": "DWM-2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "ProcessId": "0xafc", + "ProcessName": "C:\\Windows\\System32\\winlogon.exe" + }, + "record_id": 1563, + "opcode": "Info", + "version": 1, + "time_created": "2019-03-29T21:13:17.521Z", + "level": "information", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, + "event_id": 4624, + "computer_name": "vagrant-2012-r2", + "keywords": [ + "Audit Success" + ], + "outcome": "success", + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + }, + "event": { + "kind": "event", + "code": 4624, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + } + }, + 
{ + "@timestamp": "2021-04-15T19:10:09.189Z", + "event": { + "kind": "event", + "code": 4624, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "winlog": { + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Success" + ], + "time_created": "2019-03-29T21:13:17.614Z", + "level": "information", + "event_data": { + "SubjectLogonId": "0x3e7", + "TargetUserName": "vagrant", + "TargetDomainName": "VAGRANT-2012-R2", + "LmPackageName": "-", + "ProcessName": "C:\\Windows\\System32\\winlogon.exe", + "SubjectDomainName": "WORKGROUP", + "SubjectUserName": "VAGRANT-2012-R2$", + "AuthenticationPackageName": "Negotiate", + "TransmittedServices": "-", + "IpPort": "0", + "ImpersonationLevel": "%%1833", + "SubjectUserSid": "S-1-5-18", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "KeyLength": "0", + "LogonProcessName": "User32 ", + "TargetLogonId": "0x3444f", + "LogonType": "10", + "WorkstationName": "VAGRANT-2012-R2", + "ProcessId": "0xafc", + "IpAddress": "10.0.2.2", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001" + }, + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "version": 1, + "process": { + "pid": 516, + "thread": { + "id": 808 + } + }, + "record_id": 1567, + "outcome": "success", + "event_id": 4624 + } + }, + { + "@timestamp": "2021-04-15T19:10:09.190Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + 
"id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "winlog": { + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "event_data": { + "SubjectDomainName": "WORKGROUP", + "KeyLength": "0", + "ProcessId": "0x88c", + "SubjectUserSid": "S-1-5-18", + "TargetUserName": "DWM-3", + "TargetDomainName": "Window Manager", + "TargetLogonId": "0x357fd", + "LogonType": "2", + "AuthenticationPackageName": "Negotiate", + "TransmittedServices": "-", + "IpPort": "-", + "SubjectLogonId": "0x3e7", + "ImpersonationLevel": "%%1833", + "SubjectUserName": "VAGRANT-2012-R2$", + "TargetUserSid": "S-1-5-90-3", + "LogonProcessName": "Advapi ", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LmPackageName": "-", + "ProcessName": "C:\\Windows\\System32\\winlogon.exe", + "IpAddress": "-" + }, + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "opcode": "Info", + "process": { + "thread": { + "id": 556 + }, + "pid": 516 + }, + "computer_name": "vagrant-2012-r2", + "keywords": [ + "Audit Success" + ], + "version": 1, + "time_created": "2019-03-29T21:13:18.786Z", + "outcome": "success", + "level": "information", + "event_id": 4624, + "record_id": 1570 + }, + "event": { + "code": 4624, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant-2012-r2" + } + }, + { + "@timestamp": "2021-04-15T19:10:09.190Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, 
+ "winlog": { + "time_created": "2019-03-29T21:20:48.740Z", + "level": "information", + "computer_name": "vagrant-2012-r2", + "outcome": "success", + "event_data": { + "SubjectDomainName": "WORKGROUP", + "TargetUserSid": "S-1-5-18", + "TargetLogonId": "0x3e7", + "LogonProcessName": "Advapi ", + "IpAddress": "-", + "ImpersonationLevel": "%%1833", + "SubjectUserName": "VAGRANT-2012-R2$", + "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "SubjectUserSid": "S-1-5-18", + "TargetUserName": "SYSTEM", + "TransmittedServices": "-", + "LmPackageName": "-", + "KeyLength": "0", + "ProcessId": "0x1fc", + "IpPort": "-", + "SubjectLogonId": "0x3e7", + "TargetDomainName": "NT AUTHORITY", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "ProcessName": "C:\\Windows\\System32\\services.exe" + }, + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1574, + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "version": 1, + "channel": "Security" + }, + "event": { + "kind": "event", + "code": 4624, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + } + }, + { + "@timestamp": "2021-04-15T19:10:09.190Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50" + }, + "winlog": { + "event_id": 4624, + "record_id": 1576, + "computer_name": "vagrant-2012-r2", + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "level": "information", + 
"event_data": { + "IpAddress": "-", + "TargetUserSid": "S-1-5-18", + "TargetUserName": "SYSTEM", + "KeyLength": "0", + "ProcessId": "0x1fc", + "LogonType": "5", + "ProcessName": "C:\\Windows\\System32\\services.exe", + "IpPort": "-", + "ImpersonationLevel": "%%1833", + "SubjectUserSid": "S-1-5-18", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectDomainName": "WORKGROUP", + "TargetLogonId": "0x3e7", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "TransmittedServices": "-", + "LmPackageName": "-", + "SubjectLogonId": "0x3e7", + "TargetDomainName": "NT AUTHORITY", + "LogonProcessName": "Advapi ", + "AuthenticationPackageName": "Negotiate" + }, + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, + "keywords": [ + "Audit Success" + ], + "time_created": "2019-03-29T21:20:48.740Z", + "outcome": "success", + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "version": 1 + }, + "event": { + "code": 4624, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + } + }, + { + "@timestamp": "2021-04-15T19:10:09.190Z", + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50" + }, + "winlog": { + "version": 1, + "outcome": "success", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1578, + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "level": "information", + "event_data": { + "TargetUserName": "SYSTEM", + "AuthenticationPackageName": "Negotiate", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LmPackageName": "-", + "ProcessId": "0x1fc", + "SubjectUserSid": "S-1-5-18", + 
"SubjectLogonId": "0x3e7", + "LogonType": "5", + "LogonProcessName": "Advapi ", + "IpAddress": "-", + "SubjectUserName": "VAGRANT-2012-R2$", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-", + "KeyLength": "0", + "ProcessName": "C:\\Windows\\System32\\services.exe", + "IpPort": "-", + "ImpersonationLevel": "%%1833", + "SubjectDomainName": "WORKGROUP", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7" + }, + "channel": "Security", + "event_id": 4624, + "process": { + "pid": 516, + "thread": { + "id": 504 + } + }, + "computer_name": "vagrant-2012-r2", + "opcode": "Info", + "time_created": "2019-03-29T21:20:50.584Z" + }, + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event", + "code": 4624 + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant-2012-r2" + } + }, + { + "@timestamp": "2021-04-15T19:10:09.190Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "winlog": { + "channel": "Security", + "level": "information", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, + "time_created": "2019-03-29T21:23:42.520Z", + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "version": 1, + "event_data": { + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectDomainName": "WORKGROUP", + "TargetUserName": "SYSTEM", + "AuthenticationPackageName": "Negotiate", + "ProcessName": "C:\\Windows\\System32\\services.exe", + "ImpersonationLevel": "%%1833", + "SubjectLogonId": "0x3e7", + "LogonGuid": 
"{00000000-0000-0000-0000-000000000000}", + "LmPackageName": "-", + "KeyLength": "0", + "ProcessId": "0x1fc", + "TargetUserSid": "S-1-5-18", + "IpAddress": "-", + "IpPort": "-", + "TransmittedServices": "-", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "LogonType": "5", + "LogonProcessName": "Advapi " + }, + "record_id": 1581, + "computer_name": "vagrant-2012-r2", + "opcode": "Info", + "provider_name": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event", + "code": 4624 + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + } + }, + { + "@timestamp": "2021-04-15T19:10:09.191Z", + "host": { + "name": "vagrant-2012-r2" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat" + }, + "winlog": { + "outcome": "success", + "level": "information", + "event_data": { + "TargetUserName": "SYSTEM", + "LogonProcessName": "Advapi ", + "IpPort": "-", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectLogonId": "0x3e7", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "IpAddress": "-", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "LmPackageName": "-", + "SubjectUserSid": "S-1-5-18", + "TargetUserSid": "S-1-5-18", + "AuthenticationPackageName": "Negotiate", + "TransmittedServices": "-", + "KeyLength": "0", + "ProcessId": "0x1fc", + "ProcessName": "C:\\Windows\\System32\\services.exe", + "ImpersonationLevel": "%%1833", + "SubjectDomainName": "WORKGROUP", + "LogonType": "5" + }, + "channel": "Security", + "opcode": "Info", + "computer_name": "vagrant-2012-r2", + "keywords": [ + "Audit Success" + ], + 
"time_created": "2019-03-29T21:26:24.176Z", + "process": { + "pid": 516, + "thread": { + "id": 344 + } + }, + "event_id": 4624, + "provider_name": "Microsoft-Windows-Security-Auditing", + "version": 1, + "record_id": 1583, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + }, + "event": { + "kind": "event", + "code": 4624, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + } + }, + { + "@timestamp": "2021-04-15T19:10:09.191Z", + "event": { + "kind": "event", + "code": 4625, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "failure" + }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain" + }, + "winlog": { + "event_id": 4625, + "computer_name": "vagrant-2012-r2", + "opcode": "Info", + "time_created": "2019-03-29T21:45:35.177Z", + "event_data": { + "SubjectDomainName": "VAGRANT-2012-R2", + "TargetUserSid": "S-1-0-0", + "TargetDomainName": "VAGRANT-2012-R2", + "FailureReason": "%%2313", + "ProcessId": "0x344", + "IpAddress": "::1", + "TargetUserName": "bosch", + "AuthenticationPackageName": "Negotiate", + "WorkstationName": "VAGRANT-2012-R2", + "LmPackageName": "-", + "SubStatus": "0xc0000064", + "LogonProcessName": "seclogo", + "TransmittedServices": "-", + "KeyLength": "0", + "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "SubjectUserName": "vagrant", + "SubjectLogonId": "0x1008e", 
+ "Status": "0xc000006d",
+ "LogonType": "2",
+ "ProcessName": "C:\\Windows\\System32\\svchost.exe",
+ "IpPort": "0"
+ },
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 1585,
+ "keywords": [
+ "Audit Failure"
+ ],
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "outcome": "failure",
+ "level": "information",
+ "process": {
+ "thread": {
+ "id": 2756
+ },
+ "pid": 516
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
new file mode 100644
index 000000000..2dc52b95f
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
@@ -0,0 +1,1769 @@ +{ + "expected": [ + { + "@timestamp": "2019-03-29T21:10:39.786Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 536 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1535", + "time_created": "2019-03-29T21:10:39.786Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.255Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + 
"opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1538", + "time_created": "2019-03-29T21:10:40.255Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.380Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", + "name": "winlogon.exe", + "pid": 448 + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "vagrant", + "VAGRANT-2012-R2$" + ] + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "127.0.0.1", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "User32 ", + "LogonType": "2", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": 
"0x1008e", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Interactive" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1542", + "time_created": "2019-03-29T21:10:40.380Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.505Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": 
"WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1545", + "time_created": "2019-03-29T21:10:40.505Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.630Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "related": { + "user": [ + "ANONYMOUS LOGON" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-7", + "name": "ANONYMOUS LOGON" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "NTLM V1", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + 
"LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x129f1", + "TargetUserName": "ANONYMOUS LOGON", + "TargetUserSid": "S-1-5-7", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1547", + "time_created": "2019-03-29T21:10:40.630Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:53.661Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "128", + 
"LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x28d31", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1550", + "time_created": "2019-03-29T21:10:53.661Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:54.661Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + 
"AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x29f0f", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1553", + "time_created": "2019-03-29T21:10:54.661Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:55.458Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + 
"name": "vagrant" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x2a362", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1556", + "time_created": "2019-03-29T21:10:55.458Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.302Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "related": { + "user": [ + 
"vagrant" + ] + }, + "source": { + "domain": "127.0.0.1" + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x324f8", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1561", + "time_created": "2019-03-29T21:13:17.302Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.521Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", + "name": "winlogon.exe", + "pid": 2812 + }, + "related": { + "user": [ + "DWM-2", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "Window Manager", + "id": "S-1-5-90-2", + "name": "DWM-2" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "2", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "Window Manager", + "TargetLogonId": "0x33444", + "TargetUserName": "DWM-2", + "TargetUserSid": "S-1-5-90-2", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Interactive" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1563", + "time_created": "2019-03-29T21:13:17.521Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.614Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", + "name": "winlogon.exe", + "pid": 2812 + }, + "related": { + "ip": [ + "10.0.2.2" + ], + "user": [ + "vagrant", + "VAGRANT-2012-R2$" + ] + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "10.0.2.2", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "User32 ", + "LogonType": "10", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x3444f", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "RemoteInteractive" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1567", + "time_created": "2019-03-29T21:13:17.614Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:18.786Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": 
"3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", + "name": "winlogon.exe", + "pid": 2188 + }, + "related": { + "user": [ + "DWM-3", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "Window Manager", + "id": "S-1-5-90-3", + "name": "DWM-3" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "2", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "Window Manager", + "TargetLogonId": "0x357fd", + "TargetUserName": "DWM-3", + "TargetUserSid": "S-1-5-90-3", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Interactive" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1570", + "time_created": "2019-03-29T21:13:18.786Z", + "version": 1 
+ } + }, + { + "@timestamp": "2019-03-29T21:20:48.740Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + 
"provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1574", + "time_created": "2019-03-29T21:20:48.740Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:20:48.740Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + 
"process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1576", + "time_created": "2019-03-29T21:20:48.740Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:20:50.584Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + 
"level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 504 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1578", + "time_created": "2019-03-29T21:20:50.584Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:23:42.520Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + 
"TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1581", + "time_created": "2019-03-29T21:23:42.520Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:26:24.176Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + 
"SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 344 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1583", + "time_created": "2019-03-29T21:26:24.176Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:45:35.177Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logon-failed", + "category": [ + "authentication" + ], + "code": "4625", + "kind": "event", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 836 + }, + "related": { + "ip": [ + "::1" + ], + "user": [ + "bosch" + ] + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "::1", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-0-0", + "name": "bosch" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "FailureReason": "%%2313", + "KeyLength": "0", + "LmPackageName": "-", + "LogonProcessName": "seclogo", + "LogonType": "2", + 
"Status": "0xc000006d", + "SubStatus": "0xc0000064", + "SubjectDomainName": "VAGRANT-2012-R2", + "SubjectLogonId": "0x1008e", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetUserName": "bosch", + "TargetUserSid": "S-1-0-0", + "TransmittedServices": "-" + }, + "event_id": "4625", + "keywords": [ + "Audit Failure" + ], + "level": "information", + "logon": { + "failure": { + "reason": "Unknown user name or bad password.", + "status": "This is either due to a bad username or authentication information", + "sub_status": "User logon with misspelled or bad user account" + }, + "id": "0x1008e", + "type": "Interactive" + }, + "opcode": "Info", + "outcome": "failure", + "process": { + "pid": 516, + "thread": { + "id": 2756 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1585", + "time_created": "2019-03-29T21:45:35.177Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json new file mode 100644 index 000000000..bb7f664ec --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json 
@@ -0,0 +1,122 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:03:27.709Z", + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml" + } + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "bf2b0592-35a2-427c-bece-18d57f7881b9" + }, + "ecs": { + "version": "1.8.0" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "computer_name": "WIN-41OB2LO92CR", + "time_created": "2019-09-06T13:28:46.163Z", + "outcome": "success", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2815, + "process": { + "thread": { + "id": 820 + }, + "pid": 780 + }, + "event_id": 4722, + "opcode": "Info", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "TargetUserName": "audittest", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator" + }, + "keywords": [ + "Audit Success" + ], + "level": "information" + }, + "event": { + "kind": "event", + "code": 4722, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + } + }, + { + "@timestamp": "2021-04-15T19:03:27.709Z", + "event": { + "kind": "event", + "code": 4722, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml" + } + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + 
"agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "bf2b0592-35a2-427c-bece-18d57f7881b9", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain" + }, + "winlog": { + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "record_id": 2826, + "computer_name": "WIN-41OB2LO92CR", + "opcode": "Info", + "time_created": "2019-09-06T13:29:08.573Z", + "event_data": { + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "TargetUserName": "audittest0609", + "TargetDomainName": "WIN-41OB2LO92CR" + }, + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "event_id": 4722, + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "level": "information" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json new file mode 100644 index 000000000..4119c3b22 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json 
@@ -0,0 +1,176 @@ +{ + "expected": [ + { + "@timestamp": "2019-09-06T13:28:46.163Z", + "agent": { + "ephemeral_id": "bf2b0592-35a2-427c-bece-18d57f7881b9", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "enabled-user-account", + "category": [ + "iam" + ], + "code": "4722", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" + }, + "event_id": "4722", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2815", + "time_created": 
"2019-09-06T13:28:46.163Z" + } + }, + { + "@timestamp": "2019-09-06T13:29:08.573Z", + "agent": { + "ephemeral_id": "bf2b0592-35a2-427c-bece-18d57f7881b9", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "enabled-user-account", + "category": [ + "iam" + ], + "code": "4722", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest0609" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": "4722", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2826", + "time_created": 
"2019-09-06T13:29:08.573Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json new file mode 100644 index 000000000..3fb6a55d8 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json 
@@ -0,0 +1,124 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:06:23.720Z", + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "183bfef0-27fc-4fc0-b569-2d42d6e33862", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain" + }, + "winlog": { + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "computer_name": "WIN-41OB2LO92CR", + "keywords": [ + "Audit Failure" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "outcome": "failure", + "event_data": { + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "PrivilegeList": "-", + "TargetUserName": "Administrator", + "TargetDomainName": "WIN-41OB2LO92CR" + }, + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "event_id": 4723, + "opcode": "Info", + "level": "information", + "record_id": 2838, + "time_created": "2019-09-06T13:32:13.855Z" + }, + "event": { + "code": 4723, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "failure", + "kind": "event" + } + }, + { + "@timestamp": "2021-04-15T19:06:23.721Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "183bfef0-27fc-4fc0-b569-2d42d6e33862" + }, + "winlog": { + "computer_name": "WIN-41OB2LO92CR", + "keywords": [ + "Audit Success" + ], + 
"opcode": "Info", + "event_data": { + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "PrivilegeList": "-", + "TargetUserName": "Administrator" + }, + "record_id": 2839, + "time_created": "2019-09-06T13:32:23.885Z", + "outcome": "success", + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "level": "information", + "channel": "Security", + "event_id": 4723 + }, + "event": { + "kind": "event", + "code": 4723, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml" + }, + "level": "information" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json new file mode 100644 index 000000000..44e7b1b5f --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json 
@@ -0,0 +1,176 @@ +{ + "expected": [ + { + "@timestamp": "2019-09-06T13:32:13.855Z", + "agent": { + "ephemeral_id": "183bfef0-27fc-4fc0-b569-2d42d6e33862", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "code": "4723", + "kind": "event", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetUserName": "Administrator" + }, + "event_id": "4723", + "keywords": [ + "Audit Failure" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "failure", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2838", + "time_created": 
"2019-09-06T13:32:13.855Z" + } + }, + { + "@timestamp": "2019-09-06T13:32:23.885Z", + "agent": { + "ephemeral_id": "183bfef0-27fc-4fc0-b569-2d42d6e33862", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "code": "4723", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetUserName": "Administrator" + }, + "event_id": "4723", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2839", + "time_created": 
"2019-09-06T13:32:23.885Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json new file mode 100644 index 000000000..40b5ddd05 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json 
@@ -0,0 +1,122 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:06:13.672Z", + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "bada69aa-9ce0-403f-9c89-ab8217732fb4", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat" + }, + "ecs": { + "version": "1.8.0" + }, + "winlog": { + "channel": "Security", + "record_id": 2762, + "computer_name": "WIN-41OB2LO92CR", + "event_id": 4724, + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "outcome": "success", + "level": "information", + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "process": { + "pid": 780, + "thread": { + "id": 816 + } + }, + "opcode": "Info", + "time_created": "2019-09-06T13:24:39.339Z", + "event_data": { + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "TargetUserName": "elastictest1", + "TargetDomainName": "WIN-41OB2LO92CR" + } + }, + "event": { + "kind": "event", + "code": 4724, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml" + }, + "level": "information" + } + }, + { + "@timestamp": "2021-04-15T19:06:13.672Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": { + "ephemeral_id": "bada69aa-9ce0-403f-9c89-ab8217732fb4", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "winlog": { + "computer_name": "WIN-41OB2LO92CR", + "time_created": "2019-09-06T13:25:21.900Z", + "outcome": 
"success", + "event_data": { + "TargetUserName": "audittest0609", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2" + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "level": "information", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2787, + "opcode": "Info", + "channel": "Security", + "event_id": 4724, + "keywords": [ + "Audit Success" + ], + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}" + }, + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event", + "code": 4724 + }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml" + } + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json new file mode 100644 index 000000000..6c15e791d --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json 
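Review bot: Both events in this fixture carry identifiers from the workstation where the sample was captured: `"name": "Lees-MBP.localdomain"` under `agent` and a `log.file.path` that begins `/Users/leehinman/src/beats/`. Judging by the matching `-expected.json` file, these values pass through the pipeline unchanged, so they do not look like something the test depends on. A neutral constructed value such as `"name": "fixture-agent.example"` and a path rooted at `/testdata/` would keep a developer's account name and hostname out of the repository. The same values recur in the 4725, 4726, 4727 and 4728 input fixtures and in their expected counterparts, which would need regenerating after the change.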
@@ -0,0 +1,176 @@ +{ + "expected": [ + { + "@timestamp": "2019-09-06T13:24:39.339Z", + "agent": { + "ephemeral_id": "bada69aa-9ce0-403f-9c89-ab8217732fb4", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "reset-password", + "category": [ + "iam" + ], + "code": "4724", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "elastictest1" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": "4724", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 816 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2762", + "time_created": 
"2019-09-06T13:24:39.339Z" + } + }, + { + "@timestamp": "2019-09-06T13:25:21.900Z", + "agent": { + "ephemeral_id": "bada69aa-9ce0-403f-9c89-ab8217732fb4", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "reset-password", + "category": [ + "iam" + ], + "code": "4724", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest0609" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": "4724", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2787", + "time_created": 
"2019-09-06T13:25:21.900Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json new file mode 100644 index 000000000..c139186c7 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json 
@@ -0,0 +1,122 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:09:54.157Z", + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "1bccb9d3-7ebc-4789-bfc0-9b920f756ba5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain" + }, + "winlog": { + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "outcome": "success", + "channel": "Security", + "event_id": 4725, + "level": "information", + "event_data": { + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "TargetUserName": "audittest" + }, + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "process": { + "thread": { + "id": 532 + }, + "pid": 780 + }, + "computer_name": "WIN-41OB2LO92CR", + "time_created": "2019-09-06T13:28:40.001Z", + "record_id": 2810, + "opcode": "Info", + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Success" + ] + }, + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event", + "code": 4725 + } + }, + { + "@timestamp": "2021-04-15T19:09:54.157Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "1bccb9d3-7ebc-4789-bfc0-9b920f756ba5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat" + }, + "winlog": { + "channel": "Security", + "record_id": 2820, + "outcome": "success", + "level": "information", + 
"event_data": { + "TargetUserName": "audittest0609", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2" + }, + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "event_id": 4725, + "computer_name": "WIN-41OB2LO92CR", + "keywords": [ + "Audit Success" + ], + "time_created": "2019-09-06T13:28:55.264Z", + "opcode": "Info", + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + }, + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event", + "code": 4725 + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml" + }, + "level": "information" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json new file mode 100644 index 000000000..093f0e6a9 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json 
@@ -0,0 +1,176 @@ +{ + "expected": [ + { + "@timestamp": "2019-09-06T13:28:40.001Z", + "agent": { + "ephemeral_id": "1bccb9d3-7ebc-4789-bfc0-9b920f756ba5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "disabled-user-account", + "category": [ + "iam" + ], + "code": "4725", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "deletion" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" + }, + "event_id": "4725", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2810", + "time_created": 
"2019-09-06T13:28:40.001Z" + } + }, + { + "@timestamp": "2019-09-06T13:28:55.264Z", + "agent": { + "ephemeral_id": "1bccb9d3-7ebc-4789-bfc0-9b920f756ba5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "disabled-user-account", + "category": [ + "iam" + ], + "code": "4725", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "deletion" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest0609" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": "4725", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2820", + 
"time_created": "2019-09-06T13:28:55.264Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json new file mode 100644 index 000000000..58bd492bf --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json 
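Review bot: The expected `event.type` for both 4725 documents is `["user", "deletion"]`, the same pair the 4726 account-deleted golden file expects, so a disabled account and a deleted account differ only in `event.action`. A search or detection rule that keys on `event.type: deletion` to find removed accounts will also match disables. The pipeline that produces this output is not part of this hunk, so this may be inherited behaviour. If the pipeline can change, `"type": ["user", "change"]` looks like the better fit for a disable; otherwise the overlap is worth documenting alongside the pipeline so consumers filter on `event.action`.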
@@ -0,0 +1,124 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:04:53.251Z", + "event": { + "kind": "event", + "code": 4726, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": { + "ephemeral_id": "0576ed73-5ee1-437f-bd1a-cf8dae0a9e24", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "winlog": { + "event_id": 4726, + "provider_name": "Microsoft-Windows-Security-Auditing", + "computer_name": "WIN-41OB2LO92CR", + "keywords": [ + "Audit Success" + ], + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "record_id": 2851, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "level": "information", + "channel": "Security", + "opcode": "Info", + "time_created": "2019-09-06T13:35:25.515Z", + "outcome": "success", + "event_data": { + "TargetUserName": "audittest23", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1001", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "PrivilegeList": "-" + }, + "process": { + "pid": 780, + "thread": { + "id": 1980 + } + } + } + }, + { + "@timestamp": "2021-04-15T19:04:53.252Z", + "event": { + "kind": "event", + "code": 4726, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml" + }, + "level": "information" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": 
{ + "ephemeral_id": "0576ed73-5ee1-437f-bd1a-cf8dae0a9e24", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.8.0" + }, + "winlog": { + "level": "information", + "channel": "Security", + "keywords": [ + "Audit Success" + ], + "event_id": 4726, + "computer_name": "WIN-41OB2LO92CR", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2019-09-06T13:35:29.690Z", + "outcome": "success", + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "opcode": "Info", + "event_data": { + "SubjectLogonId": "0x264b2", + "PrivilegeList": "-", + "TargetUserName": "audittest", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "WIN-41OB2LO92CR" + }, + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "record_id": 2857 + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json new file mode 100644 index 000000000..95340ef62 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json 
@@ -0,0 +1,178 @@ +{ + "expected": [ + { + "@timestamp": "2019-09-06T13:35:25.515Z", + "agent": { + "ephemeral_id": "0576ed73-5ee1-437f-bd1a-cf8dae0a9e24", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "deleted-user-account", + "category": [ + "iam" + ], + "code": "4726", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "deletion" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest23" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1001", + "name": "audittest23" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1001", + "TargetUserName": "audittest23" + }, + "event_id": "4726", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 1980 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 
"2851", + "time_created": "2019-09-06T13:35:25.515Z" + } + }, + { + "@timestamp": "2019-09-06T13:35:29.690Z", + "agent": { + "ephemeral_id": "0576ed73-5ee1-437f-bd1a-cf8dae0a9e24", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "deleted-user-account", + "category": [ + "iam" + ], + "code": "4726", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "deletion" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" + }, + "event_id": "4726", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + 
"record_id": "2857", + "time_created": "2019-09-06T13:35:29.690Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json new file mode 100644 index 000000000..290dd41ef --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json 
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:06:38.787Z",
+ "agent": {
+ "version": "8.0.0",
+ "ephemeral_id": "a6c7bf33-4c58-473a-b21e-ff14cfa0876c",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "winlog": {
+ "time_created": "2019-10-22T11:26:12.495Z",
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 4105,
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "event_data": {
+ "SubjectDomainName": "WLBEAT",
+ "SidHistory": "-",
+ "TargetUserName": "DnsUpdateProxy",
+ "TargetDomainName": "WLBEAT",
+ "SubjectUserSid": "S-1-5-18",
+ "SubjectUserName": "WIN-41OB2LO92CR$",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1110",
+ "SubjectLogonId": "0x27438",
+ "PrivilegeList": "-",
+ "SamAccountName": "DnsUpdateProxy"
+ },
+ "process": {
+ "pid": 772,
+ "thread": {
+ "id": 1664
+ }
+ },
+ "event_id": 4727,
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "outcome": "success",
+ "level": "information"
+ },
+ "event": {
+ "kind": "event",
+ "code": 4727,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.xml"
+ },
+ "level": "information"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
new file mode 100644
index 000000000..2f4c95483
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json 
@@ -0,0 +1,91 @@ +{ + "expected": [ + { + "@timestamp": "2019-10-22T11:26:12.495Z", + "agent": { + "ephemeral_id": "a6c7bf33-4c58-473a-b21e-ff14cfa0876c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "added-group-account", + "category": [ + "iam" + ], + "code": "4727", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "creation" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1110", + "name": "DnsUpdateProxy" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-41OB2LO92CR$" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "DnsUpdateProxy", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x27438", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1110", + "TargetUserName": "DnsUpdateProxy" + }, + "event_id": "4727", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x27438" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4105", + "time_created": "2019-10-22T11:26:12.495Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json new file mode 100644 index 000000000..f229c7297 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json 
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:05:33.475Z",
+ "winlog": {
+ "channel": "Security",
+ "event_id": 4728,
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "level": "information",
+ "event_data": {
+ "TargetUserName": "test_group2",
+ "TargetDomainName": "WLBEAT",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectLogonId": "0x4a727",
+ "PrivilegeList": "-",
+ "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
+ "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
+ "SubjectDomainName": "WLBEAT"
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 4657,
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "opcode": "Info",
+ "time_created": "2019-10-22T11:33:26.861Z",
+ "outcome": "success",
+ "process": {
+ "pid": 772,
+ "thread": {
+ "id": 1664
+ }
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4728,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "agent": {
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "20391a81-820a-4b74-9022-d7e336c7a6a5"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
new file mode 100644
index 000000000..5dd8b6c92
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json 
@@ -0,0 +1,100 @@ +{ + "expected": [ + { + "@timestamp": "2019-10-22T11:33:26.861Z", + "agent": { + "ephemeral_id": "20391a81-820a-4b74-9022-d7e336c7a6a5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "added-member-to-group", + "category": [ + "iam" + ], + "code": "4728", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "local", + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2" + }, + "name": "Administrator" + } + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2" + }, + "event_id": "4728", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": 
"success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4657", + "time_created": "2019-10-22T11:33:26.861Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json new file mode 100644 index 000000000..b099bec10 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json 
@@ -0,0 +1,65 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:05:38.499Z", + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.xml" + }, + "level": "information" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "agent": { + "ephemeral_id": "7634b57b-f6ad-4530-9332-efe87a928e1e", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.8.0" + }, + "winlog": { + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 4665, + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "opcode": "Info", + "time_created": "2019-10-22T11:33:45.543Z", + "outcome": "success", + "event_id": 4729, + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "level": "information", + "event_data": { + "SubjectUserName": "Administrator", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "PrivilegeList": "-", + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetUserName": "test_group2v2", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + }, + "process": { + "thread": { + "id": 1664 + }, + "pid": 772 + } + }, + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event", + "code": 4729 + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json new file mode 100644 index 000000000..776df6ccd --- /dev/null 
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json 
@@ -0,0 +1,100 @@ +{ + "expected": [ + { + "@timestamp": "2019-10-22T11:33:45.543Z", + "agent": { + "ephemeral_id": "7634b57b-f6ad-4530-9332-efe87a928e1e", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "removed-member-from-group", + "category": [ + "iam" + ], + "code": "4729", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "local", + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "name": "Administrator" + } + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4729", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + 
"outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4665", + "time_created": "2019-10-22T11:33:45.543Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json new file mode 100644 index 000000000..96d467893 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json 
@@ -0,0 +1,63 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:05:48.555Z", + "winlog": { + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2019-10-22T11:34:01.610Z", + "level": "information", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 4670, + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "event_data": { + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "PrivilegeList": "-", + "TargetUserName": "test_group2v2", + "TargetDomainName": "WLBEAT" + }, + "channel": "Security", + "event_id": 4730, + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + } + }, + "event": { + "kind": "event", + "code": 4730, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.xml" + } + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "b88ce36d-4f81-470b-8142-61f8152521db", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json new file mode 100644 index 000000000..108a37ed1 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json 
@@ -0,0 +1,89 @@ +{ + "expected": [ + { + "@timestamp": "2019-10-22T11:34:01.610Z", + "agent": { + "ephemeral_id": "b88ce36d-4f81-470b-8142-61f8152521db", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "deleted-group-account", + "category": [ + "iam" + ], + "code": "4730", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "deletion" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4730", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4670", + "time_created": "2019-10-22T11:34:01.610Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json new file mode 100644 index 000000000..27001f880 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json @@ -0,0 +1,65 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:06:18.693Z", + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "e2d64d83-2a92-4e42-be65-f582b54806c0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "winlog": { + "channel": "Security", + "event_id": 4731, + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 4569, + "level": "information", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2019-10-22T11:29:49.358Z", + "outcome": "success", + "event_data": { + "SubjectUserName": "Administrator", + "PrivilegeList": "-", + "TargetUserName": "test_group1", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "SamAccountName": "test_group1", + "SidHistory": "-", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727" + } + }, + "event": { + "kind": "event", + "code": 4731, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.xml" + }, + "level": "information" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
new file mode 100644
index 000000000..25ee03f04
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
@@ -0,0 +1,91 @@ +{ + "expected": [ + { + "@timestamp": "2019-10-22T11:29:49.358Z", + "agent": { + "ephemeral_id": "e2d64d83-2a92-4e42-be65-f582b54806c0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "added-group-account", + "category": [ + "iam" + ], + "code": "4731", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "creation" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "test_group1", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1" + }, + "event_id": "4731", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4569", + "time_created": "2019-10-22T11:29:49.358Z" 
+ } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json new file mode 100644 index 000000000..fc88e96d1 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json 
@@ -0,0 +1,65 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:06:58.824Z", + "agent": { + "version": "8.0.0", + "ephemeral_id": "55e8e30a-98a5-48de-86a3-772d01e6cb34", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "winlog": { + "event_data": { + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "PrivilegeList": "-", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetUserName": "test_group1" + }, + "process": { + "thread": { + "id": 1664 + }, + "pid": 772 + }, + "event_id": 4732, + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "level": "information", + "outcome": "success", + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 4625, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2019-10-22T11:31:58.039Z" + }, + "event": { + "kind": "event", + "code": 4732, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.xml" + }, + "level": "information" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json new file mode 100644 index 000000000..98874d39a --- /dev/null 
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json 
@@ -0,0 +1,100 @@ +{ + "expected": [ + { + "@timestamp": "2019-10-22T11:31:58.039Z", + "agent": { + "ephemeral_id": "55e8e30a-98a5-48de-86a3-772d01e6cb34", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "added-member-to-group", + "category": [ + "iam" + ], + "code": "4732", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "local", + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "name": "Administrator" + } + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1" + }, + "event_id": "4732", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": 
"success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4625", + "time_created": "2019-10-22T11:31:58.039Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json new file mode 100644 index 000000000..56153d7f5 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json 
@@ -0,0 +1,65 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:06:43.790Z", + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.xml" + }, + "level": "information" + }, + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "f4bfea9b-4505-4540-a5d6-ff3d901ddab0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "winlog": { + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "PrivilegeList": "-", + "TargetUserName": "test_group1", + "TargetDomainName": "WLBEAT", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727" + }, + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "keywords": [ + "Audit Success" + ], + "outcome": "success", + "level": "information", + "record_id": 4627, + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2019-10-22T11:32:14.894Z", + "channel": "Security", + "event_id": 4733, + "provider_name": "Microsoft-Windows-Security-Auditing" + }, + "event": { + "code": 4733, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json new file mode 100644 index 000000000..68b986619 --- /dev/null 
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json 
@@ -0,0 +1,100 @@ +{ + "expected": [ + { + "@timestamp": "2019-10-22T11:32:14.894Z", + "agent": { + "ephemeral_id": "f4bfea9b-4505-4540-a5d6-ff3d901ddab0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "removed-member-from-group", + "category": [ + "iam" + ], + "code": "4733", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "local", + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "name": "Administrator" + } + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1" + }, + "event_id": "4733", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": 
"success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4627", + "time_created": "2019-10-22T11:32:14.894Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json new file mode 100644 index 000000000..e5c993a12 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json 
@@ -0,0 +1,63 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:07:48.945Z", + "ecs": { + "version": "1.8.0" + }, + "winlog": { + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 4630, + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "level": "information", + "event_id": 4734, + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "opcode": "Info", + "time_created": "2019-10-22T11:32:35.127Z", + "outcome": "success", + "event_data": { + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "PrivilegeList": "-", + "TargetUserName": "test_group1v1", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111" + }, + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "channel": "Security" + }, + "event": { + "outcome": "success", + "kind": "event", + "code": 4734, + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.xml" + }, + "level": "information" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "agent": { + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "932fe4f8-6220-47bc-8713-250d259a8d06", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json new file mode 100644 index 000000000..f4b6a57e4 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json 
@@ -0,0 +1,89 @@ +{ + "expected": [ + { + "@timestamp": "2019-10-22T11:32:35.127Z", + "agent": { + "ephemeral_id": "932fe4f8-6220-47bc-8713-250d259a8d06", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "deleted-group-account", + "category": [ + "iam" + ], + "code": "4734", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "deletion" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1v1" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1v1" + }, + "event_id": "4734", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4630", + "time_created": "2019-10-22T11:32:35.127Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json
new file mode 100644
index 000000000..9acf41ce4
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:07:28.919Z",
+ "agent": {
+ "version": "8.0.0",
+ "ephemeral_id": "302d5f9e-c923-4bd9-8747-1fe456a97546",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "winlog": {
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "event_data": {
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectLogonId": "0x4a727",
+ "PrivilegeList": "-",
+ "SidHistory": "-",
+ "TargetUserName": "test_group1v1",
+ "TargetDomainName": "WLBEAT",
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "WLBEAT",
+ "SamAccountName": "test_group1v1"
+ },
+ "level": "information",
+ "channel": "Security",
+ "event_id": 4735,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 4628,
+ "keywords": [
+ "Audit Success"
+ ],
+ "time_created": "2019-10-22T11:32:30.425Z",
+ "outcome": "success",
+ "process": {
+ "pid": 772,
+ "thread": {
+ "id": 1664
+ }
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4735,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.xml"
+ },
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json
new file mode 100644
index 000000000..d0bb16cb4
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json 
@@ -0,0 +1,91 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-10-22T11:32:30.425Z",
+ "agent": {
+ "ephemeral_id": "302d5f9e-c923-4bd9-8747-1fe456a97546",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "modified-group-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4735",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "group",
+ "change"
+ ]
+ },
+ "group": {
+ "domain": "WLBEAT",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1111",
+ "name": "test_group1v1"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "user": {
+ "domain": "WLBEAT",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "event_data": {
+ "PrivilegeList": "-",
+ "SamAccountName": "test_group1v1",
+ "SidHistory": "-",
+ "SubjectDomainName": "WLBEAT",
+ "SubjectLogonId": "0x4a727",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WLBEAT",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111",
+ "TargetUserName": "test_group1v1"
+ },
+ "event_id": "4735",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x4a727"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 772,
+ "thread": {
+ "id": 1664
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "4628",
+ "time_created":
"2019-10-22T11:32:30.425Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json
new file mode 100644
index 000000000..ab0a42cce
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:07:18.907Z",
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "agent": {
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "751eaf5d-fe35-4c8f-9712-3ad2a1fbccc4",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain"
+ },
+ "winlog": {
+ "event_id": 4737,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 4668,
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "level": "information",
+ "channel": "Security",
+ "process": {
+ "pid": 772,
+ "thread": {
+ "id": 1664
+ }
+ },
+ "event_data": {
+ "TargetUserName": "test_group2v2",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectDomainName": "WLBEAT",
+ "SubjectLogonId": "0x4a727",
+ "SamAccountName": "-",
+ "TargetDomainName": "WLBEAT",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
+ "SubjectUserName": "Administrator",
+ "PrivilegeList": "-",
+ "SidHistory": "-"
+ },
+ "time_created": "2019-10-22T11:33:57.271Z",
+ "outcome": "success",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}"
+ },
+ "event": {
+ "kind": "event",
+ "code": 4737,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.xml"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json
new file mode 100644
index 000000000..8ed0e2acb
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json 
@@ -0,0 +1,91 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-10-22T11:33:57.271Z",
+ "agent": {
+ "ephemeral_id": "751eaf5d-fe35-4c8f-9712-3ad2a1fbccc4",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "modified-group-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4737",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "group",
+ "change"
+ ]
+ },
+ "group": {
+ "domain": "WLBEAT",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1112",
+ "name": "test_group2v2"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "user": {
+ "domain": "WLBEAT",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "event_data": {
+ "PrivilegeList": "-",
+ "SamAccountName": "-",
+ "SidHistory": "-",
+ "SubjectDomainName": "WLBEAT",
+ "SubjectLogonId": "0x4a727",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WLBEAT",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
+ "TargetUserName": "test_group2v2"
+ },
+ "event_id": "4737",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x4a727"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 772,
+ "thread": {
+ "id": 1664
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "4668",
+ "time_created": "2019-10-22T11:33:57.271Z"
+ }
+
}
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json
new file mode 100644
index 000000000..8b12f4c9b
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json
@@ -0,0 +1,83 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:08:39.068Z",
+ "event": {
+ "kind": "event",
+ "code": 4738,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.xml"
+ },
+ "level": "information"
+ },
+ "agent": {
+ "ephemeral_id": "8233890e-f67f-456f-833c-9695ee1564d6",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "winlog": {
+ "event_id": 4738,
+ "record_id": 2862,
+ "outcome": "success",
+ "level": "information",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "AccountExpires": "%%1794",
+ "PrimaryGroupId": "513",
+ "AllowedToDelegateTo": "-",
+ "OldUacValue": "0x210",
+ "UserAccountControl": "-",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SamAccountName": "elastictest1",
+ "PrivilegeList": "-",
+ "PasswordLastSet": "6/9/2019 10:30:28",
+ "TargetUserName": "elastictest1",
+ "HomeDirectory": "%%1793",
+ "UserParameters": "%%1793",
+ "LogonHours": "%%1797",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "UserPrincipalName": "-",
+ "ScriptPath": "%%1793",
+ "Dummy": "-",
+ "DisplayName": "elastictest1",
+ "SidHistory": "-",
+ "UserWorkstations": "%%1793",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "ProfilePath": "%%1793",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "HomePath": "%%1793",
+ "NewUacValue": "0x210"
+ },
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "keywords": [
+ "Audit Success"
+ ],
+ "time_created": "2019-09-06T13:36:17.566Z",
+ "process": {
+ "pid": 780,
+ "thread":
{
+ "id": 1980
+ }
+ },
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
new file mode 100644
index 000000000..d36c9aaa9
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
@@ -0,0 +1,114 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-09-06T13:36:17.566Z",
+ "agent": {
+ "ephemeral_id": "8233890e-f67f-456f-833c-9695ee1564d6",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "modified-user-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4738",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator",
+ "elastictest1"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "name": "elastictest1"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "AccountExpires": "%%1794",
+ "AllowedToDelegateTo": "-",
+ "DisplayName": "elastictest1",
+ "Dummy": "-",
+ "HomeDirectory": "%%1793",
+ "HomePath": "%%1793",
+ "LogonHours": "%%1797",
+ "NewUACList": [
+ "LOCKOUT",
+ "NORMAL_ACCOUNT"
+ ],
+ "NewUacValue": "0x210",
+ "OldUacValue": "0x210",
+ "PasswordLastSet": "6/9/2019 10:30:28",
+ "PrimaryGroupId": "513",
+ "PrivilegeList": "-",
+ "ProfilePath": "%%1793",
+ "SamAccountName": "elastictest1",
+ "ScriptPath": "%%1793",
+ "SidHistory": "-",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "TargetUserName": "elastictest1",
+ "UserAccountControl": "-",
+ "UserParameters": "%%1793",
+ "UserPrincipalName": "-",
+ "UserWorkstations": "%%1793"
+ },
+ "event_id": "4738",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 1980
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2862",
+ "time_created": "2019-09-06T13:36:17.566Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json
new file mode 100644
index 000000000..464d7367e
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json
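Review bot: The expected `NewUACList` of `"LOCKOUT", "NORMAL_ACCOUNT"` for `"NewUacValue": "0x210"` in the 4738 expected file pins a decoding that may not match what Windows actually logged. As far as I know, the hex UAC values in account-management audit events follow the SAM account-control bit layout, where 0x10 is the normal-account bit and 0x200 is password-never-expires, rather than the directory userAccountControl layout where 0x10 means LOCKOUT; the 4740 lockout fixture for the same `elastictest1` account in this patch is timestamped roughly three minutes after this event, which fits that reading. A detection keyed on `LOCKOUT` in this list would then match ordinary account changes and miss a password-never-expires setting, so the raw event's User Account Control text is worth checking before this output is frozen as the expectation. The decoding itself lives in the ingest pipeline, which is not part of this hunk.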
@@ -0,0 +1,63 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:05:28.445Z",
+ "event": {
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "kind": "event",
+ "code": 4740
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "version": "8.0.0",
+ "ephemeral_id": "8caa1f31-d548-434d-ac5b-f3725137fe68",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat"
+ },
+ "winlog": {
+ "record_id": 2883,
+ "computer_name": "WIN-41OB2LO92CR",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 532
+ }
+ },
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "event_id": 4740,
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2019-09-06T13:39:43.085Z",
+ "outcome": "success",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "opcode": "Info",
+ "level": "information",
+ "event_data": {
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "SubjectUserSid": "S-1-5-18",
+ "SubjectUserName": "WIN-41OB2LO92CR$",
+ "SubjectDomainName": "WORKGROUP",
+ "SubjectLogonId": "0x3e7",
+ "TargetUserName": "elastictest1",
+ "TargetDomainName": "WIN-41OB2LO92CR"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
new file mode 100644
index 000000000..411f20733
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json 
@@ -0,0 +1,90 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-09-06T13:39:43.085Z",
+ "agent": {
+ "ephemeral_id": "8caa1f31-d548-434d-ac5b-f3725137fe68",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "locked-out-user-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4740",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "WIN-41OB2LO92CR$",
+ "elastictest1"
+ ]
+ },
+ "user": {
+ "domain": "WORKGROUP",
+ "id": "S-1-5-18",
+ "name": "WIN-41OB2LO92CR$",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "name": "elastictest1"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "SubjectDomainName": "WORKGROUP",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "WIN-41OB2LO92CR$",
+ "SubjectUserSid": "S-1-5-18",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "TargetUserName": "elastictest1"
+ },
+ "event_id": "4740",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 532
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2883",
+ "time_created": "2019-09-06T13:39:43.085Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json
new file mode 100644
index 000000000..242cf8851
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:09:34.141Z",
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "agent": {
+ "version": "8.0.0",
+ "ephemeral_id": "fea32ff4-794a-4eb4-bd70-9683cab0491a",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "winlog": {
+ "process": {
+ "pid": 772,
+ "thread": {
+ "id": 1664
+ }
+ },
+ "channel": "Security",
+ "event_id": 4754,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 4676,
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "outcome": "success",
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2019-10-22T11:34:33.783Z",
+ "level": "information",
+ "event_data": {
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+ "SubjectUserName": "Administrator",
+ "SamAccountName": "Test_group3",
+ "SubjectLogonId": "0x4a727",
+ "PrivilegeList": "-",
+ "SidHistory": "-",
+ "TargetUserName": "Test_group3",
+ "TargetDomainName": "WLBEAT",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectDomainName": "WLBEAT"
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4754,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.xml"
+ },
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
new file mode 100644
index 000000000..4ef6c222c
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
@@ -0,0 +1,91 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-10-22T11:34:33.783Z",
+ "agent": {
+ "ephemeral_id": "fea32ff4-794a-4eb4-bd70-9683cab0491a",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "added-group-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4754",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "group",
+ "creation"
+ ]
+ },
+ "group": {
+ "domain": "WLBEAT",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1113",
+ "name": "Test_group3"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "user": {
+ "domain": "WLBEAT",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "event_data": {
+ "PrivilegeList": "-",
+ "SamAccountName": "Test_group3",
+ "SidHistory": "-",
+ "SubjectDomainName": "WLBEAT",
+ "SubjectLogonId": "0x4a727",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WLBEAT",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+ "TargetUserName": "Test_group3"
+ },
+ "event_id": "4754",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x4a727"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 772,
+ "thread": {
+ "id": 1664
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "4676",
+ "time_created": "2019-10-22T11:34:33.783Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json
new file mode 100644
index 000000000..1f6fe5a1f
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:09:24.116Z",
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "agent": {
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "bf0291c9-a8c8-4380-8767-3edd8e19e7e0"
+ },
+ "winlog": {
+ "outcome": "success",
+ "process": {
+ "pid": 772,
+ "thread": {
+ "id": 1664
+ }
+ },
+ "channel": "Security",
+ "record_id": 4685,
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2019-10-22T11:35:09.070Z",
+ "event_id": 4755,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "event_data": {
+ "SubjectLogonId": "0x4a727",
+ "PrivilegeList": "-",
+ "SamAccountName": "-",
+ "SidHistory": "-",
+ "TargetUserName": "Test_group3v2",
+ "TargetDomainName": "WLBEAT",
+ "SubjectUserName": "Administrator",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectDomainName": "WLBEAT"
+ }
+ },
+ "event": {
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "kind": "event",
+ "code": 4755
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json
new file mode 100644
index 000000000..21356aea0
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json 
@@ -0,0 +1,91 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-10-22T11:35:09.070Z",
+ "agent": {
+ "ephemeral_id": "bf0291c9-a8c8-4380-8767-3edd8e19e7e0",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "modified-group-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4755",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "group",
+ "change"
+ ]
+ },
+ "group": {
+ "domain": "WLBEAT",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1113",
+ "name": "Test_group3v2"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "user": {
+ "domain": "WLBEAT",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "event_data": {
+ "PrivilegeList": "-",
+ "SamAccountName": "-",
+ "SidHistory": "-",
+ "SubjectDomainName": "WLBEAT",
+ "SubjectLogonId": "0x4a727",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WLBEAT",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+ "TargetUserName": "Test_group3v2"
+ },
+ "event_id": "4755",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x4a727"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 772,
+ "thread": {
+ "id": 1664
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "4685",
+ "time_created": "2019-10-22T11:35:09.070Z"
+ }
+
}
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json
new file mode 100644
index 000000000..df6ad1b6a
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:09:44.157Z",
+ "event": {
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "kind": "event",
+ "code": 4756
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "agent": {
+ "ephemeral_id": "bb4b02fe-1669-4fc2-9334-59658aa314bd",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "winlog": {
+ "record_id": 4684,
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "event_data": {
+ "TargetDomainName": "WLBEAT",
+ "SubjectDomainName": "WLBEAT",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectLogonId": "0x4a727",
+ "PrivilegeList": "-",
+ "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
+ "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetUserName": "Test_group3v2"
+ },
+ "channel": "Security",
+ "event_id": 4756,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "time_created": "2019-10-22T11:34:58.413Z",
+ "outcome": "success",
+ "process": {
+ "pid": 772,
+ "thread": {
+ "id": 1664
+ }
+ },
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
new file mode 100644
index 000000000..4bf17583b
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json 
@@ -0,0 +1,100 @@ +{ + "expected": [ + { + "@timestamp": "2019-10-22T11:34:58.413Z", + "agent": { + "ephemeral_id": "bb4b02fe-1669-4fc2-9334-59658aa314bd", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "added-member-to-group", + "category": [ + "iam" + ], + "code": "4756", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "local", + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "name": "Administrator" + } + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4756", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + 
"outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4684", + "time_created": "2019-10-22T11:34:58.413Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json new file mode 100644 index 000000000..7984036f3 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json 
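Review bot: The expected document pins `"domain": "local"` under `user.target`, while the input event carries `"MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local"` and `"TargetDomainName": "WLBEAT"`. It looks as if only the last `DC=` component of the member DN ends up as the domain, though the ingest pipeline is not visible in this hunk. A detection or correlation keyed on `user.target.domain` would then not line up with `user.domain: "WLBEAT"` for the same account in the same event. If the value is intentional it should be documented with the fixture; otherwise the expectation should be corrected together with the pipeline rather than regenerated as-is. The same value is pinned in the test-security-windows2016-4757.json-expected.json hunk.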
@@ -0,0 +1,65 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:10:19.245Z", + "winlog": { + "event_data": { + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "PrivilegeList": "-", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetUserName": "Test_group3v2" + }, + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "channel": "Security", + "event_id": 4757, + "provider_name": "Microsoft-Windows-Security-Auditing", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "keywords": [ + "Audit Success" + ], + "time_created": "2019-10-22T11:35:09.070Z", + "record_id": 4686, + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "outcome": "success", + "level": "information" + }, + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event", + "code": 4757 + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "agent": { + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "108404d6-5e5a-4fc8-af1c-882b4a9e776a", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json new file mode 100644 index 000000000..6ecfc0c43 --- /dev/null 
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json 
@@ -0,0 +1,100 @@ +{ + "expected": [ + { + "@timestamp": "2019-10-22T11:35:09.070Z", + "agent": { + "ephemeral_id": "108404d6-5e5a-4fc8-af1c-882b4a9e776a", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "removed-member-from-group", + "category": [ + "iam" + ], + "code": "4757", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "local", + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "name": "Administrator" + } + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4757", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + 
"outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4686", + "time_created": "2019-10-22T11:35:09.070Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json new file mode 100644 index 000000000..b2f8b0809 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json 
@@ -0,0 +1,63 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:03:42.861Z", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "agent": { + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "a8b7cf01-1874-48ac-9ba5-359576812e03", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" + }, + "ecs": { + "version": "1.8.0" + }, + "winlog": { + "event_data": { + "SubjectUserName": "Administrator", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "PrivilegeList": "-", + "TargetUserName": "Test_group3v2", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + }, + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "record_id": 4687, + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "outcome": "success", + "level": "information", + "channel": "Security", + "event_id": 4758, + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Success" + ], + "time_created": "2019-10-22T11:35:13.550Z" + }, + "event": { + "kind": "event", + "code": 4758, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.xml" + }, + "level": "information" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json new file mode 100644 index 000000000..54e7ff49a --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json 
@@ -0,0 +1,89 @@ +{ + "expected": [ + { + "@timestamp": "2019-10-22T11:35:13.550Z", + "agent": { + "ephemeral_id": "a8b7cf01-1874-48ac-9ba5-359576812e03", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "deleted-group-account", + "category": [ + "iam" + ], + "code": "4758", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "deletion" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4758", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4687", + "time_created": "2019-10-22T11:35:13.550Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json
new file mode 100644
index 000000000..cc968e389
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json
@@ -0,0 +1,64 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:03:37.772Z", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "agent": { + "ephemeral_id": "5d24bfd7-c07c-4458-8a1d-8742d5cb6166", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "winlog": { + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "channel": "Security", + "record_id": 4669, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "time_created": "2019-10-22T11:33:57.271Z", + "outcome": "success", + "level": "information", + "event_data": { + "GroupTypeChange": "Security Enabled Universal Group Changed to Security Enabled Global Group.", + "TargetDomainName": "WLBEAT", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectLogonId": "0x4a727", + "TargetUserName": "test_group2v2", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "SubjectDomainName": "WLBEAT", + "PrivilegeList": "-" + }, + "event_id": 4764, + "provider_name": "Microsoft-Windows-Security-Auditing", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "event": { + "kind": "event", + "code": 4764, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json new file mode 100644 index 000000000..b9536acbb --- /dev/null 
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json 
@@ -0,0 +1,90 @@ +{ + "expected": [ + { + "@timestamp": "2019-10-22T11:33:57.271Z", + "agent": { + "ephemeral_id": "5d24bfd7-c07c-4458-8a1d-8742d5cb6166", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "type-changed-group-account", + "category": [ + "iam" + ], + "code": "4764", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "GroupTypeChange": "Security Enabled Universal Group Changed to Security Enabled Global Group.", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4764", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 
"4669", + "time_created": "2019-10-22T11:33:57.271Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json new file mode 100644 index 000000000..7396bdcdd --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json 
@@ -0,0 +1,63 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:05:23.416Z", + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": { + "ephemeral_id": "7ab867f5-fdb6-44f7-8d6a-15aa3b0a5d7d", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "winlog": { + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2892, + "time_created": "2019-09-06T13:40:52.314Z", + "level": "information", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "event_id": 4767, + "computer_name": "WIN-41OB2LO92CR", + "opcode": "Info", + "outcome": "success", + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "event_data": { + "TargetUserName": "elastictest1", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2" + } + }, + "event": { + "outcome": "success", + "kind": "event", + "code": 4767, + "provider": "Microsoft-Windows-Security-Auditing" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json new file mode 100644 index 000000000..bcb1f1f98 --- /dev/null 
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json 
@@ -0,0 +1,90 @@ +{ + "expected": [ + { + "@timestamp": "2019-09-06T13:40:52.314Z", + "agent": { + "ephemeral_id": "7ab867f5-fdb6-44f7-8d6a-15aa3b0a5d7d", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "unlocked-user-account", + "category": [ + "iam" + ], + "code": "4767", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "elastictest1" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": "4767", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2892", + "time_created": 
"2019-09-06T13:40:52.314Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json new file mode 100644 index 000000000..10af170bf --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json 
@@ -0,0 +1,126 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:08:29.043Z", + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml" + } + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": { + "ephemeral_id": "e3cf97cd-7154-4089-afea-1b754fd47391", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "winlog": { + "provider_name": "Microsoft-Windows-Security-Auditing", + "computer_name": "WIN-41OB2LO92CR", + "keywords": [ + "Audit Success" + ], + "time_created": "2019-09-06T13:38:17.556Z", + "channel": "Security", + "event_id": 4781, + "record_id": 2873, + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "outcome": "success", + "level": "information", + "event_data": { + "NewTargetUserName": "audittest06", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "OldTargetUserName": "audittest0609", + "TargetDomainName": "WIN-41OB2LO92CR", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "PrivilegeList": "-" + } + }, + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event", + "code": 4781 + } + }, + { + "@timestamp": "2021-04-15T19:08:29.044Z", + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", 
+ "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "e3cf97cd-7154-4089-afea-1b754fd47391" + }, + "winlog": { + "computer_name": "WIN-41OB2LO92CR", + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "level": "information", + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "event_id": 4781, + "keywords": [ + "Audit Success" + ], + "time_created": "2019-09-06T13:38:23.516Z", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2875, + "outcome": "success", + "channel": "Security", + "event_data": { + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "SubjectUserName": "Administrator", + "SubjectLogonId": "0x264b2", + "PrivilegeList": "-", + "OldTargetUserName": "audittest06", + "NewTargetUserName": "audittest0609", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "SubjectDomainName": "WIN-41OB2LO92CR" + } + }, + "event": { + "code": 4781, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json new file mode 100644 index 000000000..9fc26d48b --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json 
@@ -0,0 +1,184 @@ +{ + "expected": [ + { + "@timestamp": "2019-09-06T13:38:17.556Z", + "agent": { + "ephemeral_id": "e3cf97cd-7154-4089-afea-1b754fd47391", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "renamed-user-account", + "category": [ + "iam" + ], + "code": "4781", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest06", + "audittest0609" + ] + }, + "user": { + "changes": { + "name": "audittest06" + }, + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "name": "audittest0609" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "NewTargetUserName": "audittest06", + "OldTargetUserName": "audittest0609", + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006" + }, + "event_id": "4781", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + 
"record_id": "2873", + "time_created": "2019-09-06T13:38:17.556Z" + } + }, + { + "@timestamp": "2019-09-06T13:38:23.516Z", + "agent": { + "ephemeral_id": "e3cf97cd-7154-4089-afea-1b754fd47391", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "renamed-user-account", + "category": [ + "iam" + ], + "code": "4781", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest0609", + "audittest06" + ] + }, + "user": { + "changes": { + "name": "audittest0609" + }, + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "name": "audittest06" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "NewTargetUserName": "audittest0609", + "OldTargetUserName": "audittest06", + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006" + }, + "event_id": "4781", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "2875", + "time_created": "2019-09-06T13:38:23.516Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json new file mode 100644 index 000000000..20bdbb24c --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json 
@@ -0,0 +1,65 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:03:17.623Z", + "event": { + "kind": "event", + "code": 4798, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.xml" + }, + "level": "information" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "d7c725da-6710-4bcf-b920-15c37a8b1d86" + }, + "ecs": { + "version": "1.8.0" + }, + "winlog": { + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2996, + "computer_name": "WIN-41OB2LO92CR", + "outcome": "success", + "channel": "Security", + "level": "information", + "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", + "event_id": 4798, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "process": { + "pid": 780, + "thread": { + "id": 1740 + } + }, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "time_created": "2019-10-08T10:20:34.053Z", + "event_data": { + "SubjectUserSid": "S-1-5-18", + "SubjectLogonId": "0x3e7", + "TargetUserName": "elastictest1", + "TargetDomainName": "WIN-41OB2LO92CR", + "SubjectDomainName": "WORKGROUP", + "CallerProcessId": "0x3f0", + "CallerProcessName": "C:\\Windows\\System32\\LogonUI.exe", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "SubjectUserName": "WIN-41OB2LO92CR$" + } + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json new file mode 100644 index 000000000..241bd74fe --- /dev/null 
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json 
@@ -0,0 +1,92 @@ +{ + "expected": [ + { + "@timestamp": "2019-10-08T10:20:34.053Z", + "agent": { + "ephemeral_id": "d7c725da-6710-4bcf-b920-15c37a8b1d86", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "group-membership-enumerated", + "category": [ + "iam" + ], + "code": "4798", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-41OB2LO92CR$", + "elastictest1" + ] + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } + }, + "winlog": { + "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "CallerProcessId": "0x3f0", + "CallerProcessName": "C:\\Windows\\System32\\LogonUI.exe", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": "4798", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 1740 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2996", + "time_created": 
"2019-10-08T10:20:34.053Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json new file mode 100644 index 000000000..da6e8c590 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json 
@@ -0,0 +1,65 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:03:07.571Z", + "agent": { + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "3e299efc-a8d9-4a33-9acf-dbf6c4cd8ba4", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "winlog": { + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "computer_name": "WIN-41OB2LO92CR", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "outcome": "success", + "level": "information", + "time_created": "2019-10-08T10:20:44.472Z", + "event_data": { + "TargetUserName": "Administrators", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "CallerProcessId": "0x494", + "CallerProcessName": "C:\\Windows\\System32\\svchost.exe", + "TargetDomainName": "Builtin", + "TargetSid": "S-1-5-32-544", + "SubjectUserSid": "S-1-5-18", + "SubjectUserName": "WIN-41OB2LO92CR$" + }, + "event_id": 4799, + "record_id": 3002, + "keywords": [ + "Audit Success" + ], + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "opcode": "Info", + "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}" + }, + "event": { + "kind": "event", + "code": 4799, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.xml" + }, + "level": "information" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json new file mode 100644 index 000000000..d741c0b47 --- /dev/null 
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json 
@@ -0,0 +1,91 @@ +{ + "expected": [ + { + "@timestamp": "2019-10-08T10:20:44.472Z", + "agent": { + "ephemeral_id": "3e299efc-a8d9-4a33-9acf-dbf6c4cd8ba4", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "user-member-enumerated", + "category": [ + "iam" + ], + "code": "4799", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "info" + ] + }, + "group": { + "domain": "Builtin", + "id": "S-1-5-32-544", + "name": "Administrators" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-41OB2LO92CR$" + ] + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" + }, + "winlog": { + "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "CallerProcessId": "0x494", + "CallerProcessName": "C:\\Windows\\System32\\svchost.exe", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "Builtin", + "TargetSid": "S-1-5-32-544", + "TargetUserName": "Administrators" + }, + "event_id": "4799", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3002", + "time_created": "2019-10-08T10:20:44.472Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json new file mode 100644 index 000000000..433a6d735 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json 
@@ -0,0 +1,116 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:05:03.307Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "3b9c486d-b279-48cc-bee6-45548541f490" + }, + "winlog": { + "channel": "Security", + "event_id": 4634, + "provider_name": "Microsoft-Windows-Security-Auditing", + "opcode": "Info", + "time_created": "2019-05-17T11:06:58.210Z", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 540 + } + }, + "record_id": 485, + "computer_name": "WIN-41OB2LO92CR", + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "level": "information", + "event_data": { + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetLogonId": "0x767a77", + "LogonType": "3" + } + }, + "event": { + "kind": "event", + "code": 4634, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml" + }, + "level": "information" + } + }, + { + "@timestamp": "2021-04-15T19:05:03.307Z", + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "agent": { + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "3b9c486d-b279-48cc-bee6-45548541f490", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" + }, + "winlog": { + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "channel": "Security", + "event_id": 4634, + "record_id": 
747, + "computer_name": "WIN-41OB2LO92CR", + "level": "information", + "event_data": { + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetUserName": "Administrator", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetLogonId": "0x104a4a6", + "LogonType": "3" + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2019-05-19T16:15:38.542Z", + "outcome": "success" + }, + "event": { + "kind": "event", + "code": 4634, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json new file mode 100644 index 000000000..599cf204d --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json 
@@ -0,0 +1,158 @@ +{ + "expected": [ + { + "@timestamp": "2019-05-17T11:06:58.210Z", + "agent": { + "ephemeral_id": "3b9c486d-b279-48cc-bee6-45548541f490", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-out", + "category": [ + "authentication" + ], + "code": "4634", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "audittest" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "LogonType": "3", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetLogonId": "0x767a77", + "TargetUserName": "audittest", + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-1000" + }, + "event_id": "4634", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x767a77", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 540 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "485", + "time_created": "2019-05-17T11:06:58.210Z" + } + }, + { + "@timestamp": "2019-05-19T16:15:38.542Z", + "agent": { + "ephemeral_id": "3b9c486d-b279-48cc-bee6-45548541f490", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": 
"logged-out", + "category": [ + "authentication" + ], + "code": "4634", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "LogonType": "3", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetLogonId": "0x104a4a6", + "TargetUserName": "Administrator", + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + }, + "event_id": "4634", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x104a4a6", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "747", + "time_created": "2019-05-19T16:15:38.542Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json new file mode 100644 index 000000000..4609e0076 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json 
@@ -0,0 +1,71 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:03:52.909Z", + "winlog": { + "process": { + "pid": 4, + "thread": { + "id": 5076 + } + }, + "record_id": 5010, + "level": "information", + "provider_name": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "computer_name": "vagrant", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "version": 2, + "time_created": "2019-11-14T17:10:15.151Z", + "channel": "Security", + "event_id": 4688, + "event_data": { + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "TargetDomainName": "-", + "MandatoryLabel": "S-1-16-12288", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "NewProcessId": "0x11cc", + "TokenElevationType": "%%1937", + "ProcessId": "0x122c", + "CommandLine": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", + "TargetUserName": "-", + "SubjectUserName": "vagrant", + "TargetUserSid": "S-1-0-0", + "TargetLogonId": "0x0", + "ParentProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "NewProcessName": "C:\\Windows\\System32\\wevtutil.exe" + } + }, + "event": { + "kind": "event", + "code": 4688, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant" + }, + "agent": { + "ephemeral_id": "533cc04e-1719-48a1-ac94-731ac0fffcb7", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json new file mode 100644 index 000000000..d69d247ab --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json 
@@ -0,0 +1,107 @@ +{ + "expected": [ + { + "@timestamp": "2019-11-14T17:10:15.151Z", + "agent": { + "ephemeral_id": "533cc04e-1719-48a1-ac94-731ac0fffcb7", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "created-process", + "category": [ + "process" + ], + "code": "4688", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.xml" + }, + "level": "information" + }, + "process": { + "args": [ + "\"C:\\Windows\\system32\\wevtutil.exe\"", + "cl", + "Security" + ], + "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", + "executable": "C:\\Windows\\System32\\wevtutil.exe", + "name": "wevtutil.exe", + "parent": { + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "name": "powershell.exe", + "pid": 4652 + }, + "pid": 4556 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "effective": { + "id": "S-1-0-0" + }, + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant", + "event_data": { + "CommandLine": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", + "MandatoryLabel": "S-1-16-12288", + "ProcessId": "0x122c", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "TargetDomainName": "-", + "TargetLogonId": "0x0", + "TargetUserName": "-", + "TargetUserSid": "S-1-0-0", + "TokenElevationType": "%%1937" + }, + "event_id": "4688", + "keywords": [ + "Audit Success" + ], + "level": 
"information", + "logon": { + "id": "0x274a2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 5076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5010", + "time_created": "2019-11-14T17:10:15.151Z", + "version": 2 + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json new file mode 100644 index 000000000..a1e6f6799 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json 
@@ -0,0 +1,178 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:07:58.995Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant" + }, + "agent": { + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6" + }, + "winlog": { + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2019-11-14T21:26:49.496Z", + "event_data": { + "Status": "0x0", + "ProcessId": "0x1524", + "ProcessName": "C:\\Windows\\System32\\wevtutil.exe", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "SubjectUserName": "vagrant", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2" + }, + "channel": "Security", + "provider_name": "Microsoft-Windows-Security-Auditing", + "computer_name": "vagrant", + "opcode": "Info", + "outcome": "success", + "level": "information", + "process": { + "pid": 4, + "thread": { + "id": 1168 + } + }, + "event_id": 4689, + "record_id": 7538, + "keywords": [ + "Audit Success" + ] + }, + "event": { + "code": 4689, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + }, + "level": "information" + } + }, + { + "@timestamp": "2021-04-15T19:07:58.995Z", + "host": { + "name": "vagrant" + }, + "agent": { + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" + }, + "ecs": { + "version": "1.8.0" + }, + "winlog": { + "channel": "Security", + "event_id": 4689, + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 7542, + "computer_name": "vagrant", + "keywords": [ + "Audit Success" + ], + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "outcome": "success", + "level": "information", + "event_data": { + "ProcessName": "C:\\Windows\\System32\\taskhostw.exe", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "SubjectUserName": "vagrant", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274f1", + "Status": "0x0", + "ProcessId": "0xf94" + }, + "process": { + "pid": 4, + "thread": { + "id": 500 + } + }, + "opcode": "Info", + "time_created": "2019-11-14T21:27:46.960Z" + }, + "event": { + "code": 4689, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "kind": "event" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + }, + "level": "information" + } + }, + { + "@timestamp": "2021-04-15T19:07:58.995Z", + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + }, + "level": "information" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "vagrant" + }, + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain" + }, + "winlog": { + "keywords": [ + "Audit Success" + ], + "level": "information", + "channel": "Security", + "record_id": 7544, + "computer_name": "vagrant", + "opcode": "Info", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "time_created": "2019-11-14T21:28:18.460Z", + "outcome": "success", + "event_data": { + "ProcessName": "C:\\Windows\\System32\\wevtutil.exe", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "SubjectUserName": "vagrant", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "Status": "0x0", + "ProcessId": "0xac8" + }, + "event_id": 4689, + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "process": { + "pid": 4, + "thread": { + "id": 5636 + } + } + }, + "event": { + "kind": "event", + "code": 4689, + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json new file mode 100644 index 000000000..037053f39 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json 
@@ -0,0 +1,247 @@ +{ + "expected": [ + { + "@timestamp": "2019-11-14T21:26:49.496Z", + "agent": { + "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "exited-process", + "category": [ + "process" + ], + "code": "4689", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\wevtutil.exe", + "name": "wevtutil.exe", + "pid": 5412 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant", + "event_data": { + "Status": "0x0", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" + }, + "event_id": "4689", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x274a2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 1168 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "7538", + "time_created": "2019-11-14T21:26:49.496Z" + } + }, + { + "@timestamp": "2019-11-14T21:27:46.960Z", + "agent": { + "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + 
}, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "exited-process", + "category": [ + "process" + ], + "code": "4689", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\taskhostw.exe", + "name": "taskhostw.exe", + "pid": 3988 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant", + "event_data": { + "Status": "0x0", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274f1", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" + }, + "event_id": "4689", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x274f1" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 500 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "7542", + "time_created": "2019-11-14T21:27:46.960Z" + } + }, + { + "@timestamp": "2019-11-14T21:28:18.460Z", + "agent": { + "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "exited-process", + "category": [ + "process" + ], + "code": "4689", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": 
"vagrant" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\wevtutil.exe", + "name": "wevtutil.exe", + "pid": 2760 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" + }, + "winlog": { + "channel": "Security", + "computer_name": "vagrant", + "event_data": { + "Status": "0x0", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" + }, + "event_id": "4689", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x274a2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 5636 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "7544", + "time_created": "2019-11-14T21:28:18.460Z" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-unknown.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-unknown.json new file mode 100644 index 000000000..5f9005013 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-unknown.json 
@@ -0,0 +1,28 @@ +{ + "events": [ + { + "@timestamp": "2021-04-15T19:07:13.883Z", + "winlog": { + "keywords": [ + "Unknown Event ID" + ], + "time_created": "2019-11-07T10:37:04.226Z", + "outcome": "success", + "level": "information", + "channel": "Security", + "event_id": 65536, + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "opcode": "Info", + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": 65536 + }, + "event": { + "code": 65536, + "provider": "Microsoft-Windows-Eventlog", + "outcome": "success", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json new file mode 100644 index 000000000..bc2f80493 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json @@ -0,0 +1,34 @@ +{ + "expected": [ + { + "@timestamp": "2019-11-07T10:37:04.226Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "code": "65536", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "65536", + "keywords": [ + "Unknown Event ID" + ], + "level": "information", + "opcode": "Info", + "outcome": "success", + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "65536", + "time_created": "2019-11-07T10:37:04.226Z" + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/system/test-default-config.yml b/test/packages/parallel/system/data_stream/security/_dev/test/system/test-default-config.yml
new file mode 100644
index 000000000..53e0095b6
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/system/test-default-config.yml
@@ -0,0 +1,11 @@
+input: httpjson
+service: security
+service_notify_signal: SIGHUP
+vars:
+ url: http://{{Hostname}}:{{Port}}/api/v1/logs
+ username: test
+ password: test
+ preserve_original_event: true
+ enable_request_tracer: true
+data_stream:
+ vars: ~
diff --git a/test/packages/parallel/system/data_stream/security/agent/stream/httpjson.yml.hbs b/test/packages/parallel/system/data_stream/security/agent/stream/httpjson.yml.hbs
new file mode 100644
index 000000000..7423be6f1
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,97 @@
+config_version: "2"
+interval: {{interval}}
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: |-
+ {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+ - decode_json_fields:
+ fields: message
+ target: json
+ add_error_key: true
+ - drop_event:
+ when:
+ not:
+ has_fields: ['json.result']
+ - fingerprint:
+ fields:
+ - json.result._cd
+ - json.result._indextime
+ - json.result._raw
+ - json.result._time
+ - json.result.host
+ - json.result.source
+ target_field: "@metadata._id"
+ - drop_fields:
+ fields: message
+ - rename:
+ fields:
+ - from: json.result._raw
+ to: event.original
+ - from: json.result.host
+ to: host.name
+ - from: json.result.source
+ to: event.provider
+ ignore_missing: true
+ fail_on_error: false
+ - drop_fields:
+ fields: json
+ - decode_xml_wineventlog:
+ field: event.original
+ target_field: winlog
+ ignore_missing: true
+ ignore_failure: true
+ map_ecs_fields: true
diff --git a/test/packages/parallel/system/data_stream/security/agent/stream/winlog.yml.hbs b/test/packages/parallel/system/data_stream/security/agent/stream/winlog.yml.hbs
new file mode 100644
index 000000000..0b2f99c8e
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/agent/stream/winlog.yml.hbs
@@ -0,0 +1,24 @@
+name: Security
+condition: ${host.platform} == 'windows'
+{{#if event_id}}
+event_id: {{event_id}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+{{#if language}}
+language: {{language}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if preserve_original_event}}
+include_xml: true
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/test/packages/parallel/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/test/packages/parallel/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 000000000..7d6cf336f
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml
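Review bot: In httpjson.yml.hbs the credentials are rendered into the YAML unquoted: `auth.basic.user: {{username}}`, `auth.basic.password: {{password}}` and `value: {{token}}` under `header.Authorization`. A secret containing YAML-significant characters (` #`, `: `, a leading `*` or `{`, a line break) either fails to parse or is read as something other than what the user entered, which surfaces as an authentication failure that is hard to diagnose. Passing them through the string-escaping helper keeps each value a single quoted scalar: `auth.basic.user: {{escape_string username}}`, `auth.basic.password: {{escape_string password}}`, `value: {{escape_string token}}`. Separately, the `unless`/`if` nesting emits no authentication at all when a token and a username are both configured, which deserves a comment if it is intentional.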
@@ -0,0 +1,81 @@
+---
+description: Pipeline for Security events
+processors:
+ - convert:
+ field: event.code
+ type: string
+ ignore_missing: true
+ - pipeline:
+ name: '{{ IngestPipeline "standard" }}'
+ if: 'ctx?.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx.winlog.provider_name)'
+ - gsub:
+ field: source.ip
+ pattern: "::ffff:"
+ replacement: ""
+ ignore_missing: true
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: '{{source.ip}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.source?.ip != null &&
+ ctx.source.ip != "-"
+ - convert:
+ field: winlog.record_id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: winlog.event_id
+ type: string
+ ignore_missing: true
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - set:
+ field: log.level
+ copy_from: winlog.level
+ ignore_empty_value: true
+ ignore_failure: true
+ if: ctx?.winlog?.level != ""
+ - date:
+ field: winlog.time_created
+ tag: "time_created_date"
+ formats:
+ - ISO8601
+ if: ctx.winlog?.time_created != null
+ on_failure:
+ - remove:
+ field: winlog.time_created
+ ignore_failure: true
+ - append:
+ field: error.message
+ value: "fail-{{{ _ingest.on_failure_processor_tag }}}"
+ - fail:
+ message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/test/packages/parallel/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml b/test/packages/parallel/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
new file mode 100644
index 000000000..12da0566c
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
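Review bot: In default.yml both `geoip` processors run on `source.ip` with only `ignore_missing: true`, while the later `related.ip` append is guarded with `ctx.source.ip != "-"`. If `source.ip` can hold `-` or another non-address string, as that guard suggests, geoip would be expected to fail on it; the pipeline-level `on_failure` then marks the event `pipeline_error`, and the remaining converts, `ecs.version`, `log.level` and the date parse never run for that event. Giving both geoip processors the same condition, `if: ctx?.source?.ip != null && ctx.source.ip != "-"`, keeps such security events on the normal path. The `gsub` pattern `"::ffff:"` is also unanchored; `"^::ffff:"` would limit it to the IPv4-mapped prefix.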
@@ -0,0 +1,3461 @@ +--- +description: Pipeline for Windows Security events +processors: + - script: + lang: painless + ignore_failure: false + tag: Set ECS categorization fields + description: Set ECS categorization fields + params: + "1100": + category: + - process + type: + - end + action: logging-service-shutdown + "1102": + category: + - iam + type: + - admin + - change + action: audit-log-cleared + "1104": + category: + - iam + type: + - admin + action: logging-full + "1105": + category: + - iam + type: + - admin + action: auditlog-archieved + "1108": + category: + - iam + type: + - admin + action: logging-processing-error + "4610": + category: + - configuration + type: + - access + action: authentication-package-loaded + "4611": + category: + - configuration + type: + - change + action: trusted-logon-process-registered + "4614": + category: + - configuration + type: + - access + action: notification-package-loaded + "4616": + category: + - configuration + type: + - change + action: system-time-changed + "4622": + category: + - configuration + type: + - access + action: security-package-loaded + "4624": + category: + - authentication + type: + - start + action: logged-in + "4625": + category: + - authentication + type: + - start + action: logon-failed + "4634": + category: + - authentication + type: + - end + action: logged-out + "4647": + category: + - authentication + type: + - end + action: logged-out + "4648": + category: + - authentication + type: + - start + action: logged-in-explicit + "4657": + category: + - registry + - configuration + type: + - change + action: registry-value-modified + "4670": + category: + - iam + - configuration + type: + - admin + - change + action: permissions-changed + "4672": + category: + - iam + type: + - admin + action: logged-in-special + "4673": + category: + - iam + type: + - admin + action: privileged-service-called + "4674": + category: + - iam + type: + - admin + action: privileged-operation + "4688": + category: + - 
process + type: + - start + action: created-process + "4689": + category: + - process + type: + - end + action: exited-process + "4697": + category: + - iam + - configuration + type: + - admin + - change + action: service-installed + "4698": + category: + - iam + - configuration + type: + - creation + - admin + action: scheduled-task-created + "4699": + category: + - iam + - configuration + type: + - deletion + - admin + action: scheduled-task-deleted + "4700": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-enabled + "4701": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-disabled + "4702": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-updated + "4706": + category: + - configuration + type: + - creation + action: domain-trust-added + "4707": + category: + - configuration + type: + - deletion + action: domain-trust-removed + "4713": + category: + - configuration + type: + - change + action: kerberos-policy-changed + "4714": + category: + - configuration + type: + - change + action: encrypted-data-recovery-policy-changed + "4715": + category: + - configuration + type: + - change + action: object-audit-policy-changed + "4716": + category: + - configuration + type: + - change + action: trusted-domain-information-changed + "4717": + category: + - iam + - configuration + type: + - admin + - change + action: system-security-access-granted + "4718": + category: + - iam + - configuration + type: + - admin + - deletion + action: system-security-access-removed + "4719": + category: + - iam + - configuration + type: + - admin + - change + action: changed-audit-config + "4720": + category: + - iam + type: + - user + - creation + action: added-user-account + "4722": + category: + - iam + type: + - user + - change + action: enabled-user-account + "4723": + category: + - iam + type: + - user + - change + action: changed-password + "4724": + 
category: + - iam + type: + - user + - change + action: reset-password + "4725": + category: + - iam + type: + - user + - deletion + action: disabled-user-account + "4726": + category: + - iam + type: + - user + - deletion + action: deleted-user-account + "4727": + category: + - iam + type: + - group + - creation + action: added-group-account + "4728": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4729": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4730": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4731": + category: + - iam + type: + - group + - creation + action: added-group-account + "4732": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4733": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4734": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4735": + category: + - iam + type: + - group + - change + action: modified-group-account + "4737": + category: + - iam + type: + - group + - change + action: modified-group-account + "4738": + category: + - iam + type: + - user + - change + action: modified-user-account + "4739": + category: + - configuration + type: + - change + action: domain-policy-changed + "4740": + category: + - iam + type: + - user + - change + action: locked-out-user-account + "4741": + category: + - iam + type: + - creation + - admin + action: added-computer-account + "4742": + category: + - iam + type: + - change + - admin + action: changed-computer-account + "4743": + category: + - iam + type: + - deletion + - admin + action: deleted-computer-account + "4744": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4745": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4746": + category: + - iam + type: + - group + - 
change + action: added-member-to-distribution-group + "4747": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4748": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4749": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4750": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4751": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4752": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4753": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4754": + category: + - iam + type: + - group + - creation + action: added-group-account + "4755": + category: + - iam + type: + - group + - change + action: modified-group-account + "4756": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4757": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4758": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4759": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4760": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4761": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4762": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4763": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4764": + category: + - iam + type: + - group + - change + action: type-changed-group-account + "4767": + category: + - iam + type: + - user + - change + action: unlocked-user-account + "4768": + category: + - 
authentication + type: + - start + action: kerberos-authentication-ticket-requested + "4769": + category: + - authentication + type: + - start + action: kerberos-service-ticket-requested + "4770": + category: + - authentication + type: + - start + action: kerberos-service-ticket-renewed + "4771": + category: + - authentication + type: + - start + action: kerberos-preauth-failed + "4776": + category: + - authentication + type: + - start + action: credential-validated + "4778": + category: + - authentication + - session + type: + - start + action: session-reconnected + "4779": + category: + - authentication + - session + type: + - end + action: session-disconnected + "4781": + category: + - iam + type: + - user + - change + action: renamed-user-account + "4797": + category: + - iam + type: + - user + - info + action: query-existence-of-blank-password + "4798": + category: + - iam + type: + - user + - info + action: group-membership-enumerated + "4799": + category: + - iam + type: + - group + - info + action: user-member-enumerated + "4817": + category: + - iam + - configuration + type: + - admin + - change + action: object-audit-changed + "4902": + category: + - iam + - configuration + type: + - admin + - creation + action: user-audit-policy-created + "4904": + category: + - iam + - configuration + type: + - admin + - change + action: security-event-source-added + "4905": + category: + - iam + - configuration + type: + - admin + - deletion + action: security-event-source-removed + "4906": + category: + - iam + - configuration + type: + - admin + - change + action: crash-on-audit-changed + "4907": + category: + - iam + - configuration + type: + - admin + - change + action: audit-setting-changed + "4908": + category: + - iam + - configuration + type: + - admin + - change + action: special-group-table-changed + "4912": + category: + - iam + - configuration + type: + - admin + - change + action: per-user-audit-policy-changed + "4950": + category: + - configuration + 
type: + - change + action: windows-firewall-setting-changed + "4954": + category: + - configuration + type: + - change + action: windows-firewall-group-policy-changed + "4964": + category: + - iam + type: + - admin + - group + action: logged-in-special + "5024": + category: + - process + type: + - start + action: windows-firewall-service-started + "5025": + category: + - process + type: + - end + action: windows-firewall-service-stopped + "5033": + category: + - driver + type: + - start + action: windows-firewall-driver-started + "5034": + category: + - driver + type: + - end + action: windows-firewall-driver-stopped + "5037": + category: + - driver + type: + - end + action: windows-firewall-driver-error + "5379": + category: + - iam + type: + - user + - info + action: credential-manager-credentials-were-read + "5380": + category: + - iam + type: + - user + - info + action: vault-credential-find + "5381": + category: + - iam + type: + - user + - info + action: vault-credentials-were-read + "5382": + category: + - iam + type: + - user + - info + action: vault-credentials-were-read + "5140": + category: + - network + - file + type: + - info + - access + action: network-share-object-accessed + "5145": + category: + - network + - file + type: + - info + - access + action: network-share-object-access-checked + source: |- + if (ctx?.event?.code == null || params.get(ctx.event.code) == null) { + return; + } + def hm = new HashMap(params.get(ctx.event.code)); + hm.forEach((k, v) -> ctx.event[k] = v); + - script: + lang: painless + ignore_failure: false + tag: Set Logon Type + description: Set Logon Type +# Logon Types +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events + params: + "2": Interactive + "3": Network + "4": Batch + "5": Service + "7": Unlock + "8": NetworkCleartext + "9": NewCredentials + "10": RemoteInteractive + "11": CachedInteractive + source: |- + if (ctx?.winlog?.event_data?.LogonType == null) { + 
return; + } + def t = params.get(ctx.winlog.event_data.LogonType); + if (t == null) { + return; + } + if (ctx?.winlog?.logon == null ) { + Map map = new HashMap(); + ctx.winlog.put("logon", map); + } + ctx.winlog.logon.put("type", t) + - script: + lang: painless + ignore_failure: false + tag: Set User Account Control + description: Set User Account Control + # User Account Control Attributes Table + # https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties + params: + "0x00000001": SCRIPT + "0x00000002": ACCOUNTDISABLE + "0x00000008": HOMEDIR_REQUIRED + "0x00000010": LOCKOUT + "0x00000020": PASSWD_NOTREQD + "0x00000040": PASSWD_CANT_CHANGE + "0x00000080": ENCRYPTED_TEXT_PWD_ALLOWED + "0x00000100": TEMP_DUPLICATE_ACCOUNT + "0x00000200": NORMAL_ACCOUNT + "0x00000800": INTERDOMAIN_TRUST_ACCOUNT + "0x00001000": WORKSTATION_TRUST_ACCOUNT + "0x00002000": SERVER_TRUST_ACCOUNT + "0x00010000": DONT_EXPIRE_PASSWORD + "0x00020000": MNS_LOGON_ACCOUNT + "0x00040000": SMARTCARD_REQUIRED + "0x00080000": TRUSTED_FOR_DELEGATION + "0x00100000": NOT_DELEGATED + "0x00200000": USE_DES_KEY_ONLY + "0x00400000": DONT_REQ_PREAUTH + "0x00800000": PASSWORD_EXPIRED + "0x01000000": TRUSTED_TO_AUTH_FOR_DELEGATION + "0x04000000": PARTIAL_SECRETS_ACCOUNT + source: |- + if (ctx.winlog?.event_data == null) { + return; + } + if (ctx.winlog.event_data.NewUacValue == null || ctx.winlog.event_data.NewUacValue == "-") { + return; + } + Long newUacValue = Long.decode(ctx.winlog.event_data.NewUacValue); + ArrayList uacResult = new ArrayList(); + for (entry in params.entrySet()) { + Long flag = Long.decode(entry.getKey()); + if ((newUacValue.longValue() & flag.longValue()) == flag.longValue()) { + uacResult.add(entry.getValue()); + } + } + if (uacResult.length == 0) { + return; + } + ctx.winlog.event_data.put("NewUACList", uacResult); + if (ctx.winlog.event_data.UserAccountControl == null || ctx.winlog.event_data.UserAccountControl == "-") { + 
return; + } + ArrayList uac_array = new ArrayList(); + for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken("%%")) { + if (elem.trim().length() > 0) { + uac_array.add(elem.trim()); + } + } + ctx.winlog.event_data.UserAccountControl = uac_array; + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Ticket Options + description: Set Kerberos Ticket Options +# Kerberos TGT and TGS Ticket Options +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 + params: + "0x40000000": Forwardable + "0x20000000": Forwarded + "0x10000000": Proxiable + "0x08000000": Proxy + "0x04000000": Allow-postdate + "0x02000000": Postdated + "0x01000000": Invalid + "0x00800000": Renewable + "0x00400000": Initial + "0x00200000": Pre-authent + "0x00100000": Opt-hardware-auth + "0x00080000": Transited-policy-checked + "0x00040000": Ok-as-delegate + "0x00020000": Request-anonymous + "0x00010000": Name-canonicalize + "0x00000020": Disable-transited-check + "0x00000010": Renewable-ok + "0x00000008": Enc-tkt-in-skey + "0x00000002": Renew + "0x00000001": Validate + source: |- + if (ctx?.winlog?.event_data?.TicketOptions == null) { + return; + } + Long tOpts = Long.decode(ctx.winlog.event_data.TicketOptions); + ArrayList tDescs = new ArrayList(); + for (entry in params.entrySet()) { + Long flag = Long.decode(entry.getKey()); + if ((tOpts.longValue() & flag.longValue()) == flag.longValue()) { + tDescs.add(entry.getValue()); + } + } + if (tDescs.length == 0) { + return; + } + ctx.winlog.event_data.put("TicketOptionsDescription", tDescs); + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Encryption Types + description: Set Kerberos Encryption Types + # Kerberos Encryption Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + # 
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + params: + "0x1": DES-CBC-CRC + "0x3": DES-CBC-MD5 + "0x11": AES128-CTS-HMAC-SHA1-96 + "0x12": AES256-CTS-HMAC-SHA1-96 + "0x17": RC4-HMAC + "0x18": RC4-HMAC-EXP + "0xffffffff": FAIL + source: |- + if (ctx?.winlog?.event_data?.TicketEncryptionType == null) { + return; + } + ctx.winlog.event_data.put("TicketEncryptionTypeDescription", + params[ctx.winlog.event_data.TicketEncryptionType.toLowerCase()]) + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Ticket Status Codes + # Kerberos Result Status Codes + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + description: Set Kerberos Ticket Status Codes + params: + "0x0": KDC_ERR_NONE + "0x1": KDC_ERR_NAME_EXP + "0x2": KDC_ERR_SERVICE_EXP + "0x3": KDC_ERR_BAD_PVNO + "0x4": KDC_ERR_C_OLD_MAST_KVNO + "0x5": KDC_ERR_S_OLD_MAST_KVNO + "0x6": KDC_ERR_C_PRINCIPAL_UNKNOWN + "0x7": KDC_ERR_S_PRINCIPAL_UNKNOWN + "0x8": KDC_ERR_PRINCIPAL_NOT_UNIQUE + "0x9": KDC_ERR_NULL_KEY + "0xA": KDC_ERR_CANNOT_POSTDATE + "0xB": KDC_ERR_NEVER_VALID + "0xC": KDC_ERR_POLICY + "0xD": KDC_ERR_BADOPTION + "0xE": KDC_ERR_ETYPE_NOTSUPP + "0xF": KDC_ERR_SUMTYPE_NOSUPP + "0x10": KDC_ERR_PADATA_TYPE_NOSUPP + "0x11": KDC_ERR_TRTYPE_NO_SUPP + "0x12": KDC_ERR_CLIENT_REVOKED + "0x13": KDC_ERR_SERVICE_REVOKED + "0x14": KDC_ERR_TGT_REVOKED + "0x15": KDC_ERR_CLIENT_NOTYET + "0x16": KDC_ERR_SERVICE_NOTYET + "0x17": KDC_ERR_KEY_EXPIRED + "0x18": KDC_ERR_PREAUTH_FAILED + "0x19": KDC_ERR_PREAUTH_REQUIRED + "0x1A": KDC_ERR_SERVER_NOMATCH + "0x1B": KDC_ERR_MUST_USE_USER2USER + "0x1F": KRB_AP_ERR_BAD_INTEGRITY + "0x20": KRB_AP_ERR_TKT_EXPIRED + "0x21": KRB_AP_ERR_TKT_NYV + "0x22": KRB_AP_ERR_REPEAT + "0x23": KRB_AP_ERR_NOT_US + "0x24": KRB_AP_ERR_BADMATCH + "0x25": KRB_AP_ERR_SKEW + "0x26": KRB_AP_ERR_BADADDR + "0x27": 
KRB_AP_ERR_BADVERSION + "0x28": KRB_AP_ERR_MSG_TYPE + "0x29": KRB_AP_ERR_MODIFIED + "0x2A": KRB_AP_ERR_BADORDER + "0x2C": KRB_AP_ERR_BADKEYVER + "0x2D": KRB_AP_ERR_NOKEY + "0x2E": KRB_AP_ERR_MUT_FAIL + "0x2F": KRB_AP_ERR_BADDIRECTION + "0x30": KRB_AP_ERR_METHOD + "0x31": KRB_AP_ERR_BADSEQ + "0x32": KRB_AP_ERR_INAPP_CKSUM + "0x33": KRB_AP_PATH_NOT_ACCEPTED + "0x34": KRB_ERR_RESPONSE_TOO_BIG + "0x3C": KRB_ERR_GENERIC + "0x3D": KRB_ERR_FIELD_TOOLONG + "0x3E": KDC_ERR_CLIENT_NOT_TRUSTED + "0x3F": KDC_ERR_KDC_NOT_TRUSTED + "0x40": KDC_ERR_INVALID_SIG + "0x41": KDC_ERR_KEY_TOO_WEAK + "0x42": KRB_AP_ERR_USER_TO_USER_REQUIRED + "0x43": KRB_AP_ERR_NO_TGT + "0x44": KDC_ERR_WRONG_REALM + source: |- + if (ctx?.winlog?.event_data?.Status == null || + ctx?.event?.code == null || + !["4768", "4769", "4770", "4771"].contains(ctx.event.code)) { + return; + } + ctx.winlog.event_data.put("StatusDescription", params[ctx.winlog.event_data.Status]); + - script: + lang: painless + ignore_failure: false + tag: Set Service Type and Name + description: Set Service Type and Name + # Services Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 + params: + "0x1": Kernel Driver + "0x2": File System Driver + "0x8": Recognizer Driver + "0x10": Win32 Own Process + "0x20": Win32 Share Process + "0x110": Interactive Own Process + "0x120": Interactive Share Process + source: |- + if (ctx?.winlog?.event_data?.ServiceName != null) { + if (ctx?.service == null) { + HashMap hm = new HashMap(); + ctx.put("service", hm); + } + ctx.service.put("name", ctx.winlog.event_data.ServiceName); + } + if (ctx?.winlog.event_data?.ServiceType != null) { + if (ctx?.service == null) { + HashMap hm = new HashMap(); + ctx.put("service", hm); + } + ctx.service.put("type", params[ctx.winlog.event_data.ServiceType]); + } + - script: + lang: painless + ignore_failure: false + tag: Set Audit Information + description: Set Audit Information + # Audit Categories Description + # 
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d + params: + "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"] + "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"] + "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"] + "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"] + "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"] + "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"] + "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff","Logon/Logoff"] + "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout","Logon/Logoff"] + "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode","Logon/Logoff"] + "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode","Logon/Logoff"] + "0CCE921A-69AE-11D9-BED3-505054503030": ["IPsec Extended Mode","Logon/Logoff"] + "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon","Logon/Logoff"] + "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"] + "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"] + "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"] + "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"] + "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"] + "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"] + "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM","Object Access"] + "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services","Object Access"] + "0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated","Object Access"] + "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation","Object Access"] + "0CCE9224-69AE-11D9-BED3-505054503030": ["File Share","Object Access"] + "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop","Object Access"] + 
"0CCE9226-69AE-11D9-BED3-505054503030": ["Filtering Platform Connection ","Object Access"] + "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events","Object Access"] + "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share","Object Access"] + "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage","Object Access"] + "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging","Object Access"] + "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use","Privilege Use"] + "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use","Privilege Use"] + "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events","Privilege Use"] + "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation","Detailed Tracking"] + "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination","Detailed Tracking"] + "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI Activity","Detailed Tracking"] + "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events","Detailed Tracking"] + "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events","Detailed Tracking"] + "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change","Policy Change"] + "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change","Policy Change"] + "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change","Policy Change"] + "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level Policy Change","Policy Change"] + "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change","Policy Change"] + "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events","Policy Change"] + "0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management","Account Management"] + "0CCE9236-69AE-11D9-BED3-505054503030": ["Computer Account Management","Account Management"] + "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management","Account Management"] + "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group 
Management","Account Management"] + "0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management","Account Management"] + "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events","Account Management"] + "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access","Account Management"] + "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes","Account Management"] + "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication","Account Management"] + "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication","Account Management"] + "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation","Account Logon"] + "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations","Account Logon"] + "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events","Account Logon"] + "0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service","Account Logon"] + source: |- + if (ctx?.winlog?.event_data?.SubcategoryGuid == null) { + return; + } + def subCatGuid = ctx.winlog.event_data.SubcategoryGuid.replace("{","").replace("}","").toUpperCase(); + if (!params.containsKey(subCatGuid)) { + return; + } + ctx.winlog.event_data.put("Category", params[subCatGuid][1]); + ctx.winlog.event_data.put("SubCategory", params[subCatGuid][0]); + - script: + lang: painless + ignore_failure: false + tag: Decode message table + description: Decode message table + # Message table extracted from msobjs.dll on Windows 2019. 
+ # https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 + # https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b + params: + descriptions: + "279": "Undefined Access (no effect) Bit 7" + "1536": "Unused message ID" + "1537": "DELETE" + "1538": "READ_CONTROL" + "1539": "WRITE_DAC" + "1540": "WRITE_OWNER" + "1541": "SYNCHRONIZE" + "1542": "ACCESS_SYS_SEC" + "1543": "MAX_ALLOWED" + "1552": "Unknown specific access (bit 0)" + "1553": "Unknown specific access (bit 1)" + "1554": "Unknown specific access (bit 2)" + "1555": "Unknown specific access (bit 3)" + "1556": "Unknown specific access (bit 4)" + "1557": "Unknown specific access (bit 5)" + "1558": "Unknown specific access (bit 6)" + "1559": "Unknown specific access (bit 7)" + "1560": "Unknown specific access (bit 8)" + "1561": "Unknown specific access (bit 9)" + "1562": "Unknown specific access (bit 10)" + "1563": "Unknown specific access (bit 11)" + "1564": "Unknown specific access (bit 12)" + "1565": "Unknown specific access (bit 13)" + "1566": "Unknown specific access (bit 14)" + "1567": "Unknown specific access (bit 15)" + "1601": "Not used" + "1603": "Assign Primary Token Privilege" + "1604": "Lock Memory Privilege" + "1605": "Increase Memory Quota Privilege" + "1606": "Unsolicited Input Privilege" + "1607": "Trusted Computer Base Privilege" + "1608": "Security Privilege" + "1609": "Take Ownership Privilege" + "1610": "Load/Unload Driver Privilege" + "1611": "Profile System Privilege" + "1612": "Set System Time Privilege" + "1613": "Profile Single Process Privilege" + "1614": "Increment Base Priority Privilege" + "1615": "Create Pagefile Privilege" + "1616": "Create Permanent Object Privilege" + "1617": "Backup Privilege" + "1618": "Restore From Backup Privilege" + "1619": "Shutdown System Privilege" + "1620": "Debug Privilege" + "1621": "View or Change 
Audit Log Privilege" + "1622": "Change Hardware Environment Privilege" + "1623": "Change Notify (and Traverse) Privilege" + "1624": "Remotely Shut System Down Privilege" + "1792": "" + "1794": "" + "1795": "Enabled" + "1796": "Disabled" + "1797": "All" + "1798": "None" + "1799": "Audit Policy query/set API Operation" + "1800": "" + "1801": "Granted by" + "1802": "Denied by" + "1803": "Denied by Integrity Policy check" + "1804": "Granted by Ownership" + "1805": "Not granted" + "1806": "Granted by NULL DACL" + "1807": "Denied by Empty DACL" + "1808": "Granted by NULL Security Descriptor" + "1809": "Unknown or unchecked" + "1810": "Not granted due to missing" + "1811": "Granted by ACE on parent folder" + "1812": "Denied by ACE on parent folder" + "1813": "Granted by Central Access Rule" + "1814": "NOT Granted by Central Access Rule" + "1815": "Granted by parent folder's Central Access Rule" + "1816": "NOT Granted by parent folder's Central Access Rule" + "1817": "Unknown Type" + "1818": "String" + "1819": "Unsigned 64-bit Integer" + "1820": "64-bit Integer" + "1821": "FQBN" + "1822": "Blob" + "1823": "Sid" + "1824": "Boolean" + "1825": "TRUE" + "1826": "FALSE" + "1827": "Invalid" + "1828": "an ACE too long to display" + "1829": "a Security Descriptor too long to display" + "1830": "Not granted to AppContainers" + "1831": "..." + "1832": "Identification" + "1833": "Impersonation" + "1840": "Delegation" + "1841": "Denied by Process Trust Label ACE" + "1842": "Yes" + "1843": "No" + "1844": "System" + "1845": "Not Available" + "1846": "Default" + "1847": "DisallowMmConfig" + "1848": "Off" + "1849": "Auto" + "1872": "REG_NONE" + "1873": "REG_SZ" + "1874": "REG_EXPAND_SZ" + "1875": "REG_BINARY" + "1876": "REG_DWORD" + "1877": "REG_DWORD_BIG_ENDIAN" + "1878": "REG_LINK" + "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)" + "1880": "REG_RESOURCE_LIST" + "1881": "REG_FULL_RESOURCE_DESCRIPTOR" + "1882": "REG_RESOURCE_REQUIREMENTS_LIST" + "1883": "REG_QWORD" + "1904": "New registry value created" + "1905": "Existing registry value modified" + "1906": "Registry value deleted" + "1920": "Sunday" + "1921": "Monday" + "1922": "Tuesday" + "1923": "Wednesday" + "1924": "Thursday" + "1925": "Friday" + "1926": "Saturday" + "1936": "TokenElevationTypeDefault (1)" + "1937": "TokenElevationTypeFull (2)" + "1938": "TokenElevationTypeLimited (3)" + "2048": "Account Enabled" + "2049": "Home Directory Required' - Disabled" + "2050": "Password Not Required' - Disabled" + "2051": "Temp Duplicate Account' - Disabled" + "2052": "Normal Account' - Disabled" + "2053": "MNS Logon Account' - Disabled" + "2054": "Interdomain Trust Account' - Disabled" + "2055": "Workstation Trust Account' - Disabled" + "2056": "Server Trust Account' - Disabled" + "2057": "Don't Expire Password' - Disabled" + "2058": "Account Unlocked" + "2059": "Encrypted Text Password Allowed' - Disabled" + "2060": "Smartcard Required' - Disabled" + "2061": "Trusted For Delegation' - Disabled" + "2062": "Not Delegated' - Disabled" + "2063": "Use DES Key Only' - Disabled" + "2064": "Don't Require Preauth' - Disabled" + "2065": "Password Expired' - Disabled" + "2066": "Trusted To Authenticate For Delegation' - Disabled" + "2067": "Exclude Authorization Information' - Disabled" + "2068": "Undefined UserAccountControl Bit 20' - Disabled" + "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled" + "2070": "Undefined UserAccountControl Bit 22' - Disabled" + "2071": "Undefined UserAccountControl Bit 23' - Disabled" + "2072": "Undefined UserAccountControl Bit 24' - Disabled" + "2073": "Undefined UserAccountControl Bit 25' - Disabled" + "2074": "Undefined UserAccountControl Bit 26' - Disabled" + "2075": "Undefined UserAccountControl Bit 27' - Disabled" + "2076": "Undefined UserAccountControl Bit 28' - Disabled" 
+ "2077": "Undefined UserAccountControl Bit 29' - Disabled" + "2078": "Undefined UserAccountControl Bit 30' - Disabled" + "2079": "Undefined UserAccountControl Bit 31' - Disabled" + "2080": "Account Disabled" + "2081": "Home Directory Required' - Enabled" + "2082": "Password Not Required' - Enabled" + "2083": "Temp Duplicate Account' - Enabled" + "2084": "Normal Account' - Enabled" + "2085": "MNS Logon Account' - Enabled" + "2086": "Interdomain Trust Account' - Enabled" + "2087": "Workstation Trust Account' - Enabled" + "2088": "Server Trust Account' - Enabled" + "2089": "Don't Expire Password' - Enabled" + "2090": "Account Locked" + "2091": "Encrypted Text Password Allowed' - Enabled" + "2092": "Smartcard Required' - Enabled" + "2093": "Trusted For Delegation' - Enabled" + "2094": "Not Delegated' - Enabled" + "2095": "Use DES Key Only' - Enabled" + "2096": "Don't Require Preauth' - Enabled" + "2097": "Password Expired' - Enabled" + "2098": "Trusted To Authenticate For Delegation' - Enabled" + "2099": "Exclude Authorization Information' - Enabled" + "2100": "Undefined UserAccountControl Bit 20' - Enabled" + "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled" + "2102": "Undefined UserAccountControl Bit 22' - Enabled" + "2103": "Undefined UserAccountControl Bit 23' - Enabled" + "2104": "Undefined UserAccountControl Bit 24' - Enabled" + "2105": "Undefined UserAccountControl Bit 25' - Enabled" + "2106": "Undefined UserAccountControl Bit 26' - Enabled" + "2107": "Undefined UserAccountControl Bit 27' - Enabled" + "2108": "Undefined UserAccountControl Bit 28' - Enabled" + "2109": "Undefined UserAccountControl Bit 29' - Enabled" + "2110": "Undefined UserAccountControl Bit 30' - Enabled" + "2111": "Undefined UserAccountControl Bit 31' - Enabled" + "2304": "An Error occured during Logon." + "2305": "The specified user account has expired." + "2306": "The NetLogon component is not active." + "2307": "Account locked out." 
+ "2308": "The user has not been granted the requested logon type at this machine." + "2309": "The specified account's password has expired." + "2310": "Account currently disabled." + "2311": "Account logon time restriction violation." + "2312": "User not allowed to logon at this computer." + "2313": "Unknown user name or bad password." + "2314": "Domain sid inconsistent." + "2315": "Smartcard logon is required and was not used." + "2432": "Not Available." + "2436": "Random number generator failure." + "2437": "Random number generation failed FIPS-140 pre-hash check." + "2438": "Failed to zero secret data." + "2439": "Key failed pair wise consistency check." + "2448": "Failed to unprotect persistent cryptographic key." + "2449": "Key export checks failed." + "2450": "Validation of public key failed." + "2451": "Signature verification failed." + "2456": "Open key file." + "2457": "Delete key file." + "2458": "Read persisted key from file." + "2459": "Write persisted key to file." + "2464": "Export of persistent cryptographic key." + "2465": "Import of persistent cryptographic key." + "2480": "Open Key." + "2481": "Create Key." + "2482": "Delete Key." + "2483": "Encrypt." + "2484": "Decrypt." + "2485": "Sign hash." + "2486": "Secret agreement." + "2487": "Domain settings" + "2488": "Local settings" + "2489": "Add provider." + "2490": "Remove provider." + "2491": "Add context." + "2492": "Remove context." + "2493": "Add function." + "2494": "Remove function." + "2495": "Add function provider." + "2496": "Remove function provider." + "2497": "Add function property." + "2498": "Remove function property." + "2499": "Machine key." + "2500": "User key." + "2501": "Key Derivation." 
+ "4352": "Device Access Bit 0" + "4353": "Device Access Bit 1" + "4354": "Device Access Bit 2" + "4355": "Device Access Bit 3" + "4356": "Device Access Bit 4" + "4357": "Device Access Bit 5" + "4358": "Device Access Bit 6" + "4359": "Device Access Bit 7" + "4360": "Device Access Bit 8" + "4361": "Undefined Access (no effect) Bit 9" + "4362": "Undefined Access (no effect) Bit 10" + "4363": "Undefined Access (no effect) Bit 11" + "4364": "Undefined Access (no effect) Bit 12" + "4365": "Undefined Access (no effect) Bit 13" + "4366": "Undefined Access (no effect) Bit 14" + "4367": "Undefined Access (no effect) Bit 15" + "4368": "Query directory" + "4369": "Traverse" + "4370": "Create object in directory" + "4371": "Create sub-directory" + "4372": "Undefined Access (no effect) Bit 4" + "4373": "Undefined Access (no effect) Bit 5" + "4374": "Undefined Access (no effect) Bit 6" + "4375": "Undefined Access (no effect) Bit 7" + "4376": "Undefined Access (no effect) Bit 8" + "4377": "Undefined Access (no effect) Bit 9" + "4378": "Undefined Access (no effect) Bit 10" + "4379": "Undefined Access (no effect) Bit 11" + "4380": "Undefined Access (no effect) Bit 12" + "4381": "Undefined Access (no effect) Bit 13" + "4382": "Undefined Access (no effect) Bit 14" + "4383": "Undefined Access (no effect) Bit 15" + "4384": "Query event state" + "4385": "Modify event state" + "4386": "Undefined Access (no effect) Bit 2" + "4387": "Undefined Access (no effect) Bit 3" + "4388": "Undefined Access (no effect) Bit 4" + "4389": "Undefined Access (no effect) Bit 5" + "4390": "Undefined Access (no effect) Bit 6" + "4391": "Undefined Access (no effect) Bit 7" + "4392": "Undefined Access (no effect) Bit 8" + "4393": "Undefined Access (no effect) Bit 9" + "4394": "Undefined Access (no effect) Bit 10" + "4395": "Undefined Access (no effect) Bit 11" + "4396": "Undefined Access (no effect) Bit 12" + "4397": "Undefined Access (no effect) Bit 13" + "4398": "Undefined Access (no effect) Bit 14" + 
"4399": "Undefined Access (no effect) Bit 15" + "4416": "ReadData (or ListDirectory)" + "4417": "WriteData (or AddFile)" + "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)" + "4419": "ReadEA" + "4420": "WriteEA" + "4421": "Execute/Traverse" + "4422": "DeleteChild" + "4423": "ReadAttributes" + "4424": "WriteAttributes" + "4425": "Undefined Access (no effect) Bit 9" + "4426": "Undefined Access (no effect) Bit 10" + "4427": "Undefined Access (no effect) Bit 11" + "4428": "Undefined Access (no effect) Bit 12" + "4429": "Undefined Access (no effect) Bit 13" + "4430": "Undefined Access (no effect) Bit 14" + "4431": "Undefined Access (no effect) Bit 15" + "4432": "Query key value" + "4433": "Set key value" + "4434": "Create sub-key" + "4435": "Enumerate sub-keys" + "4436": "Notify about changes to keys" + "4437": "Create Link" + "4438": "Undefined Access (no effect) Bit 6" + "4439": "Undefined Access (no effect) Bit 7" + "4440": "Enable 64(or 32) bit application to open 64 bit key" + "4441": "Enable 64(or 32) bit application to open 32 bit key" + "4442": "Undefined Access (no effect) Bit 10" + "4443": "Undefined Access (no effect) Bit 11" + "4444": "Undefined Access (no effect) Bit 12" + "4445": "Undefined Access (no effect) Bit 13" + "4446": "Undefined Access (no effect) Bit 14" + "4447": "Undefined Access (no effect) Bit 15" + "4448": "Query mutant state" + "4449": "Undefined Access (no effect) Bit 1" + "4450": "Undefined Access (no effect) Bit 2" + "4451": "Undefined Access (no effect) Bit 3" + "4452": "Undefined Access (no effect) Bit 4" + "4453": "Undefined Access (no effect) Bit 5" + "4454": "Undefined Access (no effect) Bit 6" + "4455": "Undefined Access (no effect) Bit 7" + "4456": "Undefined Access (no effect) Bit 8" + "4457": "Undefined Access (no effect) Bit 9" + "4458": "Undefined Access (no effect) Bit 10" + "4459": "Undefined Access (no effect) Bit 11" + "4460": "Undefined Access (no effect) Bit 12" + "4461": "Undefined Access (no effect) Bit 
13" + "4462": "Undefined Access (no effect) Bit 14" + "4463": "Undefined Access (no effect) Bit 15" + "4464": "Communicate using port" + "4465": "Undefined Access (no effect) Bit 1" + "4466": "Undefined Access (no effect) Bit 2" + "4467": "Undefined Access (no effect) Bit 3" + "4468": "Undefined Access (no effect) Bit 4" + "4469": "Undefined Access (no effect) Bit 5" + "4470": "Undefined Access (no effect) Bit 6" + "4471": "Undefined Access (no effect) Bit 7" + "4472": "Undefined Access (no effect) Bit 8" + "4473": "Undefined Access (no effect) Bit 9" + "4474": "Undefined Access (no effect) Bit 10" + "4475": "Undefined Access (no effect) Bit 11" + "4476": "Undefined Access (no effect) Bit 12" + "4477": "Undefined Access (no effect) Bit 13" + "4478": "Undefined Access (no effect) Bit 14" + "4479": "Undefined Access (no effect) Bit 15" + "4480": "Force process termination" + "4481": "Create new thread in process" + "4482": "Set process session ID" + "4483": "Perform virtual memory operation" + "4484": "Read from process memory" + "4485": "Write to process memory" + "4486": "Duplicate handle into or out of process" + "4487": "Create a subprocess of process" + "4488": "Set process quotas" + "4489": "Set process information" + "4490": "Query process information" + "4491": "Set process termination port" + "4492": "Undefined Access (no effect) Bit 12" + "4493": "Undefined Access (no effect) Bit 13" + "4494": "Undefined Access (no effect) Bit 14" + "4495": "Undefined Access (no effect) Bit 15" + "4496": "Control profile" + "4497": "Undefined Access (no effect) Bit 1" + "4498": "Undefined Access (no effect) Bit 2" + "4499": "Undefined Access (no effect) Bit 3" + "4500": "Undefined Access (no effect) Bit 4" + "4501": "Undefined Access (no effect) Bit 5" + "4502": "Undefined Access (no effect) Bit 6" + "4503": "Undefined Access (no effect) Bit 7" + "4504": "Undefined Access (no effect) Bit 8" + "4505": "Undefined Access (no effect) Bit 9" + "4506": "Undefined Access (no 
effect) Bit 10" + "4507": "Undefined Access (no effect) Bit 11" + "4508": "Undefined Access (no effect) Bit 12" + "4509": "Undefined Access (no effect) Bit 13" + "4510": "Undefined Access (no effect) Bit 14" + "4511": "Undefined Access (no effect) Bit 15" + "4512": "Query section state" + "4513": "Map section for write" + "4514": "Map section for read" + "4515": "Map section for execute" + "4516": "Extend size" + "4517": "Undefined Access (no effect) Bit 5" + "4518": "Undefined Access (no effect) Bit 6" + "4519": "Undefined Access (no effect) Bit 7" + "4520": "Undefined Access (no effect) Bit 8" + "4521": "Undefined Access (no effect) Bit 9" + "4522": "Undefined Access (no effect) Bit 10" + "4523": "Undefined Access (no effect) Bit 11" + "4524": "Undefined Access (no effect) Bit 12" + "4525": "Undefined Access (no effect) Bit 13" + "4526": "Undefined Access (no effect) Bit 14" + "4527": "Undefined Access (no effect) Bit 15" + "4528": "Query semaphore state" + "4529": "Modify semaphore state" + "4530": "Undefined Access (no effect) Bit 2" + "4531": "Undefined Access (no effect) Bit 3" + "4532": "Undefined Access (no effect) Bit 4" + "4533": "Undefined Access (no effect) Bit 5" + "4534": "Undefined Access (no effect) Bit 6" + "4535": "Undefined Access (no effect) Bit 7" + "4536": "Undefined Access (no effect) Bit 8" + "4537": "Undefined Access (no effect) Bit 9" + "4538": "Undefined Access (no effect) Bit 10" + "4539": "Undefined Access (no effect) Bit 11" + "4540": "Undefined Access (no effect) Bit 12" + "4541": "Undefined Access (no effect) Bit 13" + "4542": "Undefined Access (no effect) Bit 14" + "4543": "Undefined Access (no effect) Bit 15" + "4544": "Use symbolic link" + "4545": "Undefined Access (no effect) Bit 1" + "4546": "Undefined Access (no effect) Bit 2" + "4547": "Undefined Access (no effect) Bit 3" + "4548": "Undefined Access (no effect) Bit 4" + "4549": "Undefined Access (no effect) Bit 5" + "4550": "Undefined Access (no effect) Bit 6" + "4551": 
"Undefined Access (no effect) Bit 7" + "4552": "Undefined Access (no effect) Bit 8" + "4553": "Undefined Access (no effect) Bit 9" + "4554": "Undefined Access (no effect) Bit 10" + "4555": "Undefined Access (no effect) Bit 11" + "4556": "Undefined Access (no effect) Bit 12" + "4557": "Undefined Access (no effect) Bit 13" + "4558": "Undefined Access (no effect) Bit 14" + "4559": "Undefined Access (no effect) Bit 15" + "4560": "Force thread termination" + "4561": "Suspend or resume thread" + "4562": "Send an alert to thread" + "4563": "Get thread context" + "4564": "Set thread context" + "4565": "Set thread information" + "4566": "Query thread information" + "4567": "Assign a token to the thread" + "4568": "Cause thread to directly impersonate another thread" + "4569": "Directly impersonate this thread" + "4570": "Undefined Access (no effect) Bit 10" + "4571": "Undefined Access (no effect) Bit 11" + "4572": "Undefined Access (no effect) Bit 12" + "4573": "Undefined Access (no effect) Bit 13" + "4574": "Undefined Access (no effect) Bit 14" + "4575": "Undefined Access (no effect) Bit 15" + "4576": "Query timer state" + "4577": "Modify timer state" + "4578": "Undefined Access (no effect) Bit 2" + "4579": "Undefined Access (no effect) Bit 3" + "4580": "Undefined Access (no effect) Bit 4" + "4581": "Undefined Access (no effect) Bit 5" + "4582": "Undefined Access (no effect) Bit 6" + "4584": "Undefined Access (no effect) Bit 8" + "4585": "Undefined Access (no effect) Bit 9" + "4586": "Undefined Access (no effect) Bit 10" + "4587": "Undefined Access (no effect) Bit 11" + "4588": "Undefined Access (no effect) Bit 12" + "4589": "Undefined Access (no effect) Bit 13" + "4590": "Undefined Access (no effect) Bit 14" + "4591": "Undefined Access (no effect) Bit 15" + "4592": "AssignAsPrimary" + "4593": "Duplicate" + "4594": "Impersonate" + "4595": "Query" + "4596": "QuerySource" + "4597": "AdjustPrivileges" + "4598": "AdjustGroups" + "4599": "AdjustDefaultDacl" + "4600": 
"AdjustSessionID" + "4601": "Undefined Access (no effect) Bit 9" + "4602": "Undefined Access (no effect) Bit 10" + "4603": "Undefined Access (no effect) Bit 11" + "4604": "Undefined Access (no effect) Bit 12" + "4605": "Undefined Access (no effect) Bit 13" + "4606": "Undefined Access (no effect) Bit 14" + "4607": "Undefined Access (no effect) Bit 15" + "4608": "Create instance of object type" + "4609": "Undefined Access (no effect) Bit 1" + "4610": "Undefined Access (no effect) Bit 2" + "4611": "Undefined Access (no effect) Bit 3" + "4612": "Undefined Access (no effect) Bit 4" + "4613": "Undefined Access (no effect) Bit 5" + "4614": "Undefined Access (no effect) Bit 6" + "4615": "Undefined Access (no effect) Bit 7" + "4616": "Undefined Access (no effect) Bit 8" + "4617": "Undefined Access (no effect) Bit 9" + "4618": "Undefined Access (no effect) Bit 10" + "4619": "Undefined Access (no effect) Bit 11" + "4620": "Undefined Access (no effect) Bit 12" + "4621": "Undefined Access (no effect) Bit 13" + "4622": "Undefined Access (no effect) Bit 14" + "4623": "Undefined Access (no effect) Bit 15" + "4864": "Query State" + "4865": "Modify State" + "5120": "Channel read message" + "5121": "Channel write message" + "5122": "Channel query information" + "5123": "Channel set information" + "5124": "Undefined Access (no effect) Bit 4" + "5125": "Undefined Access (no effect) Bit 5" + "5126": "Undefined Access (no effect) Bit 6" + "5127": "Undefined Access (no effect) Bit 7" + "5128": "Undefined Access (no effect) Bit 8" + "5129": "Undefined Access (no effect) Bit 9" + "5130": "Undefined Access (no effect) Bit 10" + "5131": "Undefined Access (no effect) Bit 11" + "5132": "Undefined Access (no effect) Bit 12" + "5133": "Undefined Access (no effect) Bit 13" + "5134": "Undefined Access (no effect) Bit 14" + "5135": "Undefined Access (no effect) Bit 15" + "5136": "Assign process" + "5137": "Set Attributes" + "5138": "Query Attributes" + "5139": "Terminate Job" + "5140": "Set Security 
Attributes" + "5141": "Undefined Access (no effect) Bit 5" + "5142": "Undefined Access (no effect) Bit 6" + "5143": "Undefined Access (no effect) Bit 7" + "5144": "Undefined Access (no effect) Bit 8" + "5145": "Undefined Access (no effect) Bit 9" + "5146": "Undefined Access (no effect) Bit 10" + "5147": "Undefined Access (no effect) Bit 11" + "5148": "Undefined Access (no effect) Bit 12" + "5149": "Undefined Access (no effect) Bit 13" + "5150": "Undefined Access (no effect) Bit 14" + "5151": "Undefined Access (no effect) Bit 15" + "5376": "ConnectToServer" + "5377": "ShutdownServer" + "5378": "InitializeServer" + "5379": "CreateDomain" + "5380": "EnumerateDomains" + "5381": "LookupDomain" + "5382": "Undefined Access (no effect) Bit 6" + "5383": "Undefined Access (no effect) Bit 7" + "5384": "Undefined Access (no effect) Bit 8" + "5385": "Undefined Access (no effect) Bit 9" + "5386": "Undefined Access (no effect) Bit 10" + "5387": "Undefined Access (no effect) Bit 11" + "5388": "Undefined Access (no effect) Bit 12" + "5389": "Undefined Access (no effect) Bit 13" + "5390": "Undefined Access (no effect) Bit 14" + "5391": "Undefined Access (no effect) Bit 15" + "5392": "ReadPasswordParameters" + "5393": "WritePasswordParameters" + "5394": "ReadOtherParameters" + "5395": "WriteOtherParameters" + "5396": "CreateUser" + "5397": "CreateGlobalGroup" + "5398": "CreateLocalGroup" + "5399": "GetLocalGroupMembership" + "5400": "ListAccounts" + "5401": "LookupIDs" + "5402": "AdministerServer" + "5403": "Undefined Access (no effect) Bit 11" + "5404": "Undefined Access (no effect) Bit 12" + "5405": "Undefined Access (no effect) Bit 13" + "5406": "Undefined Access (no effect) Bit 14" + "5407": "Undefined Access (no effect) Bit 15" + "5408": "ReadInformation" + "5409": "WriteAccount" + "5410": "AddMember" + "5411": "RemoveMember" + "5412": "ListMembers" + "5413": "Undefined Access (no effect) Bit 5" + "5414": "Undefined Access (no effect) Bit 6" + "5415": "Undefined Access (no 
effect) Bit 7" + "5416": "Undefined Access (no effect) Bit 8" + "5417": "Undefined Access (no effect) Bit 9" + "5418": "Undefined Access (no effect) Bit 10" + "5419": "Undefined Access (no effect) Bit 11" + "5420": "Undefined Access (no effect) Bit 12" + "5421": "Undefined Access (no effect) Bit 13" + "5422": "Undefined Access (no effect) Bit 14" + "5423": "Undefined Access (no effect) Bit 15" + "5424": "AddMember" + "5425": "RemoveMember" + "5426": "ListMembers" + "5427": "ReadInformation" + "5428": "WriteAccount" + "5429": "Undefined Access (no effect) Bit 5" + "5430": "Undefined Access (no effect) Bit 6" + "5431": "Undefined Access (no effect) Bit 7" + "5432": "Undefined Access (no effect) Bit 8" + "5433": "Undefined Access (no effect) Bit 9" + "5434": "Undefined Access (no effect) Bit 10" + "5435": "Undefined Access (no effect) Bit 11" + "5436": "Undefined Access (no effect) Bit 12" + "5437": "Undefined Access (no effect) Bit 13" + "5438": "Undefined Access (no effect) Bit 14" + "5439": "Undefined Access (no effect) Bit 15" + "5440": "ReadGeneralInformation" + "5441": "ReadPreferences" + "5442": "WritePreferences" + "5443": "ReadLogon" + "5444": "ReadAccount" + "5445": "WriteAccount" + "5446": "ChangePassword (with knowledge of old password)" + "5447": "SetPassword (without knowledge of old password)" + "5448": "ListGroups" + "5449": "ReadGroupMembership" + "5450": "ChangeGroupMembership" + "5451": "Undefined Access (no effect) Bit 11" + "5452": "Undefined Access (no effect) Bit 12" + "5453": "Undefined Access (no effect) Bit 13" + "5454": "Undefined Access (no effect) Bit 14" + "5455": "Undefined Access (no effect) Bit 15" + "5632": "View non-sensitive policy information" + "5633": "View system audit requirements" + "5634": "Get sensitive policy information" + "5635": "Modify domain trust relationships" + "5636": "Create special accounts (for assignment of user rights)" + "5637": "Create a secret object" + "5638": "Create a privilege" + "5639": "Set default 
quota limits" + "5640": "Change system audit requirements" + "5641": "Administer audit log attributes" + "5642": "Enable/Disable LSA" + "5643": "Lookup Names/SIDs" + "5648": "Change secret value" + "5649": "Query secret value" + "5650": "Undefined Access (no effect) Bit 2" + "5651": "Undefined Access (no effect) Bit 3" + "5652": "Undefined Access (no effect) Bit 4" + "5653": "Undefined Access (no effect) Bit 5" + "5654": "Undefined Access (no effect) Bit 6" + "5655": "Undefined Access (no effect) Bit 7" + "5656": "Undefined Access (no effect) Bit 8" + "5657": "Undefined Access (no effect) Bit 9" + "5658": "Undefined Access (no effect) Bit 10" + "5659": "Undefined Access (no effect) Bit 11" + "5660": "Undefined Access (no effect) Bit 12" + "5661": "Undefined Access (no effect) Bit 13" + "5662": "Undefined Access (no effect) Bit 14" + "5663": "Undefined Access (no effect) Bit 15" + "5664": "Query trusted domain name/SID" + "5665": "Retrieve the controllers in the trusted domain" + "5666": "Change the controllers in the trusted domain" + "5667": "Query the Posix ID offset assigned to the trusted domain" + "5668": "Change the Posix ID offset assigned to the trusted domain" + "5669": "Undefined Access (no effect) Bit 5" + "5670": "Undefined Access (no effect) Bit 6" + "5671": "Undefined Access (no effect) Bit 7" + "5672": "Undefined Access (no effect) Bit 8" + "5673": "Undefined Access (no effect) Bit 9" + "5674": "Undefined Access (no effect) Bit 10" + "5675": "Undefined Access (no effect) Bit 11" + "5676": "Undefined Access (no effect) Bit 12" + "5677": "Undefined Access (no effect) Bit 13" + "5678": "Undefined Access (no effect) Bit 14" + "5679": "Undefined Access (no effect) Bit 15" + "5680": "Query account information" + "5681": "Change privileges assigned to account" + "5682": "Change quotas assigned to account" + "5683": "Change logon capabilities assigned to account" + "5684": "Change the Posix ID offset assigned to the accounted domain" + "5685": "Undefined 
Access (no effect) Bit 5" + "5686": "Undefined Access (no effect) Bit 6" + "5687": "Undefined Access (no effect) Bit 7" + "5688": "Undefined Access (no effect) Bit 8" + "5689": "Undefined Access (no effect) Bit 9" + "5690": "Undefined Access (no effect) Bit 10" + "5691": "Undefined Access (no effect) Bit 11" + "5692": "Undefined Access (no effect) Bit 12" + "5693": "Undefined Access (no effect) Bit 13" + "5694": "Undefined Access (no effect) Bit 14" + "5695": "Undefined Access (no effect) Bit 15" + "5696": "KeyedEvent Wait" + "5697": "KeyedEvent Wake" + "5698": "Undefined Access (no effect) Bit 2" + "5699": "Undefined Access (no effect) Bit 3" + "5700": "Undefined Access (no effect) Bit 4" + "5701": "Undefined Access (no effect) Bit 5" + "5702": "Undefined Access (no effect) Bit 6" + "5703": "Undefined Access (no effect) Bit 7" + "5704": "Undefined Access (no effect) Bit 8" + "5705": "Undefined Access (no effect) Bit 9" + "5706": "Undefined Access (no effect) Bit 10" + "5707": "Undefined Access (no effect) Bit 11" + "5708": "Undefined Access (no effect) Bit 12" + "5709": "Undefined Access (no effect) Bit 13" + "5710": "Undefined Access (no effect) Bit 14" + "5711": "Undefined Access (no effect) Bit 15" + "6656": "Enumerate desktops" + "6657": "Read attributes" + "6658": "Access Clipboard" + "6659": "Create desktop" + "6660": "Write attributes" + "6661": "Access global atoms" + "6662": "Exit windows" + "6663": "Unused Access Flag" + "6664": "Include this windowstation in enumerations" + "6665": "Read screen" + "6672": "Read Objects" + "6673": "Create window" + "6674": "Create menu" + "6675": "Hook control" + "6676": "Journal (record)" + "6677": "Journal (playback)" + "6678": "Include this desktop in enumerations" + "6679": "Write objects" + "6680": "Switch to this desktop" + "6912": "Administer print server" + "6913": "Enumerate printers" + "6930": "Full Control" + "6931": "Print" + "6948": "Administer Document" + "7168": "Connect to service controller" + "7169": 
"Create a new service" + "7170": "Enumerate services" + "7171": "Lock service database for exclusive access" + "7172": "Query service database lock state" + "7173": "Set last-known-good state of service database" + "7184": "Query service configuration information" + "7185": "Set service configuration information" + "7186": "Query status of service" + "7187": "Enumerate dependencies of service" + "7188": "Start the service" + "7189": "Stop the service" + "7190": "Pause or continue the service" + "7191": "Query information from service" + "7192": "Issue service-specific control commands" + "7424": "DDE Share Read" + "7425": "DDE Share Write" + "7426": "DDE Share Initiate Static" + "7427": "DDE Share Initiate Link" + "7428": "DDE Share Request" + "7429": "DDE Share Advise" + "7430": "DDE Share Poke" + "7431": "DDE Share Execute" + "7432": "DDE Share Add Items" + "7433": "DDE Share List Items" + "7680": "Create Child" + "7681": "Delete Child" + "7682": "List Contents" + "7683": "Write Self" + "7684": "Read Property" + "7685": "Write Property" + "7686": "Delete Tree" + "7687": "List Object" + "7688": "Control Access" + "7689": "Undefined Access (no effect) Bit 9" + "7690": "Undefined Access (no effect) Bit 10" + "7691": "Undefined Access (no effect) Bit 11" + "7692": "Undefined Access (no effect) Bit 12" + "7693": "Undefined Access (no effect) Bit 13" + "7694": "Undefined Access (no effect) Bit 14" + "7695": "Undefined Access (no effect) Bit 15" + "7936": "Audit Set System Policy" + "7937": "Audit Query System Policy" + "7938": "Audit Set Per User Policy" + "7939": "Audit Query Per User Policy" + "7940": "Audit Enumerate Users" + "7941": "Audit Set Options" + "7942": "Audit Query Options" + "8064": "Port sharing (read)" + "8065": "Port sharing (write)" + "8096": "Default credentials" + "8097": "Credentials manager" + "8098": "Fresh credentials" + "8192": "Kerberos" + "8193": "Preshared key" + "8194": "Unknown authentication" + "8195": "DES" + "8196": "3DES" + "8197": 
"MD5"
+ "8198": "SHA1"
+ "8199": "Local computer"
+ "8200": "Remote computer"
+ "8201": "No state"
+ "8202": "Sent first (SA) payload"
+ "8203": "Sent second (KE) payload"
+ "8204": "Sent third (ID) payload"
+ "8205": "Initiator"
+ "8206": "Responder"
+ "8207": "No state"
+ "8208": "Sent first (SA) payload"
+ "8209": "Sent final payload"
+ "8210": "Complete"
+ "8211": "Unknown"
+ "8212": "Transport"
+ "8213": "Tunnel"
+ "8214": "IKE/AuthIP DoS prevention mode started"
+ "8215": "IKE/AuthIP DoS prevention mode stopped"
+ "8216": "Enabled"
+ "8217": "Not enabled"
+ "8218": "No state"
+ "8219": "Sent first (EM attributes) payload"
+ "8220": "Sent second (SSPI) payload"
+ "8221": "Sent third (hash) payload"
+ "8222": "IKEv1"
+ "8223": "AuthIP"
+ "8224": "Anonymous"
+ "8225": "NTLM V2"
+ "8226": "CGA"
+ "8227": "Certificate"
+ "8228": "SSL"
+ "8229": "None"
+ "8230": "DH group 1"
+ "8231": "DH group 2"
+ "8232": "DH group 14"
+ "8233": "DH group ECP 256"
+ "8234": "DH group ECP 384"
+ "8235": "AES-128"
+ "8236": "AES-192"
+ "8237": "AES-256"
+ "8238": "Certificate ECDSA P256"
+ "8239": "Certificate ECDSA P384"
+ "8240": "SSL ECDSA P256"
+ "8241": "SSL ECDSA P384"
+ "8242": "SHA 256"
+ "8243": "SHA 384"
+ "8244": "IKEv2"
+ "8245": "EAP payload sent"
+ "8246": "Authentication payload sent"
+ "8247": "EAP"
+ "8248": "DH group 24"
+ "8272": "System"
+ "8273": "Logon/Logoff"
+ "8274": "Object Access"
+ "8275": "Privilege Use"
+ "8276": "Detailed Tracking"
+ "8277": "Policy Change"
+ "8278": "Account Management"
+ "8279": "DS Access"
+ "8280": "Account Logon"
+ "8448": "Success removed"
+ "8449": "Success Added"
+ "8450": "Failure removed"
+ "8451": "Failure Added"
+ "8452": "Success include removed"
+ "8453": "Success include added"
+ "8454": "Success exclude removed"
+ "8455": "Success exclude added"
+ "8456": "Failure include removed"
+ "8457": "Failure include added"
+ "8458": "Failure exclude removed"
+ "8459": "Failure exclude added"
+ "12288": "Security State Change"
+ "12289": "Security System Extension"
+ "12290": "System Integrity"
+ "12291": "IPsec Driver"
+ "12292": "Other System Events"
+ "12544": "Logon"
+ "12545": "Logoff"
+ "12546": "Account Lockout"
+ "12547": "IPsec Main Mode"
+ "12548": "Special Logon"
+ "12549": "IPsec Quick Mode"
+ "12550": "IPsec Extended Mode"
+ "12551": "Other Logon/Logoff Events"
+ "12552": "Network Policy Server"
+ "12553": "User / Device Claims"
+ "12554": "Group Membership"
+ "12800": "File System"
+ "12801": "Registry"
+ "12802": "Kernel Object"
+ "12803": "SAM"
+ "12804": "Other Object Access Events"
+ "12805": "Certification Services"
+ "12806": "Application Generated"
+ "12807": "Handle Manipulation"
+ "12808": "File Share"
+ "12809": "Filtering Platform Packet Drop"
+ "12810": "Filtering Platform Connection"
+ "12811": "Detailed File Share"
+ "12812": "Removable Storage"
+ "12813": "Central Policy Staging"
+ "13056": "Sensitive Privilege Use"
+ "13057": "Non Sensitive Privilege Use"
+ "13058": "Other Privilege Use Events"
+ "13312": "Process Creation"
+ "13313": "Process Termination"
+ "13314": "DPAPI Activity"
+ "13315": "RPC Events"
+ "13316": "Plug and Play Events"
+ "13317": "Token Right Adjusted Events"
+ "13568": "Audit Policy Change"
+ "13569": "Authentication Policy Change"
+ "13570": "Authorization Policy Change"
+ "13571": "MPSSVC Rule-Level Policy Change"
+ "13572": "Filtering Platform Policy Change"
+ "13573": "Other Policy Change Events"
+ "13824": "User Account Management"
+ "13825": "Computer Account Management"
+ "13826": "Security Group Management"
+ "13827": "Distribution Group Management"
+ "13828": "Application Group Management"
+ "13829": "Other Account Management Events"
+ "14080": "Directory Service Access"
+ "14081": "Directory Service Changes"
+ "14082": "Directory Service Replication"
+ "14083": "Detailed Directory Service Replication"
+ "14336": "Credential Validation"
+ "14337": "Kerberos Service Ticket Operations"
+ "14338": "Other Account Logon Events"
+ "14339": "Kerberos Authentication Service"
+ "14592": "Inbound"
+ "14593": "Outbound"
+ "14594": "Forward"
+ "14595": "Bidirectional"
+ "14596": "IP Packet"
+ "14597": "Transport"
+ "14598": "Forward"
+ "14599": "Stream"
+ "14600": "Datagram Data"
+ "14601": "ICMP Error"
+ "14602": "MAC 802.3"
+ "14603": "MAC Native"
+ "14604": "vSwitch"
+ "14608": "Resource Assignment"
+ "14609": "Listen"
+ "14610": "Receive/Accept"
+ "14611": "Connect"
+ "14612": "Flow Established"
+ "14614": "Resource Release"
+ "14615": "Endpoint Closure"
+ "14616": "Connect Redirect"
+ "14617": "Bind Redirect"
+ "14624": "Stream Packet"
+ "14640": "ICMP Echo-Request"
+ "14641": "vSwitch Ingress"
+ "14642": "vSwitch Egress"
+ "14672": ""
+ "14673": "[NULL]"
+ "14674": "Value Added"
+ "14675": "Value Deleted"
+ "14676": "Active Directory Domain Services"
+ "14677": "Active Directory Lightweight Directory Services"
+ "14678": "Yes"
+ "14679": "No"
+ "14680": "Value Added With Expiration Time"
+ "14681": "Value Deleted With Expiration Time"
+ "14688": "Value Auto Deleted With Expiration Time"
+ "16384": "Add"
+ "16385": "Delete"
+ "16386": "Boot-time"
+ "16387": "Persistent"
+ "16388": "Not persistent"
+ "16389": "Block"
+ "16390": "Permit"
+ "16391": "Callout"
+ "16392": "MD5"
+ "16393": "SHA-1"
+ "16394": "SHA-256"
+ "16395": "AES-GCM 128"
+ "16396": "AES-GCM 192"
+ "16397": "AES-GCM 256"
+ "16398": "DES"
+ "16399": "3DES"
+ "16400": "AES-128"
+ "16401": "AES-192"
+ "16402": "AES-256"
+ "16403": "Transport"
+ "16404": "Tunnel"
+ "16405": "Responder"
+ "16406": "Initiator"
+ "16407": "AES-GMAC 128"
+ "16408": "AES-GMAC 192"
+ "16409": "AES-GMAC 256"
+ "16416": "AuthNoEncap Transport"
+ "16896": "Enable WMI Account"
+ "16897": "Execute Method"
+ "16898": "Full Write"
+ "16899": "Partial Write"
+ "16900": "Provider Write"
+ "16901": "Remote Access"
+ "16902": "Subscribe"
+ "16903": "Publish"
+ AccessMaskDescriptions:
+ "0x00000001": Create Child
+ "0x00000002": Delete Child
+ "0x00000004": List
Contents
+ "0x00000008": SELF
+ "0x00000010": Read Property
+ "0x00000020": Write Property
+ "0x00000040": Delete Treee
+ "0x00000080": List Object
+ "0x00000100": Control Access
+ "0x00010000": DELETE
+ "0x00020000": READ_CONTROL
+ "0x00040000": WRITE_DAC
+ "0x00080000": WRITE_OWNER
+ "0x00100000": SYNCHRONIZE
+ "0x00F00000": STANDARD_RIGHTS_REQUIRED
+ "0x001F0000": STANDARD_RIGHTS_ALL
+ "0x0000FFFF": SPECIFIC_RIGHTS_ALL
+ "0x01000000": ADS_RIGHT_ACCESS_SYSTEM_SECURITY
+ "0x10000000": ADS_RIGHT_GENERIC_ALL
+ "0x20000000": ADS_RIGHT_GENERIC_EXECUTE
+ "0x40000000": ADS_RIGHT_GENERIC_WRITE
+ "0x80000000": ADS_RIGHT_GENERIC_READ
+ source: |-
+ def split(String s) {
+ def f = new ArrayList();
+ int last = 0;
+ for (; last < s.length() && Character.isWhitespace(s.charAt(last)); last++) {}
+ for (def i = last; i < s.length(); i++) {
+ if (!Character.isWhitespace(s.charAt(i))) {
+ continue;
+ }
+ f.add(s.substring(last, i));
+ for (; i < s.length() && Character.isWhitespace(s.charAt(i)); i++) {}
+ last = i;
+ }
+ f.add(s.substring(last));
+ return f;
+ }
+ if (ctx?.winlog?.event_data?.FailureReason != null) {
+ def code = ctx.winlog.event_data.FailureReason.replace("%%","");
+ if (params.descriptions.containsKey(code)) {
+ if (ctx?.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ if (ctx?.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("reason", params.descriptions[code]);
+ }
+ }
+ if (ctx?.winlog?.event_data?.AuditPolicyChanges != null) {
+ ArrayList results = new ArrayList();
+ for (elem in ctx.winlog.event_data.AuditPolicyChanges.splitOnToken(",")) {
+ def code = elem.replace("%%","").trim();
+ if (params.descriptions.containsKey(code)) {
+ results.add(params.descriptions[code]);
+ }
+ }
+ if (results.length > 0) {
+ ctx.winlog.event_data.put("AuditPolicyChangesDescription", results);
+ }
+ }
+ if (ctx?.winlog?.event_data?.AccessList != null) {
+ ArrayList results = new ArrayList();
+ for (elem in ctx.winlog.event_data.AccessList.splitOnToken(" ")) {
+ def code = elem.replace("%%","").trim();
+ if (params.descriptions.containsKey(code)) {
+ results.add(params.descriptions[code]);
+ }
+ }
+ if (results.length > 0) {
+ ctx.winlog.event_data.put("AccessListDescription", results);
+ }
+ }
+ if (ctx?.winlog?.event_data?.AccessMask != null) {
+ ArrayList results = new ArrayList();
+ for (elem in split(ctx.winlog.event_data.AccessMask)) {
+ def mask = elem.replace("%%","").trim();
+ if (mask == "") {
+ continue;
+ }
+ Long accessMask = Long.decode(mask);
+ for (entry in params.AccessMaskDescriptions.entrySet()) {
+ Long accessFlag = Long.decode(entry.getKey());
+ if ((accessMask.longValue() & accessFlag.longValue()) == accessFlag.longValue()) {
+ results.add(entry.getValue());
+ }
+ }
+ }
+ if (results.length > 0) {
+ ctx.winlog.event_data.put("_AccessMaskDescription", results);
+ }
+ }
+ - foreach:
+ field: winlog.event_data._AccessMaskDescription
+ processor:
+ append:
+ field: winlog.event_data.AccessMaskDescription
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ ignore_failure: true
+ if: ctx.winlog?.event_data?._AccessMaskDescription != null && ctx.winlog.event_data._AccessMaskDescription instanceof List
+ - remove:
+ field: winlog.event_data._AccessMaskDescription
+ ignore_failure: true
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: 4625 and 4776 Set Status and SubStatus
+ description: 4625 and 4776 Set Status and SubStatus
+ # Descriptions of failure status codes.
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
+ params:
+ "0xc000005e": "There are currently no logon servers available to service the logon request."
+ "0xc0000064": "User logon with misspelled or bad user account"
+ "0xc000006a": "User logon with misspelled or bad password"
+ "0xc000006d": "This is either due to a bad username or authentication information"
+ "0xc000006e": "Unknown user name or bad password."
+ "0xc000006f": "User logon outside authorized hours"
+ "0xc0000070": "User logon from unauthorized workstation"
+ "0xc0000071": "User logon with expired password"
+ "0xc0000072": "User logon to account disabled by administrator"
+ "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation."
+ "0xc0000133": "Clocks between DC and other computer too far out of sync"
+ "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine"
+ "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed."
+ "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started."
+ "0xc0000193": "User logon with expired account"
+ "0xc0000224": "User is required to change password at next logon"
+ "0xc0000225": "Evidently a bug in Windows and not a risk"
+ "0xc0000234": "User logon with account locked"
+ "0xc00002ee": "Failure Reason: An Error occurred during Logon"
+ "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine."
+ "0xc0000371": "The local account store does not contain secret material for the specified account"
+ "0x0": "Status OK."
+ source: |-
+ if (ctx?.winlog?.event_data?.Status == null ||
+ ctx?.event?.code == null ||
+ !["4625", "4776"].contains(ctx.event.code)) {
+ return;
+ }
+ if (params.containsKey(ctx.winlog.event_data.Status)) {
+ if (ctx?.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ if (ctx?.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("status", params[ctx.winlog.event_data.Status]);
+ }
+ if (ctx?.winlog?.event_data?.SubStatus == null || !params.containsKey(ctx.winlog.event_data.SubStatus)) {
+ return;
+ }
+ if (ctx?.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ if (ctx?.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("sub_status", params[ctx.winlog.event_data.SubStatus]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Trust Type
+ description: Set Trust Type
+ # Trust Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "1": "TRUST_TYPE_DOWNLEVEL"
+ "2": "TRUST_TYPE_UPLEVEL"
+ "3": "TRUST_TYPE_MIT"
+ "4": "TRUST_TYPE_DCE"
+ source: |-
+ if (ctx?.winlog?.event_data?.TdoType == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoType)) {
+ return;
+ }
+ ctx.winlog.put("trustType", params[ctx.winlog.event_data.TdoType]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Trust Direction
+ description: Set Trust Direction
+ # Trust Direction
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "0": "TRUST_DIRECTION_DISABLED"
+ "1": "TRUST_DIRECTION_INBOUND"
+ "2": "TRUST_DIRECTION_OUTBOUND"
+ "3": "TRUST_DIRECTION_BIDIRECTIONAL"
+ source: |-
+ if (ctx?.winlog?.event_data?.TdoDirection == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoDirection)) {
+ return;
+ }
+ ctx.winlog.put("trustDirection", params[ctx.winlog.event_data.TdoDirection]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Trust Attributes
+ description: Set Trust Attributes
+ # Trust Attributes
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "0": "UNDEFINED"
+ "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE"
+ "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY"
+ "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN"
+ "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE"
+ "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION"
+ "32": "TRUST_ATTRIBUTE_WITHIN_FOREST"
+ "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL"
+ "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION"
+ "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION"
+ "1024": "TRUST_ATTRIBUTE_PIM_TRUST"
+ source: |-
+ if (ctx?.winlog?.event_data?.TdoAttributes == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoAttributes)) {
+ return;
+ }
+ ctx.winlog.put("trustAttribute", params[ctx.winlog.event_data.TdoAttributes]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Add Session Events
+ description: Add Session Events
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4778", "4779"].contains(ctx.event.code)) {
+ return;
+ }
+ //AccountName to user.name and related.user
+ if (ctx?.winlog?.event_data?.AccountName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ ctx.user.put("name", ctx.winlog.event_data.AccountName);
+ if (!ctx.related.user.contains(ctx.winlog.event_data.AccountName)) {
+ ctx.related.user.add(ctx.winlog.event_data.AccountName);
+ }
+ }
+
+ //AccountDomain to user.domain
+ if (ctx?.winlog?.event_data?.AccountDomain != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("domain", ctx.winlog.event_data.AccountDomain);
+ }
+
+ //ClientAddress to source.ip and related.ip
+ if (ctx?.winlog?.event_data?.ClientAddress != null &&
+ ctx.winlog.event_data.ClientAddress != "-") {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.ip == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("ip", al);
+ }
+ ctx.source.put("ip", ctx.winlog.event_data.ClientAddress);
+ if (!ctx.related.ip.contains(ctx.winlog.event_data.ClientAddress)) {
+ ctx.related.ip.add(ctx.winlog.event_data.ClientAddress);
+ }
+ }
+
+ //ClientName to source.domain
+ if (ctx?.winlog?.event_data?.ClientName != null) {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("domain", ctx.winlog.event_data.ClientName);
+ }
+
+ //LogonID to winlog.logon.id
+ if (ctx?.winlog?.event_data?.LogonID != null) {
+ if (ctx?.winlog?.logon == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ ctx.winlog.logon.put("id", ctx.winlog.event_data.LogonID);
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User
+ description: Copy Target User
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4624", "4625", "4634", "4647", "4648", "4768", "4769", "4770",
+ "4771", "4776", "4964"].contains(ctx.event.code)) {
+ return;
+ }
+
+ def targetUserId = ctx?.winlog?.event_data?.TargetUserSid;
+ if (targetUserId == null) {
+ targetUserId = ctx?.winlog?.event_data?.TargetSid;
+ }
+
+ //TargetUserSid to user.id or user.target.id
+ if (targetUserId != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.id == null) {
+ ctx.user.put("id", targetUserId);
+ } else {
+ if (ctx?.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("id", targetUserId);
+ }
+ }
+
+ //TargetUserName to related.user and user.name or user.target.name
+ if (ctx?.winlog?.event_data?.TargetUserName != null) {
+ def tun = ctx.winlog.event_data.TargetUserName.splitOnToken("@");
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.name == null) {
+ ctx.user.put("name", tun[0]);
+ } else {
+ if (ctx?.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("name", tun[0]);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(tun[0])) {
+ ctx.related.user.add(tun[0]);
+ }
+ }
+ //TargetUserDomain to user.domain or user.target.domain
+ if (ctx?.winlog?.event_data?.TargetDomainName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.domain == null) {
+ ctx.user.put("domain", ctx.winlog.event_data.TargetDomainName);
+ } else {
+ if (ctx?.user?.target == null){
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("domain", ctx.winlog.event_data.TargetDomainName);
+ }
+ }
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy MemberName to User and User to Group
+ description: Copy MemberName to User and User to Group
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734", "4735",
+ "4737", "4744", "4745", "4746", "4747", "4748", "4749", "4750", "4751",
+ "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759", "4760",
+ "4761", "4762", "4763", "4764", "4799"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.MemberName != null) {
+ def memberNameParts = ctx.winlog.event_data.MemberName.splitOnToken(",");
+ def memberName = memberNameParts[0].replace("CN=","").replace("cn=","");
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.target == null){
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("name", memberName);
+ if (!ctx.related.user.contains(memberName)) {
+ ctx.related.user.add(memberName);
+ }
+ if (memberNameParts.length >= 4) {
+ def domain = memberNameParts[3].replace("DC=", "").replace("dc=", "");
+ ctx.user.target.put("domain", domain);
+ }
+ }
+ if (ctx?.winlog?.event_data?.TargetUserSid != null) {
+ if (ctx?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ ctx.group.put("id", ctx.winlog.event_data.TargetUserSid);
+ }
+ if (ctx?.winlog?.event_data?.TargetSid != null) {
+ if (ctx?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ ctx.group.put("id", ctx.winlog.event_data.TargetSid);
+ }
+ if (ctx?.winlog?.event_data?.TargetUserName != null) {
+ if (ctx?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ ctx.group.put("name", ctx.winlog.event_data.TargetUserName);
+ }
+ if (ctx?.winlog?.event_data?.TargetDomainName != null) {
+ if (ctx?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ def domain = ctx.winlog.event_data.TargetDomainName.replace("DC=", "").replace("dc=", "");
+ ctx.group.put("domain", domain);
+ }
+ if (ctx?.user?.target != null) {
+ if (ctx?.user?.target?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.user.target.put("group", hm);
+ }
+ if (ctx?.group?.id != null) {
+ ctx.user.target.group.put("id", ctx.group.id);
+ }
+ if (ctx?.group?.name != null) {
+ ctx.user.target.group.put("name", ctx.group.name);
+ }
+ if (ctx?.group?.domain != null) {
+ ctx.user.target.group.put("domain", ctx.group.domain);
+ }
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Computer Object
+ description: Copy Target User to Computer Object
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4741", "4742", "4743"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.TargetSid != null) {
+ if (ctx?.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+ }
+ ctx.winlog.computerObject.put("id", ctx.winlog.event_data.TargetSid);
+ }
+ if (ctx?.winlog?.event_data?.TargetUserName != null) {
+ if (ctx?.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+ }
+ ctx.winlog.computerObject.put("name", ctx.winlog.event_data.TargetUserName);
+ }
+ if (ctx?.winlog?.event_data?.TargetDomainName != null) {
+ if (ctx?.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+ }
+ ctx.winlog.computerObject.put("domain", ctx.winlog.event_data.TargetDomainName);
+ }
+
+ - set:
+ field: winlog.logon.id
+ copy_from: winlog.event_data.TargetLogonId
+ ignore_failure: false
+ if: ctx?.event?.code != null && ["4634", "4647", "4964"].contains(ctx.event.code)
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Subject User from Event Data
+ description: Copy Subject User from Event Data
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4657", "4670", "4672", "4673", "4674", "4688", "4689", "4697",
+ "4698", "4699", "4700", "4701", "4702", "4706", "4707", "4713",
+ "4716", "4717", "4718", "4719", "4720", "4722", "4723", "4724",
+ "4725", "4726", "4727", "4728", "4729", "4730", "4731", "4732",
+ "4733", "4734", "4735", "4737", "4738", "4739", "4740", "4741",
+ "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749",
+ "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757",
+ "4758", "4759", "4760", "4761", "4762", "4763", "4764", "4767",
+ "4781", "4798", "4799", "4817", "4904", "4905", "4907", "4912",
+ "4648", "4797", "5140", "5145", "5379", "5380", "5381", "5382"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.SubjectUserSid != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("id", ctx.winlog.event_data.SubjectUserSid);
+ }
+ if (ctx?.winlog?.event_data?.SubjectUserName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ ctx.user.put("name", ctx.winlog.event_data.SubjectUserName);
+ if (!ctx.related.user.contains(ctx.winlog.event_data.SubjectUserName)) {
+ ctx.related.user.add(ctx.winlog.event_data.SubjectUserName);
+ }
+ }
+ if (ctx?.winlog?.event_data?.SubjectDomainName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("domain", ctx.winlog.event_data.SubjectDomainName);
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Target
+ description: Copy Target User to Target
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4670", "4720", "4722", "4723", "4724", "4725",
+ "4726", "4738", "4740", "4767", "4798", "4817",
+ "4907", "4797"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ def userId = ctx?.winlog?.event_data?.TargetSid;
+ if (userId != null && userId != "" && userId != "-") ctx.user.target.id = userId;
+ def userName = ctx?.winlog?.event_data?.TargetUserName;
+ if (userName != null && userName != "" && userName != "-") {
+ ctx.user.target.name = userName;
+ def parts = userName.splitOnToken("@");
+ if (parts.length > 1) {
+ ctx.user.target.name = parts[0];
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.user.target.name)) {
+ ctx.related.user.add(ctx.user.target.name);
+ }
+ }
+ def userDomain = ctx?.winlog?.event_data?.TargetDomainName;
+ if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.target.domain = userDomain;
+ if (ctx.user?.target != null && ctx.user.target.size() == 0) ctx.user.remove("target");
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Effective
+ description: Copy Target User to Effective
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4648", "4688"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.effective == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("effective", hm);
+ }
+ def userId = ctx?.winlog?.event_data?.TargetUserSid;
+ if (userId != null && userId != "" && userId != "-") ctx.user.effective.id = userId;
+ def userName = ctx?.winlog?.event_data?.TargetUserName;
+ if (userName != null && userName != "" && userName != "-") {
+ ctx.user.effective.name = userName;
+ def parts = userName.splitOnToken("@");
+ if (parts.length > 1) {
+ ctx.user.effective.name = parts[0];
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.user.effective.name)) {
+ ctx.related.user.add(ctx.user.effective.name);
+ }
+ }
+ def userDomain = ctx?.winlog?.event_data?.TargetDomainName;
+ if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.effective.domain = userDomain;
+ if (ctx.user?.effective != null && ctx.user.effective.size() == 0) ctx.user.remove("effective");
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Subject User from user_data
+ description: Copy Subject User from user_data
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["1102"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.user_data?.SubjectUserSid != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("id", ctx.winlog.user_data.SubjectUserSid);
+ }
+ if (ctx?.winlog?.user_data?.SubjectUserName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ ctx.user.put("name", ctx.winlog.user_data.SubjectUserName);
+ if (!ctx.related.user.contains(ctx.winlog.user_data.SubjectUserName)) {
+ ctx.related.user.add(ctx.winlog.user_data.SubjectUserName);
+ }
+ }
+ if (ctx?.winlog?.user_data?.SubjectDomainName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("domain", ctx.winlog.user_data.SubjectDomainName);
+ }
+
+ - set:
+ field: winlog.logon.id
+ copy_from: winlog.event_data.SubjectLogonId
+ ignore_failure: true
+
+ - set:
+ field: winlog.logon.id
+ copy_from: winlog.user_data.SubjectLogonId
+ ignore_failure: true
+ if: |-
+ ctx?.event?.code != null &&
+ ["1102"].contains(ctx.event.code)
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Rename Common Auth Fields
+ description: Rename Common Auth Fields
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["1100", "1102", "1104", "1105", "1108", "4624", "4648", "4625",
+ "4670", "4673", "4674", "4689", "4697", "4719", "4720", "4722",
+ "4723", "4724", "4725", "4726", "4727", "4728", "4729", "4730",
+ "4731", "4732", "4733", "4734", "4735", "4737", "4738", "4740",
+ "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748",
+ "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756",
+ "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4764",
+ "4767", "4768", "4769", "4770", "4771", "4798", "4799", "4817",
+ "4904", "4905", "4907", "4912", "5140", "5145"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.ProcessId != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx.winlog.event_data.ProcessId instanceof String) {
+ Long pid = Long.decode(ctx.winlog.event_data.ProcessId);
+ ctx.process.put("pid", pid.longValue());
+ } else {
+ ctx.process.put("pid", ctx.winlog.event_data.ProcessId);
+ }
+ ctx.winlog.event_data.remove("ProcessId");
+ }
+ if (ctx?.winlog?.event_data?.ProcessName != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ ctx.process.put("executable", ctx.winlog.event_data.ProcessName);
+ ctx.winlog.event_data.remove("ProcessName");
+ }
+ if (ctx?.winlog?.event_data?.IpAddress != null &&
+ ctx.winlog.event_data.IpAddress != "-") {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("ip", ctx.winlog.event_data.IpAddress);
+ ctx.winlog.event_data.remove("IpAddress");
+ }
+ if (ctx?.winlog?.event_data?.IpPort != null && ctx.winlog.event_data.IpPort != "-") {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("port", Long.decode(ctx.winlog.event_data.IpPort));
+ ctx.winlog.event_data.remove("IpPort");
+ }
+ if (ctx?.winlog?.event_data?.WorkstationName != null) {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("domain", ctx.winlog.event_data.WorkstationName);
+ ctx.winlog.event_data.remove("WorkstationName");
+ }
+ if (ctx?.winlog?.event_data?.ClientAddress != null &&
+ ctx.winlog.event_data.ClientAddress != "-") {
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ ctx.related.put("ip", ctx.winlog.event_data.ClientAddress);
+ ctx.winlog.event_data.remove("ClientAddress");
+ }
+ if (ctx?.process?.name == null && ctx?.process?.executable != null) {
+ def parts = ctx.process.executable.splitOnToken("\\");
+ ctx.process.put("name", parts[-1]);
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Process Event 4688
+ description: Process Event 4688
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4688"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.NewProcessId != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx.winlog.event_data.NewProcessId instanceof String) {
+ Long pid = Long.decode(ctx.winlog.event_data.NewProcessId);
+ ctx.process.put("pid", pid.longValue());
+ } else {
+ ctx.process.put("pid", ctx.winlog.event_data.NewProcessId);
+ }
+ ctx.winlog.event_data.remove("NewProcessId");
+ }
+ if (ctx?.winlog?.event_data?.NewProcessName != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ ctx.process.put("executable", ctx.winlog.event_data.NewProcessName);
+ ctx.winlog.event_data.remove("NewProcessName");
+ }
+ if (ctx?.winlog?.event_data?.ParentProcessName != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx?.process?.parent == null) {
+ HashMap hm = new HashMap();
+ ctx.process.put("parent", hm);
+ }
+ ctx.process.parent.put("executable", ctx.winlog.event_data.ParentProcessName);
+ ctx.winlog.event_data.remove("ParentProcessName");
+ }
+ if (ctx?.process?.name == null && ctx?.process?.executable != null) {
+ def parts = ctx.process.executable.splitOnToken("\\");
+ ctx.process.put("name", parts[-1]);
+ }
+ if (ctx?.process?.parent?.name == null && ctx?.process?.parent?.executable != null) {
+ def parts = ctx.process.parent.executable.splitOnToken("\\");
+ ctx.process.parent.put("name", parts[-1]);
+ }
+ if (ctx?.winlog?.event_data?.ProcessId != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx?.process?.parent == null) {
+ HashMap hm = new HashMap();
+ ctx.process.put("parent", hm);
+ }
+ if (ctx.winlog.event_data.ProcessId instanceof String) {
+ Long pid = Long.decode(ctx.winlog.event_data.ProcessId);
+ ctx.process.parent.put("pid", pid.longValue());
+ } else {
+ ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId);
+ }
+ }
+ if (ctx?.winlog?.event_data?.CommandLine != null) {
+ int start = 0;
+ int end = 0;
+ boolean in_quote = false;
+ ArrayList al = new ArrayList();
+ for (int i = 0; i < ctx.winlog.event_data.CommandLine.length(); i++) {
+ end = i;
+ if (Character.compare(ctx.winlog.event_data.CommandLine.charAt(i), "\"".charAt(0)) == 0) {
+ if (in_quote) {
+ in_quote = false;
+ } else {
+ in_quote = true;
+ }
+ }
+ if (Character.isWhitespace(ctx.winlog.event_data.CommandLine.charAt(i)) && !in_quote) {
+ al.add(ctx.winlog.event_data.CommandLine.substring(start, end));
+ start = i + 1;
+ }
+ if (i == ctx.winlog.event_data.CommandLine.length() - 1) {
+ al.add(ctx.winlog.event_data.CommandLine.substring(start, end + 1));
+ }
+ }
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ ctx.process.put("args", al);
+ ctx.process.put("command_line", ctx.winlog.event_data.CommandLine);
+ }
+ if ((ctx?.winlog?.event_data?.TargetUserName != null) &&
+ (!ctx.winlog.event_data.TargetUserName.equals("-"))) {
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.winlog.event_data.TargetUserName)) {
+ ctx.related.user.add(ctx.winlog.event_data.TargetUserName);
+ }
+ }
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.SubjectUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.event?.code != null &&
+ ["4624", "4648", "4797", "5379", "5380", "5381", "5382"].contains(ctx.event.code) &&
+ ctx?.winlog?.event_data?.SubjectUserName != null &&
+ ctx.winlog.event_data.SubjectUserName != "-"
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.TargetUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.event?.code != null &&
+ ["4688", "4720", "4722", "4723", "4724", "4725", "4726", "4738",
+ "4740", "4767", "4797", "4798"].contains(ctx.event.code) &&
+ ctx?.winlog?.event_data?.TargetUserName != null &&
+ ctx.winlog.event_data.TargetUserName != "-"
+
+ - split:
+ field: winlog.event_data.PrivilegeList
+ separator: "\\s+"
+ if: |-
+ ctx?.event?.code != null &&
+ ["4672", "4673", "4674", "4741", "4742", "4743"].contains(ctx.event.code) &&
+ ctx?.winlog?.event_data?.PrivilegeList != null
+
+ - set:
+ field: user.target.name
+ copy_from: winlog.event_data.OldTargetUserName
+ ignore_empty_value: true
+
+ - set:
+ field: user.changes.name
+ copy_from: winlog.event_data.NewTargetUserName
+ ignore_empty_value: true
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.NewTargetUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.winlog?.event_data?.NewTargetUserName != null &&
+ ctx.winlog.event_data.NewTargetUserName != "-"
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.OldTargetUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.winlog?.event_data?.OldTargetUserName != null &&
+ ctx.winlog.event_data.OldTargetUserName != "-"
+
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Object Policy Change and SidListDesc
+ description: Object Policy Change and SidListDesc
+ # SDDL Ace Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
+ # https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
+ # SDDL Permissions
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
+ # Known SIDs
+ # https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems
+ # https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings
+ # Domain-specific SIDs
+ # https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems
+ # Object Permission Flags
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b
+ params:
+ AccountSIDDescription:
+ AO: Account operators
+ RU: Alias to allow previous Windows 2000
+ AN: Anonymous logon
+ AU: Authenticated users
+ BA: Built-in administrators
+ BG: Built-in guests
+ BO: Backup operators
+ BU: Built-in users
+ CA: Certificate server administrators
+ CG: Creator group
+ CO: Creator owner
+ DA: Domain administrators
+ DC: Domain computers
+ DD: Domain controllers
+ DG: Domain guests
+ DU: Domain users
+ EA: Enterprise administrators
+ ED: Enterprise domain controllers
+ WD: Everyone
+ PA: Group Policy administrators
+ IU: Interactively logged-on user
+ LA: Local administrator
+ LG: Local guest
+ LS: Local service account
+ SY: Local system
+ NU: Network logon user
+ NO: Network configuration operators
+ NS: Network service account
+ PO: Printer operators
+ PS: Personal self
+ PU: Power users
+ RS: RAS servers group
+ RD: Terminal server users
+ RE: Replicator
+ RC: Restricted code
+ SA: Schema administrators
+ SO: Server operators
+ SU: Service logon user
+ S-1-0: Null Authority
+ S-1-0-0: Nobody
+ S-1-1: World Authority
+ S-1-1-0: Everyone
+ S-1-16-0: Untrusted Mandatory Level
+ S-1-16-12288: High Mandatory Level
+ S-1-16-16384: System Mandatory Level
+ S-1-16-20480: Protected Process Mandatory Level
+ S-1-16-28672: Secure Process Mandatory Level
+ S-1-16-4096: Low
Mandatory Level + S-1-16-8192: Medium Mandatory Level + S-1-16-8448: Medium Plus Mandatory Level + S-1-2: Local Authority + S-1-2-0: Local + S-1-2-1: Console Logon + S-1-3: Creator Authority + S-1-3-0: Creator Owner + S-1-3-1: Creator Group + S-1-3-2: Creator Owner Server + S-1-3-3: Creator Group Server + S-1-3-4: Owner Rights + S-1-4: Non-unique Authority + S-1-5: NT Authority + S-1-5-1: Dialup + S-1-5-10: Principal Self + S-1-5-11: Authenticated Users + S-1-5-12: Restricted Code + S-1-5-13: Terminal Server Users + S-1-5-14: Remote Interactive Logon + S-1-5-15: This Organization + S-1-5-17: This Organization + S-1-5-18: Local System + S-1-5-19: NT Authority + S-1-5-2: Network + S-1-5-20: NT Authority + S-1-5-3: Batch + S-1-5-32-544: Administrators + S-1-5-32-545: Users + S-1-5-32-546: Guests + S-1-5-32-547: Power Users + S-1-5-32-548: Account Operators + S-1-5-32-549: Server Operators + S-1-5-32-550: Print Operators + S-1-5-32-551: Backup Operators + S-1-5-32-552: Replicators + S-1-5-32-554: Builtin\Pre-Windows 2000 Compatible Access + S-1-5-32-555: Builtin\Remote Desktop Users + S-1-5-32-556: Builtin\Network Configuration Operators + S-1-5-32-557: Builtin\Incoming Forest Trust Builders + S-1-5-32-558: Builtin\Performance Monitor Users + S-1-5-32-559: Builtin\Performance Log Users + S-1-5-32-560: Builtin\Windows Authorization Access Group + S-1-5-32-561: Builtin\Terminal Server License Servers + S-1-5-32-562: Builtin\Distributed COM Users + S-1-5-32-569: Builtin\Cryptographic Operators + S-1-5-32-573: Builtin\Event Log Readers + S-1-5-32-574: Builtin\Certificate Service DCOM Access + S-1-5-32-575: Builtin\RDS Remote Access Servers + S-1-5-32-576: Builtin\RDS Endpoint Servers + S-1-5-32-577: Builtin\RDS Management Servers + S-1-5-32-578: Builtin\Hyper-V Administrators + S-1-5-32-579: Builtin\Access Control Assistance Operators + S-1-5-32-580: Builtin\Remote Management Users + S-1-5-32-582: Storage Replica Administrators + S-1-5-4: Interactive + S-1-5-5-X-Y: Logon 
Session + S-1-5-6: Service + S-1-5-64-10: NTLM Authentication + S-1-5-64-14: SChannel Authentication + S-1-5-64-21: Digest Authentication + S-1-5-7: Anonymous + S-1-5-8: Proxy + S-1-5-80: NT Service + S-1-5-80-0: All Services + S-1-5-83-0: NT Virtual Machine\Virtual Machines + S-1-5-9: Enterprise Domain Controllers + S-1-5-90-0: Windows Manager\Windows Manager Group + AceTypes: + A: Access Allowed + D: Access Denied + OA: Object Access Allowed + OD: Object Access Denied + AU: System Audit + AL: System Alarm + OU: System Object Audit + OL: System Object Alarm + ML: System Mandatory Label + SP: Central Policy ID + DomainSpecificSID: + "498": Enterprise Read-only Domain Controllers + "500": Administrator + "501": Guest + "502": KRBTGT + "512": Domain Admins + "513": Domain Users + "514": Domain Guests + "515": Domain Computers + "516": Domain Controllers + "517": Cert Publishers + "518": Schema Admins + "519": Enterprise Admins + "520": Group Policy Creator Owners + "521": Read-only Domain Controllers + "522": Cloneable Domain Controllers + "526": Key Admins + "527": Enterprise Key Admins + "553": RAS and IAS Servers + "571": Allowed RODC Password Replication Group + "572": Denied RODC Password Replication Group + PermissionDescription: + GA: Generic All + GR: Generic Read + GW: Generic Write + GX: Generic Execute + RC: Read Permissions + SD: Delete + WD: Modify Permissions + WO: Modify Owner + RP: Read All Properties + WP: Write All Properties + CC: Create All Child Objects + DC: Delete All Child Objects + LC: List Contents + SW: All Validated + LO: List Object + DT: Delete Subtree + CR: All Extended Rights + FA: File All Access + FR: File Generic Read + FX: FILE GENERIC EXECUTE + FW: FILE GENERIC WRITE + KA: KEY ALL ACCESS + KR: KEY READ + KW: KEY WRITE + KX: KEY EXECUTE + PermsFlags: + "0x80000000": 'Generic Read' + "0x4000000": 'Generic Write' + "0x20000000": 'Generic Execute' + "0x10000000": 'Generic All' + "0x02000000": 'Maximum Allowed' + "0x01000000": 'Access 
System Security' + "0x00100000": 'Syncronize' + "0x00080000": 'Write Owner' + "0x00040000": 'Write DACL' + "0x00020000": 'Read Control' + "0x00010000": 'Delete' + source: |- + ArrayList translatePermissionMask(def mask, def params) { + ArrayList al = new ArrayList(); + Long permCode = Long.decode(mask); + for (entry in params.PermsFlags.entrySet()) { + Long permFlag = Long.decode(entry.getKey()); + if ((permCode.longValue() & permFlag.longValue()) == permFlag.longValue()) { + al.add(entry.getValue()); + } + } + if (al.length == 0) { + al.add(mask); + } + return al; + } + + HashMap translateACL(def dacl, def params) { + def aceArray = dacl.splitOnToken(";"); + HashMap hm = new HashMap(); + + if (aceArray.length >= 6 ) { + hm.put("grantee", translateSID(aceArray[5], params)); + } + + if (aceArray.length >= 1) { + hm.put("type", params.AceTypes[aceArray[0]]); + } + + if (aceArray.length >= 3) { + if (aceArray[2].startsWith("0x")) { + hm.put("perms", translatePermissionMask(aceArray[2], params)); + } else { + ArrayList al = new ArrayList(); + Pattern permPattern = /.{1,2}/; + Matcher permMatcher = permPattern.matcher(aceArray[2]); + while (permMatcher.find()) { + al.add(params.PermissionDescription[permMatcher.group(0)]); + } + hm.put("perms", al); + } + } + return hm; + } + String translateSID(def sid, def params) { + if (!params.AccountSIDDescription.containsKey(sid)) { + if (sid.startsWith("S-1-5-21")) { + Pattern uidPattern = /[0-9]{1,5}$/; + Matcher uidMatcher = uidPattern.matcher(sid); + if (uidMatcher.find()) { + return params.DomainSpecificSID[uidMatcher.group(0)]; + } + return sid; + } + return sid; + } + return params.AccountSIDDescription[sid]; + } + + + void enrichSDDL(def sddlStr, def Sd, def params, def ctx) { + Pattern sdOwnerPattern = /^O\:[A-Z]{2}/; + Matcher sdOwnerMatcher = sdOwnerPattern.matcher(sddlStr); + if (sdOwnerMatcher.find()) { + ctx.winlog.event_data.put(Sd + "Owner", translateSID(sdOwnerMatcher.group(0), params)); + } + + Pattern 
sdGroupPattern = /^G\:[A-Z]{2}/; + Matcher sdGroupMatcher = sdGroupPattern.matcher(sddlStr); + if (sdGroupMatcher.find()) { + ctx.winlog.event_data.put(Sd + "Group", translateSID(sdGroupMatcher.group(0), params)); + } + + Pattern sdDaclPattern = /(D:([A-Z]*(\(.*\))*))/; + Matcher sdDaclMatcher = sdDaclPattern.matcher(sddlStr); + if (sdDaclMatcher.find()) { + Pattern dacListPattern = /\([^*\)]*\)/; + Matcher dacListMatcher = dacListPattern.matcher(sdDaclMatcher.group(1)); + for (def i = 0; dacListMatcher.find(); i++) { + def newDacl = translateACL(dacListMatcher.group(0).replace("(","").replace(")",""), params); + ctx.winlog.event_data.put(Sd + "Dacl" + i.toString(), newDacl['grantee'] + " :" + newDacl['type'] + " (" + newDacl['perms'] + ")"); + if (["Administrator", "Guest", "KRBTGT"].contains(newDacl['grantee'])) { + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(newDacl['grantee'])) { + ctx.related.user.add(newDacl['grantee']); + } + } + } + } + + Pattern sdSaclPattern = /(S:([A-Z]*(\(.*\))*))?$/; + Matcher sdSaclMatcher = sdSaclPattern.matcher(sddlStr); + if (sdSaclMatcher.find()) { + Pattern sacListPattern = /\([^*\)]*\)/; + Matcher sacListMatcher = sacListPattern.matcher(sdSaclMatcher.group(0)); + for (def i = 0; sacListMatcher.find(); i++) { + def newSacl = translateACL(sacListMatcher.group(0).replace("(","").replace(")",""), params); + ctx.winlog.event_data.put(Sd + "Sacl" + i.toString(), newSacl['grantee'] + " :" + newSacl['type'] + " (" + newSacl['perms'] + ")"); + if (["Administrator", "Guest", "KRBTGT"].contains(newSacl['grantee'])) { + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(newSacl['grantee'])) 
{ + ctx.related.user.add(newSacl['grantee']); + } + } + } + } + } + + void splitSidList(def sids, def params, def ctx) { + ArrayList al = new ArrayList(); + def sidList = sids.splitOnToken(" "); + ctx.winlog.event_data.put("SidList", sidList); + for (def i = 0; i < sidList.length; i++ ) { + al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params)); + } + ctx.winlog.event_data.put("SidListDesc", al); + } + + if (ctx?.event?.code == null || + !["4670", "4817", "4907", "4908"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.event_data?.OldSd != null) { + enrichSDDL(ctx.winlog.event_data.OldSd, "OldSd", params, ctx); + } + if (ctx?.winlog?.event_data?.NewSd != null) { + enrichSDDL(ctx.winlog.event_data.NewSd, "NewSd", params, ctx); + } + if (ctx?.winlog?.event_data?.SidList != null) { + splitSidList(ctx.winlog.event_data.SidList, params, ctx); + } + + - set: + field: file.name + copy_from: winlog.event_data.RelativeTargetName + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.RelativeTargetName != null && + ctx.winlog?.event_data?.RelativeTargetName != "" + - set: + field: file.directory + copy_from: winlog.event_data.ShareLocalPath + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.ShareLocalPath != null && + ctx.winlog?.event_data?.ShareLocalPath != "" + - set: + field: file.path + value: "{{file.directory}}\\{{file.name}}" + if: ctx.file?.name != null && ctx.file?.directory != null + - set: + field: file.directory + copy_from: winlog.event_data.ShareLocalPath + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.ShareLocalPath != null && + ctx.winlog?.event_data?.ShareLocalPath != "" + - set: + field: file.target_path + value: "{{winlog.event_data.ShareName}}\\{{file.name}}" + if: |- + ctx.event?.code != null && + ["5140", 
"5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.ShareName != null && + ctx.winlog?.event_data?.ShareName != "" && + ctx.file?.name != null + - script: + description: Adds file information. + lang: painless + if: ctx.file?.name != null + source: |- + def extIdx = ctx.file.name.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = ctx.file.name.substring(extIdx+1); + } +on_failure: + - set: + field: error.message + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" diff --git a/test/packages/parallel/system/data_stream/security/fields/agent.yml b/test/packages/parallel/system/data_stream/security/fields/agent.yml new file mode 100644 index 000000000..da4e652c5 --- /dev/null +++ b/test/packages/parallel/system/data_stream/security/fields/agent.yml 
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/test/packages/parallel/system/data_stream/security/fields/base-fields.yml b/test/packages/parallel/system/data_stream/security/fields/base-fields.yml
new file mode 100644
index 000000000..8c57a260b
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/fields/base-fields.yml
@@ -0,0 +1,26 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+ value: logs
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.security
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/test/packages/parallel/system/data_stream/security/fields/beats.yml b/test/packages/parallel/system/data_stream/security/fields/beats.yml
new file mode 100644
index 000000000..3c48f1f22
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/test/packages/parallel/system/data_stream/security/fields/ecs.yml b/test/packages/parallel/system/data_stream/security/fields/ecs.yml
new file mode 100644
index 000000000..db2b6257c
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/fields/ecs.yml
@@ -0,0 +1,140 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: event.provider
+- external: ecs
+ name: event.sequence
+- external: ecs
+ name: event.type
+- external: ecs
+ name: group.domain
+- external: ecs
+ name: group.id
+- external: ecs
+ name: group.name
+- external: ecs
+ name: host.name
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: log.level
+- external: ecs
+ name: message
+- external: ecs
+ name: process.args
+- external: ecs
+ name: process.args_count
+- external: ecs
+ name: process.command_line
+- external: ecs
+ name: process.entity_id
+- external: ecs
+ name: process.executable
+- external: ecs
+ name: process.name
+- external: ecs
+ name: process.parent.executable
+- external: ecs
+ name: process.parent.name
+- external: ecs
+ name: process.parent.pid
+- external: ecs
+ name: process.pid
+- external: ecs
+ name: process.title
+- external: ecs
+ name: related.hash
+- external: ecs
+ name: related.hosts
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: related.user
+- external: ecs
+ name: service.name
+- external: ecs
+ name: service.type
+- external: ecs
+ name: source.domain
+- external: ecs
+ name: source.as.number
+- external: ecs
+ name: source.as.organization.name
+- external: ecs
+ name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_name
+- external: ecs
+ name: source.geo.country_iso_code
+- external: ecs
+ name: source.geo.country_name
+- external: ecs
+ name: source.geo.location
+- external: ecs
+ name: source.geo.name
+- external: ecs
+ name: source.geo.region_iso_code
+- external: ecs
+ name: source.geo.region_name
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: source.port
+- external: ecs
+ name: user.domain
+- external: ecs
+ name: user.id
+- external: ecs
+ name: user.name
+- external: ecs
+ name: user.effective.domain
+- external: ecs
+ name: user.effective.id
+- external: ecs
+ name: user.effective.name
+- external: ecs
+ name: user.target.group.domain
+- external: ecs
+ name: user.target.group.id
+- external: ecs
+ name: user.target.group.name
+- external: ecs
+ name: user.target.name
+- external: ecs
+ name: user.target.domain
+- external: ecs
+ name: user.target.id
+- external: ecs
+ name: user.changes.name
+- external: ecs
+ name: file.name
+- external: ecs
+ name: file.path
+- external: ecs
+ name: file.target_path
+- external: ecs
+ name: file.directory
+- external: ecs
+ name: file.extension
+- external: ecs
+ name: error.code
+- external: ecs
+ name: error.message
diff --git a/test/packages/parallel/system/data_stream/security/fields/fields.yml b/test/packages/parallel/system/data_stream/security/fields/fields.yml
new file mode 100644
index 000000000..48deb4f52
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/fields/fields.yml
@@ -0,0 +1,30 @@
+- name: winlog.logon
+ type: group
+ description: Data related to a Windows logon.
+ fields:
+ - name: type
+ type: keyword
+ description: >
+ Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module.
+
+ example: RemoteInteractive
+ - name: id
+ type: keyword
+ description: >
+ Logon ID that can be used to associate this logon with other events related to the same logon session.
+
+ - name: failure.reason
+ type: keyword
+ description: >
+ The reason the logon failed.
+
+ - name: failure.status
+ type: keyword
+ description: >
+ The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field.
+
+ - name: failure.sub_status
+ type: keyword
+ description: >
+ Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field.
+
diff --git a/test/packages/parallel/system/data_stream/security/fields/winlog.yml b/test/packages/parallel/system/data_stream/security/fields/winlog.yml
new file mode 100644
index 000000000..e2fe86136
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/fields/winlog.yml
@@ -0,0 +1,662 @@
+- name: winlog
+ type: group
+ description: >
+ All fields specific to the Windows Event Log are defined here.
+
+ fields:
+ - name: api
+ required: true
+ type: keyword
+ description: >
+ The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API.
+
+ The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
+
+ - name: activity_id
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
+
+ - name: channel
+ type: keyword
+ required: true
+ description: >
+ The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
+
+ - name: computer_name
+ type: keyword
+ required: true
+ description: >
+ The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
+
+ - name: computerObject
+ type: group
+ description: >
+ computer Object data
+
+ fields:
+ - name: domain
+ type: keyword
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
+ - name: event_data
+ type: object
+ object_type: keyword
+ required: false
+ description: >
+ The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
+
+ - name: event_data
+ type: group
+ description: >
+ This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
+
+ fields:
+ - name: AccessGranted
+ type: keyword
+ - name: AccessList
+ type: keyword
+ - name: AccessListDescription
+ type: keyword
+ - name: AccessMask
+ type: keyword
+ - name: AccessMaskDescription
+ type: keyword
+ - name: AccessReason
+ type: keyword
+ - name: AccessRemoved
+ type: keyword
+ - name: AccountDomain
+ type: keyword
+ - name: AccountExpires
+ type: keyword
+ - name: AccountName
+ type: keyword
+ - name: AllowedToDelegateTo
+ type: keyword
+ - name: AuditPolicyChanges
+ type: keyword
+ - name: AuditPolicyChangesDescription
+ type: keyword
+ - name: AuditSourceName
+ type: keyword
+ - name: AuthenticationPackageName
+ type: keyword
+ - name: Binary
+ type: keyword
+ - name: BitlockerUserInputTime
+ type: keyword
+ - name: BootMode
+ type: keyword
+ - name: BootType
+ type: keyword
+ - name: BuildVersion
+ type: keyword
+ - name: CallerProcessId
+ type: keyword
+ - name: CallerProcessName
+ type: keyword
+ - name: Category
+ type: keyword
+ - name: CategoryId
+ type: keyword
+ - name: ClientAddress
+ type: keyword
+ - name: ClientName
+ type: keyword
+ - name: ClientProcessId
+ type: keyword
+ - name: CommandLine
+ type: keyword
+ - name: Company
+ type: keyword
+ - name: ComputerAccountChange
+ type: keyword
+ - name: CorruptionActionState
+ type: keyword
+ - name: CountOfCredentialsReturned
+ type: keyword
+ - name: CrashOnAuditFailValue
+ type: keyword
+ - name: CreationUtcTime
+ type: keyword
+ - name: Description
+ type: keyword
+ - name: Detail
+ type: keyword
+ - name: DeviceName
+ type: keyword
+ - name: DeviceNameLength
+ type: keyword
+ - name: DeviceTime
+ type: keyword
+ - name: DeviceVersionMajor
+ type: keyword
+ - name: DeviceVersionMinor
+ type: keyword
+ - name: DisplayName
+ type: keyword
+ -
name: DnsHostName
+ type: keyword
+ - name: DomainBehaviorVersion
+ type: keyword
+ - name: DomainName
+ type: keyword
+ - name: DomainPolicyChanged
+ type: keyword
+ - name: DomainSid
+ type: keyword
+ - name: DriveName
+ type: keyword
+ - name: DriverName
+ type: keyword
+ - name: DriverNameLength
+ type: keyword
+ - name: Dummy
+ type: keyword
+ - name: DwordVal
+ type: keyword
+ - name: EntryCount
+ type: keyword
+ - name: EventSourceId
+ type: keyword
+ - name: ExtraInfo
+ type: keyword
+ - name: FailureName
+ type: keyword
+ - name: FailureNameLength
+ type: keyword
+ - name: FailureReason
+ type: keyword
+ - name: FileVersion
+ type: keyword
+ - name: FinalStatus
+ type: keyword
+ - name: Flags
+ type: keyword
+ - name: Group
+ type: keyword
+ - name: GroupTypeChange
+ type: keyword
+ - name: HandleId
+ type: keyword
+ - name: HomeDirectory
+ type: keyword
+ - name: HomePath
+ type: keyword
+ - name: Identity
+ type: keyword
+ - name: IdleImplementation
+ type: keyword
+ - name: IdleStateCount
+ type: keyword
+ - name: ImpersonationLevel
+ type: keyword
+ - name: IntegrityLevel
+ type: keyword
+ - name: IpAddress
+ type: keyword
+ - name: IpPort
+ type: keyword
+ - name: KerberosPolicyChange
+ type: keyword
+ - name: KeyLength
+ type: keyword
+ - name: LastBootGood
+ type: keyword
+ - name: LastShutdownGood
+ type: keyword
+ - name: LmPackageName
+ type: keyword
+ - name: LogonGuid
+ type: keyword
+ - name: LogonHours
+ type: keyword
+ - name: LogonId
+ type: keyword
+ - name: LogonID
+ type: keyword
+ - name: LogonProcessName
+ type: keyword
+ - name: LogonType
+ type: keyword
+ - name: MachineAccountQuota
+ type: keyword
+ - name: MajorVersion
+ type: keyword
+ - name: MandatoryLabel
+ type: keyword
+ - name: MaximumPerformancePercent
+ type: keyword
+ - name: MemberName
+ type: keyword
+ - name: MemberSid
+ type: keyword
+ - name: MinimumPerformancePercent
+ type: keyword
+ - name: MinimumThrottlePercent
+ type: keyword
+ - name: MinorVersion
+ type:
keyword
+ - name: MixedDomainMode
+ type: keyword
+ - name: NewProcessId
+ type: keyword
+ - name: NewProcessName
+ type: keyword
+ - name: NewSchemeGuid
+ type: keyword
+ - name: NewSd
+ type: keyword
+ - name: NewSdDacl0
+ type: keyword
+ - name: NewSdDacl1
+ type: keyword
+ - name: NewSdDacl2
+ type: keyword
+ - name: NewSdSacl0
+ type: keyword
+ - name: NewSdSacl1
+ type: keyword
+ - name: NewSdSacl2
+ type: keyword
+ - name: NewTargetUserName
+ type: keyword
+ - name: NewTime
+ type: keyword
+ - name: NewUACList
+ type: keyword
+ - name: NewUacValue
+ type: keyword
+ - name: NominalFrequency
+ type: keyword
+ - name: Number
+ type: keyword
+ - name: ObjectName
+ type: keyword
+ - name: ObjectServer
+ type: keyword
+ - name: ObjectType
+ type: keyword
+ - name: OemInformation
+ type: keyword
+ - name: OldSchemeGuid
+ type: keyword
+ - name: OldSd
+ type: keyword
+ - name: OldSdDacl0
+ type: keyword
+ - name: OldSdDacl1
+ type: keyword
+ - name: OldSdDacl2
+ type: keyword
+ - name: OldSdSacl0
+ type: keyword
+ - name: OldSdSacl1
+ type: keyword
+ - name: OldSdSacl2
+ type: keyword
+ - name: OldTargetUserName
+ type: keyword
+ - name: OldTime
+ type: keyword
+ - name: OldUacValue
+ type: keyword
+ - name: OriginalFileName
+ type: keyword
+ - name: PackageName
+ type: keyword
+ - name: PasswordLastSet
+ type: keyword
+ - name: PasswordHistoryLength
+ type: keyword
+ - name: Path
+ type: keyword
+ - name: ParentProcessName
+ type: keyword
+ - name: PerformanceImplementation
+ type: keyword
+ - name: PreviousCreationUtcTime
+ type: keyword
+ - name: PreAuthType
+ type: keyword
+ - name: PreviousTime
+ type: keyword
+ - name: PrimaryGroupId
+ type: keyword
+ - name: PrivilegeList
+ type: keyword
+ - name: ProcessCreationTime
+ type: keyword
+ - name: ProcessId
+ type: keyword
+ - name: ProcessName
+ type: keyword
+ - name: ProcessPath
+ type: keyword
+ - name: ProcessPid
+ type: keyword
+ - name: Product
+ type: keyword
+ - name: ProfilePath
+ type: keyword
+ - name:
PuaCount + type: keyword + - name: PuaPolicyId + type: keyword + - name: QfeVersion + type: keyword + - name: ReadOperation + type: keyword + - name: Reason + type: keyword + - name: RelativeTargetName + type: keyword + - name: Resource + type: keyword + - name: ResourceAttributes + type: keyword + - name: ReturnCode + type: keyword + - name: SamAccountName + type: keyword + - name: Schema + type: keyword + - name: SchemaFriendlyName + type: keyword + - name: SchemaVersion + type: keyword + - name: ScriptPath + type: keyword + - name: SearchString + type: keyword + - name: SidHistory + type: keyword + - name: ScriptBlockText + type: keyword + - name: Service + type: keyword + - name: ServiceAccount + type: keyword + - name: ServiceFileName + type: keyword + - name: ServiceName + type: keyword + - name: ServicePrincipalNames + type: keyword + - name: ServiceSid + type: keyword + - name: ServiceStartType + type: keyword + - name: ServiceType + type: keyword + - name: ServiceVersion + type: keyword + - name: SessionName + type: keyword + - name: ShareLocalPath + type: keyword + - name: ShareName + type: keyword + - name: ShutdownActionType + type: keyword + - name: ShutdownEventCode + type: keyword + - name: ShutdownReason + type: keyword + - name: SidFilteringEnabled + type: keyword + - name: Signature + type: keyword + - name: SignatureStatus + type: keyword + - name: Signed + type: keyword + - name: StartTime + type: keyword + - name: State + type: keyword + - name: Status + type: keyword + - name: StatusDescription + type: keyword + - name: StopTime + type: keyword + - name: SubCategory + type: keyword + - name: SubCategoryGuid + type: keyword + - name: SubcategoryGuid + type: keyword + - name: SubCategoryId + type: keyword + - name: SubcategoryId + type: keyword + - name: SubjectDomainName + type: keyword + - name: SubjectLogonId + type: keyword + - name: SubjectUserName + type: keyword + - name: SubjectUserSid + type: keyword + - name: SubStatus + type: keyword 
+ - name: TSId + type: keyword + - name: TargetDomainName + type: keyword + - name: TargetInfo + type: keyword + - name: TargetLogonGuid + type: keyword + - name: TargetLogonId + type: keyword + - name: TargetName + type: keyword + - name: TargetServerName + type: keyword + - name: TargetSid + type: keyword + - name: TargetUserName + type: keyword + - name: TargetUserSid + type: keyword + - name: TdoAttributes + type: keyword + - name: TdoDirection + type: keyword + - name: TdoType + type: keyword + - name: TerminalSessionId + type: keyword + - name: TicketEncryptionType + type: keyword + - name: TicketEncryptionTypeDescription + type: keyword + - name: TicketOptions + type: keyword + - name: TicketOptionsDescription + type: keyword + - name: TokenElevationType + type: keyword + - name: TransmittedServices + type: keyword + - name: Type + type: keyword + - name: UserAccountControl + type: keyword + - name: UserParameters + type: keyword + - name: UserPrincipalName + type: keyword + - name: UserSid + type: keyword + - name: UserWorkstations + type: keyword + - name: Version + type: keyword + - name: Workstation + type: keyword + - name: WorkstationName + type: keyword + - name: param1 + type: keyword + - name: param2 + type: keyword + - name: param3 + type: keyword + - name: param4 + type: keyword + - name: param5 + type: keyword + - name: param6 + type: keyword + - name: param7 + type: keyword + - name: param8 + type: keyword + - name: event_id + type: keyword + required: true + description: > + The event identifier. The value is specific to the source of the event. + + - name: keywords + type: keyword + required: false + description: > + The keywords are used to classify an event. + + - name: level + type: keyword + required: false + description: > + The event severity. Levels are Critical, Error, Warning and Information, Verbose + + - name: outcome + type: keyword + required: false + description: > + Success or Failure of the event. 
+ + - name: record_id + type: keyword + required: true + description: > + The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. + + - name: related_activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. + + - name: opcode + type: keyword + required: false + description: > + The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. + + - name: provider_guid + type: keyword + required: false + description: > + A globally unique identifier that identifies the provider that logged the event. + + - name: process.pid + type: long + required: false + description: > + The process_id of the Client Server Runtime Process. + + - name: provider_name + type: keyword + required: true + description: > + The source of the event log record (the application or service that logged the record). + + - name: task + type: keyword + required: false + description: > + The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. 
+ + - name: time_created + type: date + required: false + description: > + Time event was created + + - name: trustAttribute + type: keyword + required: false + - name: trustDirection + type: keyword + required: false + - name: trustType + type: keyword + required: false + - name: process.thread.id + type: long + required: false + - name: user_data + type: object + object_type: keyword + required: false + description: > + The event specific data. This field is mutually exclusive with `event_data`. + + - name: user_data + type: group + description: > + The event specific data. This field is mutually exclusive with `event_data`. + + fields: + - name: BackupPath + type: keyword + - name: Channel + type: keyword + - name: SubjectDomainName + type: keyword + - name: SubjectLogonId + type: keyword + - name: SubjectUserName + type: keyword + - name: SubjectUserSid + type: keyword + - name: xml_name + type: keyword + - name: user.identifier + type: keyword + required: false + example: S-1-5-21-3541430928-2051711210-1391384369-1001 + description: > + The Windows security identifier (SID) of the account associated with this event. + + If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. + + - name: user.name + type: keyword + description: > + Name of the user associated with this event. + + - name: user.domain + type: keyword + required: false + description: > + The domain that the account associated with this event is a member of. + + - name: user.type + type: keyword + required: false + description: > + The type of account associated with this event. + + - name: version + type: long + required: false + description: The version number of the event's definition. 
diff --git a/test/packages/parallel/system/data_stream/security/manifest.yml b/test/packages/parallel/system/data_stream/security/manifest.yml
new file mode 100644
index 000000000..02ae7a6d6
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/manifest.yml
@@ -0,0 +1,80 @@
+type: logs
+title: Security logs
+streams:
+ - input: winlog
+ template_path: winlog.yml.hbs
+ title: Security
+ description: 'Security channel'
+ vars:
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: >-
+ Preserves a raw copy of the original XML event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: event_id
+ type: text
+ title: Event ID
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 clauses, lower in some situations. See integration documentation for more details.
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: language
+ type: text
+ title: Language ID
+ description: >-
+ The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US
+ required: false
+ show_user: false
+ default: 0
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: httpjson
+ title: Windows Security Events via Splunk Enterprise REST API
+ description: Collect Security Events via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: false
+ required: true
+ default: "search sourcetype=\"XmlWinEventLog:Security\""
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
diff --git a/test/packages/parallel/system/data_stream/security/sample_event.json b/test/packages/parallel/system/data_stream/security/sample_event.json
new file mode 100644
index 000000000..3f8e10d48
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/sample_event.json
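Review bot: The `preserve_original_event` description in the winlog stream says only that a raw copy of the XML event is added to `event.original`, and gives the operator no hint of what that copy holds for the Security channel. The raw XML carries the event's full payload, so account and host identifiers end up stored a second time, outside the parsed `winlog.*` fields that field-level access rules are usually written against. I would extend the description with one sentence such as `Enabling this stores the complete Security event XML, including account and host identifiers; apply the same access control and retention to event.original as to the source log.` If this fixture is meant to stay identical to the upstream system package, the wording presumably belongs there first.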
@@ -0,0 +1,75 @@
+{
+ "@timestamp": "2019-11-07T10:37:04.226Z",
+ "agent": {
+ "ephemeral_id": "aa973fb6-b8fe-427e-a9e9-51c411926db8",
+ "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.1"
+ },
+ "data_stream": {
+ "dataset": "system.security",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6",
+ "snapshot": true,
+ "version": "8.2.1"
+ },
+ "event": {
+ "action": "logging-service-shutdown",
+ "agent_id_status": "verified",
+ "category": [
+ "process"
+ ],
+ "code": "1100",
+ "created": "2022-05-18T06:07:07.204Z",
+ "dataset": "system.security",
+ "ingested": "2022-05-18T06:07:08Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Eventlog' Guid='{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}'/\u003e\u003cEventID\u003e1100\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x4020000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-11-07T10:37:04.226092500Z'/\u003e\u003cEventRecordID\u003e14257\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1144' ThreadID='4532'/\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eWIN-41OB2LO92CR.wlbeat.local\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cUserData\u003e\u003cServiceShutdown xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'\u003e\u003c/ServiceShutdown\u003e\u003c/UserData\u003e\u003c/Event\u003e",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Eventlog",
+ "type": [
+ "end"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "information"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ],
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "event_id": "1100",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 1144,
+ "thread": {
+ "id": 4532
+ }
+ },
+ "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
+ "provider_name": "Microsoft-Windows-Eventlog",
+ "record_id": "14257",
+ "time_created": "2019-11-07T10:37:04.226Z"
+ }
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/socket_summary/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/socket_summary/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000..e7da2422b
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/socket_summary/agent/stream/stream.yml.hbs
@@ -0,0 +1,15 @@
+metricsets: ["socket_summary"]
+period: {{period}}
+{{#if system.hostfs}}
+system.hostfs: {{system.hostfs}}
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/socket_summary/fields/agent.yml b/test/packages/parallel/system/data_stream/socket_summary/fields/agent.yml
new file mode 100644
index 000000000..dc30327e9
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/socket_summary/fields/agent.yml
@@ -0,0 +1,205 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + dimension: true + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + dimension: true + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + dimension: true + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + dimension: true + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + dimension: true + - name: project.id + type: keyword + description: Name of the project in Google Cloud. 
+ - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + dimension: true + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. 
+ + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + dimension: true + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. 
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/test/packages/parallel/system/data_stream/socket_summary/fields/base-fields.yml b/test/packages/parallel/system/data_stream/socket_summary/fields/base-fields.yml
new file mode 100644
index 000000000..0e1c05609
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/socket_summary/fields/base-fields.yml
@@ -0,0 +1,17 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.socket_summary
diff --git a/test/packages/parallel/system/data_stream/socket_summary/fields/ecs.yml b/test/packages/parallel/system/data_stream/socket_summary/fields/ecs.yml
new file mode 100644
index 000000000..8840ed262
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/socket_summary/fields/ecs.yml
@@ -0,0 +1,49 @@
+- external: ecs
+ name: '@timestamp'
+- external: ecs
+ name: message
+- external: ecs
+ name: group
+- external: ecs
+ name: group.id
+- external: ecs
+ name: group.name
+- external: ecs
+ name: host
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: process
+- external: ecs
+ name: process.name
+- external: ecs
+ name: process.pid
+- external: ecs
+ name: source
+- external: ecs
+ name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_name
+- external: ecs
+ name: source.geo.country_iso_code
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- external: ecs
+ name: source.geo.region_iso_code
+- external: ecs
+ name: source.geo.region_name
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: source.port
+- external: ecs
+ name: user
+- external: ecs
+ name: user.id
+- external: ecs
+ name: user.name
+- external: ecs
+ name: agent.id
+ dimension: true
diff --git a/test/packages/parallel/system/data_stream/socket_summary/fields/fields.yml b/test/packages/parallel/system/data_stream/socket_summary/fields/fields.yml
new file mode 100644
index 000000000..fca58be0c
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/socket_summary/fields/fields.yml
@@ -0,0 +1,106 @@
+- name: system.socket.summary
+ title: Socket summary
+ type: group
+ fields:
+ - name: all
+ type: group
+ fields:
+ - name: count
+ type: integer
+ metric_type: gauge
+ description: |
+ All open connections
+ - name: listening
+ type: integer
+ metric_type: gauge
+ description: |
+ All listening ports
+ - name: tcp
+ type: group
+ fields:
+ - name: memory
+ type: integer
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: "Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. \n"
+ - name: all
+ type: group
+ fields:
+ - name: orphan
+ type: integer
+ metric_type: gauge
+ description: |
+ A count of all orphaned tcp sockets. Only available on Linux.
+ - name: count
+ type: integer
+ metric_type: gauge
+ description: |
+ All open TCP connections
+ - name: listening
+ type: integer
+ metric_type: gauge
+ description: |
+ All TCP listening ports
+ - name: established
+ type: integer
+ metric_type: gauge
+ description: |
+ Number of established TCP connections
+ - name: close_wait
+ type: integer
+ metric_type: gauge
+ description: |
+ Number of TCP connections in _close_wait_ state
+ - name: time_wait
+ type: integer
+ metric_type: gauge
+ description: |
+ Number of TCP connections in _time_wait_ state
+ - name: syn_sent
+ type: integer
+ metric_type: gauge
+ description: |
+ Number of TCP connections in _syn_sent_ state
+ - name: syn_recv
+ type: integer
+ metric_type: gauge
+ description: |
+ Number of TCP connections in _syn_recv_ state
+ - name: fin_wait1
+ type: integer
+ metric_type: gauge
+ description: |
+ Number of TCP connections in _fin_wait1_ state
+ - name: fin_wait2
+ type: integer
+ metric_type: gauge
+ description: |
+ Number of TCP connections in _fin_wait2_ state
+ - name: last_ack
+ type: integer
+ metric_type: gauge
+ description: |
+ Number of TCP connections in _last_ack_ state
+ - name: closing
+ type: integer
+ metric_type: gauge
+ description: |
+ Number of TCP connections in _closing_ state
+ - name: udp
+ type: group
+ fields:
+ - name: memory
+ type: integer
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: "Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. \n"
+ - name: all
+ type: group
+ fields:
+ - name: count
+ type: integer
+ metric_type: gauge
+ description: |
+ All open UDP connections
diff --git a/test/packages/parallel/system/data_stream/socket_summary/manifest.yml b/test/packages/parallel/system/data_stream/socket_summary/manifest.yml
new file mode 100644
index 000000000..b4fc6fcf4
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/socket_summary/manifest.yml
@@ -0,0 +1,29 @@
+title: System socket_summary metrics
+type: metrics
+elasticsearch:
+ index_mode: "time_series"
+streams:
+ - input: system/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 10s
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ title: System socket_summary metrics
+ description: Collect System socket_summary metrics
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log
new file mode 100644
index 000000000..ec5b4bd66
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log @@ -0,0 +1,21 @@ +Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for "All Products" using engine + >> + processor= + isProcessing=NO actionsCompleted=0 progress=0.00 + errors=0 currentActionErrors=0 + events=0 currentActionEvents=0 + actionQueue=( ) + > + delegate=(null) + serverInfoStore=(null) + errors=0 + > +Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'. +Apr 4 03:39:57 --- last message repeated 1 time --- diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-config.yml b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-config.yml new file mode 100644 index 000000000..29de1b5c8 --- /dev/null +++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-config.yml @@ -0,0 +1,7 @@ +dynamic_fields: + "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}-[0-9]{2}:[0-9]{2}$" +multiline: + first_line_pattern: "^\\w+ \\d+ " +fields: + event.kind: "event" + event.timezone: "GMT-0200" diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-expected.json b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-expected.json new file mode 100644 index 000000000..2275efb22 --- /dev/null +++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-expected.json 
@@ -0,0 +1,60 @@ +{ + "expected": [ + { + "@timestamp": "2022-12-13T11:35:28.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \u003cKSUpdateEngine:0x100341a00\n\t\tticketStore=\u003cKSPersistentTicketStore:0x100204520 store=\u003cKSKeyedPersistentStore:0x100213290\n\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore\"\n\t\t\tlockFile=\u003cKSLockFile:0x1002160e0\n\t\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore.lock\"\n\t\t\t\tlocked=NO\n\t\t\t\u003e\n\t\t\u003e\u003e\n\t\tprocessor=\u003cKSActionProcessor:0x1003bb5f0\n\t\t\tdelegate=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t\u003e\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t\u003e", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:28.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-04-04T03:39:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + 
"timezone": "GMT-0200" + }, + "message": "--- last message repeated 1 time ---", + "system": { + "syslog": {} + } + } + ] +} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log new file mode 100644 index 000000000..f0329c33c --- /dev/null +++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log 
@@ -0,0 +1,497 @@ +Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.419 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp performSelfUpdateWithEngine:] Finished self update check. +Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for "All Products" using engine + >> + processor= + isProcessing=NO actionsCompleted=0 progress=0.00 + errors=0 currentActionErrors=0 + events=0 currentActionEvents=0 + actionQueue=( ) + > + delegate=(null) + serverInfoStore=(null) + errors=0 + > +Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'. +Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.422 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSCheckAction performAction] KSCheckAction checking 2 ticket(s). 
+Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.428 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction starting update check for ticket(s): {( + + serverType=Omaha + url=https://tools.google.com/service/update2 + creationDate=2015-06-25 15:40:23 + tagPath=/Applications/Google Chrome.app/Contents/Info.plist + tagKey=KSChannelID + brandPath=/Users/tsg/Library/Google/Google Chrome Brand.plist + brandKey=KSBrandID + versionPath=/Applications/Google Chrome.app/Contents/Info.plist + versionKey=KSVersion + cohort=1:1y5:gy3@0.05 + cohortName=Stable + ticketVersion=1 + >, + + serverType=Omaha + url=https://tools.google.com/service/update2 + creationDate=2015-09-11 20:38:12 + ticketVersion=1 + > + )} + Using server: + > +Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.446 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Chrome.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]="EQHXZ8M8AV" and (identifier="com.google.Chrome")' +Dec 13 11:35:29 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:29.430 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Drive.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]="EQHXZ8M8AV" and (identifier="com.google.GoogleDrive")' +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 
11:35:30.115 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction running KSServerUpdateRequest: + url="https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822" + fallbackURLs=( + http://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1617080069 + ) + runningFetchers=0 + tickets=2 + body= + + + + + + + + + + + + + headers={ + "X-GoogleUpdate-Interactivity" = bg; + } + > +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.116 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher start fetch from URL: "https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822" +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.117 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) launchedHelperTaskForToolPath:error:] KSOutOfProcessFetcher launched '/Users/tsg/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch' with process id: 21414 +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher sending both request and download file location to the helper. +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] KSSendAllDataToHelper() KSHelperTool wrote 2383 bytes to the helper input. 
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] Closing the file handle. +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher fetching from URL: "https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822" +Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.149 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] KSHelperReceiveAllData() KSHelperTool read 2383 bytes from stdin. +Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a request: { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 } +Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a download path: /tmp/KSOutOfProcessFetcher.QTqOLkktQz/download +Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch fetching URL ( { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }) to folder:/tmp/KSOutOfProcessFetcher.QTqOLkktQz/download +Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Setting up download file handles... 
+Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] -[FetchDelegate fetcher:finishedWithData:] Fetcher downloaded successfully data of length: 0 +Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch done fetching. +Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.351 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher is exiting. +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperErrorAvailable:] KSOutOfProcessFetcher helper tool raw STDERR: + : <> +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperDidTerminate:] KSOutOfProcessFetcher fetch ended for URL: "https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822" +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.355 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(KSServerUpdateRequestDelegate) serverRequest:fetchedWithResponse:] KSUpdateCheckAction received KSServerUpdateResponse: + url="https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822" + tickets=2 + status=200 + data= + + + + + + + + + + + + + > +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.356 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOmahaServer updateInfosForUpdateResponse:updateRequest:infoStore:upToDateTickets:updatedTickets:events:errors:] Response passed CUP validation. 
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.381 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(PrivateMethods) finishAction] KSUpdateCheckAction found updates: {( )} +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSPrefetchAction performAction] KSPrefetchAction no updates to prefetch. +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSSilentUpdateAction had no updates to apply. +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSPromptAction had no updates to apply. +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneDelegate) updateEngineFinishedWithErrors:] Keystone finished: errors=0 +Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.385 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine(PrivateMethods) updateFinish] KSUpdateEngine update processing complete. 
+Dec 13 11:35:31 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:31.142 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Done checking for updates for '"All Products"' using engine + >> + processor= + isProcessing=NO actionsCompleted=0 progress=0.00 + errors=0 currentActionErrors=0 + events=0 currentActionEvents=0 + actionQueue=( ) + > + delegate= + serverInfoStore= + errors=0 + > +Dec 13 11:35:31 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:31.302 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentUploader fetcher:finishedWithData:] Successfully uploaded stats to { URL: https://tools.google.com/service/update2 } +Dec 13 11:35:31 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:31.431 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp uploadStats:] Successfully uploaded stats +Dec 13 11:35:32 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:32.508 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneThread) runKeystonesInThreadWithArg:] Finished with engine thread +Dec 13 11:35:32 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:32.825 GoogleSoftwareUpdateAgent[21412/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp checkForUpdates] Finished update check. +Dec 13 11:35:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000a8499d0 holds 0x2121212121212121 instead of 0x600006a22fa0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 11:37:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f047240 holds 0x2121212121212121 instead of 0x608002231220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. 
+Dec 13 11:38:45 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21498]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 11:39:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000a256990 holds 0x2121212121212121 instead of 0x600006a22420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:41:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x6080096475d0 holds 0x2121212121212121 instead of 0x608004e21280. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:41:57 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 11:42:55 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21556]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 11:45:18 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
+Dec 13 11:45:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000a85a860 holds 0x2121212121212121 instead of 0x600004a3b9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:47:06 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21581]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 11:47:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x608009840580 holds 0x2121212121212121 instead of 0x608004a22940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:49:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x608009c5b700 holds 0x2121212121212121 instead of 0x608005830020. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:51:17 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21586]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 11:51:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800ee592d0 holds 0x2121212121212121 instead of 0x608005627220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:51:57 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 11:53:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000c648290 holds 0x2121212121212121 instead of 0x6000050242a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:55:28 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21589]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 11:55:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600009840460 holds 0x2121212121212121 instead of 0x60000122e940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:56:30 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
+Dec 13 11:57:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000ee5b730 holds 0x2121212121212121 instead of 0x600007821c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:59:40 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21946]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:01:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600006a49940 holds 0x2121212121212121 instead of 0x6000078202e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:01:57 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 12:03:04 a-mac-with-esc-key Slack Helper[55199]: Invoked notification with id: d63743fb-f17b-4e9e-97d0-88e0e7304682
+Dec 13 12:03:51 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21966]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:05:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f043dc0 holds 0x2121212121212121 instead of 0x6080026228c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:08:02 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21981]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:09:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x608009a53600 holds 0x2121212121212121 instead of 0x608000629420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:11:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f259c30 holds 0x2121212121212121 instead of 0x608004a21c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:11:57 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 12:12:13 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22226]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:13:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000c647d80 holds 0x2121212121212121 instead of 0x600006e3ee80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:15:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f053a80 holds 0x2121212121212121 instead of 0x608007227ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:16:24 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22241]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:17:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000a64ce80 holds 0x2121212121212121 instead of 0x600006629940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:19:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000a843580 holds 0x2121212121212121 instead of 0x600006629540. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:20:35 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22254]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:21:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f45b910 holds 0x2121212121212121 instead of 0x608005822c40. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:21:57 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 12:23:13 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
+Dec 13 12:23:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000ea5edf0 holds 0x2121212121212121 instead of 0x600003a35a60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:24:46 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22265]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:28:43 a-mac-with-esc-key Slack Helper[55199]: Invoked notification with id: 52bf37d9-0c4e-4276-8789-9fc7704bdf5b
+Dec 13 12:28:57 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22292]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:29:06 a-mac-with-esc-key Slack Helper[55199]: Invoked notification with id: c6c7e356-60a7-4b9e-a9b1-ecc2b8ad09f2
+Dec 13 12:29:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f246430 holds 0x2121212121212121 instead of 0x608001c26d00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:31:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800c85fd80 holds 0x2121212121212121 instead of 0x608005a3a420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:31:57 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 12:33:08 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22305]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:33:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600006452400 holds 0x2121212121212121 instead of 0x60000763bac0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:35:56 a-mac-with-esc-key GoogleSoftwareUpdateAgent[22318]: 2016-12-13 12:35:56.416 GoogleSoftwareUpdateAgent[22318/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings:
+Dec 13 12:37:20 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22324]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:37:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f24d0f0 holds 0x2121212121212121 instead of 0x608007423ee0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:39:28 a-mac-with-esc-key Slack Helper[55199]: Invoked notification with id: aa608788-d049-4d1a-9112-521c71702371
+Dec 13 12:41:06 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
+Dec 13 12:41:26 a-mac-with-esc-key Slack Helper[55199]: Invoked notification with id: d75f9ec1-a8fd-41c2-a45e-6df2952f0702
+Dec 13 12:41:30 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22336]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:41:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800a2535a0 holds 0x2121212121212121 instead of 0x608003828e20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:41:57 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 12:43:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f241d50 holds 0x2121212121212121 instead of 0x60800562f380. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:45:41 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22348]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:45:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000c444450 holds 0x2121212121212121 instead of 0x600007237f00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:47:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000c4424a0 holds 0x2121212121212121 instead of 0x600007026520. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:49:13 a-mac-with-esc-key logd[63]: _handle_cache_delete_with_urgency(0x7fc55c429b40, 0, 1)
+Dec 13 12:49:13 a-mac-with-esc-key logd[63]: _volume_contains_cached_data(is /private/var/db/diagnostics/ in /) - YES
+Dec 13 12:49:13 a-mac-with-esc-key logd[63]: Purged 0 bytes from log files.
+Dec 13 12:49:13 a-mac-with-esc-key logd[63]: _purge_uuidtext enter - 1 +Dec 13 12:49:14 a-mac-with-esc-key logd[63]: _purge_uuidtext got 1023 UUIDs and 3 slibs from inflight logs +Dec 13 12:49:14 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit +Dec 13 12:49:24 a-mac-with-esc-key logd[63]: _purge_uuidtext got 1303 UUIDs and 3 slibs from inflight and persistent logs +Dec 13 12:49:24 a-mac-with-esc-key logd[63]: _purge_uuidtext processing shared lib uuid 00000000-0000-0000-0000-000000000000 +Dec 13 12:49:24 a-mac-with-esc-key logd[63]: _purge_uuidtext processing shared lib uuid 519BE6A1-940A-3142-975F-4EF4F41A89B3 +Dec 13 12:49:24 a-mac-with-esc-key logd[63]: _purge_uuidtext processing shared lib uuid C43133F6-64A3-3F65-997F-0E985A66E971 +Dec 13 12:49:24 a-mac-with-esc-key logd[63]: _purge_uuidtext got 2260 UUIDs and 3 slibs from inflight and persistent logs and slibs +Dec 13 12:49:24 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 00000000-0000-0000-0000-000000000000 mentioned but not found +Dec 13 12:49:27 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 1BD0C00C-0885-4C02-B522-D1E9CBDE84E7 mentioned but not found +Dec 13 12:49:29 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 40E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 60E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 66A56E12-C69B-4249-BC49-760C03F3700A mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700F0308-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700F190B-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key 
logd[63]: _purge_uuidtext uuidtext file for 700F3C07-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700F6107-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700F800A-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700F8102-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700F9401-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700FD70E-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700FD900-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700FEE0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700FF904-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701F1C0F-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701F2F0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701F4C02-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701FAE07-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701FBD0F-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext 
uuidtext file for 701FE80B-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701FEF07-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701FF700-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701FF90D-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 702F5E0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 702F6503-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 702F6B06-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 702FEB0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 702FFC01-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703F0E06-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703F4A0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703F8C07-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703F9405-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703FA300-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 
703FC709-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703FD007-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703FED05-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704F0003-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704F550C-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704F750A-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704F8102-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704F8C0C-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704F8D09-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704FB402-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704FBB01-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 705F030E-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 705F2D10-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 705F3B01-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 
705F4E0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 705FA30D-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 705FDA05-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 705FDF03-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 706F5101-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 706F6300-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 706F6E05-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 706FE207-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 706FEC00-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 706FFB07-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707F0907-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707F6A04-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707F7B00-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707F9B0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 
707FAD09-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707FB80A-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707FD809-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707FE404-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708F3207-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708F3402-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708F3809-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708F470F-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708F8A00-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708F9F0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708FB403-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708FC507-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708FDC07-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708FEA0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 
708FFC08-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709F1005-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709F1E0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709F4C0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709F5F08-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709F6306-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709F6903-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709F980E-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709FA80C-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709FE302-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709FE808-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709FE809-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709FED00-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709FEF02-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 
709FEF0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF070C-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF2108-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF270C-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF390B-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF4A0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF6D06-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF700E-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF810D-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF9D02-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AFA200-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AFBE07-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AFCC02-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BF210E-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 
70BF4C0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BF9000-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BF9302-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BFC302-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BFD507-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BFD605-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BFE302-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BFFF03-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF0210-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF0603-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF0802-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF180F-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF1902-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF4A07-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 
70CF530D-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF590D-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF770D-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CFA700-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CFC804-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CFE00C-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CFEA09-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CFED0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70DF4B07-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70DF7301-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70DFA303-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70DFCB0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70DFDD01-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70DFE504-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 
70E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EF2F0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EF4609-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EF5D05-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EF7F07-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EF8606-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EFA406-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EFA60F-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EFC606-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EFD407-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70FF0207-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70FF1E04-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70FF6F01-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70FF7703-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 
70FF9708-0070-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:32 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 80E8BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:32 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for A0E8BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:32 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for A0E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found +Dec 13 12:49:32 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for B22412E8-3691-4FA9-95EA-C5B9E2A3C572 mentioned but not found +Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for F011D7E8-7633-3668-9455-53893C4F4B33 mentioned but not found +Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext tree walked +Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/00/0E757A4E2C3108A74D6C5A996AAAAB +Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/00/F2131643943190B32FE35236EA4864 +Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/06/608E438FDA3E28B9A262F575FE0E75 +Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/09/35918C5C783B8AB2E6B75B12056F3C +Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/11/DD409E112F373398E6DA86BF046EC9 +Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/14/65FB07456D36EC9EC80462D86BB21B +Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/18/A779EC17953910996D134A28F5C564 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/19/57E846B04C32FBAD78821B285B0D18 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/1E/79F11C7D5333F1BD0630540535F725 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: 
_purge_uuidtext unlinking /var/db/uuidtext/1E/9811DDA51A3BE9A4A748AD394DBE73 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/23/099C5F0A853312A9BD5694C15D228C +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/27/FBA267162735F8B5A6BF29E3A7670E +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/39/2980D3CAF73E2A94ED57F74979F1D9 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/3E/67870101A7359F88CCB9BD6681FC93 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/41/C51F4A33E03ACF86603802C9E6FFDE +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/42/BF3535B92C3272BA41F8A9BC267F3B +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/42/C18E8D6CEE37FF8DCD1390244CF38E +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/53/4B25B3C583361EADD5CB938678868C +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/54/090A60831C3233A4F0022DB86FF8B8 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/56/8EBEC4BC8230848898534D17830BB6 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/57/58C9F966E631669B74E6625D40C806 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/5E/F7315AF27B31A6A38D6364704D4FFC +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/5F/2B940389D136F2817A41C784D530CB +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/62/196B2A409236898AAD3A1520C53191 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/65/2D3DB29CBA32E297A65465CBA36B01 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking 
/var/db/uuidtext/67/58A21E3D2B3620952A68EC384CC1AF +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/69/ADA53CBD3A3E31B08CFD85B12D52E1 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/72/FB1BBBCA3E30E89802A68B8B2B07F1 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/74/702F7027E834ACB0057983649FFB29 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/75/B25BA663DB34EC9AAC6971BBE817EB +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/75/B88148A6E233F8AFF323294DE561E0 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/76/2702DC49823F9E8292BB022D6BAF84 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/76/73D347C0F834879F9438D542975A23 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/78/397DF6C0253FD383E4AFAE3DD2E49C +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/7F/BCC184181A3913ADC50E38F950D098 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/81/12B328744938E1ACF2846B35CD83B4 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/82/3CB803D77334D0B5C759685022D876 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/8A/860FB569623B81B0511956EC82CEA3 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/90/9D581D35E7358AA75371D3A038142D +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/99/AC7E971E8C3319AD0514626D763823 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/9A/53817F2101396598311DB81D851FBA +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking 
/var/db/uuidtext/9B/2EB7A3E93A3641B38EAD32B1CBE412 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/9F/E64976D7223E7F992BB3287AF23301 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/A7/8C02A56C0F3A9D90CAD8C92842B9A9 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/A9/733CC25E7239F98BC0812C5D7AF135 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/AB/450D449D5432C9B30A439A35B29931 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/B0/AF101031AA3188A08CF1517F800B2C +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/B4/77C958888B3AB092FD097D2C9A1B13 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/B4/BDFB4CAE49386B963E2C7A296B7D20 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/B5/0CBF2789673C6AB67F80F199CFD499 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/B6/41F64AD9923AD19AED8A35325FB04E +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/B6/566C8F2EA7349EB2C02647D2F69F97 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/BA/2A57BB4346303EA1E87862E6752057 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/C0/2D31E981553F31B0E9C36C232EE607 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/C0/E060E4E9373D4D9B4A930D3291F052 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/C2/531C46380A3DA489F7752C2FE6AEA0 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/C9/17C064F3903260A7DC304FABDDC3FD +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking 
/var/db/uuidtext/CD/E2995BDA593F96B16EF1AE92AF31D8 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/CE/EE9ADE6F813CD78A1308F14010F463 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/D1/7E3015AC923AFE89BAFE6411B96431 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/D3/AE090906EC3F058A04EE77A574C8B3 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/DA/BAD1584258317A8483FE9CF10547BD +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/DD/CCB6FD639830F39A5D87247D54F616 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/E1/05E61475463784975FC5278723D08C +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/E1/B515E0321E3B85B90F01D623DC9047 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/E2/8DBEF43A0A37008A26AE9F016435F3 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/E3/55D24FAC0838679583537F319C7B72 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/EF/8522BAF9393808A2E6018507233133 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/FC/F7262CC2703E32BD3808B2D50C74F0 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext total: 2209, in_use:2104, marked:23, recent:13, deleted 69 +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext slib tree cleaned up (0) +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext uuid tree cleaned up (3) +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext cleaned up (0) +Dec 13 12:49:34 a-mac-with-esc-key logd[63]: Purged 5816519 bytes from uuidtext. 
+Dec 13 12:49:52 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22360]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook +Dec 13 12:49:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600011443d90 holds 0x2121212121212121 instead of 0x600006e206c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 12:51:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800ac568a0 holds 0x2121212121212121 instead of 0x608003630680. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 12:51:58 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics +Dec 13 12:53:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000664ad50 holds 0x2121212121212121 instead of 0x600006c31140. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 12:54:03 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22370]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook +Dec 13 12:55:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x6000060446c0 holds 0x2121212121212121 instead of 0x600006c34d60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 12:57:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000c645c20 holds 0x2121212121212121 instead of 0x600002e295c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 12:58:14 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22382]): Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook +Dec 13 12:59:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800fe59330 holds 0x2121212121212121 instead of 0x608004030e80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 13:01:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000ec41a20 holds 0x2121212121212121 instead of 0x600002e2d920. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 13:01:58 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics +Dec 13 13:03:19 a-mac-with-esc-key Preview[24046]: BUG in libdispatch client: kevent[EVFILT_MACHPORT] monitored resource vanished before the source cancel handler was invoked +Dec 13 13:03:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x608007645da0 holds 0x2121212121212121 instead of 0x6080044252a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 13:05:26 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[25276]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook +Dec 13 13:05:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000c643b20 holds 0x2121212121212121 instead of 0x6000036340a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 13:07:26 a-mac-with-esc-key Slack Helper[55199]: Invoked notification with id: 7cc1869b-ba48-4307-8474-0bc68cd9c71d +Dec 13 13:07:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600007852ee0 holds 0x2121212121212121 instead of 0x600006a22780. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. 
+Dec 13 13:09:37 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[25878]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook +Dec 13 13:09:49 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit +Dec 13 13:13:48 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[25888]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook +Dec 13 13:13:48 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics +Dec 13 13:13:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60001125b6a0 holds 0x2121212121212121 instead of 0x600007234ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 13:15:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600006a41480 holds 0x2121212121212121 instead of 0x600003a2e920. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 13:17:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600005a46cd0 holds 0x2121212121212121 instead of 0x60000582bd00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 13:17:59 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[25896]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook +Dec 13 13:19:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800ee5b730 holds 0x2121212121212121 instead of 0x6080072264c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. 
+Dec 13 13:21:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f65cb10 holds 0x2121212121212121 instead of 0x6080046351c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 13:22:10 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[25914]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook +Dec 13 13:23:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600008c56780 holds 0x2121212121212121 instead of 0x600006624600. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 13:23:58 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics +Dec 13 13:25:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f65d7a0 holds 0x2121212121212121 instead of 0x608003a3d9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 13:26:21 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[25923]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook +Dec 13 13:27:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000785e8e0 holds 0x2121212121212121 instead of 0x600006622ba0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 13:29:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60801005a980 holds 0x2121212121212121 instead of 0x608001a3f8a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug. +Dec 13 13:30:33 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[25940]): Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 13:31:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000d6588b0 holds 0x2121212121212121 instead of 0x600002a3dd60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:32:28 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
+Dec 13 13:33:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f459990 holds 0x2121212121212121 instead of 0x60800463e7e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:33:58 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 13:34:44 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[26381]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 13:35:59 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000be429b0 holds 0x2121212121212121 instead of 0x600003c325e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:36:19 a-mac-with-esc-key GoogleSoftwareUpdateAgent[27321]: 2016-12-13 13:36:19.906 GoogleSoftwareUpdateAgent[27321/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings:
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-config.yml b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-config.yml
new file mode 100644
index 000000000..eb4e9090a
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-config.yml
@@ -0,0 +1,6 @@
+dynamic_fields:
+ "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}-[0-9]{2}:[0-9]{2}$"
+multiline:
+ first_line_pattern: "^Dec 13 "
+fields:
+ event.timezone: "GMT-0200"
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-expected.json b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-expected.json
new file mode 100644
index 000000000..c8cd42936
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-expected.json
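Review bot: In test-darwin-syslog.log-config.yml, `first_line_pattern: "^Dec 13 "` ties the multiline split to the single date present in the fixture, so a record added later with any other date would be folded into the preceding event rather than failing visibly. A date-independent pattern such as `first_line_pattern: "^[A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} "` should produce the same splits for the fixture lines visible here, whose continuation lines start with tabs. A short comment above `dynamic_fields` would also help, for example `# syslog lines carry no year, so @timestamp is matched by pattern rather than by value`. That reason is inferred from the expected file showing 2022 for year-less input, so confirm it before adding the comment.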
@@ -0,0 +1,7609 @@ +{ + "expected": [ + { + "@timestamp": "2022-12-13T11:35:28.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.419 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp performSelfUpdateWithEngine:] Finished self update check.", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:28.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \u003cKSUpdateEngine:0x100341a00\n\t\tticketStore=\u003cKSPersistentTicketStore:0x100204520 store=\u003cKSKeyedPersistentStore:0x100213290\n\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore\"\n\t\t\tlockFile=\u003cKSLockFile:0x1002160e0\n\t\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore.lock\"\n\t\t\t\tlocked=NO\n\t\t\t\u003e\n\t\t\u003e\u003e\n\t\tprocessor=\u003cKSActionProcessor:0x1003bb5f0\n\t\t\tdelegate=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t\u003e\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t\u003e", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:28.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 
11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:28.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.422 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSCheckAction performAction] KSCheckAction checking 2 ticket(s).", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:28.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.428 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction starting update check for ticket(s): {(\n\t\t\u003cKSTicket:0x100550bd0\n\t\t\tproductID=com.google.Chrome\n\t\t\tversion=54.0.2840.98\n\t\t\txc=\u003cKSPathExistenceChecker:0x1005507d0 path=/Applications/Google Chrome.app\u003e\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-06-25 15:40:23\n\t\t\ttagPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\ttagKey=KSChannelID\n\t\t\tbrandPath=/Users/tsg/Library/Google/Google Chrome Brand.plist\n\t\t\tbrandKey=KSBrandID\n\t\t\tversionPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\tversionKey=KSVersion\n\t\t\tcohort=1:1y5:gy3@0.05\n\t\t\tcohortName=Stable\n\t\t\tticketVersion=1\n\t\t\u003e,\n\t\t\u003cKSTicket:0x100555140\n\t\t\tproductID=com.google.GoogleDrive\n\t\t\tversion=1.32.3889.0961\n\t\t\txc=\u003cKSPathExistenceChecker:0x100554490 path=/Applications/Google 
Drive.app\u003e\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-09-11 20:38:12\n\t\t\tticketVersion=1\n\t\t\u003e\n\t)}\n\tUsing server: \u003cKSOmahaServer:0x100555120\n\t\tengine=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\u003e", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:28.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.446 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Chrome.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.Chrome\")'", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:29.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:29.430 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Drive.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.GoogleDrive\")'", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + 
"@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.115 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction running KSServerUpdateRequest: \u003cKSOmahaServerUpdateRequest:0x100480470\n\t\tserver=\u003cKSOmahaServer:0x100555120\u003e\n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"\n\t\tfallbackURLs=(\n\t\t\thttp://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1617080069\n\t\t)\n\t\trunningFetchers=0\n\t\ttickets=2\n\t\tbody=\n\t\t\t\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e\n\t\t\t\u003crequest protocol=\"3.0\" version=\"KeystoneAgent-1.2.6.1370\" ismachine=\"0\" requestid=\"{8F3B41E7-420E-4526-887D-C40439FD9A8E}\" dedup=\"cr\" sessionid=\"{3BD434BD-06BC-40C7-9A27-EFE887A149E3}\"\u003e\n\t\t\t \u003cos platform=\"mac\" version=\"10.12\" arch=\"x86_64h\" sp=\"10.12.0_x86_64h\"\u003e\u003c/os\u003e\n\t\t\t \u003capp appid=\"com.google.Chrome\" version=\"54.0.2840.98\" cohort=\"1:1y5:gy3@0.05\" cohortname=\"Stable\" lang=\"en-us\" installage=\"536\" installdate=\"3479\" brand=\"GGRO\" _numaccounts=\"1\" _numsignedin=\"1\" signed=\"1\"\u003e\n\t\t\t \u003cping r=\"1\" rd=\"3633\" a=\"1\" ad=\"3633\" ping_freshness=\"{6001AB3C-5253-44A9-94A9-CD4493ED14F9}\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t \u003capp appid=\"com.google.GoogleDrive\" version=\"1.32.3889.0961\" lang=\"en-us\" installage=\"458\" installdate=\"3479\" brand=\"GGLG\" signed=\"1\"\u003e\n\t\t\t \u003cping r=\"1\" rd=\"3633\" a=\"1\" ad=\"3633\" 
ping_freshness=\"{1BFFDCCA-5966-4598-819C-C1D075E480C5}\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t\u003c/request\u003e\n\t\theaders={\n\t\t\t\"X-GoogleUpdate-Interactivity\" = bg;\n\t\t}\n\t\u003e", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.116 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher start fetch from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.117 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) launchedHelperTaskForToolPath:error:] KSOutOfProcessFetcher launched '/Users/tsg/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch' with process id: 21414", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher sending 
both request and download file location to the helper.", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] KSSendAllDataToHelper() KSHelperTool wrote 2383 bytes to the helper input.", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] Closing the file handle.", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher fetching from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.149 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] 
KSHelperReceiveAllData() KSHelperTool read 2383 bytes from stdin.", + "process": { + "name": "ksfetch", + "pid": 21414 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a request: \u003cNSMutableURLRequest: 0x100119140\u003e { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822 }", + "process": { + "name": "ksfetch", + "pid": 21414 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a download path: /tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", + "process": { + "name": "ksfetch", + "pid": 21414 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch fetching URL (\u003cNSMutableURLRequest: 0x100119140\u003e { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822 }) to folder:/tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", + "process": { + "name": "ksfetch", + "pid": 21414 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Setting up download file handles...", + "process": { + "name": "ksfetch", + "pid": 21414 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] -[FetchDelegate fetcher:finishedWithData:] Fetcher downloaded successfully data of length: 0", + "process": { + "name": "ksfetch", + "pid": 21414 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch done fetching.", + "process": { + "name": "ksfetch", + "pid": 21414 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.351 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher is exiting.", + "process": { + "name": "ksfetch", + "pid": 21414 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperErrorAvailable:] KSOutOfProcessFetcher helper tool raw STDERR:\n\t:\t\u003c\u003e", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + 
"@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperDidTerminate:] KSOutOfProcessFetcher fetch ended for URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.355 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(KSServerUpdateRequestDelegate) serverRequest:fetchedWithResponse:] KSUpdateCheckAction received KSServerUpdateResponse: \u003cKSOmahaServerUpdateResponse:0x100559060\n\t\tserver=\u003cKSOmahaServer:0x100555120\u003e\n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"\n\t\ttickets=2\n\t\tstatus=200\n\t\tdata=\n\t\t\t\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e\n\t\t\t\u003cresponse protocol=\"3.0\" server=\"prod\"\u003e\n\t\t\t \u003cdaystart elapsed_days=\"3634\" elapsed_seconds=\"9330\"\u003e\u003c/daystart\u003e\n\t\t\t \u003capp appid=\"com.google.Chrome\" cohort=\"1:1y5:gy3@0.05\" cohortname=\"Stable\" status=\"ok\"\u003e\n\t\t\t \u003cping status=\"ok\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck status=\"noupdate\"\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t \u003capp appid=\"com.google.GoogleDrive\" cohort=\"\" cohortname=\"\" status=\"ok\"\u003e\n\t\t\t \u003cping 
status=\"ok\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck status=\"noupdate\"\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t\u003c/response\u003e\n\t\u003e", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.356 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOmahaServer updateInfosForUpdateResponse:updateRequest:infoStore:upToDateTickets:updatedTickets:events:errors:] Response passed CUP validation.", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.381 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(PrivateMethods) finishAction] KSUpdateCheckAction found updates: {( )}", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSPrefetchAction performAction] KSPrefetchAction no updates to prefetch.", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 
11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSSilentUpdateAction had no updates to apply.", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSPromptAction had no updates to apply.", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneDelegate) updateEngineFinishedWithErrors:] Keystone finished: errors=0", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.385 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine(PrivateMethods) updateFinish] KSUpdateEngine update processing complete.", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:31.142 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp 
updateProductWithProductID:usingEngine:] Done checking for updates for '\"All Products\"' using engine \u003cKSUpdateEngine:0x100341a00\n\t\tticketStore=\u003cKSPersistentTicketStore:0x100204520 store=\u003cKSKeyedPersistentStore:0x100213290\n\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore\"\n\t\t\tlockFile=\u003cKSLockFile:0x1002160e0\n\t\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore.lock\"\n\t\t\t\tlocked=NO\n\t\t\t\u003e\n\t\t\u003e\u003e\n\t\tprocessor=\u003cKSActionProcessor:0x1002769e0\n\t\t\tdelegate=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t\u003e\n\t\tdelegate=\u003cKSAgentApp: 0x10052a250\u003e\n\t\tserverInfoStore=\u003cKSServerPrivateInfoStore:0x100317b40 path=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/Servers\"\u003e\n\t\terrors=0\n\t\u003e", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:31.302 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentUploader fetcher:finishedWithData:] Successfully uploaded stats to \u003cNSMutableURLRequest: 0x1003cbcd0\u003e { URL: https://tools.google.com/service/update2 }", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:31.431 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp 
uploadStats:] Successfully uploaded stats \u003cKSStatsCollection:0x100212570 path=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/Stats/Keystone.stats\", count=5, stats={\n\t checks = 2;\n\t tickets = 2;\n\t usertickets = 3;\n\t validtickets = 2;\n\t validusertickets = 3;\n\t}\u003e", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:32.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:32.508 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneThread) runKeystonesInThreadWithArg:] Finished with engine thread", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:32.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:32.825 GoogleSoftwareUpdateAgent[21412/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp checkForUpdates] Finished update check.", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:35:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000a8499d0 holds 0x2121212121212121 instead of 0x600006a22fa0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:37:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f047240 holds 0x2121212121212121 instead of 0x608002231220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:38:45.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21498])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:39:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000a256990 holds 0x2121212121212121 instead of 0x600006a22420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:41:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x6080096475d0 holds 0x2121212121212121 instead of 0x608004e21280. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:41:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", + "process": { + "name": "syslogd", + "pid": 46 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:42:55.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21556])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:45:18.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:45:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000a85a860 holds 0x2121212121212121 instead of 0x600004a3b9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:47:06.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21581])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:47:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x608009840580 holds 0x2121212121212121 instead of 0x608004a22940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:49:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x608009c5b700 holds 0x2121212121212121 instead of 0x608005830020. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:51:17.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21586])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:51:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800ee592d0 holds 0x2121212121212121 instead of 0x608005627220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:51:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", + "process": { + "name": "syslogd", + "pid": 46 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:53:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000c648290 holds 0x2121212121212121 instead of 0x6000050242a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:55:28.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21589])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:55:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600009840460 holds 0x2121212121212121 instead of 0x60000122e940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:56:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:57:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000ee5b730 holds 0x2121212121212121 instead of 0x600007821c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T11:59:40.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21946])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:01:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600006a49940 holds 0x2121212121212121 instead of 0x6000078202e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:01:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", + "process": { + "name": "syslogd", + "pid": 46 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:03:04.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Invoked notification with id: d63743fb-f17b-4e9e-97d0-88e0e7304682", + "process": { + "name": "Slack Helper", + "pid": 55199 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:03:51.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21966])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:05:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f043dc0 holds 0x2121212121212121 instead of 0x6080026228c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:08:02.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21981])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:09:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x608009a53600 holds 0x2121212121212121 instead of 0x608000629420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:11:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f259c30 holds 0x2121212121212121 instead of 0x608004a21c20. 
This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:11:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", + "process": { + "name": "syslogd", + "pid": 46 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:12:13.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22226])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:13:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000c647d80 holds 0x2121212121212121 instead of 0x600006e3ee80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:15:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f053a80 holds 0x2121212121212121 instead of 0x608007227ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:16:24.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22241])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:17:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000a64ce80 holds 0x2121212121212121 instead of 0x600006629940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:19:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000a843580 holds 0x2121212121212121 instead of 0x600006629540. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:20:35.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22254])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:21:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f45b910 holds 0x2121212121212121 instead of 0x608005822c40. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:21:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", + "process": { + "name": "syslogd", + "pid": 46 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:23:13.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:23:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000ea5edf0 holds 0x2121212121212121 instead of 0x600003a35a60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:24:46.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22265])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:28:43.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Invoked notification with id: 52bf37d9-0c4e-4276-8789-9fc7704bdf5b", + "process": { + "name": "Slack Helper", + "pid": 55199 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:28:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22292])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:29:06.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Invoked notification with id: c6c7e356-60a7-4b9e-a9b1-ecc2b8ad09f2", + "process": { + "name": "Slack Helper", + "pid": 55199 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:29:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f246430 holds 0x2121212121212121 instead of 0x608001c26d00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:31:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800c85fd80 holds 0x2121212121212121 instead of 0x608005a3a420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:31:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", + "process": { + "name": "syslogd", + "pid": 46 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:33:08.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22305])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:33:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600006452400 holds 0x2121212121212121 instead of 0x60000763bac0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:35:56.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 12:35:56.416 GoogleSoftwareUpdateAgent[22318/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: \u003cKSAgentSettings:0x100505750 bundleID=com.google.Keystone.Agent lastCheck=2016-12-13 10:35:32 +0000 checkInterval=18000.000000 uiDisplayInterval=604800.000000 sleepInterval=1800.000000 jitterInterval=900 maxRunInterval=0.000000 isConsoleUser=1 ticketStorePath=/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore runMode=3 daemonUpdateEngineBrokerServiceName=com.google.Keystone.Daemon.UpdateEngine daemonAdministrationServiceName=com.google.Keystone.Daemon.Administration logEverything=0 logBufferSize=2048 alwaysPromptForUpdates=0 productIDToUpdate=(null) lastUIDisplayed=(null) alwaysShowStatusItem=0 updateCheckTag=(null) printResults=NO userInitiated=NO\u003e", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 22318 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:37:20.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22324])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:37:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f24d0f0 holds 0x2121212121212121 instead of 0x608007423ee0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:39:28.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Invoked notification with id: aa608788-d049-4d1a-9112-521c71702371", + "process": { + "name": "Slack Helper", + "pid": 55199 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:41:06.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:41:26.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Invoked notification with id: d75f9ec1-a8fd-41c2-a45e-6df2952f0702", + "process": { + "name": "Slack Helper", + "pid": 55199 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:41:30.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22336])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:41:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800a2535a0 holds 0x2121212121212121 instead of 0x608003828e20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:41:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", + "process": { + "name": "syslogd", + "pid": 46 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:43:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f241d50 holds 0x2121212121212121 instead of 0x60800562f380. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:45:41.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22348])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:45:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000c444450 holds 0x2121212121212121 instead of 0x600007237f00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:47:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000c4424a0 holds 0x2121212121212121 instead of 0x600007026520. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:13.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_handle_cache_delete_with_urgency(0x7fc55c429b40, 0, 1)", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:13.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_volume_contains_cached_data(is /private/var/db/diagnostics/ in /) - YES", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:13.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Purged 0 bytes from log files.", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:13.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext enter - 1", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:14.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext got 1023 UUIDs and 3 slibs from inflight logs", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:14.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:24.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext got 1303 UUIDs and 3 slibs from inflight and persistent logs", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:24.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext processing shared lib uuid 00000000-0000-0000-0000-000000000000", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:24.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext processing shared lib uuid 519BE6A1-940A-3142-975F-4EF4F41A89B3", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:24.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext processing shared lib uuid C43133F6-64A3-3F65-997F-0E985A66E971", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:24.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext got 2260 UUIDs and 3 slibs from inflight and persistent logs and slibs", 
+ "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:24.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 00000000-0000-0000-0000-000000000000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:27.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 1BD0C00C-0885-4C02-B522-D1E9CBDE84E7 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:29.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 40E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 60E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 66A56E12-C69B-4249-BC49-760C03F3700A mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} 
+ } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700F0308-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700F190B-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700F3C07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700F6107-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700F800A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + 
"version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700F8102-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700F9401-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700FD70E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700FD900-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700FEE0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { 
+ "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700FF904-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701F1C0F-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701F2F0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701F4C02-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701FAE07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext 
file for 701FBD0F-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701FE80B-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701FEF07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701FF700-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701FF90D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 702F5E0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + 
"process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 702F6503-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 702F6B06-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 702FEB0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 702FFC01-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703F0E06-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + 
} + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703F4A0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703F8C07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703F9405-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703FA300-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703FC709-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + 
"version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703FD007-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703FED05-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704F0003-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704F550C-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704F750A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { 
+ "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704F8102-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704F8C0C-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704F8D09-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704FB402-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704FBB01-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext 
file for 705F030E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 705F2D10-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 705F3B01-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 705F4E0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 705FA30D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 705FDA05-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + 
"process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 705FDF03-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 706F5101-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 706F6300-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 706F6E05-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 706FE207-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + 
} + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 706FEC00-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 706FFB07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707F0907-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707F6A04-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707F7B00-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + 
"version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707F9B0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707FAD09-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707FB80A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707FD809-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707FE404-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { 
+ "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708F3207-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708F3402-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708F3809-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708F470F-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708F8A00-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext 
file for 708F9F0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708FB403-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708FC507-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708FDC07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708FEA0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708FFC08-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + 
"process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709F1005-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709F1E0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709F4C0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709F5F08-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709F6306-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + 
} + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709F6903-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709F980E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709FA80C-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709FE302-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709FE808-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + 
"version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709FE809-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709FED00-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709FEF02-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709FEF0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF070C-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { 
+ "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF2108-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF270C-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF390B-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF4A0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF6D06-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext 
file for 70AF700E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF810D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF9D02-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AFA200-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AFBE07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AFCC02-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + 
"process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BF210E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BF4C0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BF9000-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BF9302-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BFC302-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + 
} + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BFD507-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BFD605-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BFE302-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BFFF03-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF0210-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + 
"version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF0603-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF0802-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF180F-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF1902-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF4A07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { 
+ "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF530D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF590D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF770D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CFA700-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CFC804-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext 
file for 70CFE00C-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CFEA09-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CFED0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70DF4B07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70DF7301-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70DFA303-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + 
"process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70DFCB0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70DFDD01-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70DFE504-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EF2F0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + 
} + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EF4609-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EF5D05-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EF7F07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EF8606-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EFA406-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + 
"version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EFA60F-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EFC606-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EFD407-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70FF0207-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70FF1E04-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { 
+ "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70FF6F01-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70FF7703-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70FF9708-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:32.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 80E8BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:32.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for A0E8BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:32.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext 
file for A0E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:32.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for B22412E8-3691-4FA9-95EA-C5B9E2A3C572 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:33.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for F011D7E8-7633-3668-9455-53893C4F4B33 mentioned but not found", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:33.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext tree walked", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:33.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/00/0E757A4E2C3108A74D6C5A996AAAAB", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:33.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/00/F2131643943190B32FE35236EA4864", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": 
"2022-12-13T12:49:33.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/06/608E438FDA3E28B9A262F575FE0E75", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:33.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/09/35918C5C783B8AB2E6B75B12056F3C", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:33.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/11/DD409E112F373398E6DA86BF046EC9", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:33.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/14/65FB07456D36EC9EC80462D86BB21B", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:33.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/18/A779EC17953910996D134A28F5C564", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + 
"message": "_purge_uuidtext unlinking /var/db/uuidtext/19/57E846B04C32FBAD78821B285B0D18", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/1E/79F11C7D5333F1BD0630540535F725", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/1E/9811DDA51A3BE9A4A748AD394DBE73", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/23/099C5F0A853312A9BD5694C15D228C", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/27/FBA267162735F8B5A6BF29E3A7670E", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/39/2980D3CAF73E2A94ED57F74979F1D9", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} 
+ } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/3E/67870101A7359F88CCB9BD6681FC93", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/41/C51F4A33E03ACF86603802C9E6FFDE", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/42/BF3535B92C3272BA41F8A9BC267F3B", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/42/C18E8D6CEE37FF8DCD1390244CF38E", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/53/4B25B3C583361EADD5CB938678868C", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/54/090A60831C3233A4F0022DB86FF8B8", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/56/8EBEC4BC8230848898534D17830BB6", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/57/58C9F966E631669B74E6625D40C806", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/5E/F7315AF27B31A6A38D6364704D4FFC", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/5F/2B940389D136F2817A41C784D530CB", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/62/196B2A409236898AAD3A1520C53191", + "process": { + "name": "logd", + "pid": 63 + }, 
+ "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/65/2D3DB29CBA32E297A65465CBA36B01", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/67/58A21E3D2B3620952A68EC384CC1AF", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/69/ADA53CBD3A3E31B08CFD85B12D52E1", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/72/FB1BBBCA3E30E89802A68B8B2B07F1", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/74/702F7027E834ACB0057983649FFB29", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + 
}, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/75/B25BA663DB34EC9AAC6971BBE817EB", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/75/B88148A6E233F8AFF323294DE561E0", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/76/2702DC49823F9E8292BB022D6BAF84", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/76/73D347C0F834879F9438D542975A23", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/78/397DF6C0253FD383E4AFAE3DD2E49C", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/7F/BCC184181A3913ADC50E38F950D098", + "process": { + 
"name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/81/12B328744938E1ACF2846B35CD83B4", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/82/3CB803D77334D0B5C759685022D876", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/8A/860FB569623B81B0511956EC82CEA3", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/90/9D581D35E7358AA75371D3A038142D", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/99/AC7E971E8C3319AD0514626D763823", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + 
"event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/9A/53817F2101396598311DB81D851FBA", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/9B/2EB7A3E93A3641B38EAD32B1CBE412", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/9F/E64976D7223E7F992BB3287AF23301", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/A7/8C02A56C0F3A9D90CAD8C92842B9A9", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/A9/733CC25E7239F98BC0812C5D7AF135", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking 
/var/db/uuidtext/AB/450D449D5432C9B30A439A35B29931", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/B0/AF101031AA3188A08CF1517F800B2C", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/B4/77C958888B3AB092FD097D2C9A1B13", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/B4/BDFB4CAE49386B963E2C7A296B7D20", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/B5/0CBF2789673C6AB67F80F199CFD499", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/B6/41F64AD9923AD19AED8A35325FB04E", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": 
"2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/B6/566C8F2EA7349EB2C02647D2F69F97", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/BA/2A57BB4346303EA1E87862E6752057", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/C0/2D31E981553F31B0E9C36C232EE607", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/C0/E060E4E9373D4D9B4A930D3291F052", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/C2/531C46380A3DA489F7752C2FE6AEA0", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + 
"message": "_purge_uuidtext unlinking /var/db/uuidtext/C9/17C064F3903260A7DC304FABDDC3FD", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/CD/E2995BDA593F96B16EF1AE92AF31D8", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/CE/EE9ADE6F813CD78A1308F14010F463", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/D1/7E3015AC923AFE89BAFE6411B96431", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/D3/AE090906EC3F058A04EE77A574C8B3", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/DA/BAD1584258317A8483FE9CF10547BD", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} 
+ } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/DD/CCB6FD639830F39A5D87247D54F616", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/E1/05E61475463784975FC5278723D08C", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/E1/B515E0321E3B85B90F01D623DC9047", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/E2/8DBEF43A0A37008A26AE9F016435F3", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/E3/55D24FAC0838679583537F319C7B72", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/EF/8522BAF9393808A2E6018507233133", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/FC/F7262CC2703E32BD3808B2D50C74F0", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext total: 2209, in_use:2104, marked:23, recent:13, deleted 69", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext slib tree cleaned up (0)", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuid tree cleaned up (3)", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext cleaned up (0)", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", + "ecs": { + "version": 
"8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Purged 5816519 bytes from uuidtext.", + "process": { + "name": "logd", + "pid": 63 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:52.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22360])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:49:57.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600011443d90 holds 0x2121212121212121 instead of 0x600006e206c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:51:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800ac568a0 holds 0x2121212121212121 instead of 0x608003630680. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:51:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", + "process": { + "name": "syslogd", + "pid": 46 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:53:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000664ad50 holds 0x2121212121212121 instead of 0x600006c31140. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:54:03.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22370])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:55:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x6000060446c0 holds 0x2121212121212121 instead of 0x600006c34d60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:57:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000c645c20 holds 0x2121212121212121 instead of 0x600002e295c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:58:14.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22382])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T12:59:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800fe59330 holds 0x2121212121212121 instead of 0x608004030e80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:01:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000ec41a20 holds 0x2121212121212121 instead of 0x600002e2d920. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:01:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", + "process": { + "name": "syslogd", + "pid": 46 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:03:19.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "BUG in libdispatch client: kevent[EVFILT_MACHPORT] monitored resource vanished before the source cancel handler was invoked", + "process": { + "name": "Preview", + "pid": 24046 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:03:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x608007645da0 holds 0x2121212121212121 instead of 0x6080044252a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:05:26.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25276])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:05:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000c643b20 holds 0x2121212121212121 instead of 0x6000036340a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:07:26.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Invoked notification with id: 7cc1869b-ba48-4307-8474-0bc68cd9c71d", + "process": { + "name": "Slack Helper", + "pid": 55199 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:07:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600007852ee0 holds 0x2121212121212121 instead of 0x600006a22780. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:09:37.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25878])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:09:49.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:13:48.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25888])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:13:48.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", + "process": { + "name": "syslogd", + "pid": 46 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:13:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60001125b6a0 holds 0x2121212121212121 instead of 0x600007234ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:15:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600006a41480 holds 0x2121212121212121 instead of 0x600003a2e920. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:17:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600005a46cd0 holds 0x2121212121212121 instead of 0x60000582bd00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:17:59.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25896])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:19:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800ee5b730 holds 0x2121212121212121 instead of 0x6080072264c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:21:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f65cb10 holds 0x2121212121212121 instead of 0x6080046351c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:22:10.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25914])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:23:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600008c56780 holds 0x2121212121212121 instead of 0x600006624600. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:23:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", + "process": { + "name": "syslogd", + "pid": 46 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:25:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f65d7a0 holds 0x2121212121212121 instead of 0x608003a3d9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:26:21.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25923])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:27:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000785e8e0 holds 0x2121212121212121 instead of 0x600006622ba0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:29:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60801005a980 holds 0x2121212121212121 instead of 0x608001a3f8a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:30:33.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25940])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:31:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000d6588b0 holds 0x2121212121212121 instead of 0x600002a3dd60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:32:28.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:33:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f459990 holds 0x2121212121212121 instead of 0x60800463e7e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:33:58.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", + "process": { + "name": "syslogd", + "pid": 46 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:34:44.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process": { + "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[26381])" + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:35:59.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000be429b0 holds 0x2121212121212121 instead of 0x600003c325e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process": { + "name": "Google Chrome", + "pid": 85294 + }, + "system": { + "syslog": {} + } + }, + { + "@timestamp": "2022-12-13T13:36:19.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 13:36:19.906 GoogleSoftwareUpdateAgent[27321/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: \u003cKSAgentSettings:0x100228060 bundleID=com.google.Keystone.Agent lastCheck=2016-12-13 10:35:32 +0000 checkInterval=18000.000000 uiDisplayInterval=604800.000000 sleepInterval=1800.000000 jitterInterval=900 maxRunInterval=0.000000 isConsoleUser=1 ticketStorePath=/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore runMode=3 daemonUpdateEngineBrokerServiceName=com.google.Keystone.Daemon.UpdateEngine daemonAdministrationServiceName=com.google.Keystone.Daemon.Administration logEverything=0 logBufferSize=2048 alwaysPromptForUpdates=0 productIDToUpdate=(null) lastUIDisplayed=(null) alwaysShowStatusItem=0 updateCheckTag=(null) printResults=NO userInitiated=NO\u003e", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 27321 + }, + "system": { + "syslog": {} + } + } + ] +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log
new file mode 100644
index 000000000..b7682f5e4
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log
@@ -0,0 +1,2 @@
+2018-08-14T14:30:02.203151+02:00 linux-sqrz systemd[4179]: Stopped target Basic System.
+2018-08-14T14:30:02.203251+02:00 linux-sqrz systemd[4179]: Stopped target Paths.
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-config.yml b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-config.yml
new file mode 100644
index 000000000..4ef513697
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-config.yml
@@ -0,0 +1,2 @@
+fields:
+ event.timezone: "GMT-0200"
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-expected.json b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-expected.json
new file mode 100644
index 000000000..77d9520b9
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-expected.json
@@ -0,0 +1,44 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2018-08-14T10:30:02.203-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "linux-sqrz"
+ },
+ "message": "Stopped target Basic System.",
+ "process": {
+ "name": "systemd",
+ "pid": 4179
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2018-08-14T10:30:02.203-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "linux-sqrz"
+ },
+ "message": "Stopped target Paths.",
+ "process": {
+ "name": "systemd",
+ "pid": 4179
+ },
+ "system": {
+ "syslog": {}
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log
new file mode 100644
index 000000000..f7196ecbb
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log
@@ -0,0 +1,3 @@
+1986-04-26T01:23:45.101+0400 rmbkmonitor04 shutdown[2649]: shutting down for system halt
+1986-04-26T01:23:45.388424+04:00 rmbkmonitor04 thermald: constraint_0_power_limit_uw exceeded.
+2019-06-14T10:40:20.912134 localhost sudo: pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-config.yml b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-config.yml
new file mode 100644
index 000000000..999db39c2
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-config.yml
@@ -0,0 +1,3 @@
+fields:
+ event.kind: "event"
+ event.timezone: "GMT-0200"
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-expected.json b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-expected.json
new file mode 100644
index 000000000..1b798f2ad
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-expected.json
@@ -0,0 +1,65 @@
+{
+ "expected": [
+ {
+ "@timestamp": "1986-04-25T19:23:45.101-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "rmbkmonitor04"
+ },
+ "message": "shutting down for system halt",
+ "process": {
+ "name": "shutdown",
+ "pid": 2649
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "1986-04-25T19:23:45.388-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "rmbkmonitor04"
+ },
+ "message": "constraint_0_power_limit_uw exceeded.",
+ "process": {
+ "name": "thermald"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2019-06-14T10:40:20.912-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "localhost"
+ },
+ "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)",
+ "process": {
+ "name": "sudo"
+ },
+ "system": {
+ "syslog": {}
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/syslog/agent/stream/log.yml.hbs b/test/packages/parallel/system/data_stream/syslog/agent/stream/log.yml.hbs
new file mode 100644
index 000000000..a02298caf
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/agent/stream/log.yml.hbs
@@ -0,0 +1,22 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+multiline:
+ pattern: "^\\s"
+ match: after
+processors:
+- add_locale: ~
+{{#if processors.length}}
+{{processors}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/test/packages/parallel/system/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 000000000..56966e351
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,56 @@
+---
+description: Pipeline for parsing Syslog messages.
+processors:
+ - grok:
+ field: message
+ patterns:
+ - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{GREEDYMULTILINE:system.syslog.message}'
+ - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}'
+ - '%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{GREEDYMULTILINE:system.syslog.message}'
+ pattern_definitions:
+ GREEDYMULTILINE: |-
+ (.|
+ )*
+ ignore_missing: true
+ - remove:
+ field: message
+ - rename:
+ field: system.syslog.message
+ target_field: message
+ ignore_missing: true
+ - date:
+ if: ctx.event.timezone == null
+ field: system.syslog.timestamp
+ target_field: '@timestamp'
+ formats:
+ - MMM d HH:mm:ss
+ - MMM dd HH:mm:ss
+ - MMM d HH:mm:ss
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+ - date:
+ if: ctx.event.timezone != null
+ field: system.syslog.timestamp
+ target_field: '@timestamp'
+ formats:
+ - MMM d HH:mm:ss
+ - MMM dd HH:mm:ss
+ - MMM d HH:mm:ss
+ - ISO8601
+ timezone: '{{ event.timezone }}'
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+ - remove:
+ field: system.syslog.timestamp
+ - set:
+ field: ecs.version
+ value: 8.0.0
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/test/packages/parallel/system/data_stream/syslog/fields/agent.yml b/test/packages/parallel/system/data_stream/syslog/fields/agent.yml
new file mode 100644
index 000000000..da4e652c5
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/fields/agent.yml
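Review bot: In the syslog `ingest_pipeline/default.yml`, the `remove` processor for `message` that follows the grok has no `ignore_missing`, although the grok itself is given `ignore_missing: true`. A document that arrives without `message` skips the grok quietly and then fails at the remove, so it ends in the pipeline-level `on_failure` with a missing-field error instead of passing through. Adding `ignore_missing: true` under that `remove` keeps the two processors consistent. Separately, the pipeline-level handler uses `set` on `error.message` while the two date processors use `append`, so any message appended earlier would be overwritten if a later processor fails; using `append` there as well would preserve the parse-failure trail for whoever triages unparsed events.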
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/test/packages/parallel/system/data_stream/syslog/fields/base-fields.yml b/test/packages/parallel/system/data_stream/syslog/fields/base-fields.yml
new file mode 100644
index 000000000..c43f25683
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/fields/base-fields.yml
@@ -0,0 +1,21 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+ value: logs
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.syslog
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
diff --git a/test/packages/parallel/system/data_stream/syslog/fields/ecs.yml b/test/packages/parallel/system/data_stream/syslog/fields/ecs.yml
new file mode 100644
index 000000000..1a5ab6d19
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/fields/ecs.yml
@@ -0,0 +1,56 @@
+- external: ecs
+ name: '@timestamp'
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: event.provider
+- external: ecs
+ name: event.sequence
+- external: ecs
+ name: event.type
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.domain
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.id
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.full
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: message
+- external: ecs
+ name: process.name
+- external: ecs
+ name: process.pid
diff --git a/test/packages/parallel/system/data_stream/syslog/fields/fields.yml b/test/packages/parallel/system/data_stream/syslog/fields/fields.yml
new file mode 100644
index 000000000..f93368693
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/fields/fields.yml
@@ -0,0 +1,2 @@
+- name: system.syslog
+ type: group
diff --git a/test/packages/parallel/system/data_stream/syslog/manifest.yml b/test/packages/parallel/system/data_stream/syslog/manifest.yml
new file mode 100644
index 000000000..f7374ee8f
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/manifest.yml
@@ -0,0 +1,42 @@
+title: System syslog logs
+type: logs
+streams:
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/messages*
+ - /var/log/syslog*
+ - /var/log/system*
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ template_path: log.yml.hbs
+ title: System syslog logs (log)
+ description: Collect System syslog logs using log input
+# Ensures agents have permissions to write data to `logs-*-*`
+elasticsearch.dynamic_dataset: true
+elasticsearch.dynamic_namespace: true
diff --git a/test/packages/parallel/system/data_stream/system/agent/stream/httpjson.yml.hbs b/test/packages/parallel/system/data_stream/system/agent/stream/httpjson.yml.hbs
new file mode 100644
index 000000000..6364f1ab6
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,107 @@
+config_version: "2"
+interval: {{interval}}
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: |-
+ {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+ - decode_json_fields:
+ fields: message
+ target: json
+ add_error_key: true
+ - drop_event:
+ when:
+ not:
+ has_fields: ['json.result']
+ - fingerprint:
+ fields:
+ - json.result._cd
+ - json.result._indextime
+ - json.result._raw
+ - json.result._time
+ - json.result.host
+ - json.result.source
+ target_field: "@metadata._id"
+ - drop_fields:
+ fields: message
+ - rename:
+ fields:
+ - from: json.result._raw
+ to: event.original
+ - from: json.result.host
+ to: host.name
+ - from: json.result.source
+ to: event.provider
+ ignore_missing: true
+ fail_on_error: false
+ - drop_fields:
+ fields: json
+ - decode_xml_wineventlog:
+ field: event.original
+ target_field: winlog
+ ignore_missing: true
+ ignore_failure: true
+ map_ecs_fields: true
+ - timestamp:
+ field: winlog.time_created
+ layouts:
+ - '2006-01-02T15:04:05Z'
+ - '2006-01-02T15:04:05.999Z'
+ - '2006-01-02T15:04:05.999-07:00'
+ test:
+ - '2019-06-22T16:33:51Z'
+ - '2019-11-18T04:59:51.123Z'
+ - '2020-08-03T07:10:20.123456+02:00'
diff --git a/test/packages/parallel/system/data_stream/system/agent/stream/winlog.yml.hbs b/test/packages/parallel/system/data_stream/system/agent/stream/winlog.yml.hbs
new file mode 100644
index 000000000..927c95968
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/agent/stream/winlog.yml.hbs
@@ -0,0 +1,24 @@
+name: System
+condition: ${host.platform} == 'windows'
+{{#if event_id}}
+event_id: {{event_id}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+{{#if language}}
+language: {{language}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if preserve_original_event}}
+include_xml: true
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/test/packages/parallel/system/data_stream/system/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 000000000..9172454fd
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,13 @@
+---
+description: Pipeline for Windows System Event Logs
+processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: 8.0.0
+on_failure:
+ - set:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
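Review bot: In `httpjson.yml.hbs` the two authentication branches exclude each other in both directions: `auth.basic.*` is rendered only inside `{{#unless token}}`, and the `header.Authorization` transform only inside `{{#unless username}}{{#unless password}}`. A policy that sets a token together with a username or password therefore renders no credentials at all, and the failure only shows up as rejected requests at runtime. Let one method win, for instance by dropping the `unless username` / `unless password` wrappers around the token transform, since basic auth is already suppressed whenever a token is present. `{{password}}` and `{{token}}` are also rendered unquoted, so a secret containing ` #` or a leading YAML indicator character would be truncated or misparsed; quoting or escaping those values is worth confirming. The `enable_request_tracer` branch writes request traces under `../../logs/httpjson/`, so that option should be described as debugging-only wherever it is declared.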
diff --git a/test/packages/parallel/system/data_stream/system/fields/agent.yml b/test/packages/parallel/system/data_stream/system/fields/agent.yml
new file mode 100644
index 000000000..da4e652c5
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/fields/agent.yml
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/test/packages/parallel/system/data_stream/system/fields/base-fields.yml b/test/packages/parallel/system/data_stream/system/fields/base-fields.yml
new file mode 100644
index 000000000..567c816e1
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.system
diff --git a/test/packages/parallel/system/data_stream/system/fields/ecs.yml b/test/packages/parallel/system/data_stream/system/fields/ecs.yml
new file mode 100644
index 000000000..7abb6419d
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/fields/ecs.yml
@@ -0,0 +1,28 @@
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: event.provider
+- external: ecs
+ name: event.sequence
+- external: ecs
+ name: event.type
+- external: ecs
+ name: message
diff --git a/test/packages/parallel/system/data_stream/system/fields/winlog.yml b/test/packages/parallel/system/data_stream/system/fields/winlog.yml
new file mode 100644
index 000000000..adca1bbdd
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/fields/winlog.yml
@@ -0,0 +1,357 @@
+- name: winlog
+ type: group
+ description: >
+ All fields specific to the Windows Event Log are defined here.
+
+ fields:
+ - name: api
+ required: true
+ type: keyword
+ description: >
+ The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
+
+ - name: activity_id
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
+
+ - name: computer_name
+ type: keyword
+ required: true
+ description: >
+ The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
+
+ - name: event_data
+ type: object
+ object_type: keyword
+ required: false
+ description: >
+ The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
+
+ - name: event_data
+ type: group
+ description: >
+ This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
+
+ fields:
+ - name: AuthenticationPackageName
+ type: keyword
+ - name: Binary
+ type: keyword
+ - name: BitlockerUserInputTime
+ type: keyword
+ - name: BootMode
+ type: keyword
+ - name: BootType
+ type: keyword
+ - name: BuildVersion
+ type: keyword
+ - name: Company
+ type: keyword
+ - name: CorruptionActionState
+ type: keyword
+ - name: CreationUtcTime
+ type: keyword
+ - name: Description
+ type: keyword
+ - name: Detail
+ type: keyword
+ - name: DeviceName
+ type: keyword
+ - name: DeviceNameLength
+ type: keyword
+ - name: DeviceTime
+ type: keyword
+ - name: DeviceVersionMajor
+ type: keyword
+ - name: DeviceVersionMinor
+ type: keyword
+ - name: DriveName
+ type: keyword
+ - name: DriverName
+ type: keyword
+ - name: DriverNameLength
+ type: keyword
+ - name: DwordVal
+ type: keyword
+ - name: EntryCount
+ type: keyword
+ - name: ExtraInfo
+ type: keyword
+ - name: FailureName
+ type: keyword
+ - name: FailureNameLength
+ type: keyword
+ - name: FileVersion
+ type: keyword
+ - name: FinalStatus
+ type: keyword
+ - name: Group
+ type: keyword
+ - name: IdleImplementation
+ type: keyword
+ - name: IdleStateCount
+ type: keyword
+ - name: ImpersonationLevel
+ type: keyword
+ - name: IntegrityLevel
+ type: keyword
+ - name: IpAddress
+ type: keyword
+ - name: IpPort
+ type: keyword
+ - name: KeyLength
+ type: keyword
+ - name: LastBootGood
+ type: keyword
+ - name: LastShutdownGood
+ type: keyword
+ - name: LmPackageName
+ type: keyword
+ - name: LogonGuid
+ type: keyword
+ - name: LogonId
+ type: keyword
+ - name: LogonProcessName
+ type: keyword
+ - name: LogonType
+ type: keyword
+ - name: MajorVersion
+ type: keyword
+ - name: MaximumPerformancePercent
+ type: keyword
+ - name: MemberName
+ type: keyword
+ - name: MemberSid
+ type: keyword
+ - name: MinimumPerformancePercent
+ type: keyword
+ - name: MinimumThrottlePercent
+ type: keyword
+ - name: MinorVersion
+ type: keyword
+ - name: NewProcessId
+ type: keyword
+ - name: NewProcessName
+ type: keyword
+ - name: NewSchemeGuid
+ type: keyword
+ - name: NewTime
+ type: keyword
+ - name: NominalFrequency
+ type: keyword
+ - name: Number
+ type: keyword
+ - name: OldSchemeGuid
+ type: keyword
+ - name: OldTime
+ type: keyword
+ - name: OriginalFileName
+ type: keyword
+ - name: Path
+ type: keyword
+ - name: PerformanceImplementation
+ type: keyword
+ - name: PreviousCreationUtcTime
+ type: keyword
+ - name: PreviousTime
+ type: keyword
+ - name: PrivilegeList
+ type: keyword
+ - name: ProcessId
+ type: keyword
+ - name: ProcessName
+ type: keyword
+ - name: ProcessPath
+ type: keyword
+ - name: ProcessPid
+ type: keyword
+ - name: Product
+ type: keyword
+ - name: PuaCount
+ type: keyword
+ - name: PuaPolicyId
+ type: keyword
+ - name: QfeVersion
+ type: keyword
+ - name: Reason
+ type: keyword
+ - name: SchemaVersion
+ type: keyword
+ - name: ScriptBlockText
+ type: keyword
+ - name: ServiceName
+ type: keyword
+ - name: ServiceVersion
+ type: keyword
+ - name: ShutdownActionType
+ type: keyword
+ - name: ShutdownEventCode
+ type: keyword
+ - name: ShutdownReason
+ type: keyword
+ - name: Signature
+ type: keyword
+ - name: SignatureStatus
+ type: keyword
+ - name: Signed
+ type: keyword
+ - name: StartTime
+ type: keyword
+ - name: State
+ type: keyword
+ - name: Status
+ type: keyword
+ - name: StopTime
+ type: keyword
+ - name: SubjectDomainName
+ type: keyword
+ - name: SubjectLogonId
+ type: keyword
+ - name: SubjectUserName
+ type: keyword
+ - name: SubjectUserSid
+ type: keyword
+ - name: TSId
+ type: keyword
+ - name: TargetDomainName
+ type: keyword
+ - name: TargetInfo
+ type: keyword
+ - name: TargetLogonGuid
+ type: keyword
+ - name: TargetLogonId
+ type: keyword
+ - name: TargetServerName
+ type: keyword
+ - name: TargetUserName
+ type: keyword
+ - name: TargetUserSid
+ type: keyword
+ - name: TerminalSessionId
+ type: keyword
+ - name: TokenElevationType
+ type: keyword
+ - name: TransmittedServices
+ type: keyword
+ - name: UserSid
+ type: keyword
+ - name: Version
+ type: keyword
+ - name: Workstation
+ type: keyword
+ - name: param1
+ type: keyword
+ - name: param2
+ type: keyword
+ - name: param3
+ type: keyword
+ - name: param4
+ type: keyword
+ - name: param5
+ type: keyword
+ - name: param6
+ type: keyword
+ - name: param7
+ type: keyword
+ - name: param8
+ type: keyword
+ - name: event_id
+ type: keyword
+ required: true
+ description: >
+ The event identifier. The value is specific to the source of the event.
+
+ - name: keywords
+ type: keyword
+ required: false
+ description: >
+ The keywords are used to classify an event.
+
+ - name: channel
+ type: keyword
+ required: true
+ description: >
+ The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
+
+ - name: record_id
+ type: keyword
+ required: true
+ description: >
+ The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
+
+ - name: related_activity_id
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
+
+ - name: opcode
+ type: keyword
+ required: false
+ description: >
+ The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
+
+ - name: provider_guid
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the provider that logged the event.
+
+ - name: process.pid
+ type: long
+ required: false
+ description: >
+ The process_id of the Client Server Runtime Process.
+
+ - name: provider_name
+ type: keyword
+ required: true
+ description: >
+ The source of the event log record (the application or service that logged the record).
+
+ - name: task
+ type: keyword
+ required: false
+ description: >
+ The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
+
+ - name: process.thread.id
+ type: long
+ required: false
+ - name: user_data
+ type: object
+ object_type: keyword
+ required: false
+ description: >
+ The event specific data. This field is mutually exclusive with `event_data`.
+
+ - name: user.identifier
+ type: keyword
+ required: false
+ example: S-1-5-21-3541430928-2051711210-1391384369-1001
+ description: >
+ The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
+
+ - name: user.name
+ type: keyword
+ description: >
+ Name of the user associated with this event.
+
+ - name: user.domain
+ type: keyword
+ required: false
+ description: >
+ The domain that the account associated with this event is a member of.
+
+ - name: user.type
+ type: keyword
+ required: false
+ description: >
+ The type of account associated with this event.
+
+ - name: version
+ type: long
+ required: false
+ description: The version number of the event's definition.
diff --git a/test/packages/parallel/system/data_stream/system/manifest.yml b/test/packages/parallel/system/data_stream/system/manifest.yml
new file mode 100644
index 000000000..427b39c5f
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/manifest.yml
@@ -0,0 +1,80 @@
+type: logs
+title: Windows System Events
+streams:
+ - input: winlog
+ template_path: winlog.yml.hbs
+ title: System
+ description: 'Collect Windows system logs'
+ vars:
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: >-
+ Preserves a raw copy of the original XML event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: event_id
+ type: text
+ title: Event ID
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 clauses, lower in some situations. See integration documentation for more details.
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: language
+ type: text
+ title: Language ID
+ description: >-
+ The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US
+ required: false
+ show_user: false
+ default: 0
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: httpjson
+ title: Windows System Events via Splunk Enterprise REST API
+ description: Collect System Events via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: false
+ required: true
+ default: "search sourcetype=\"XmlWinEventLog:System\""
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
diff --git a/test/packages/parallel/system/data_stream/uptime/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/uptime/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000..e7e66ab35
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/uptime/agent/stream/stream.yml.hbs
@@ -0,0 +1,12 @@
+metricsets: ["uptime"]
+period: {{period}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/uptime/fields/agent.yml b/test/packages/parallel/system/data_stream/uptime/fields/agent.yml
new file mode 100644
index 000000000..37de0dc01
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/uptime/fields/agent.yml
@@ -0,0 +1,205 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ dimension: true
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ dimension: true
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ dimension: true
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ dimension: true
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ dimension: true
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ dimension: true
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ dimension: true
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/test/packages/parallel/system/data_stream/uptime/fields/base-fields.yml b/test/packages/parallel/system/data_stream/uptime/fields/base-fields.yml
new file mode 100644
index 000000000..402b646ca
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/uptime/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.uptime
diff --git a/test/packages/parallel/system/data_stream/uptime/fields/ecs.yml b/test/packages/parallel/system/data_stream/uptime/fields/ecs.yml
new file mode 100644
index 000000000..3014c8de4
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/uptime/fields/ecs.yml
@@ -0,0 +1,3 @@
+- external: ecs
+ name: agent.id
+ dimension: true
diff --git a/test/packages/parallel/system/data_stream/uptime/fields/fields.yml b/test/packages/parallel/system/data_stream/uptime/fields/fields.yml
new file mode 100644
index 000000000..7c61a1372
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/uptime/fields/fields.yml
@@ -0,0 +1,10 @@
+- name: system.uptime
+ type: group
+ fields:
+ - name: duration.ms
+ type: long
+ format: duration
+ unit: ms
+ metric_type: counter
+ description: |
+ The OS uptime in milliseconds.
diff --git a/test/packages/parallel/system/data_stream/uptime/manifest.yml b/test/packages/parallel/system/data_stream/uptime/manifest.yml
new file mode 100644
index 000000000..eda926bd0
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/uptime/manifest.yml
@@ -0,0 +1,29 @@
+title: System uptime metrics
+type: metrics
+elasticsearch:
+ index_mode: "time_series"
+streams:
+ - input: system/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 10s
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ title: System uptime metrics
+ description: Collect System uptime metrics
diff --git a/test/packages/parallel/system/docs/README.md b/test/packages/parallel/system/docs/README.md
new file mode 100644
index 000000000..af0d9aa2c
--- /dev/null
+++ b/test/packages/parallel/system/docs/README.md
@@ -0,0 +1,2249 @@ +# System Integration + +The System integration allows you to monitor servers, personal computers, and more. + +Use the System integration to collect metrics and logs from your machines. +Then visualize that data in Kibana, create alerts to notify you if something goes wrong, +and reference data when troubleshooting an issue. + +For example, if you wanted to be notified when less than 10% of the disk space is still available, you +could install the System integration to send file system metrics to Elastic. +Then, you could view real-time updates to disk space used on your system in Kibana's _[Metrics System] Overview_ dashboard. +You could also set up a new rule in the Elastic Observability Metrics app to alert you when the percent free is +less than 10% of the total disk space. + +## Data streams + +The System integration collects two types of data: logs and metrics. + +**Logs** help you keep a record of events that happen on your machine. +Log data streams collected by the System integration include application, system, and security events on +machines running Windows and auth and syslog events on machines running macOS or Linux. +See more details in the [Logs reference](#logs-reference). + +**Metrics** give you insight into the state of the machine. +Metric data streams collected by the System integration include CPU usage, load statistics, memory usage, +information on network behavior, and more. +See more details in the [Metrics reference](#metrics-reference). + +You can enable and disable individual data streams. If _all_ data streams are disabled and the System integration +is still enabled, Fleet uses the default data streams. + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. +You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. 
+ +Each data stream collects different kinds of metric data, which may require dedicated permissions +to be fetched and which may vary across operating systems. +Details on the permissions needed for each data stream are available in the [Metrics reference](#metrics-reference). + +## Setup + +For step-by-step instructions on how to set up an integration, see the +[Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. + +## Troubleshooting + +Note that certain data streams may access `/proc` to gather process information, +and the resulting `ptrace_may_access()` call by the kernel to check for +permissions can be blocked by +[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly. + +In addition, when running inside a container the proc filesystem directory of the host +should be set using `system.hostfs` setting to `/hostfs`. + +### Windows Event ID clause limit + +If you specify more than 22 query conditions (event IDs or event ID ranges), some +versions of Windows will prevent the integration from reading the event log due to +limits in the query system. If this occurs, a similar warning as shown below: + +``` +The specified query is invalid. +``` + +In some cases, the limit may be lower than 22 conditions. For instance, using a +mixture of ranges and single event IDs, along with an additional parameter such +as `ignore older`, results in a limit of 21 conditions. + +If you have more than 22 conditions, you can work around this Windows limitation +by using a drop_event processor to do the filtering after filebeat has received +the events from Windows. The filter shown below is equivalent to +`event_id: 903, 1024, 2000-2004, 4624` but can be expanded beyond 22 event IDs. 
+ +```yaml +- drop_event.when.not.or: + - equals.winlog.event_id: "903" + - equals.winlog.event_id: "1024" + - equals.winlog.event_id: "4624" + - range: + winlog.event_id.gte: 2000 + winlog.event_id.lte: 2004 +``` + +## Logs reference + +### Application + +The Windows `application` data stream provides events from the Windows +`Application` event log. + +#### Supported operating systems + +- Windows + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| error.message | Error message. | match_only_text | +| event.code | Identification code for this event, if one exists. 
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| winlog.activity_id | A globally unique identifier that identifies the current activity. 
The events that are published with this identifier are part of the same activity. | keyword | +| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | +| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | +| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | +| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
| object | +| winlog.event_data.AuthenticationPackageName | | keyword | +| winlog.event_data.Binary | | keyword | +| winlog.event_data.BitlockerUserInputTime | | keyword | +| winlog.event_data.BootMode | | keyword | +| winlog.event_data.BootType | | keyword | +| winlog.event_data.BuildVersion | | keyword | +| winlog.event_data.Company | | keyword | +| winlog.event_data.CorruptionActionState | | keyword | +| winlog.event_data.CreationUtcTime | | keyword | +| winlog.event_data.Description | | keyword | +| winlog.event_data.Detail | | keyword | +| winlog.event_data.DeviceName | | keyword | +| winlog.event_data.DeviceNameLength | | keyword | +| winlog.event_data.DeviceTime | | keyword | +| winlog.event_data.DeviceVersionMajor | | keyword | +| winlog.event_data.DeviceVersionMinor | | keyword | +| winlog.event_data.DriveName | | keyword | +| winlog.event_data.DriverName | | keyword | +| winlog.event_data.DriverNameLength | | keyword | +| winlog.event_data.DwordVal | | keyword | +| winlog.event_data.EntryCount | | keyword | +| winlog.event_data.ExtraInfo | | keyword | +| winlog.event_data.FailureName | | keyword | +| winlog.event_data.FailureNameLength | | keyword | +| winlog.event_data.FileVersion | | keyword | +| winlog.event_data.FinalStatus | | keyword | +| winlog.event_data.Group | | keyword | +| winlog.event_data.IdleImplementation | | keyword | +| winlog.event_data.IdleStateCount | | keyword | +| winlog.event_data.ImpersonationLevel | | keyword | +| winlog.event_data.IntegrityLevel | | keyword | +| winlog.event_data.IpAddress | | keyword | +| winlog.event_data.IpPort | | keyword | +| winlog.event_data.KeyLength | | keyword | +| winlog.event_data.LastBootGood | | keyword | +| winlog.event_data.LastShutdownGood | | keyword | +| winlog.event_data.LmPackageName | | keyword | +| winlog.event_data.LogonGuid | | keyword | +| winlog.event_data.LogonId | | keyword | +| winlog.event_data.LogonProcessName | | keyword | +| winlog.event_data.LogonType | | keyword | +| 
winlog.event_data.MajorVersion | | keyword | +| winlog.event_data.MaximumPerformancePercent | | keyword | +| winlog.event_data.MemberName | | keyword | +| winlog.event_data.MemberSid | | keyword | +| winlog.event_data.MinimumPerformancePercent | | keyword | +| winlog.event_data.MinimumThrottlePercent | | keyword | +| winlog.event_data.MinorVersion | | keyword | +| winlog.event_data.NewProcessId | | keyword | +| winlog.event_data.NewProcessName | | keyword | +| winlog.event_data.NewSchemeGuid | | keyword | +| winlog.event_data.NewTime | | keyword | +| winlog.event_data.NominalFrequency | | keyword | +| winlog.event_data.Number | | keyword | +| winlog.event_data.OldSchemeGuid | | keyword | +| winlog.event_data.OldTime | | keyword | +| winlog.event_data.OriginalFileName | | keyword | +| winlog.event_data.Path | | keyword | +| winlog.event_data.PerformanceImplementation | | keyword | +| winlog.event_data.PreviousCreationUtcTime | | keyword | +| winlog.event_data.PreviousTime | | keyword | +| winlog.event_data.PrivilegeList | | keyword | +| winlog.event_data.ProcessId | | keyword | +| winlog.event_data.ProcessName | | keyword | +| winlog.event_data.ProcessPath | | keyword | +| winlog.event_data.ProcessPid | | keyword | +| winlog.event_data.Product | | keyword | +| winlog.event_data.PuaCount | | keyword | +| winlog.event_data.PuaPolicyId | | keyword | +| winlog.event_data.QfeVersion | | keyword | +| winlog.event_data.Reason | | keyword | +| winlog.event_data.SchemaVersion | | keyword | +| winlog.event_data.ScriptBlockText | | keyword | +| winlog.event_data.ServiceName | | keyword | +| winlog.event_data.ServiceVersion | | keyword | +| winlog.event_data.ShutdownActionType | | keyword | +| winlog.event_data.ShutdownEventCode | | keyword | +| winlog.event_data.ShutdownReason | | keyword | +| winlog.event_data.Signature | | keyword | +| winlog.event_data.SignatureStatus | | keyword | +| winlog.event_data.Signed | | keyword | +| winlog.event_data.StartTime | | keyword | +| 
winlog.event_data.State | | keyword | +| winlog.event_data.Status | | keyword | +| winlog.event_data.StopTime | | keyword | +| winlog.event_data.SubjectDomainName | | keyword | +| winlog.event_data.SubjectLogonId | | keyword | +| winlog.event_data.SubjectUserName | | keyword | +| winlog.event_data.SubjectUserSid | | keyword | +| winlog.event_data.TSId | | keyword | +| winlog.event_data.TargetDomainName | | keyword | +| winlog.event_data.TargetInfo | | keyword | +| winlog.event_data.TargetLogonGuid | | keyword | +| winlog.event_data.TargetLogonId | | keyword | +| winlog.event_data.TargetServerName | | keyword | +| winlog.event_data.TargetUserName | | keyword | +| winlog.event_data.TargetUserSid | | keyword | +| winlog.event_data.TerminalSessionId | | keyword | +| winlog.event_data.TokenElevationType | | keyword | +| winlog.event_data.TransmittedServices | | keyword | +| winlog.event_data.UserSid | | keyword | +| winlog.event_data.Version | | keyword | +| winlog.event_data.Workstation | | keyword | +| winlog.event_data.param1 | | keyword | +| winlog.event_data.param2 | | keyword | +| winlog.event_data.param3 | | keyword | +| winlog.event_data.param4 | | keyword | +| winlog.event_data.param5 | | keyword | +| winlog.event_data.param6 | | keyword | +| winlog.event_data.param7 | | keyword | +| winlog.event_data.param8 | | keyword | +| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | +| winlog.keywords | The keywords are used to classify an event. | keyword | +| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | +| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | +| winlog.process.thread.id | | long | +| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. 
| keyword | +| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | +| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | +| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | +| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | +| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | +| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | +| winlog.user.name | Name of the user associated with this event. | keyword | +| winlog.user.type | The type of account associated with this event. | keyword | +| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | +| winlog.version | The version number of the event's definition. | long | + + +### System + +The Windows `system` data stream provides events from the Windows `System` +event log. 
+ +#### Supported operating systems + +- Windows + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. 
Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. 
| keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | +| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | +| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | +| winlog.computer_name | The name of the computer that generated the record. 
When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | +| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | +| winlog.event_data.AuthenticationPackageName | | keyword | +| winlog.event_data.Binary | | keyword | +| winlog.event_data.BitlockerUserInputTime | | keyword | +| winlog.event_data.BootMode | | keyword | +| winlog.event_data.BootType | | keyword | +| winlog.event_data.BuildVersion | | keyword | +| winlog.event_data.Company | | keyword | +| winlog.event_data.CorruptionActionState | | keyword | +| winlog.event_data.CreationUtcTime | | keyword | +| winlog.event_data.Description | | keyword | +| winlog.event_data.Detail | | keyword | +| winlog.event_data.DeviceName | | keyword | +| winlog.event_data.DeviceNameLength | | keyword | +| winlog.event_data.DeviceTime | | keyword | +| winlog.event_data.DeviceVersionMajor | | keyword | +| winlog.event_data.DeviceVersionMinor | | keyword | +| winlog.event_data.DriveName | | keyword | +| winlog.event_data.DriverName | | keyword | +| winlog.event_data.DriverNameLength | | keyword | +| winlog.event_data.DwordVal | | keyword | +| winlog.event_data.EntryCount | | keyword | +| winlog.event_data.ExtraInfo | | keyword | +| winlog.event_data.FailureName | | keyword | +| winlog.event_data.FailureNameLength | | keyword | +| winlog.event_data.FileVersion | | keyword | +| winlog.event_data.FinalStatus | | keyword | +| winlog.event_data.Group | | keyword | +| winlog.event_data.IdleImplementation | | keyword | +| winlog.event_data.IdleStateCount | | keyword | +| winlog.event_data.ImpersonationLevel | | keyword | +| winlog.event_data.IntegrityLevel | | keyword | +| winlog.event_data.IpAddress | | keyword | +| winlog.event_data.IpPort 
| | keyword | +| winlog.event_data.KeyLength | | keyword | +| winlog.event_data.LastBootGood | | keyword | +| winlog.event_data.LastShutdownGood | | keyword | +| winlog.event_data.LmPackageName | | keyword | +| winlog.event_data.LogonGuid | | keyword | +| winlog.event_data.LogonId | | keyword | +| winlog.event_data.LogonProcessName | | keyword | +| winlog.event_data.LogonType | | keyword | +| winlog.event_data.MajorVersion | | keyword | +| winlog.event_data.MaximumPerformancePercent | | keyword | +| winlog.event_data.MemberName | | keyword | +| winlog.event_data.MemberSid | | keyword | +| winlog.event_data.MinimumPerformancePercent | | keyword | +| winlog.event_data.MinimumThrottlePercent | | keyword | +| winlog.event_data.MinorVersion | | keyword | +| winlog.event_data.NewProcessId | | keyword | +| winlog.event_data.NewProcessName | | keyword | +| winlog.event_data.NewSchemeGuid | | keyword | +| winlog.event_data.NewTime | | keyword | +| winlog.event_data.NominalFrequency | | keyword | +| winlog.event_data.Number | | keyword | +| winlog.event_data.OldSchemeGuid | | keyword | +| winlog.event_data.OldTime | | keyword | +| winlog.event_data.OriginalFileName | | keyword | +| winlog.event_data.Path | | keyword | +| winlog.event_data.PerformanceImplementation | | keyword | +| winlog.event_data.PreviousCreationUtcTime | | keyword | +| winlog.event_data.PreviousTime | | keyword | +| winlog.event_data.PrivilegeList | | keyword | +| winlog.event_data.ProcessId | | keyword | +| winlog.event_data.ProcessName | | keyword | +| winlog.event_data.ProcessPath | | keyword | +| winlog.event_data.ProcessPid | | keyword | +| winlog.event_data.Product | | keyword | +| winlog.event_data.PuaCount | | keyword | +| winlog.event_data.PuaPolicyId | | keyword | +| winlog.event_data.QfeVersion | | keyword | +| winlog.event_data.Reason | | keyword | +| winlog.event_data.SchemaVersion | | keyword | +| winlog.event_data.ScriptBlockText | | keyword | +| winlog.event_data.ServiceName | | keyword | 
+| winlog.event_data.ServiceVersion | | keyword | +| winlog.event_data.ShutdownActionType | | keyword | +| winlog.event_data.ShutdownEventCode | | keyword | +| winlog.event_data.ShutdownReason | | keyword | +| winlog.event_data.Signature | | keyword | +| winlog.event_data.SignatureStatus | | keyword | +| winlog.event_data.Signed | | keyword | +| winlog.event_data.StartTime | | keyword | +| winlog.event_data.State | | keyword | +| winlog.event_data.Status | | keyword | +| winlog.event_data.StopTime | | keyword | +| winlog.event_data.SubjectDomainName | | keyword | +| winlog.event_data.SubjectLogonId | | keyword | +| winlog.event_data.SubjectUserName | | keyword | +| winlog.event_data.SubjectUserSid | | keyword | +| winlog.event_data.TSId | | keyword | +| winlog.event_data.TargetDomainName | | keyword | +| winlog.event_data.TargetInfo | | keyword | +| winlog.event_data.TargetLogonGuid | | keyword | +| winlog.event_data.TargetLogonId | | keyword | +| winlog.event_data.TargetServerName | | keyword | +| winlog.event_data.TargetUserName | | keyword | +| winlog.event_data.TargetUserSid | | keyword | +| winlog.event_data.TerminalSessionId | | keyword | +| winlog.event_data.TokenElevationType | | keyword | +| winlog.event_data.TransmittedServices | | keyword | +| winlog.event_data.UserSid | | keyword | +| winlog.event_data.Version | | keyword | +| winlog.event_data.Workstation | | keyword | +| winlog.event_data.param1 | | keyword | +| winlog.event_data.param2 | | keyword | +| winlog.event_data.param3 | | keyword | +| winlog.event_data.param4 | | keyword | +| winlog.event_data.param5 | | keyword | +| winlog.event_data.param6 | | keyword | +| winlog.event_data.param7 | | keyword | +| winlog.event_data.param8 | | keyword | +| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | +| winlog.keywords | The keywords are used to classify an event. | keyword | +| winlog.opcode | The opcode defined in the event. 
Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | +| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | +| winlog.process.thread.id | | long | +| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | +| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | +| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | +| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | +| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | +| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | +| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | +| winlog.user.name | Name of the user associated with this event. | keyword | +| winlog.user.type | The type of account associated with this event. 
| keyword | +| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | +| winlog.version | The version number of the event's definition. | long | + + + +### Security + +The Windows `security` data stream provides events from the Windows +`Security` event log. + +#### Supported operating systems + +- Windows + +An example event for `security` looks as following: + +```json +{ + "@timestamp": "2019-11-07T10:37:04.226Z", + "agent": { + "ephemeral_id": "aa973fb6-b8fe-427e-a9e9-51c411926db8", + "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "data_stream": { + "dataset": "system.security", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", + "snapshot": true, + "version": "8.2.1" + }, + "event": { + "action": "logging-service-shutdown", + "agent_id_status": "verified", + "category": [ + "process" + ], + "code": "1100", + "created": "2022-05-18T06:07:07.204Z", + "dataset": "system.security", + "ingested": "2022-05-18T06:07:08Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Eventlog' Guid='{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}'/\u003e\u003cEventID\u003e1100\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x4020000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-11-07T10:37:04.226092500Z'/\u003e\u003cEventRecordID\u003e14257\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1144' 
ThreadID='4532'/\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eWIN-41OB2LO92CR.wlbeat.local\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cUserData\u003e\u003cServiceShutdown xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'\u003e\u003c/ServiceShutdown\u003e\u003c/UserData\u003e\u003c/Event\u003e", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", + "type": [ + "end" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "information" + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1100", + "keywords": [ + "Audit Success" + ], + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 1144, + "thread": { + "id": 4532 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "14257", + "time_created": "2019-11-07T10:37:04.226Z" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. 
| keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. 
| keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. 
| long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.target_path | Target path for symlinks. | keyword | +| file.target_path.text | Multi-field of `file.target_path`. | match_only_text | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. 
| keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. 
| keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| user.changes.name | Short name or login of the user. | keyword | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. 
| keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | +| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | +| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | +| winlog.computerObject.domain | | keyword | +| winlog.computerObject.id | | keyword | +| winlog.computerObject.name | | keyword | +| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | +| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. 
If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | +| winlog.event_data.AccessGranted | | keyword | +| winlog.event_data.AccessList | | keyword | +| winlog.event_data.AccessListDescription | | keyword | +| winlog.event_data.AccessMask | | keyword | +| winlog.event_data.AccessMaskDescription | | keyword | +| winlog.event_data.AccessReason | | keyword | +| winlog.event_data.AccessRemoved | | keyword | +| winlog.event_data.AccountDomain | | keyword | +| winlog.event_data.AccountExpires | | keyword | +| winlog.event_data.AccountName | | keyword | +| winlog.event_data.AllowedToDelegateTo | | keyword | +| winlog.event_data.AuditPolicyChanges | | keyword | +| winlog.event_data.AuditPolicyChangesDescription | | keyword | +| winlog.event_data.AuditSourceName | | keyword | +| winlog.event_data.AuthenticationPackageName | | keyword | +| winlog.event_data.Binary | | keyword | +| winlog.event_data.BitlockerUserInputTime | | keyword | +| winlog.event_data.BootMode | | keyword | +| winlog.event_data.BootType | | keyword | +| winlog.event_data.BuildVersion | | keyword | +| winlog.event_data.CallerProcessId | | keyword | +| winlog.event_data.CallerProcessName | | keyword | +| winlog.event_data.Category | | keyword | +| winlog.event_data.CategoryId | | keyword | +| winlog.event_data.ClientAddress | | keyword | +| winlog.event_data.ClientName | | keyword | +| winlog.event_data.ClientProcessId | | keyword | +| winlog.event_data.CommandLine | | keyword | +| winlog.event_data.Company | | keyword | +| winlog.event_data.ComputerAccountChange | | keyword | +| winlog.event_data.CorruptionActionState | | keyword | +| winlog.event_data.CountOfCredentialsReturned | | keyword | +| winlog.event_data.CrashOnAuditFailValue | | keyword | +| winlog.event_data.CreationUtcTime | | keyword | +| winlog.event_data.Description | | 
keyword | +| winlog.event_data.Detail | | keyword | +| winlog.event_data.DeviceName | | keyword | +| winlog.event_data.DeviceNameLength | | keyword | +| winlog.event_data.DeviceTime | | keyword | +| winlog.event_data.DeviceVersionMajor | | keyword | +| winlog.event_data.DeviceVersionMinor | | keyword | +| winlog.event_data.DisplayName | | keyword | +| winlog.event_data.DnsHostName | | keyword | +| winlog.event_data.DomainBehaviorVersion | | keyword | +| winlog.event_data.DomainName | | keyword | +| winlog.event_data.DomainPolicyChanged | | keyword | +| winlog.event_data.DomainSid | | keyword | +| winlog.event_data.DriveName | | keyword | +| winlog.event_data.DriverName | | keyword | +| winlog.event_data.DriverNameLength | | keyword | +| winlog.event_data.Dummy | | keyword | +| winlog.event_data.DwordVal | | keyword | +| winlog.event_data.EntryCount | | keyword | +| winlog.event_data.EventSourceId | | keyword | +| winlog.event_data.ExtraInfo | | keyword | +| winlog.event_data.FailureName | | keyword | +| winlog.event_data.FailureNameLength | | keyword | +| winlog.event_data.FailureReason | | keyword | +| winlog.event_data.FileVersion | | keyword | +| winlog.event_data.FinalStatus | | keyword | +| winlog.event_data.Flags | | keyword | +| winlog.event_data.Group | | keyword | +| winlog.event_data.GroupTypeChange | | keyword | +| winlog.event_data.HandleId | | keyword | +| winlog.event_data.HomeDirectory | | keyword | +| winlog.event_data.HomePath | | keyword | +| winlog.event_data.Identity | | keyword | +| winlog.event_data.IdleImplementation | | keyword | +| winlog.event_data.IdleStateCount | | keyword | +| winlog.event_data.ImpersonationLevel | | keyword | +| winlog.event_data.IntegrityLevel | | keyword | +| winlog.event_data.IpAddress | | keyword | +| winlog.event_data.IpPort | | keyword | +| winlog.event_data.KerberosPolicyChange | | keyword | +| winlog.event_data.KeyLength | | keyword | +| winlog.event_data.LastBootGood | | keyword | +| 
winlog.event_data.LastShutdownGood | | keyword | +| winlog.event_data.LmPackageName | | keyword | +| winlog.event_data.LogonGuid | | keyword | +| winlog.event_data.LogonHours | | keyword | +| winlog.event_data.LogonID | | keyword | +| winlog.event_data.LogonId | | keyword | +| winlog.event_data.LogonProcessName | | keyword | +| winlog.event_data.LogonType | | keyword | +| winlog.event_data.MachineAccountQuota | | keyword | +| winlog.event_data.MajorVersion | | keyword | +| winlog.event_data.MandatoryLabel | | keyword | +| winlog.event_data.MaximumPerformancePercent | | keyword | +| winlog.event_data.MemberName | | keyword | +| winlog.event_data.MemberSid | | keyword | +| winlog.event_data.MinimumPerformancePercent | | keyword | +| winlog.event_data.MinimumThrottlePercent | | keyword | +| winlog.event_data.MinorVersion | | keyword | +| winlog.event_data.MixedDomainMode | | keyword | +| winlog.event_data.NewProcessId | | keyword | +| winlog.event_data.NewProcessName | | keyword | +| winlog.event_data.NewSchemeGuid | | keyword | +| winlog.event_data.NewSd | | keyword | +| winlog.event_data.NewSdDacl0 | | keyword | +| winlog.event_data.NewSdDacl1 | | keyword | +| winlog.event_data.NewSdDacl2 | | keyword | +| winlog.event_data.NewSdSacl0 | | keyword | +| winlog.event_data.NewSdSacl1 | | keyword | +| winlog.event_data.NewSdSacl2 | | keyword | +| winlog.event_data.NewTargetUserName | | keyword | +| winlog.event_data.NewTime | | keyword | +| winlog.event_data.NewUACList | | keyword | +| winlog.event_data.NewUacValue | | keyword | +| winlog.event_data.NominalFrequency | | keyword | +| winlog.event_data.Number | | keyword | +| winlog.event_data.ObjectName | | keyword | +| winlog.event_data.ObjectServer | | keyword | +| winlog.event_data.ObjectType | | keyword | +| winlog.event_data.OemInformation | | keyword | +| winlog.event_data.OldSchemeGuid | | keyword | +| winlog.event_data.OldSd | | keyword | +| winlog.event_data.OldSdDacl0 | | keyword | +| winlog.event_data.OldSdDacl1 
| | keyword | +| winlog.event_data.OldSdDacl2 | | keyword | +| winlog.event_data.OldSdSacl0 | | keyword | +| winlog.event_data.OldSdSacl1 | | keyword | +| winlog.event_data.OldSdSacl2 | | keyword | +| winlog.event_data.OldTargetUserName | | keyword | +| winlog.event_data.OldTime | | keyword | +| winlog.event_data.OldUacValue | | keyword | +| winlog.event_data.OriginalFileName | | keyword | +| winlog.event_data.PackageName | | keyword | +| winlog.event_data.ParentProcessName | | keyword | +| winlog.event_data.PasswordHistoryLength | | keyword | +| winlog.event_data.PasswordLastSet | | keyword | +| winlog.event_data.Path | | keyword | +| winlog.event_data.PerformanceImplementation | | keyword | +| winlog.event_data.PreAuthType | | keyword | +| winlog.event_data.PreviousCreationUtcTime | | keyword | +| winlog.event_data.PreviousTime | | keyword | +| winlog.event_data.PrimaryGroupId | | keyword | +| winlog.event_data.PrivilegeList | | keyword | +| winlog.event_data.ProcessCreationTime | | keyword | +| winlog.event_data.ProcessId | | keyword | +| winlog.event_data.ProcessName | | keyword | +| winlog.event_data.ProcessPath | | keyword | +| winlog.event_data.ProcessPid | | keyword | +| winlog.event_data.Product | | keyword | +| winlog.event_data.ProfilePath | | keyword | +| winlog.event_data.PuaCount | | keyword | +| winlog.event_data.PuaPolicyId | | keyword | +| winlog.event_data.QfeVersion | | keyword | +| winlog.event_data.ReadOperation | | keyword | +| winlog.event_data.Reason | | keyword | +| winlog.event_data.RelativeTargetName | | keyword | +| winlog.event_data.Resource | | keyword | +| winlog.event_data.ResourceAttributes | | keyword | +| winlog.event_data.ReturnCode | | keyword | +| winlog.event_data.SamAccountName | | keyword | +| winlog.event_data.Schema | | keyword | +| winlog.event_data.SchemaFriendlyName | | keyword | +| winlog.event_data.SchemaVersion | | keyword | +| winlog.event_data.ScriptBlockText | | keyword | +| winlog.event_data.ScriptPath | | 
keyword | +| winlog.event_data.SearchString | | keyword | +| winlog.event_data.Service | | keyword | +| winlog.event_data.ServiceAccount | | keyword | +| winlog.event_data.ServiceFileName | | keyword | +| winlog.event_data.ServiceName | | keyword | +| winlog.event_data.ServicePrincipalNames | | keyword | +| winlog.event_data.ServiceSid | | keyword | +| winlog.event_data.ServiceStartType | | keyword | +| winlog.event_data.ServiceType | | keyword | +| winlog.event_data.ServiceVersion | | keyword | +| winlog.event_data.SessionName | | keyword | +| winlog.event_data.ShareLocalPath | | keyword | +| winlog.event_data.ShareName | | keyword | +| winlog.event_data.ShutdownActionType | | keyword | +| winlog.event_data.ShutdownEventCode | | keyword | +| winlog.event_data.ShutdownReason | | keyword | +| winlog.event_data.SidFilteringEnabled | | keyword | +| winlog.event_data.SidHistory | | keyword | +| winlog.event_data.Signature | | keyword | +| winlog.event_data.SignatureStatus | | keyword | +| winlog.event_data.Signed | | keyword | +| winlog.event_data.StartTime | | keyword | +| winlog.event_data.State | | keyword | +| winlog.event_data.Status | | keyword | +| winlog.event_data.StatusDescription | | keyword | +| winlog.event_data.StopTime | | keyword | +| winlog.event_data.SubCategory | | keyword | +| winlog.event_data.SubCategoryGuid | | keyword | +| winlog.event_data.SubCategoryId | | keyword | +| winlog.event_data.SubStatus | | keyword | +| winlog.event_data.SubcategoryGuid | | keyword | +| winlog.event_data.SubcategoryId | | keyword | +| winlog.event_data.SubjectDomainName | | keyword | +| winlog.event_data.SubjectLogonId | | keyword | +| winlog.event_data.SubjectUserName | | keyword | +| winlog.event_data.SubjectUserSid | | keyword | +| winlog.event_data.TSId | | keyword | +| winlog.event_data.TargetDomainName | | keyword | +| winlog.event_data.TargetInfo | | keyword | +| winlog.event_data.TargetLogonGuid | | keyword | +| winlog.event_data.TargetLogonId | | keyword | 
+| winlog.event_data.TargetName | | keyword | +| winlog.event_data.TargetServerName | | keyword | +| winlog.event_data.TargetSid | | keyword | +| winlog.event_data.TargetUserName | | keyword | +| winlog.event_data.TargetUserSid | | keyword | +| winlog.event_data.TdoAttributes | | keyword | +| winlog.event_data.TdoDirection | | keyword | +| winlog.event_data.TdoType | | keyword | +| winlog.event_data.TerminalSessionId | | keyword | +| winlog.event_data.TicketEncryptionType | | keyword | +| winlog.event_data.TicketEncryptionTypeDescription | | keyword | +| winlog.event_data.TicketOptions | | keyword | +| winlog.event_data.TicketOptionsDescription | | keyword | +| winlog.event_data.TokenElevationType | | keyword | +| winlog.event_data.TransmittedServices | | keyword | +| winlog.event_data.Type | | keyword | +| winlog.event_data.UserAccountControl | | keyword | +| winlog.event_data.UserParameters | | keyword | +| winlog.event_data.UserPrincipalName | | keyword | +| winlog.event_data.UserSid | | keyword | +| winlog.event_data.UserWorkstations | | keyword | +| winlog.event_data.Version | | keyword | +| winlog.event_data.Workstation | | keyword | +| winlog.event_data.WorkstationName | | keyword | +| winlog.event_data.param1 | | keyword | +| winlog.event_data.param2 | | keyword | +| winlog.event_data.param3 | | keyword | +| winlog.event_data.param4 | | keyword | +| winlog.event_data.param5 | | keyword | +| winlog.event_data.param6 | | keyword | +| winlog.event_data.param7 | | keyword | +| winlog.event_data.param8 | | keyword | +| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | +| winlog.keywords | The keywords are used to classify an event. | keyword | +| winlog.level | The event severity. Levels are Critical, Error, Warning and Information, Verbose | keyword | +| winlog.logon.failure.reason | The reason the logon failed. | keyword | +| winlog.logon.failure.status | The reason the logon failed. 
This is textual description based on the value of the hexadecimal `Status` field. | keyword | +| winlog.logon.failure.sub_status | Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. | keyword | +| winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword | +| winlog.logon.type | Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. | keyword | +| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | +| winlog.outcome | Success or Failure of the event. | keyword | +| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | +| winlog.process.thread.id | | long | +| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | +| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | +| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | +| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | +| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. 
The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | +| winlog.time_created | Time event was created | date | +| winlog.trustAttribute | | keyword | +| winlog.trustDirection | | keyword | +| winlog.trustType | | keyword | +| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | +| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | +| winlog.user.name | Name of the user associated with this event. | keyword | +| winlog.user.type | The type of account associated with this event. | keyword | +| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | +| winlog.user_data.BackupPath | | keyword | +| winlog.user_data.Channel | | keyword | +| winlog.user_data.SubjectDomainName | | keyword | +| winlog.user_data.SubjectLogonId | | keyword | +| winlog.user_data.SubjectUserName | | keyword | +| winlog.user_data.SubjectUserSid | | keyword | +| winlog.user_data.xml_name | | keyword | +| winlog.version | The version number of the event's definition. | long | + + +### Auth + +The `auth` data stream provides auth logs. + +#### Supported operating systems + +- macOS prior to 10.8 +- Linux + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
| date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. 
| keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| system.auth.ssh.dropped_ip | The client IP from SSH connections that are open and immediately dropped. 
| ip | +| system.auth.ssh.event | The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) | keyword | +| system.auth.ssh.method | The SSH authentication method. Can be one of "password" or "publickey". | keyword | +| system.auth.ssh.signature | The signature of the client public key. | keyword | +| system.auth.sudo.command | The command executed via sudo. | keyword | +| system.auth.sudo.error | The error message in case the sudo command failed. | keyword | +| system.auth.sudo.pwd | The current directory where the sudo command is executed. | keyword | +| system.auth.sudo.tty | The TTY where the sudo command is executed. | keyword | +| system.auth.sudo.user | The target user to which the sudo command is switching. | keyword | +| system.auth.useradd.home | The home folder for the new user. | keyword | +| system.auth.useradd.shell | The default shell for the new user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| version | Operating system version as a raw string. | keyword | + + +### syslog + +The `syslog` data stream provides system logs. + +#### Supported operating systems + +- macOS +- Linux + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. 
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | + + +## Metrics reference + +### Core + +The System `core` data stream provides usage statistics for each CPU core. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- OpenBSD +- Windows + +#### Permissions + +This data should be available without elevated permissions. + +**Exported fields** + +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. 
| keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| event.dataset | Event dataset. | constant_keyword | | | +| event.module | Event module | constant_keyword | | | +| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. 
| keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.full | Operating system name, including the version or code name. | keyword | | | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| system.core.id | CPU Core number. | keyword | | | +| system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge | +| system.core.idle.ticks | The amount of CPU time spent idle. | long | | counter | +| system.core.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | percent | gauge | +| system.core.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | | counter | +| system.core.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | percent | gauge | +| system.core.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | | counter | +| system.core.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | percent | gauge | +| system.core.nice.ticks | The amount of CPU time spent on low-priority processes. | long | | counter | +| system.core.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. 
| scaled_float | percent | gauge | +| system.core.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | | counter | +| system.core.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | percent | gauge | +| system.core.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | | counter | +| system.core.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | percent | gauge | +| system.core.system.ticks | The amount of CPU time spent in kernel space. | long | | counter | +| system.core.user.pct | The percentage of CPU time spent in user space. | scaled_float | percent | gauge | +| system.core.user.ticks | The amount of CPU time spent in user space. | long | | counter | + + +### CPU + +The System `cpu` data stream provides CPU statistics. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- OpenBSD +- Windows + +#### Permissions + +This data should be available without elevated permissions. + +**Exported fields** + +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. 
| keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| event.dataset | Event dataset. | constant_keyword | | | +| event.module | Event module | constant_keyword | | | +| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | percent | gauge | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.full | Operating system name, including the version or code name. | keyword | | | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% \* cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long | | gauge | +| system.cpu.idle.norm.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge | +| system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge | +| system.cpu.idle.ticks | The amount of CPU time spent idle. 
| long | | counter | +| system.cpu.iowait.norm.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | percent | gauge | +| system.cpu.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | percent | gauge | +| system.cpu.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | | counter | +| system.cpu.irq.norm.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | percent | gauge | +| system.cpu.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | percent | gauge | +| system.cpu.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | | counter | +| system.cpu.nice.norm.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | percent | gauge | +| system.cpu.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | percent | gauge | +| system.cpu.nice.ticks | The amount of CPU time spent on low-priority processes. | long | | counter | +| system.cpu.softirq.norm.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | percent | gauge | +| system.cpu.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | percent | gauge | +| system.cpu.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | | counter | +| system.cpu.steal.norm.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | percent | gauge | +| system.cpu.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. 
| scaled_float | percent | gauge | +| system.cpu.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | | counter | +| system.cpu.system.norm.pct | The percentage of CPU time spent in kernel space. | scaled_float | percent | gauge | +| system.cpu.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | percent | gauge | +| system.cpu.system.ticks | The amount of CPU time spent in kernel space. | long | | counter | +| system.cpu.total.norm.pct | The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. | scaled_float | percent | gauge | +| system.cpu.total.pct | The percentage of CPU time spent in states other than Idle and IOWait. | scaled_float | percent | gauge | +| system.cpu.user.norm.pct | The percentage of CPU time spent in user space. | scaled_float | percent | gauge | +| system.cpu.user.pct | The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. | scaled_float | percent | gauge | +| system.cpu.user.ticks | The amount of CPU time spent in user space. | long | | counter | + + +### Disk IO + +The System `diskio` data stream provides disk IO metrics collected from the +operating system. One event is created for each disk mounted on the system. + +#### Supported operating systems + +- Linux +- macOS (requires 10.10+) +- Windows +- FreeBSD (amd64) + +#### Permissions + +This data should be available without elevated permissions. + +**Exported fields** + +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. 
| keyword | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| event.dataset | Event dataset. | constant_keyword | | | +| event.module | Event module | constant_keyword | | | +| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. 
| long | | | +| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | long | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.full | Operating system name, including the version or code name. | keyword | | | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | +| system.diskio.io.time | The total number of of milliseconds spent doing I/Os. | long | | counter | +| system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float | | gauge | +| system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float | | gauge | +| system.diskio.iostat.queue.avg_size | The average queue length of the requests that were issued to the device. | float | byte | gauge | +| system.diskio.iostat.read.await | The average time spent for read requests issued to the device to be served. | float | | gauge | +| system.diskio.iostat.read.per_sec.bytes | The number of Bytes read from the device per second. | float | | gauge | +| system.diskio.iostat.read.request.merges_per_sec | The number of read requests merged per second that were queued to the device. | float | | gauge | +| system.diskio.iostat.read.request.per_sec | The number of read requests that were issued to the device per second | float | | gauge | +| system.diskio.iostat.request.avg_size | The average size (in bytes) of the requests that were issued to the device. | float | byte | gauge | +| system.diskio.iostat.service_time | The average service time (in milliseconds) for I/O requests that were issued to the device. | float | ms | gauge | +| system.diskio.iostat.write.await | The average time spent for write requests issued to the device to be served. | float | | gauge | +| system.diskio.iostat.write.per_sec.bytes | The number of Bytes write from the device per second. | float | | gauge | +| system.diskio.iostat.write.request.merges_per_sec | The number of write requests merged per second that were queued to the device. 
| float | | gauge | +| system.diskio.iostat.write.request.per_sec | The number of write requests that were issued to the device per second | float | | gauge | +| system.diskio.name | The disk name. | keyword | | | +| system.diskio.read.bytes | The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. | long | byte | counter | +| system.diskio.read.count | The total number of reads completed successfully. | long | | counter | +| system.diskio.read.time | The total number of milliseconds spent by all reads. | long | | counter | +| system.diskio.serial_number | The disk's serial number. This may not be provided by all operating systems. | keyword | | | +| system.diskio.write.bytes | The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. | long | byte | counter | +| system.diskio.write.count | The total number of writes completed successfully. | long | | counter | +| system.diskio.write.time | The total number of milliseconds spent by all writes. | long | | counter | + + +### Filesystem + +The System `filesystem` data stream provides file system statistics. For each file +system, one document is provided. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- OpenBSD +- Windows + +#### Permissions + +This data should be available without elevated permissions. + +**Exported fields** + +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| event.dataset | Event dataset. | constant_keyword | | | +| event.module | Event module | constant_keyword | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. 
| ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| system.filesystem.available | The disk space available to an unprivileged user in bytes. | long | byte | gauge | +| system.filesystem.device_name | The disk name. For example: `/dev/disk1` | keyword | | | +| system.filesystem.files | The total number of file nodes in the file system. | long | | gauge | +| system.filesystem.free | The disk space available in bytes. | long | byte | gauge | +| system.filesystem.free_files | The number of free file nodes in the file system. | long | | gauge | +| system.filesystem.mount_point | The mounting point. For example: `/` | keyword | | | +| system.filesystem.total | The total disk space in bytes. | long | byte | gauge | +| system.filesystem.type | The disk type. For example: `ext4` | keyword | | | +| system.filesystem.used.bytes | The used disk space in bytes. | long | byte | gauge | +| system.filesystem.used.pct | The percentage of used disk space. 
| scaled_float | percent | gauge | + + +### Fsstat + +The System `fsstat` data stream provides overall file system statistics. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- OpenBSD +- Windows + +#### Permissions + +This data should be available without elevated permissions. + +**Exported fields** + +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| event.dataset | Event dataset. 
| constant_keyword | | | +| event.module | Event module | constant_keyword | | | +| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.full | Operating system name, including the version or code name. | keyword | | | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. 
| match_only_text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| system.fsstat.count | Number of file systems found. | long | | gauge | +| system.fsstat.total_files | Total number of files. | long | | gauge | +| system.fsstat.total_size.free | Total free space. | long | byte | gauge | +| system.fsstat.total_size.total | Total space (used plus free). | long | byte | gauge | +| system.fsstat.total_size.used | Total used space. | long | byte | gauge | + + +### Load + +The System `load` data stream provides load statistics. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- OpenBSD + +#### Permissions + +This data should be available without elevated permissions. + +**Exported fields** + +| Field | Description | Type | Metric Type | +|---|---|---|---| +| @timestamp | Event timestamp. | date | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | +| cloud.instance.name | Instance name of the host machine. | keyword | | +| cloud.machine.type | Machine type of the host machine. | keyword | | +| cloud.project.id | Name of the project in Google Cloud. 
| keyword | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | +| cloud.region | Region in which this host is running. | keyword | | +| container.id | Unique container id. | keyword | | +| container.image.name | Name of the image the container was built on. | keyword | | +| container.labels | Image labels. | object | | +| container.name | Container name. | keyword | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | +| data_stream.type | Data stream type. | constant_keyword | | +| event.dataset | Event dataset. | constant_keyword | | +| event.module | Event module | constant_keyword | | +| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | +| host.architecture | Operating system architecture. | keyword | | +| host.containerized | If the host is a container. | boolean | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | +| host.ip | Host ip addresses. | ip | | +| host.mac | Host mac addresses. | keyword | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | | +| host.os.build | OS build information. | keyword | | +| host.os.codename | OS codename, if any. | keyword | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | +| host.os.full | Operating system name, including the version or code name. | keyword | | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | +| host.os.name | Operating system name, without the version. | keyword | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | +| host.os.version | Operating system version as a raw string. | keyword | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | +| system.load.1 | Load average for the last minute. | scaled_float | gauge | +| system.load.15 | Load average for the last 15 minutes. | scaled_float | gauge | +| system.load.5 | Load average for the last 5 minutes. | scaled_float | gauge | +| system.load.cores | The number of CPU cores present on the host. | long | gauge | +| system.load.norm.1 | Load for the last minute divided by the number of cores. | scaled_float | gauge | +| system.load.norm.15 | Load for the last 15 minutes divided by the number of cores. | scaled_float | gauge | +| system.load.norm.5 | Load for the last 5 minutes divided by the number of cores. | scaled_float | gauge | + + +### Memory + +The System `memory` data stream provides memory statistics. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- OpenBSD +- Windows + +#### Permissions + +This data should be available without elevated permissions. 
+ +**Exported fields** + +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| event.dataset | Event dataset. | constant_keyword | | | +| event.module | Event module | constant_keyword | | | +| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. 
| group | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.full | Operating system name, including the version or code name. | keyword | | | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | +| system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long | byte | gauge | +| system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. | long | byte | gauge | +| system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float | percent | gauge | +| system.memory.free | The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). | long | byte | gauge | +| system.memory.hugepages.default_size | Default size for huge pages. | long | | gauge | +| system.memory.hugepages.free | Number of available huge pages in the pool. | long | | gauge | +| system.memory.hugepages.reserved | Number of reserved but not allocated huge pages in the pool. | long | | gauge | +| system.memory.hugepages.surplus | Number of overcommited huge pages. | long | | gauge | +| system.memory.hugepages.swap.out.fallback | Count of huge pages that must be split before swapout | long | | gauge | +| system.memory.hugepages.swap.out.pages | pages swapped out | long | | gauge | +| system.memory.hugepages.total | Number of huge pages in the pool. | long | | gauge | +| system.memory.hugepages.used.bytes | Memory used in allocated huge pages. | long | byte | gauge | +| system.memory.hugepages.used.pct | Percentage of huge pages used. | long | percent | gauge | +| system.memory.page_stats.direct_efficiency.pct | direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. 
| scaled_float | percent | gauge | +| system.memory.page_stats.kswapd_efficiency.pct | kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | percent | gauge | +| system.memory.page_stats.pgfree.pages | pages freed by the system | long | | counter | +| system.memory.page_stats.pgscan_direct.pages | pages scanned directly | long | | counter | +| system.memory.page_stats.pgscan_kswapd.pages | pages scanned by kswapd | long | | counter | +| system.memory.page_stats.pgsteal_direct.pages | number of pages reclaimed directly | long | | counter | +| system.memory.page_stats.pgsteal_kswapd.pages | number of pages reclaimed by kswapd | long | | counter | +| system.memory.swap.free | Available swap memory. | long | byte | gauge | +| system.memory.swap.in.pages | count of pages swapped in | long | | gauge | +| system.memory.swap.out.pages | count of pages swapped out | long | | counter | +| system.memory.swap.readahead.cached | swap readahead cache hits | long | | counter | +| system.memory.swap.readahead.pages | swap readahead pages | long | | counter | +| system.memory.swap.total | Total swap memory. | long | byte | gauge | +| system.memory.swap.used.bytes | Used swap memory. | long | byte | gauge | +| system.memory.swap.used.pct | The percentage of used swap memory. | scaled_float | percent | gauge | +| system.memory.total | Total memory. | long | byte | gauge | +| system.memory.used.bytes | Used memory. | long | byte | gauge | +| system.memory.used.pct | The percentage of used memory. | scaled_float | percent | gauge | + + +### Network + +The System `network` data stream provides network IO metrics collected from the +operating system. One event is created for each network interface. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- Windows + +#### Permissions + +This data should be available without elevated permissions. 
+ +**Exported fields** + +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| event.dataset | Event dataset. 
| constant_keyword | | | +| event.module | Event module | constant_keyword | | | +| group | The group fields are meant to represent groups that are relevant to the event. | group | | | +| group.id | Unique identifier for the group on the system/platform. | keyword | | | +| group.name | Name of the group. | keyword | | | +| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | long | byte | counter | +| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. 
| long | | counter | +| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | long | byte | counter | +| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long | | counter | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | | +| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | | +| process.name | Process name. Sometimes called program name or similar. | keyword | | | +| process.name.text | Multi-field of `process.name`. | match_only_text | | | +| process.pid | Process id. 
| long | | | +| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | | | +| source.geo.city_name | City name. | keyword | | | +| source.geo.continent_name | Name of the continent. | keyword | | | +| source.geo.country_iso_code | Country ISO code. | keyword | | | +| source.geo.location | Longitude and latitude. | geo_point | | | +| source.geo.region_iso_code | Region ISO code. | keyword | | | +| source.geo.region_name | Region name. | keyword | | | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | | | +| source.port | Port of the source. | long | | | +| system.network.in.bytes | The number of bytes received. | long | byte | counter | +| system.network.in.dropped | The number of incoming packets that were dropped. | long | | counter | +| system.network.in.errors | The number of errors while receiving. | long | | counter | +| system.network.in.packets | The number or packets received. | long | | counter | +| system.network.name | The network interface name. | keyword | | | +| system.network.out.bytes | The number of bytes sent. | long | byte | counter | +| system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long | | counter | +| system.network.out.errors | The number of errors while sending. | long | | counter | +| system.network.out.packets | The number of packets sent. 
| long | | counter | +| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | | | +| user.id | Unique identifier of the user. | keyword | | | +| user.name | Short name or login of the user. | keyword | | | +| user.name.text | Multi-field of `user.name`. | match_only_text | | | + + +### Process + +The System `process` data stream provides process statistics. One document is +provided for each process. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- Windows + +#### Permissions + +Process execution data should be available for an authorized user. +If running as less privileged user, it may not be able to read process data belonging to other users. + +**Exported fields** + +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. 
| keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | +| event.dataset | Event dataset. | constant_keyword | | | +| event.module | Event module | constant_keyword | | | +| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host MAC addresses. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.full | Operating system name, including the version or code name. | keyword | | | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. 
| keyword | | | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | | | +| process.cpu.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | | | +| process.cpu.start_time | The time when the process was started. | date | | | +| process.executable | Absolute path to the process executable. | keyword | | | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | | | +| process.memory.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | | | +| process.name | Process name. Sometimes called program name or similar. | keyword | | | +| process.name.text | Multi-field of `process.name`. | match_only_text | | | +| process.parent.pid | Process id. | long | | | +| process.pgid | Identifier of the group of processes the process belongs to. | long | | | +| process.pid | Process id. | long | | | +| process.state | The process state. For example: "running". | keyword | | | +| process.working_directory | The working directory of the process. | keyword | | | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | +| system.process.cgroup.blkio.id | ID of the cgroup. | keyword | | | +| system.process.cgroup.blkio.path | Path to the cgroup relative to the cgroup subsystems mountpoint. 
| keyword | | | +| system.process.cgroup.blkio.total.bytes | Total number of bytes transferred to and from all block devices by processes in the cgroup. | long | | | +| system.process.cgroup.blkio.total.ios | Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. | long | | | +| system.process.cgroup.cgroups_version | The version of cgroups reported for the process | long | | | +| system.process.cgroup.cpu.cfs.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. | long | | | +| system.process.cgroup.cpu.cfs.quota.us | Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). | long | | | +| system.process.cgroup.cpu.cfs.shares | An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. | long | | | +| system.process.cgroup.cpu.id | ID of the cgroup. | keyword | | | +| system.process.cgroup.cpu.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. 
| keyword | | | +| system.process.cgroup.cpu.pressure.full.10.pct | Pressure over 10 seconds | float | | | +| system.process.cgroup.cpu.pressure.full.300.pct | Pressure over 300 seconds | float | | | +| system.process.cgroup.cpu.pressure.full.60.pct | Pressure over 60 seconds | float | | | +| system.process.cgroup.cpu.pressure.full.total | total Full pressure time | long | | | +| system.process.cgroup.cpu.pressure.some.10.pct | Pressure over 10 seconds | float | | | +| system.process.cgroup.cpu.pressure.some.300.pct | Pressure over 300 seconds | float | | | +| system.process.cgroup.cpu.pressure.some.60.pct | Pressure over 60 seconds | float | | | +| system.process.cgroup.cpu.pressure.some.total | total Some pressure time | long | | | +| system.process.cgroup.cpu.rt.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. | long | | | +| system.process.cgroup.cpu.rt.runtime.us | Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. | long | | | +| system.process.cgroup.cpu.stats.periods | Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. | long | | | +| system.process.cgroup.cpu.stats.system.norm.pct | cgroups v2 normalized system time | float | | | +| system.process.cgroup.cpu.stats.system.ns | cgroups v2 system time in nanoseconds | long | | | +| system.process.cgroup.cpu.stats.system.pct | cgroups v2 system time | float | | | +| system.process.cgroup.cpu.stats.throttled.ns | The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. | long | | | +| system.process.cgroup.cpu.stats.throttled.periods | Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). 
| long | | | +| system.process.cgroup.cpu.stats.throttled.us | The total time duration (in microseconds) for which tasks in a cgroup have been throttled, as reported by cgroupsv2 | long | | | +| system.process.cgroup.cpu.stats.usage.norm.pct | cgroups v2 normalized usage | float | | | +| system.process.cgroup.cpu.stats.usage.ns | cgroups v2 usage in nanoseconds | long | | | +| system.process.cgroup.cpu.stats.usage.pct | cgroups v2 usage | float | | | +| system.process.cgroup.cpu.stats.user.norm.pct | cgroups v2 normalized cpu user time | float | | | +| system.process.cgroup.cpu.stats.user.ns | cgroups v2 cpu user time in nanoseconds | long | | | +| system.process.cgroup.cpu.stats.user.pct | cgroups v2 cpu user time | float | | | +| system.process.cgroup.cpuacct.id | ID of the cgroup. | keyword | | | +| system.process.cgroup.cpuacct.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | | | +| system.process.cgroup.cpuacct.percpu | CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. | object | | | +| system.process.cgroup.cpuacct.stats.system.norm.pct | Time the cgroup spent in kernel space, as a percentage of total CPU time, normalized by CPU count. | scaled_float | | | +| system.process.cgroup.cpuacct.stats.system.ns | CPU time consumed by tasks in user (kernel) mode. | long | | | +| system.process.cgroup.cpuacct.stats.system.pct | Time the cgroup spent in kernel space, as a percentage of total CPU time | scaled_float | | | +| system.process.cgroup.cpuacct.stats.user.norm.pct | time the cgroup spent in user space, as a percentage of total CPU time, normalized by CPU count. | scaled_float | | | +| system.process.cgroup.cpuacct.stats.user.ns | CPU time consumed by tasks in user mode. 
| long | | | +| system.process.cgroup.cpuacct.stats.user.pct | time the cgroup spent in user space, as a percentage of total CPU time | scaled_float | | | +| system.process.cgroup.cpuacct.total.norm.pct | CPU time of the cgroup as a percentage of overall CPU time, normalized by CPU count. This is functionally an average of time spent across individual CPUs. | scaled_float | | | +| system.process.cgroup.cpuacct.total.ns | Total CPU time in nanoseconds consumed by all tasks in the cgroup. | long | | | +| system.process.cgroup.cpuacct.total.pct | CPU time of the cgroup as a percentage of overall CPU time. | scaled_float | | | +| system.process.cgroup.id | The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. | keyword | | | +| system.process.cgroup.io.id | ID of the cgroup. | keyword | | | +| system.process.cgroup.io.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword | | | +| system.process.cgroup.io.pressure.full.10.pct | Pressure over 10 seconds | float | | | +| system.process.cgroup.io.pressure.full.300.pct | Pressure over 300 seconds | float | | | +| system.process.cgroup.io.pressure.full.60.pct | Pressure over 60 seconds | float | | | +| system.process.cgroup.io.pressure.full.total | total Some pressure time | long | | | +| system.process.cgroup.io.pressure.some.10.pct | Pressure over 10 seconds | float | | | +| system.process.cgroup.io.pressure.some.300.pct | Pressure over 300 seconds | float | | | +| system.process.cgroup.io.pressure.some.60.pct | Pressure over 60 seconds | float | | | +| system.process.cgroup.io.pressure.some.total | total Some pressure time | long | | | +| system.process.cgroup.io.stats.\* | per-device IO usage stats | object | | | +| system.process.cgroup.io.stats.\*.\* | | object | | | +| system.process.cgroup.io.stats.\*.\*.bytes | per-device IO usage stats | object | | | +| system.process.cgroup.io.stats.\*.\*.ios | per-device IO 
usage stats | object | | | +| system.process.cgroup.memory.id | ID of the cgroup. | keyword | | | +| system.process.cgroup.memory.kmem.failures | The number of times that the memory limit (kmem.limit.bytes) was reached. | long | | | +| system.process.cgroup.memory.kmem.limit.bytes | The maximum amount of kernel memory that tasks in the cgroup are allowed to use. | long | | | +| system.process.cgroup.memory.kmem.usage.bytes | Total kernel memory usage by processes in the cgroup (in bytes). | long | | | +| system.process.cgroup.memory.kmem.usage.max.bytes | The maximum kernel memory used by processes in the cgroup (in bytes). | long | | | +| system.process.cgroup.memory.kmem_tcp.failures | The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. | long | | | +| system.process.cgroup.memory.kmem_tcp.limit.bytes | The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. | long | | | +| system.process.cgroup.memory.kmem_tcp.usage.bytes | Total memory usage for TCP buffers in bytes. | long | | | +| system.process.cgroup.memory.kmem_tcp.usage.max.bytes | The maximum memory used for TCP buffers by processes in the cgroup (in bytes). | long | | | +| system.process.cgroup.memory.mem.events.fail | failed threshold | long | | | +| system.process.cgroup.memory.mem.events.high | high threshold | long | | | +| system.process.cgroup.memory.mem.events.low | low threshold | long | | | +| system.process.cgroup.memory.mem.events.max | max threshold | long | | | +| system.process.cgroup.memory.mem.events.oom | oom threshold | long | | | +| system.process.cgroup.memory.mem.events.oom_kill | oom killer threshold | long | | | +| system.process.cgroup.memory.mem.failures | The number of times that the memory limit (mem.limit.bytes) was reached. 
| long | | | +| system.process.cgroup.memory.mem.high.bytes | memory high threshhold | long | | | +| system.process.cgroup.memory.mem.limit.bytes | The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. | long | | | +| system.process.cgroup.memory.mem.low.bytes | memory low threshhold | long | | | +| system.process.cgroup.memory.mem.max.bytes | memory max threshhold | long | | | +| system.process.cgroup.memory.mem.usage.bytes | Total memory usage by processes in the cgroup (in bytes). | long | | | +| system.process.cgroup.memory.mem.usage.max.bytes | The maximum memory used by processes in the cgroup (in bytes). | long | | | +| system.process.cgroup.memory.memsw.events.fail | failed threshold | long | | | +| system.process.cgroup.memory.memsw.events.high | high threshold | long | | | +| system.process.cgroup.memory.memsw.events.low | low threshold | long | | | +| system.process.cgroup.memory.memsw.events.max | max threshold | long | | | +| system.process.cgroup.memory.memsw.events.oom | oom threshold | long | | | +| system.process.cgroup.memory.memsw.events.oom_kill | oom killer threshold | long | | | +| system.process.cgroup.memory.memsw.failures | The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. | long | | | +| system.process.cgroup.memory.memsw.high.bytes | memory high threshhold | long | | | +| system.process.cgroup.memory.memsw.limit.bytes | The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. | long | | | +| system.process.cgroup.memory.memsw.low.bytes | memory low threshhold | long | | | +| system.process.cgroup.memory.memsw.max.bytes | memory max threshhold | long | | | +| system.process.cgroup.memory.memsw.usage.bytes | The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). 
| long | | | +| system.process.cgroup.memory.memsw.usage.max.bytes | The maximum amount of memory and swap space used by processes in the cgroup (in bytes). | long | | | +| system.process.cgroup.memory.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | | | +| system.process.cgroup.memory.stats.\* | detailed memory IO stats | object | | | +| system.process.cgroup.memory.stats.\*.bytes | detailed memory IO stats | object | | | +| system.process.cgroup.memory.stats.active_anon.bytes | Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. | long | | | +| system.process.cgroup.memory.stats.active_file.bytes | File-backed memory on active LRU list, in bytes. | long | | | +| system.process.cgroup.memory.stats.cache.bytes | Page cache, including tmpfs (shmem), in bytes. | long | | | +| system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes | Memory limit for the hierarchy that contains the memory cgroup, in bytes. | long | | | +| system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes | Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. | long | | | +| system.process.cgroup.memory.stats.inactive_anon.bytes | Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes | long | | | +| system.process.cgroup.memory.stats.inactive_file.bytes | File-backed memory on inactive LRU list, in bytes. | long | | | +| system.process.cgroup.memory.stats.major_page_faults | Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. | long | | | +| system.process.cgroup.memory.stats.mapped_file.bytes | Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. | long | | | +| system.process.cgroup.memory.stats.page_faults | Number of times that a process in the cgroup triggered a page fault. 
| long | | | +| system.process.cgroup.memory.stats.pages_in | Number of pages paged into memory. This is a counter. | long | | | +| system.process.cgroup.memory.stats.pages_out | Number of pages paged out of memory. This is a counter. | long | | | +| system.process.cgroup.memory.stats.rss.bytes | Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. | long | | | +| system.process.cgroup.memory.stats.rss_huge.bytes | Number of bytes of anonymous transparent hugepages. | long | | | +| system.process.cgroup.memory.stats.swap.bytes | Swap usage, in bytes. | long | | | +| system.process.cgroup.memory.stats.unevictable.bytes | Memory that cannot be reclaimed, in bytes. | long | | | +| system.process.cgroup.path | The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. | keyword | | | +| system.process.cmdline | The full command-line used to start the process, including the arguments separated by space. | keyword | | | +| system.process.cpu.start_time | The time when the process was started. | date | | | +| system.process.cpu.system.ticks | The amount of CPU time the process spent in kernel space. | long | | counter | +| system.process.cpu.total.norm.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. | scaled_float | percent | gauge | +| system.process.cpu.total.pct | The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. | scaled_float | percent | gauge | +| system.process.cpu.total.ticks | The total CPU time spent by the process. | long | | counter | +| system.process.cpu.total.value | The value of CPU usage since starting the process. 
| long | | counter | +| system.process.cpu.user.ticks | The amount of CPU time the process spent in user space. | long | | counter | +| system.process.env | The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. | object | | | +| system.process.fd.limit.hard | The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. | long | | gauge | +| system.process.fd.limit.soft | The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. | long | | gauge | +| system.process.fd.open | The number of file descriptors open by the process. | long | | gauge | +| system.process.memory.rss.bytes | The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. | long | byte | gauge | +| system.process.memory.rss.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | percent | gauge | +| system.process.memory.share | The shared memory the process uses. | long | byte | gauge | +| system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long | byte | gauge | +| system.process.state | The process state. For example: "running". | keyword | | | +| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | | | +| user.name | Short name or login of the user. | keyword | | | +| user.name.text | Multi-field of `user.name`. 
| match_only_text | | | + + +### Process summary + +The `process_summary` data stream collects high level statistics about the running +processes. + +#### Supported operating systems + +- FreeBSD +- Linux +- macOS +- Windows + +#### Permissions + +General process summary data should be available without elevated permissions. +If the process data belongs to the other users, it will be counted as unknown value. + +**Exported fields** + +| Field | Description | Type | Metric Type | +|---|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | +| cloud.instance.name | Instance name of the host machine. | keyword | | +| cloud.machine.type | Machine type of the host machine. | keyword | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | +| cloud.region | Region in which this host is running. | keyword | | +| container.id | Unique container id. | keyword | | +| container.image.name | Name of the image the container was built on. | keyword | | +| container.labels | Image labels. 
| object | |
+| container.name | Container name. | keyword | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| event.dataset | Event dataset. | constant_keyword | |
+| event.module | Event module | constant_keyword | |
+| group | The group fields are meant to represent groups that are relevant to the event. | group | |
+| group.id | Unique identifier for the group on the system/platform. | keyword | |
+| group.name | Name of the group. | keyword | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
+| host.architecture | Operating system architecture. | keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
+| host.ip | Host ip addresses. | ip | |
+| host.mac | Host mac addresses. | keyword | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | |
+| host.os.name | Operating system name, without the version. | keyword | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.version | Operating system version as a raw string. | keyword | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | |
+| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | |
+| process.name | Process name. Sometimes called program name or similar. | keyword | |
+| process.name.text | Multi-field of `process.name`. | match_only_text | |
+| process.pid | Process id. | long | |
+| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | |
+| source.geo.city_name | City name. | keyword | |
+| source.geo.continent_name | Name of the continent. | keyword | |
+| source.geo.country_iso_code | Country ISO code. | keyword | |
+| source.geo.location | Longitude and latitude. | geo_point | |
+| source.geo.region_iso_code | Region ISO code. | keyword | |
+| source.geo.region_name | Region name. | keyword | |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip | |
+| source.port | Port of the source. | long | |
+| system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. | long | gauge |
+| system.process.summary.idle | Number of idle processes on this host. | long | gauge |
+| system.process.summary.running | Number of running processes on this host. | long | gauge |
+| system.process.summary.sleeping | Number of sleeping processes on this host. | long | gauge |
+| system.process.summary.stopped | Number of stopped processes on this host. | long | gauge |
+| system.process.summary.total | Total number of processes on this host. | long | gauge |
+| system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long | gauge |
+| system.process.summary.zombie | Number of zombie processes on this host. | long | gauge |
+| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | |
+| user.id | Unique identifier of the user. | keyword | |
+| user.name | Short name or login of the user. | keyword | |
+| user.name.text | Multi-field of `user.name`. | match_only_text | |
+
+
+### Socket summary
+
+The System `socket_summary` data stream provides the summary of open network
+sockets in the host system.
+
+It collects a summary of metrics with the count of existing TCP and UDP
+connections and the count of listening ports.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+**Exported fields**
+
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.instance.name | Instance name of the host machine. | keyword | | |
+| cloud.machine.type | Machine type of the host machine. | keyword | | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host is running. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| container.image.name | Name of the image the container was built on. | keyword | | |
+| container.labels | Image labels. | object | | |
+| container.name | Container name. | keyword | | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| event.dataset | Event dataset. | constant_keyword | | |
+| event.module | Event module | constant_keyword | | |
+| group | The group fields are meant to represent groups that are relevant to the event. | group | | |
+| group.id | Unique identifier for the group on the system/platform. | keyword | | |
+| group.name | Name of the group. | keyword | | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
+| host.architecture | Operating system architecture. | keyword | | |
+| host.containerized | If the host is a container. | boolean | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
+| host.mac | Host mac addresses. | keyword | | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.os.build | OS build information. | keyword | | |
+| host.os.codename | OS codename, if any. | keyword | | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
+| host.os.name | Operating system name, without the version. | keyword | | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.version | Operating system version as a raw string. | keyword | | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | |
+| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | |
+| process.name | Process name. Sometimes called program name or similar. | keyword | | |
+| process.name.text | Multi-field of `process.name`. | match_only_text | | |
+| process.pid | Process id. | long | | |
+| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | | |
+| source.geo.city_name | City name. | keyword | | |
+| source.geo.continent_name | Name of the continent. | keyword | | |
+| source.geo.country_iso_code | Country ISO code. | keyword | | |
+| source.geo.location | Longitude and latitude. | geo_point | | |
+| source.geo.region_iso_code | Region ISO code. | keyword | | |
+| source.geo.region_name | Region name. | keyword | | |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip | | |
+| source.port | Port of the source. | long | | |
+| system.socket.summary.all.count | All open connections | integer | | gauge |
+| system.socket.summary.all.listening | All listening ports | integer | | gauge |
+| system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer | | gauge |
+| system.socket.summary.tcp.all.closing | Number of TCP connections in _closing_ state | integer | | gauge |
+| system.socket.summary.tcp.all.count | All open TCP connections | integer | | gauge |
+| system.socket.summary.tcp.all.established | Number of established TCP connections | integer | | gauge |
+| system.socket.summary.tcp.all.fin_wait1 | Number of TCP connections in _fin_wait1_ state | integer | | gauge |
+| system.socket.summary.tcp.all.fin_wait2 | Number of TCP connections in _fin_wait2_ state | integer | | gauge |
+| system.socket.summary.tcp.all.last_ack | Number of TCP connections in _last_ack_ state | integer | | gauge |
+| system.socket.summary.tcp.all.listening | All TCP listening ports | integer | | gauge |
+| system.socket.summary.tcp.all.orphan | A count of all orphaned tcp sockets. Only available on Linux. | integer | | gauge |
+| system.socket.summary.tcp.all.syn_recv | Number of TCP connections in _syn_recv_ state | integer | | gauge |
+| system.socket.summary.tcp.all.syn_sent | Number of TCP connections in _syn_sent_ state | integer | | gauge |
+| system.socket.summary.tcp.all.time_wait | Number of TCP connections in _time_wait_ state | integer | | gauge |
+| system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. | integer | byte | gauge |
+| system.socket.summary.udp.all.count | All open UDP connections | integer | | gauge |
+| system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer | byte | gauge |
+| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | | |
+| user.id | Unique identifier of the user. | keyword | | |
+| user.name | Short name or login of the user. | keyword | | |
+| user.name.text | Multi-field of `user.name`. | match_only_text | | |
+
+
+### Uptime
+
+The System `uptime` data stream provides the uptime of the host operating system.
+
+#### Supported operating systems
+
+- Linux
+- macOS
+- OpenBSD
+- FreeBSD
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+**Exported fields**
+
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.instance.name | Instance name of the host machine. | keyword | | |
+| cloud.machine.type | Machine type of the host machine. | keyword | | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host is running. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| container.image.name | Name of the image the container was built on. | keyword | | |
+| container.labels | Image labels. | object | | |
+| container.name | Container name. | keyword | | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| event.dataset | Event dataset. | constant_keyword | | |
+| event.module | Event module | constant_keyword | | |
+| host.architecture | Operating system architecture. | keyword | | |
+| host.containerized | If the host is a container. | boolean | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
+| host.mac | Host mac addresses. | keyword | | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.os.build | OS build information. | keyword | | |
+| host.os.codename | OS codename, if any. | keyword | | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
+| host.os.name | Operating system name, without the version. | keyword | | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.version | Operating system version as a raw string. | keyword | | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| system.uptime.duration.ms | The OS uptime in milliseconds. | long | ms | counter |
+
diff --git a/test/packages/parallel/system/img/kibana-system.png b/test/packages/parallel/system/img/kibana-system.png new file mode 100644 index 0000000000000000000000000000000000000000..8741a5662417f189d8c87388583c4aa8ff3a6e5a GIT binary patch literal 205298 zcmcG0WmH_t5-uSGLU2fM*93QWcXyZI?hXMG+}+(_a0Zva;O@@g?(RJ9eea%g<(!{y zt-WS?&(yA6(_P(N_0_j0L|#@5;S=^J2nYxS32|XX2nZ+;1jKvgkI-+QXrG_6y}iA2 zR1_10s2IiFhk)RRkPsG7c6)b}0pq4Da@!03$t)?jhpZ_mwTG8LEK?v66PZoW1I@aI z7Go%+jO;1&`sr)1xWc|jKJ0m(tDvCNS6D(=QqpLvgV*7e_Jx(7-{Z2|FS!R+xweOg zPifG#6 zUWva{@B=C|{7ryZXe{z?1^z#42o3M-3B#y%IbI|_%);A^;&*alRt0D#(2?NZTa5IQ z@R6WctPDQmRfgvR$gs)odQ4ndNg^X>siy8$-HX^`zr;+WS$e zQiiUc_3G4p&|GrpdVgW8-Q@5=j_=tiv+(Kk3|Xq(zu2*8gb%|oI+j9vHiB4{R;Y5j zsGLd0^j!Vn2KCA9pzvFfJkn%0z0V+{RoK9YbR4oHFLXmXqI}R^zqoK|)}An+@MMSV zxrsqf*J#GcHnTer;V}nMDbGisFUK;+(L(E!^DceG1bg~$wV`a_N$Zn|6Y0(I5(S@_ zjAM%<)rSRQE>F)k5i$IUu}w4fT-%*5`G}T*uAOo*B{$7>8oJX5A(&@7S?<83sYgnS zYfN|z58knx%Q^WV8Kb4m2%V%$(?Gx0^ zN{_0Om)h3dECz~#gU{k&>gsbImS2l zps+E|b=n&6^8C2j>G%GItGavot_c+{Ep?N}WxC>e9;c+kv;q7Z%*V#U@?~IPU{SdJ zZUfHi`FhShRk?y2q$-CWN3rQ{?R3;-EUi_;TRBo&KP7@MI8MC8*2Lw5>qZw?UmgSS zsbErMwBuyyHn{#gk!w?6%1KQ(?+^cz2<>`9X`G|8&s?p#h3|L1oZqcadSGm%MPVlB zXL}S8u1&w$9X28@R&X)PCcT+Uyh_+&oT|QgnsxHig(CGq&6jKEkVc>Wq0-0|w1&^1 z=AN!=#&E<(HEWUW6CU{yF3+((bfm7c1r&Z&cm4;p{d;4Wv+u#CH-jA8d$a~KfmC~| zm0ymW5|k_{wkPgN~{ zV-gtXA|VXbjRi{nnzR*ZA}w5;(;1?m(_Q<^Yv5T+USQy0;B5kSLEE#4Ft>nZ-gu)8gSN+!`lsi+PDz zbc%Veoez%AH7dU7ru&{?TEF1w zm8n%mx?k=X3@0-LM@0pp_9!9Zc3dLYcFm^|uid3@E{=l6- zJf~gw$%}issjiL4T1v$~>iSjen^YoWOb?IO+NqW%OSP;^U!E}gj4iYxY5@Q{u7_Rm zJMK$QTU`@pQkSxt#C**eyX18y>@H#&apd=zG4kHKLB2xy`@ZiP2L@_;;&&m6F$WpO zI{6vmHv4KH-eS5FHeU)*gfz(pXab-o1UtGiy^We{~B? 
zlQG1;e)lx`>iU-eH45--r<@L{7y%vhJJAOP@83&WJK3i+=ks#OFOu#~s{Y9;j(wLZ zj&lR)TTCeJ+X$Pi^Q>ce=&PJAxRs(b0%fZmrR1vLSS)x<2mqmUKx+}0iEHKNZ{WeN zFNWGUd5Pvv#xX??vssd0ag5&HH@tOqmbBCJ#-4l{@s`h$1igp0 z-}8I-4#@-?bv~j)yNUm6BRGp9StFAI?}|WpGNwTk#w7$DV-HyTPL@KKou%uoPb{yF z7-Gy*SaJ?C$NO%|bJ8kJjr~}y?TEwWFi?iLWZD`KufVr4{WH-ctW<8OQh{d99dXtH zaV~f;mlfvlIuB^#q(4M9g-XJZQ)y{9|3ic7%tNl5CqA5vb3)96*Qf#Kxp50!#BE7x zhsEs1!PNN1YWtfUV8~giiq9~4__q&Z_4Um}yTjapJ4<)FPRrJdAl)La4g(~e>5FEz ze=-k))nvZJ4NS(^^3|1-*Zp?V;!XeCUWJ5@k1x+qSty<2{|gSo!f-U2Na*ai0h|iL zHA>R`{rY<%?{z{}DX(2<$Y%B9m-b$&bnNS*I8P#5?q**$=zcKp8`eqf5g2VCDT7;ZpVuzHUjIWfFDzE- z0uEAzGK$Tj^BfVgSHA9#I{G-wc0_MzIe~Pd(;O_mjc1>TIwrb?xMZe#g`YO;6&a?+ zSD@C{5kZ`8umh-9jegI#c6TjYBxi3<+53lX*OLI!+U7^Hn!PDyjbM0$=0JPvEaWjd zHtvb`kR6?R@z$~$cNyapKI+!ztI)~9>WDMLlwTixcXvL!av3mMhocv?1Ft{=AXl6*k%bcIUWD-^h_#=@4QwgQ0N|Meo#YKBDTe1bf%I z>mHu<61EC-1B__4q3{F@Uotvd?D9_~!{7T5SA3(5({c`aO!8e@K{UQ5BZfq@;ekS; zdqkT_;)}#c%3{$dx*F+7c0n0=PQ)8^9xqcx)T}fCt)&}@c z1KGkk{j_OBhVu}8KBs1uB-av4tU16&y(KZ$`LS1p;%ZLOg?3o;S*T*J)b#>-eBc3) zYy6&U8EdrOc~$bzS$D-RYol+D)7)QrxWabad)c&b)_i5PHO)M~IX*CI*4G)bdWF8(2#!D;X|_vJTI z+Bg%fnNcR<*N=3?f%;Kq5lWT#oxW-Dg3~~xnw1v(r+tH3H>_H8K#N=thE`N+I+Y?x zyI7guA+u?+MNH%=_|}&jGjBI2P4qf?8K%ARBC`)+_~jVfd3vheO_qrapR096SI9! zE?rqmM=5fh0j0Zn8Lj;Ea$D5x_CjTu={4Ht0kMxnW~x9^nmacwknp}9pEz(v3?wHB zPxY%R=}|%t$)H6biauP}c53vLNei81$Q3j7AOV7l1=n-{nx`?uGVZ}filV0GVItP; zo@nR>hhAkLw-?dp!|jMBN$9P@&k7%mj<%bxv*w=t*D|i4+dhwwZD%Jidh7Gqr*Q21 zS`$6*Jt_vP*;0AH@xg8LM*Vu_TKa4`(V+>CTk}2y6f%8-|xov~&IBTV$ z1+>F}!!TUNDtgrzahhosRx$+C=vlGgvf*r<^)iSwM{mGjs_--vO^Qvv?Sj0@YS6*y z<6X#VyIF}mLpX}sj(gAI_dRL&`0g}!jVrCP5e^*xVG1^?s7mC3V5J_pO^B~EOi8iI z?9ivW4ed09o%KBJy$8LlkLQQgfc85$xjLNi0eY0f5 zLP$~)*_u{BL{D5m{XJbBN_Vse=BC)#@9tVP{j95c-|pRyF}IN%9F0DT2H=LV&Hf*! 
z^$hqc4RB?u(ld0J%0>-&jT5FZCYO5^1$)j1uk^+N_m|zz)6iGwr+h3O)_koYE4F;4 zQ4!?1*&YNyFU$5>m#jKG+OU2xUd9?1ZhUvNZos_9a4QEkj>~cPyQa|+6h3pqd1`m0 zl6Kb7=O}jzZsLE1%Xexh^7w`pT=AMr>J?FKZB#k2#_XSHwEHtS;<+?2O6c+uFj>u4 zMKzX=x>ZAlrs>2xHh;UUY#dv8ACwPQx#+kSHW-WmW=mn{%?DkkIH#O37ICcmuDVA) z>I-7cL=b&ZbibI597_OU=gJYqG+6yXk|8n!wZ0gadr> z6RI8VR@`p#=fp6dOL>v@1lK6N&s+7n38|(@V(1v}ov)jkSlSwdm7*9#+ zkbmlB%L9|8vy+#=(7~>h{HOVC2rYWIa?!!5;%h@mmeEKm%Qei0E3KYSN+k*;ZB-55 z2T-4`rsP!HN*KSuNcF(9Y;JAoer1@&^Ev1i$0a>lY0=zQe1~@?*~IMCxE*i)@e#c( zq|RnjUhf2$vC;wK>DPFhDH+U1;h9Qeo8!QbUTPU|F6MY2Yx=P0J&*44?yC|G zQ9Y$OnZ*z>H>F`65u(PvM?Hgv&DEyL8GV9qTXI}yBKN$8k_&Dvp|f>Pzdz(Sb(;TA=09}wFP;i zS*#tOcTcoCqqR2azWU8JK3;xx*^xO4Rh=>ByYHh~za9Lje2u`5=3XiLX!fCNn;=nd zhH#<9_Ijdt2K?FsYb|YETFT%~()d`5NxiW&`n72^WTJo2DvIzvQLIW*G*N4dm=CMM&_s5%;Wj&7Ga~#WV>L(U}UAf6$dzE$r zyH*w_6;q`5#bE%vy}MMNbC#c7SmY4!hG}+W%##0BWB#tYrP%R+g?ly+4;#S?N9+oY zg`q6Y`Tnrxkcj`Vi><1}MGnRC&SAC1%exMdvS5X&7!Yi|`g+J*pEDB}r|ph*ncEm9 zEGD4*S056v0X-3OFie)P&6LYtSN>LPPNDsh@bgmr%$jtx(yseg411e}i=M@sdV-y? 
zq{o&+L*XDJaC)L=2t)B{QAdY4+YLe*U2lYU2~8fq$Pf)(FEK_NGz^T<$#TOiZMuyRv2G*r}FwNucifHI+#j4x-UGwr0^_OhOB+&ee6)r>&~6#3eTH ztNL2*AnJJJ8`hK*$>=r`YDVPqqI!BBOqVpBbd$`nz%_2bpt4abxubtEZ1#}#_S}T| zLPKqMEcx?iDUzfsH~Lx#6+`Y93$}+B%!>=}vzL9s=3rNhswLcTJ$DP0YIq^KjTGdF zI4h&Y!i@kdB@YGwoeacO{}4iZwY093nmo{{k*LF#6F2H}VHmPnTlj*MOwDvZ3~Qa; z<;7VYWzvS#{!PlrJY7t;u5Cd_%$O=sQMfY7sVGfnwS9#2s==yH!H=(E2s3@SXXjdR z@LE$_r1{_QOS9X5PX^f`b&#LF+e8(Udxhn+7VDCa6_##xg(Iu76lbmMg<~%cC@;zKiIY+e z4+o0X`%7O(Tba2QYD-k2?~gKY=bjpLuEg`R8|j{p%tsIFLw6@UhYwT4t>+3!9@t0s zI6DR>!%6gweemCB55w;D+De=Bms}=m%{9WP`Ix_~+dLKsyYY;_!&?qoOED*^A!B(D zNA4TQIpxFJRGWq!!k@Yi9-fk6V^%|&f+Eos_kLmJ65;hkAXQv%qZ6$RD#W`KGITl`JE%Hb(+S($^7j+?GQ%2RjRc#FJy^D zTS~cBeh&C;Fpa3wfu_8@_;#5chfXZz^b*_E4Kyh>VbI{Jn~m{xcdQ;Ew=!T+aJkm} z$1jOWNbCR+3|T~#GY_)R2s|$I23v688#IT_?N$}1>P}^`SobYd>gZghOx0ZAIziqj z#b&wD?|7*p&v+ZP^D6o;ppl9GF76-tv4LY&J}}(B5A(@8Kip5 z=NEVJeE?EQvau$^+yj$$ktpe#IINT@y&9-03Ew7&$Le*m)IJ$c?ktQra>6{DEwj1QY(bKpC2M7`E+UVC zJ>%kS_s8VcRK{q-dN1!S7F5L}=3WK@m8&qNOHrw>B`8i<2jNWbFM=X8dQq*gx$u(+ zSo8I)VFlNZ&iXcBf7W-+Mf z{B%eTQgD|q#8lMhmnwzHyn5Ue?oJuLBB7pa6T5p}0%+O8aM1!}@k%X~Gqpv*aD7ft zRqvF3W3B1g=7v;RYJIk`%y+gi;;7DDNb$l{MkU+ss|P$UPqK9z_A{_Gv~8piEFI`< zE6uh=!|Rm_o1VT%uCwCO#A(eh4;R;dcYEg?+)F>@tTv~V1+ugT)*ez^?w>;e2jt>G z0eeg~%*}ONpU#nlRTmyi3{*w|9qtLf!xwtx~);%EOHJ~5Y-bK2DUNb zWkg}+xQNGEz3 z1&|&Ib~I5evOQF%R(+d^4C%PeyDq2{Mv4>Dd(?!hR$|6MBc%0d!ZwuFm4Izcb=cba zBD&5CA{IOiSM&BIy&Ld|#ru&95(Wo41N@-p)WCJO6xAtOysQES&)j5Gd1ypjGYuMW zA0>IR2js?XmTv`*fucK20%ZY)k&4|jhOXN?$@z6(@g;=C#%^Ab8dc7*Ps0C<_$n}K7NJ z?|*3EOC6ZQFRc_p)q*!ygZI{$tKpR5ip(O#bU%F;0jPny08v%FU)=mCD!Y{5bEqiC z0}F0IN`g;Ki0xWUZN}W4CLtHezc-jndn*?~32r$u6t7IxT-#C>+Q>81Ovh2v8i0A* zV4_(~*siy*%*nxoZEWV1Zo&J%SSo**e5IgmjbYdrwSGz+WtZ4D3OI6)43GSh#?~Wb zg=a!{DFTM*=2HioXyR6?^>rYuWS^rN@v}^u8%4$!u^((b%d?0BUz&Q%eebpfJ-Uw{ zc(FQO1|m2{)HEC)kOWksu{k6>*hp?AxywEpP{MER&i6*00kjyP;-{F-tXV!khtkC8 zKX(|dwOAwMj}siGLrM)lhPD2qUPIgkOW_a?s#w zaXwpjJIr*rcB@ELJHD;YUCOuQ6QGGOzM4jLTOyJw3#sN)(UV4X=erweI)?iHs#=78 
zxunt0mgcs4a&7}RdZ$P2Iv1sZXPmNhU$qFPl#`r zIADQDtQcXQD7ek_(hH2 z3m3&@$ZTeAF(`A-%-NKj%RaN5O6z>*z$lc%8!Tm(i0|_eOn_K_%~JH3^@Iri8j95* zxAQGfjTZWRT1n1))y#6PLL>+gkKPdU@#=U9gU93Q2dV?_{TAA?;}}mF^%)GMKow!mjPjlExxlB^+2=$mk(_j1Sfw&;p|}B?)4x%)3rrZxTy6ED1pZ) zd@JsPdV0*!FE_AEa6W*fxO_vIllsx3!q5PNUNy)r-K4FrYUdSy5{})kt;*g9H!vy@Qv-Tx|F$hk z2p}|m(-Wm&d`4QQ$0QNIcY(DaNkp&&DZyOlWK(~iN!?UiwvI(iM#{&3+fWykv z?I0omg5wmKp#ha^Al*lf2F=^JZ&o zde3ok6|dTn@3&vmq>OeWQ0MNRV9Q+MLKscy!s3TJ-!MOcy|e8ra4R$dgTkphq`uS^ zHuYfZfh_X@o22lRDW&<%Ztm=zFJvavt45{%*N+VN##==1)l6>$4`Cl}7a`n}yGa(= ztWX`Tr}{9#$L4jf%6zZQ0lb~iLT9q3n+nhKH)Z%?t!_IK@B~wM79JLl`=EB8LW;3c z)_>cq5g`)~zYbx+xTFQZN_lQn(;n6zHGB7Fi#55yzGlzH&mPhpvP3L|<~he;JQ!V5 z#9WXzt=^5wdmofO@6iq6zLfwkpzIs*T~$r+17{RiA5{z7c_eyX8pzjG;E2kkm-f|f zH7Q22d3ecB-moX#ti_re+aR@kmy{EuaW$Y4r!29ecPm15B|?I_v6Rfr>SrIKLZ&%9 zw+~2hFk$xw7sUg6OGb$UXKfdCx37ohoC)t)DrD|X_cGCMMf0k>GPoP1BooH(A zhOX~APcR`{S|bMuavk&n(}0Hhfb!DywW4G&B49RwFlcm9FSlUSd*dJ=SS) zF&N9_DON5)eYidhdPDvts1LHWoeewzDkMwXLx;8xp3xp}sj#(YVh7%}et;{tNopqR z{?TQw>Qd3xs%v&DpPEHta|C`+bjBl`GE^;Yjp6O}oSxAV(Aw>!Y4^k|Ex!Pd4L)^G zeTIHoo5wxe7$*tOx7HYG_J}Xj)Kg>V=#^o6K|hrUBF6Omh&(;PxY9a~1YdtZA`s$^ zRpdaqmWJ&^mFPV~@Wd+QtG{iQF1hoy#1J+mtv zWv%QBf*Bl?W5tWOUg3+xJUUg{%~C&xut&for6*&g2v!|U6kJBQtem@1fK^DH6BP@v zdM>NYp1mx~TNuc}36iY3%m28*csGoHeBR(;%W~*3`tUJB7tV+ggXAgWu^gMj(nv+2 zy{NjKobzeEkpnog>TfFzNu2$FrDB61D?=}8QB`Ny=;Fd&rg_t74k$2k=PG6s1|H@m z?4C*S^&OpJ%up9Gdd|%mxCYv+UvvddM!TkaDHPo~>>M=MlE;Y3^((0y?8 zAg}ecGV1}>NG++WrA*Vr(y~$pD5)vxa?(zO6+BPiH-BTiy(ELTLF}@D=1x5DBZ@lU zOiOdfrn^*`SNyop%cqkw%}96XlVQ4xHDlZ#I2nOR=fWb18k%!6twZ~4P5r4A_2{70 z@#p!bsivKAOZ3fcOhixZ}veWJX(%Bd`xU^oP<*O#+Lm z;G{6X4SlGF)3AWS28h5Z#)`YW#N1&i7bc9{Le{z4uSAyeA_@ii<#AKJiRyX`j&{1U zw!)#=QC{&o-Sl?f_#Q*P;BePHVdTmSb$);|r%RWQkX+wYrE@kqGH;u++}QDZ^?WQ_ z%CoyK*y@+pdK*l39VJopt*#M@dCbsk!&Jn6}pM?*D=6Y>PLlu2lk zeZsyEZE1BpMS2&F?RtvRf*DgzQ6~QD`ae!PS7iAKtecU=?jNhCXi>U9+4moX{;T`` zi}bffAe=4#p}GS#_Ut}!<(1GY{nLM1^`};F1b@yaLjv*TD(Mh{-aqh*Km7V%4G|GS 
zHGg#uFzQ#WQsMUAJEJ|K^mqy>#+W};{a1ru0kwZdiF|1mt`6Hs(*t@V)`o=k9DT#K zXssESODe`!r%$d0k+V!O+t{+ph~D|q9yh8<{jW`ZO8dy|?7gJJw35nVnJbsY zYc^f15NR}+KxkswGnI!)`S@tTS4z#nf}pm6W`A?w%mG|Qb(aE)w|CeC0YU`1z+O9) z_|L`!JGbV3t3>b4Vyc<`&iJjUA4~CB7p9#(fUzvTs4?D0cr*%GVLQ7jrNgF0#{Fsk z&*--o!ty;eZrS#D%m9rKK0R$RGCs@BA2E7_%8Mtrz>$W>RY1(?V$Pnb+~$ve$K3oB z(%I~M=x{VZ=AUd#$1<2C&<9;FLV79acBQ9Y``T!1pF=>5YiXfZ(HJe0Q8oC!mD4(`52v)~t&Y?F+RXI%DwmB0QkXY7yHI|?*$ zS=mv0j}PR*c#)x^-4+Q|Cj|<7v#man?+rfuD;WQutG~iSejpAOkr=K*tua)(K;1e}6M8Nc@VE zv&9k8?ih+Kzdv(k9VQs|fyAP7m9L7E3Q&guihjZ`jXt zy0|*cP67bUdih*o*kb*=oSd9ROM$V$0{{7$JK_97(|J5cO;P9#)VOo~&E`gcR8K2S z%kgZBC!=MyLbvj=|I!K*Y2?qpn0rU4!F>rzb8AX%=ucr7wZ%mDyA|DfP%s2x+G+%% z<=TM_ld0=L0@vEssW&ehX+c=mYau60jH6*v~J0CnHJ>t)kX$ zKGl_9gL>NkV2S?8Deh$Oi+9{>UW3>XA=jLXd7=a#^$esFG@GuR$c`y8RT+tcfCJh(axSO$2M!nc)Q;idlQvUR)P9ieZJtjArK-DYcZlmu`<>B{1$-H11%l~4mx7y1 zH+K3Fnj0H@l+pjV2`ZuA5fnGKf|kS3e4_YEKvmPVT)W>Lj#^Bt36*}&;pH)`7UI&p zOY!J&i7n6_OFV`FL_t1}X_sDEx%WNXPSs>VriOLQZK0>IfH|yM10N@C-hr`(K5?nF zkaU$_vSz-{y69k`w(=r^RmPgSH-E7HyJy>vcn}q15>D@@#lsky-E%YHR@|j&xiE|! 
zM%JOln_eTjv6=|D$kUcn-gqiC#E$11oLPWY&{Bh~kb5v5pAW8{*ZD7((h!b>h4zb7eE2s1F@J1*~EQ&9k+4 zeNz@*I@mrVnUC*epfzqd!SWL; zG_$4X9q-|s@F;ErgH|CZuuj8YY6j(RJ_Q|V?thbfv`1k}sUvGp5fa}|w z3mxgGIPUf34et^Z8V&X!JL@j_jO%4hpX!M()IBG=7Bm-_>u&G;>(Vlbh`tU!7MyS{ zp$b||_z24qr~9Oi!M&JGY59S4%xUEkMINbsw%I$A4MLqDO^j3cEBc!fh@n95Gy0ywvzRx1Z!b$`+&3SZt zuP`!m6+DE!t>GW10bqzC{M&9d+ZQAwrD39+tIeCP$y-+aVljvsa@TlPtcw?Q%2OoY zWw(YRJG#bvpj2u8#;=9KFbukl$pWcj-8RnUm6e|R!H3@w!0StoOj`kI>jWoKH)9jy z^%~F@$9T#F+FuICTFcJoAe+GBPSX^fD$^@cQp0zemAw8j2rZnc(3gKP7uQZGkUf>r zy2FWOo_@sz-vVg;RWPALFlWoG;nMeLHs(uc&NPq%M`;dnd|_d%(?@2f@SK%IkQocF zl(iF$yy0uzsGsFQRf^m8?%JNpH;s{0Y?9(BTfUTr>Io2}QHNhQ<|V>?cRyxoq5UH8 zI4nq^VMw{Vyw7Z;%g)zLUUY+sssjW(*vR(kbu&6FI(xmElcK94bt3F{^W9UoKiJXv z{7CxNuBn1!+x&Uq(?IPU8xEO*0Ad2kxiS_?_qnTxy-N*A^y56jJWrvqK2 zq%>xs?TwOoqDYC1L|n1ghGzZ#FlYMHJnHSkRkb>mTjf(7Zz+7WdQk}m({-L&S{x?NSf2(A7UoGT= z^X+e7fGIPBd`KjLwo_j#jMauA$J*gacDr_f@-VmzM0b9>=p&+>@4)Dr7rq%;@?IET z=~sKix%jnox~y_nOiQBLh!Sk<8y&5LUGT&lIt$0tczJhSNwl7ExJlWP`gAw!cFqRl zv>vL}>9uXo>Oja+o3LXvi?4FQdbQP^_0fXLI0Bo+?s%~t677vul4v_*70~}}lMbaj z{;LVy3i=1Sm&AJ+gUUz-Tj7?SWEX+`oER{(VpX3D08%EB1o!Gmtn6p45hA zz40_7#}-bo!tIer|7j6Jk&%QId$gZvOOTmik}O(nXkO@KD}0HA#scDgXN;u#Q@wgN z81b>H18J}nhS(#yPvIdm(9M3^#*26}ZJuP@tcG9D^>j7jWTnOO_vKr$yvq002hb7v zh05ah4Ufq9QnRzAUnJ3(zj`c$bnJ2LO{`DZ_t-Y#7WW9U#&(Z`t((oF<3y%Evax?p zCpux@MU`T%+2cOaQs_JJY&Yf0H9M-+H|mSt4^U)(>6J^&0x8|SbiX&N-Xc`Qmp6>0 zm~H2Uc<7hyoqbUAw64)Lv(y>bIdTfE4+!6vULr~giNjDDZ_Ttae3$>_<0UZ2n; zK2axwg{IpTFqTx`PL-X^hyrWN;Tdm?Z-1VyG~Uy)v@Fd@D63A6ovFUsRDw;@J2j+a z#ov=1hzW{XH5y9ZpMbEP;R-k55>y~2gUv`|4r&vF>mG_2>)3unttO)*iDjAF*fyBl?&5 zGLP7;u3vBrCc~IA5O0xLGP-();IB`1j#GNRU)+4(a2QP=0eFxo=co>b`9)yU1}STD zC{7}+986;zv$kOf!(XNuTfg`P4^nX#q+GRnXda#@~T0I}0ZzF2Q6!Df)U<95ngbkTn;NC2;zIqRe6$j@|xi48!1GD`*m+Y#%w}|=D9pU}hgVc+EJv-?V$BYt2<0{OeKVZr*#qLb85YLz z4=WjO2V|c|TL{?<-T*qJCu0khXqX@*g11616Y~U>MnzCo7C~-qF1_!I*BiYIgT-8)%b;ZFX_P=u1 zf1a|Fk2{&MS;;L$%7)z}Q(k{6^~aIJYHgZCqjxoCM<0yhb(ey0b`Q;QWA)~{A=iB( 
zM^#y62xPhtNWKFo+fVmS3*7{yBC+)>qrpsUbR%dQ%whYu32fNh_umNCGdT3ajo95! zb(;~&u}{a!iI9fPseoUBzx|s$Cj_l`ne%((X2pVW%Mu&HQ-GBlA=`FOs?N`3!Cv%; z-pGEGOseK&NO!?&#-Ecwqiic~16xUz;Y_Z47ou`*fBRZik z!XvOvMU2?gjp2+;v_klSl&ST8uOvF8ev5XoXPpOZiX?35#{+0snZI@9oL420-ko;~TzcrngW- zpHYAGeo8}ogQiF>f!p(%ld<-w3`kCbh!`n>TWu~i%k_06)0(5=sNey&;Ts>(;YvF!Y!f_CI-jGMwR*~5Bx9eF_-owg3qtvoB>h`(-k0Hs5wah&sm_pL`Z~l8SJ!iB(}=JvCVb-wGp)R-JqgM}$KL;TQkbVOx!Z*fY=`^)IFEl~l zU$2@-pw^|O6Bj8QA@m}PaAMNbioBetR{HuX3(sQaq@oJj+7Xw5rbW($4qxBpW@k7Y zwp5YHW$f37!^#X*=iF~5wnb7>u3rO77A?xY>%QT8x;?0u7;@EjQ1<)Z|6sQMdluFI z-fsh4Fxc7=r9VA{m>3l+*HVLdI443xrc9^>NNvGRd3)8s1Rdrwiio#RXF-Cmrzl6J z1H?3>oWtr^j+e@)I}DbS6aX!*Bojk!HUT3+^u}X}l^$UJ?6mRO*(P)OxR)Q|+3-n&O6eMMhnL~{<7q0v zyoyUbd3hWngmd_Y_7V-G^6k%nXmeD4K3WB@bM5G6*3tl$$EcRh*h3k+mi)t%N#g$r z-XLHJ5&>bc>JuyTy}uJ8WgT+lX5175It^ z1X|lDMSmU1yhSyyUXTI;0vxi8YW~Tg1SWL*lNm4z4Rhpd?)5!V!z$)G?<45-7i`j- zM){vB3?;e#JrMe{ZP$RhH&dn-DKz8^&)}IjtwaV#%u=DdU~B@zTn>F|c!GJhnZ=In zy<+TQ9{d;c=O3`a+6j?-t%=Ol;T#eIHgmtdygNFmVpaMlEe%f};)S9>4~nC)2RkXm zLC_zJ$A6C<-rAiBP=U>p>NyKRp6`raUrbZ{%T47 zr;Gt=Hlb>A-2%p64Cg-uV$j|Mwvv9l|M&Uu@9nSBke@-H;#eR5a^}2Aesy>g2z^4e zgZQ&M|I<%@N&N6vH<&ch`#S*<**Ae0JxIj=>W@E8v*}^oKAV_UoE%PY6E zv?(N+WPIlvFY0nR6X8z}Tg#IEVOijNF|)lazIH0MW=j+N#-utv6-y@}e}{S}hW1qp zc*N)7laBjmr)&j5%t_wo^a0-#SCDqn#8u==X#JhJt~~EP8M;1`Z9x2a(?3l8XG8n# z7bjDhPon>MhyTF3J9XrK_|NP3hOqPh9ge5=HgY?XsdXZMJ@-lN=H5omWloP6@sFp5 z{?mqkc+=P5rdV?8zjLAGYbb7Qp03g_gKHf;r((N-^%K-pr6wWi7qyPLQOZd=jQOn`m0E zSG1Y{gC2j^v8353b}2#g>$fjqg?{f+C!*#~L9NH0_S}@BT(+e5Mx6B%pc>e=lR56b z=GJ>Mx_5umy>Cku=er~jvQnmjB)n8(hJP=e?+;iofH}m#LR1n{$-Pv1Mq%lj3J&?- z^*-uXE696vkn%A7ChNeBt(O7WPb`YO18zF|o|mOs5@oyuWt;>(Y1rq@37I z4-srd<$+g&cgJk+yeikXX}xdiwP#R^w98>`rq6|@`i@W5k1Xj43$_M>&Mi)#SH?Ux zK|h0#**KBacDUe15Ls>7gwNbXr!@ zf9;9BrjYlMM6*o-*48hSCdmvX$p(F-g~`?r?qCL*!+>ip`WhuFCky!@pyYabU(ouY zmd)gxwN7HYx1W^L zaZ1@r0-`V4W0U;KcJmaP3p?U7gdm?L3eB^({%i1Fs|z zVk8D)qJCIJI9^t7(9l;oZmsgoc-SNc&XxxBcV2#6{7mGpE@k}@7G(*g>WDlLI#D>G 
z8|Ew~*klEJPi(h**x{*2^;GzhT>3yYD+fO2EM*0pd8Ko}`RDI_o>z_GXyBG0H z*Yql&Wa-#L9Rr5exAl!!@NV#tD;YR+Fg;K*DEH+ZgE4$wop1t4-3(mx(H|sUp2S-8 z#gCny+V7Av2a)~8me4jWo5KhT8_+zZf=aZyvxkuHWsXyr^KFqb`XVnMtmC3sOG9m( zDY3)uB>#FaU)}!U_D3il`ObM(3zrS2Ly2n4SQyoN!8kr%H7Jy--vVj1$P(2h z^)JU@-Oh7>Zo8SE80*r^Zq`|cr=Z=ZBvP)a53curX?b6{N1ZPGd>m7^Z5l3J{&b4e z7(s{Op+Bl*UGEc#5pd_ML2m1WsfeUwBCJ0Ow}MP8Vzc{-%ur4`+Wr7RIds1Uutcdl zU=NhGg0O80y@i?U34C`=6G2GL3LA!`S2w6cA(m@v#&(rCh$1Sb5 zwLouBO4>S3IaBYTzK}@0eH$pT=_2t#bw)v=p5`b&EVwIZ(tOt#r@GRO5=bm{+4YcZ z`K`F>MurN54SoPg266=%@atyKNzsHO0RGAOJ6oZ3Xm?Z%9HTIItpyvsZ4>jXv_uT# zIkJ+EA#bnrl3IvDVXQ2O^X@wlukHu5mWV~vU~qhBfjO&_B6GQhvl8$;+a(3Hk*$i` zX+I_PE%EA7F5S{YeOJ(0zZuDraM$-Y1;$tWe~c0ESH=t!L%obcmn)UQGHnTRW)e+o z#|anW7ro&|9mVakBAL?sMRc3N&Q(17J@ppGRr5U(Lq!Je&)%>+FWkS>S`Hdy4kp`h z5eGCHJmu*5`iHoXgm$Jbh`#N79~z8ERnkfSJCoNiZ|yl|-icwWr3_MImzP zytA2S7`(q3SrEKuoL2hqr7y8B9s@f%H711dw0tJAsG%}!V#Ly{@9A%LuUA&cd!NCr z$3qvh;ojS$Ya&HERB@AVtU^l4Q~EFRdSpgg$NBU=E1Z$%YAfe9 z|A)J;3XW@8wzOqgV98=;W@ct)28+pJwwNte3oK@4v|8LkTg=SN%*-13y}9S!bH<+e znTUy)zug@fwQFZ(RVA#<%zPNlGiMI1ox-@evG5g-4v^jHa+F%1_o?KTxo8wp0&nFc zlpmPvq}C%h+4d_Wp~(D>WJY9&VfVf*uz+xYxG6XZBq}GK+<^7nDvUs_qU=$w-4;<@ z1m^;Eq)Lm!rw=DUue9@zstPAk!#h3Fhq}0(M5G^a1a%iz_PeLsiSyHv9<}ip1^Y#L z^BV3EbEPNy&21zIUaosoW}o_T^zk%V&xB41!)KkK#l?cNM#K>*Zl>RtAK2$tXRQcm z!oqXVFh`AZH^A{xx{cP9+iRQ1@8Z+zR~T`{%<6RKHUF@|l$*2<3f_(D0y}d!Qr>+Y zBFi#%>y)(u^kys|)*QYOTk}=(kN|Wi>6PQqEMN~Bdz{(1_?t@F<}FQUhZ!^(*GUcj zr(XB(XFs2}Z+{t=*>GE4-N9RuG2P^Hbl=|G<5#?Nkc3kbS{aT!FqSA=mixy)$gM_m zUR*3EXK$6CEce%cY_yh+7|QaoDsL}U2N~3DV)F=`)msZWD1LvRHk3kdat9?H9mcJ0QNc54E%1>4 zFA>}S$sNB(q~054vJ37vb$_O5ClL@VV=%9#|NZL-{D{b333}<@LjGMX{BxFcPC^Y8fN-?hCDv9BeI+Vh55|3na$_N%5*8#vB?aPn^)7BE0M zr5GI6UYg05PSm!Jx&Ad0!3cPBOH1~|-ueGY#eTJ(PX4Eg{cq9w557_;fh{s==H1S5 z{y}LIF!*JP%y!P<|A`>_mofAI!3d|lwkMhce4{cAAD_P~D|fqhOL0!IPdm;Xlyiu5 zYqO_bP=xjizNN4k?wc6fW6d-Yofl3TZ_7x(mehFK)6V0&rGc2HHz;iOt$s~-f1Hpt z<1@yYpE?~@HSM!Ux7%uz+jsxb=8n*BJZq;+N=lvME`W7i!5?sb)R?8Vx2Zic!TDYL 
zBcpBn_=f%dt!C%JxMGR1rV4ZnD1Pu}f#22$xIl$FLqr@MSMkA1q1?vFb-uhu=C{&K z?DvZGSUukwm^T*?c!R}arcdK=@6JvMCI^|a(jM2l!f4weO3kcE5wx8SX`o+fp?2ru z5R;K3?9fvSu2FNh=iUV_|>`qg4&h6|0&mAw|=mP)TW z!wuX;SxFazQbo7S<)_5X#=}x$QmP6!131=p{g}3_I4qjS?TP6Kxus3IfAn`0*4WkI zw5Wv`C)+j-4$gE^p{2s52_@)R)|BcBCTY}jwrt3g5WN|Zb47VuB5|lE?MoJv4-F&# zj@?8@nv!xoFTYKqn=>xv=4;{SX?wly#_0>y^HhtZubmAC4t@RotZH==(KHwGj5?0^ zJeQXwJS4ha)qFbe4f&F|9}L0#e&_YTL82%>p5f(SUAZV$EsBGV_F)taT2bFnBG=DldG7hwJ(AS+(ZkcH`jmEGU*J zYF9ZyPp6rqfS#&^dc%sxvh@c$qpHHe^m~!dZ;n|-JNNZI476&8<*vtnPQKJSiK)D3 zdg&;zOfJYl`su|`8`V;tQ9u<5FVb+g`NEcc(*SLjB-;V#x_5&)-En&2V2R8X&ouxU zy6Z+yH%rZUBgEdbPu)u);hkum7NMLIWSo@KH&r=7^YJ5CW4%rVO4q%S+1b1CO(CI| zwO07vg6}G1X1CFhr|eaYKMmq&_=z(j40T-WB24P(_PEh5qbJz>dz6Wid>p;7dbZBh zF~*k4m!>HWTC0fSsSe_`);V20uHcJ^PZy}IoJVjg;R^*f;t~@DqqzJzI_xG*NzHn? zjLmv+3ZFgcF&?)5*Rbs`XOlBnp?qeyX{J}u>Z*Q?*%+9Cfx#R#XD_1^I9%8XPgAc^ z;L_MPUb`1wRiM#@tSmUSE)Wl|v5gC>9#-t^66W@~+C-y~5|$Yvv0V(Y!(y2qM}ArP zy}A7kg4@!{X4^)Aw1ECjHU^az{f2y4R`vB8wsaeSx6{?I)LzxcikDM+GtAYnF1o5-@5dJNp#?{be+EqjsSePB#c64dDwV|GrcW^xuZ_M|)R-G@vY@`?Z zbiS?;;~A3sJiQVBvURq*D=yk8-TmU766};%o#h!}=T=V^gxQse9ZimSqRyOH!}N_} zL5O#9dK6YMq`8H(HQs1#`!b~qsznzsivNn^t2DXc)6B|h59z|$wWCh$^CARswk3>}E#C!aHc^B% z{?Tx)+enA;kYC6C@}(|k+dua#>HM<#3<1Uh53HWKhvA?j(6wmb$!vi}0Y6i^&V%hI zqtzU)pYv0^c$$^gqNAYpJFVRDHGVrP;y3hi?kK2ROZI2RC{pj^#WA_P(sh|v);uT1 znO75{zkb8(82hgH9`w9ocot2pAhdEobh%f0xY)pnvN;rxNQo*Y9H~G*0xx zf&10|TC!=z7>?b1opq`u-phTVjC*gL&}sq{-}$=oJL^wjMW~pO%F*nK-SpB6hY)e1 zzOL?~Pe4TONWHJ7pif2W^<{4z8m+p@0B?ghjGwQtb5r6-_Eq%Vqcu7!T#h1%f{L^5 z`HEigYPUkc{)YUbBE=%1M^_3_XekZbniY%?UuXcA1BIk|sxB;es!4=T(?28-$33MJ z;*LBeIVgc`&6X?l85&6910DD`S0^;QSW0tY6r{mz)*66H7^eEHdnlzV2bl~z$0lES z{(B5t?`zKGM+Z7xy>%IT*>>Q>dcm&Nd)*oNjmbXCA|)LS(##IdE)9`Fnoz;%nIEN| z)i!3tR#AA7NO(Og^d(fP0K#))jtaNe@N7_^&bZhf;wXmo*Dyq!=#dR#MzG%!CyrEV}P?XhMU-qeC_iaiTR!QI-l-^U7XbtpAg~{8LF@10eAfmx$4AQh`WA`SJVPs6&|}k3sNZ5 zOVqwO>(FT@(pLZ8Th583kYSM81^T@D!w-YqCXFm;Yqq!G>i}=3)#1ujArSo~hCmZl zK};e|_l35VAMrahn#rRSk?4C4`rHDA4_+B~Uk%%Aer$i_4=qxGEq{&k@RROSL>HE2 
zE^kPrT5FzBC?TbC?jeaNG8VA-yXFp~K9#+htZev@-{1c%Q=i&E==}Y0+l*&ij?&tM zI;7#VoCSrT)4M@Tq|yQ7`6lRYc*(AD)`ioJ@rhn4HMpl>J}My{xg3p@Q>Y(~8}~VJ z`^uzq4p1CuU2$Yv39dK*AKqeB^){*aqU=ydq$AkgIF8RTh1v1y@T}n0JvrWvJ8R{Z zcG^`nDudX5TdIMsa|s-Jbq1gNXIm8WjTyD0wQDcN;?g>o&Wp!zIx=nO(6_*DvR>(+rwFK}@EDLSKqogmUEDDS3*S%=(+P4BmUVj1vATy6+@disW@Cd&nqc+**b zc)p_aRH~()KihWr7PGcAfQV69@!}#W(HL^Am^&QTrWrdL~4VHMd->71mf$TN<7gHSInb*6&Hu+N<13&j$8ivbUJiWt?#F zjNLl)nn%lonh$VS57{IWF+S_o;{UvS-nPe}&QObWrZ0CB#k|-QOuvt-=w!F$;X8Ai zWJ1HzBW8asF5@pumSyxYKSSroj$;Dm{GO8}2A+++mEnzQh0%(^5%2_{Ktlbhg}(bz zT7^b^{Tvk2SbAD9C%wtD-a}na|s%KVi-84;A;dlGg(PGnU}2K`L8HwDyTn)B`CWl>J1!#hb_71kEj{ zhfXTmS+mtfj7d6{6X{AgWgbaY<#nEjx?m@q;hf}Z!0*k403Wqa_<4lBX#+T;PB{tx zCAPJ0-PbBqM2f~)O0OFdoPZb0;|3?8kUH$-Q(st-5|=bYLQWL@=Mn9U3#n{TVf?&| zCsa!lY~w0-rb4U0MUUHM{O!7u&)6C;8jXY)gq;Q`bvPCZhZYQm2bd9(?`E7~m z`Z=bQu~Ba@CP<8T@;fbsrNFL3>od*~CSpRgr33&G;Ued>(kncwDFI%VYU?8#iVbA) zPBP)#!7B+*@&WY@r>q=3thO^KHZ$!&bsjM8I{0asf}SEqaYDrms!vo|K~@!UHd7Pi zuLshEC#$2JPjNjN@^9{rZ@!LT=H}+3k|8Cp^1f~Unk#eVGuG13*)D{WK%=Xl;xqLl z0b{m_naa$s&LUe&*vHf7%g1FND!ETYaZ}U>6;ZUL?L*1DFC)vzZ&Xybd>#S5Je}{g z{ZK^Tzn4W+mKiD^Y#Fsu(kd`X>96WCznfths*#nQU@|E^$~QN$u&4kP7K5_Ce)zB* z#GOSz0Dt!~+;Ye@|Is~I$5sv9tPc{U$nG24u2@q0*+%{_v_}4D(#wRjLgEJ zsFaSy;smpm0P>mnC(4E`COxElSP4>|eo zt)z!ym-y{F#0mE%Y#BBdLX!x0{P)HCu(Um#@TB zUh6$D)nj;)+t4J1WM$|Dhu4`SxC6LG%Pyp-iREsBoHQvPtqK(Rpk zC=dg)a9x@14W~F$rC|@x%xASb2`bESiKdvJOOVLaSx6uxvvCw^NPg0Oq23Nw$S9k( zq%QYjjf9n$_oqwRGaGQ3<#gFn-l_L_fgnRASsyc~ zax{@3*>5mZSoU;`xe+?UM9_~BebMoc3t>&1(oHVB;6M~IcI*Np@s;Ba4=mz|HGQ3$a%T%TcTsv?juGU`n$8Z zik^nfPyM2Hj$tGk;M{Gz*r(T~*rQ@1$qS`K{SwQ#)3}aO)T90!Ma^!_+Y!Ni=IP82 zmozzP!b|;=1Gz-~N1B(sOeRY$BKA210)mG* zMG&9A{)xg9@iofYD#48Vhk5t`ew6|TO>1w_@`8C*6nF2s&Mu zg+AGzD2CBrBhEVjmI=cD@TmRgXaC<}2EuEeI$c;e1M;7jg%4^}=+IN)GuEF-&_BLT z6R7JLh1Z+7BFksCZo|1_bxqweXz4~N6;7@fl*ehy)9lHaJbSbNxnAqRrVRmi^Pz^j`ds>u^%rl1j>;4*E>of|~2?oE}q`xM=H~b`E?X2RcX#T|S zG2-@OV6Wk9`6tHMxTR(Ni1GUnHN{Not#um`(#8G0q5zHZbuN#DZW*0cXuSr;y)R1y>Z2aiAqS%FFU1%Qcd!ov+3 
zo^Nhw-lF-voH}2D*l?>`SDdPrFmIocS|MpA_eevSfOAjn*G*xlD40H06zMOu^);uNE#v$u%8c;> zDuZt?Sewy&kXO-{alpmMDH5u4-GMoBEjfIHBdJn2P`s7v+il*;ecC1{pJujUNVp-<_O#84v|7=zra zN)<6FY(~68See3M#`PsqbGj-;_ZsF+g_0OJT(=s_9diIyG%vX4k1R*_cj za+E>V7Q$u)b{f494m!w%jVeyC4kPseN<7TDL7>8XURR2ypWVp(xy^4gF03*QP+@e2^e9)>eoUP>8tB0r2t-GP=WHDWNtcm+%JMDQ9dNh;zr`%0V?GVVk+WDxlNaDD| zSB$}Ygmxq2Y70buGgX{B?>K@o-5DlVXf&C<<<0sq;B~ycT)oXGbKH_5XFu!678&u_ z=cTfsq&aO`7hO=3s(c=f;5TG^6Mp&_o?zF?N3P07b2LnH)7Zf*t5coOQ~#j-KAZUO z$8`}NSVmsBRM+$Ns0hz=hmC+)s3^42zO82zo2%oL+@tkyfmD~zF<5A&qBxDEw(SEWoe=dait}?jBPb!M=M`RsH_;C?NLgI7rWpPZz}!bp<+96C2(l?GOv@sx#&rG9HYZ;0Zph7+&Mn zCT7TE7}EI1kTcLu?w9~(_0{btc*DA9)rXrx`#ubsiBWI8XXHbIW)^|^fPPMR%|fxn#YCe3}ziWtoFNRez^i2O+b5|O35)d!m&JC#C z)34A$`#N^Sg-A5m!|3u|Hjm?R;H`Dml~ra?(p^gk9g({+Kl7VFd1qw80_fvC3>)-d zdsncPXYo*j=Ohmg7Zko3NK3An&VY~HXPwQwDTV7bvMCtXL%qio9$TMru;v7~UzU59 zRgpSWNMsG;NF32ZzYlee*U-@F_V|2}X6@J&eKjJ2?`_hkml@=dJAyhziFZJPy{)`L z1xZ}pRgUu`ufr9TwW(2fUz4!=`dlN5v{uiL<(|nxT&7?YK>UEe6dG=b)R=EVy${7u zORG~r?zrz_L2dQ_b|Jum$B0gNHYD21)?PaD2xetDtvwKHh?bcNkbBJ=BdHY}j%}$l z$_mf8h}sz1dZsmC9_KG zqP(-?l#B58vl-;3gwD=#eg*oP?S;#yig*1GvY`gCw(>Dm@ISVf31=xyUab82(kr#S ziTJ{i84n3HXJi9MFcU-aC1vfLs!Ku)s63YE8yfLwbDS`l>I&D^ic9TwzA)9z^2)>13~bxJe@Sg`e95JwWB6L6o++2PI%>Q*ah(iER;~g{h_w0BFNRm`G@3UX zSP-cF=mvcB$ul)Ex?Sed@Um5>RJTQx81NB0m@bk#8YzYg-x)AE_Z&;&PYxLo9ync1 ztJQEWt zD=oHgASg*Y*3TcvNvY8Z*pNtL!1o>*=?t%F`Gj`hWCJMdbl={~jCi{aO`}EqRnQE) z0*-p3V0vv5b2BSL24wCRuN*yH1htzyZY3|BdbMF!Sxn7(vl2E0(V7VZt&;*O7y7r0W5#)tZI zEP@4kqB?<)T-1V<5T8TzvFVg~gtc`2(Tz+_-D`eu+1bXvR)zQI1c(}7?04w~YKgjz zk+SiAn%c+5pB1Kw&B;GB*yT8tDnA;ORNp%F%M{h<=OVp}JI#&;?#3?8sDh8hmX5Z) zZZZqYcX-DUn6!S-ln)4JC;0YD+!vxabyKYwvzoBa+H7IB`sqiu?QA?`%5T!0ux^s6 z+q_hc@t}Sx0nI)nQrZ^u%3&;tZ*7xQsd!W~3~{@QmByYXs1v$1Sm;e{syx00x{`wu zLMp^h;Qzw>)ps=TU#2J}iS$V{+1@!_}=**AcA&D9oX#GhJ#H!~W&SeY+EpoembSdWo_B)l6gX3nZTb(ZbZ*fU+y*TT^} zpXw#TUT$27hz7gHzd$aKS|S1*r*@kmAbNteMv4Uu01}M!-~3XrzSM;z3f6}3T8>|G zoEwjM)E=w1sWs*&>HLtwod&ew!RUb$X_|6Q)yycnzt6+9-SBGIfbtY*4($7~s-nv* 
zKf9Fc601ffmrzwt=5Ppk}49s-o7?wfs=G+ zw3oF$XrzRXj_6{NCTriqxMqo|(@3N|pjis_3c|8ui~U(|FBM5-rAK3GNw8@1PS7j* zx)F|>B4uA)@?<4s6Bf_OB31NE$pIw!>1qXe5Pb_ z(s3!Q@sJ6%H$VgEwiULC<0GydruT2i!kIrjFDjp*48XO%q%sVBx<<3y;?!@Uzl^&N z)A)SSj=gZ)qCK}OQaxIut|Q!0v*YW9aRA)=02|GAXCqe7wSSD@jDr}hoq^0YAaJz^ z<(TBXKfpYnA_ju=BYHFM##GzMOO#buYC6H$GIBJ&N%(jB)mI!WG8ZpunMcpH(G>eA zCk4se7WH#LW!bK==hUMoP%$=MKcH5(83PWi!(?90$Ma5#y_xh~$;^zg1;}DT{G$k< zlWGqN?mH(z4;k!9S(I~JZ`^(VRmwN#uCdtNn>&Z_)N*-5C)$`&g1m>b85*mv>)+dh z4f|Nu54Pr487~ir8`v6)HE;qO#Z>p0nXc$tx$(UAVE?PI;ED0rAisP^(t7hBZzDg{{h9yTk~(;jtLq~|C1 z*bC7}vMo)aa&B-pqJJIC*w+~Gb@6^Si%ko!GX0`xVSlgK*~W>yVmzi{BLb6*XN3d#ToX8kDa zDEK~<<+7%V&g%thAL7X`8i3bi-g&sZGURM^@O3%GBL;~AU~8)Zx>6m*89TVTILLe= zp~|Dtr^YIPY<&tn)`@UYC4{jmGIzx%VPVOUaJ&E+=e+jmT7!J3AE@*2xX9fAMmG2J z1~^e`9MKA%%r*xzFzMJ+JgjX$cg$O4>RX1pOOXr;s!T7AQp^<%KrdC%*^Oo0ta@i$ z(nz1+7r9l_Rm`6oak9lr{?VsS9w-+pWl@mM0e=IcHNg7^s=9$t!9-9-)<@-d<6~p5 zN$rQ&qZ+QhIO?myw5w*EHnJvJs+k@nwFif>rwQ0GsT;PnhdlbZSh!PICecfX*ldQ7A~p8n{;$lHe?Su!yrjGy{e7R-~Ny zs>!LGINqNpS;?$6hl#aamWbrpS~aNA*r~0s_-%`ZOh6+WXcWriI+}XoA`LPpyQ(f# zCbfU|q(OIf`RP-}CzkPY-?GrOiFcYEl%fUY{VapuPxgZYG?Lj0oPScgDA;CF;@@H} zA83dat8`bLTeM|lOY9bv zDO59j_AjGND3XtmL6GJ(KIuu?5;dDB13t)7%COe%^w&%hi_vW|qiZ_X1HFGDw2N;j z*!IaEGa|Mh^s*=e)07fQfY!L@Q*3o09nTE70iR>s<(%n}*!KsSSmCW_)?F4-1)>9v z1w?c#DxJ2PJ!k4(lzhBJ9o2oTbvZ3kXz@eHlPN}3&-!!JKJ8f=C-i8ZZeocqX)Ncj z?GbL~RE3@e2jfjWDzDROZ#n62K+*W#|40{}MOJWBD%qTzH|U?!3NFSaWq-c;Q|Kfaf8f~mpC6$Yl-3z_onWQ~A1m2|TqjCMRj`0zWmx7Mw=ir@@?t!^lh63RR z*so9a6uihcWifu{X2@Ri3dR8%^*CMS%xXku*UnJ!POi^4ce;|pMIil4ken5Z@l8`S za^l94pW%Vs7j~PJTzH-<&p;#n7+78Pqxi15r?Wxd&%LkyL+f}Bgr&u!3U68Wn)b@O z;$3!w1dVSs!fC}Asr8$^DASfA#;}ma^JbgeOt>z_S^?XiSBt;PODGX4saq_Oc7zsb zK%25_(~^H-_{4$+$8_W(Hcxl?k@n{!zOr2#68({odkLWq*p*+V8++?54epSK7%?3S z2I%2B>~<&EyS7EEW6tDfhXJRxwllxie#DZ*E@s6M6ijtlY&{3Ep5%ON?bV^x*!}Pz zni%fhnx{E_JP49!#>f8Nkmm-#f4q-Odc$`5(9J_@WI#lc4l|SIf-m!Al2P|LNtGeu z@atW6mDW+33Dj_C*KVi6<~Ck?3Tq&S-9zm>%Mu%|@u$oA+&QV(u41+ 
zbPY6=D7^J*F_*?gF~vN2l5-gY(qjY*qd(*KY)X{7eDe1GOCVm4C4<9T*Pm;8JjHRWZv1@f*q zcGQ~xcRQW`4%wW_W%Ykea=c6z0bd|7OhRhve|AH@-t0X#nV9}W+m-gDN3#Nu0vJ=p z!}d*Pc0IlJLgisAi$6mZOkdcDH*Z@v*K{e!T$;?!d5pzic5Ir$w-~Uosme_s>Z=is z_(Eah*}z@kSqYJA(m%fB_yymBy}QR<#9R;V`w}Tp0LKNU%!->BoD?Is9(Y!5PxPHo z)zUqC%FTyo(PR z{*}2mGBr9G5e@K{PQ%OcB~h4`@|uNutoT&eC@8dXOBB_{e%Ca#hX`||4&zIb)2=vh zU=^J=@M+z#_@@1aFW5ARomEC5Wz|dPpXSUR5p5E2i8shJX!I>+MCWJyoTr(d4c#_* zrp5^0!|R2+Gtx=((76O0X{Qn%ovG}zB@Z|1!XsdXQPMgxjzQVnu_PN;o@~a@tV`cL z4$i(-E?HCRv*hO;BdW$indHMyxTlcs^1AY&9pSCZJ}kiZ$Nh{q&LfXhP^L zJtt$|KyC>6*%UI=DL$mbMu)*Bn)U6DccuISjqnAL^~FVz_LF9g915DjAyu)~RUwE# zCec(SfGe_5jcq~W>w<~9^UcW2UgFkDq6el>gLgkjC-G%*qT_uRxxwd2A(8?2KzERA z5)pP%xEzoyAGfm+D$dzTHZ;j=Mso4-j<7HHIlO_kl~Gr+o(CBxcO1OXjZ*6Hyd$!u zuu?ek!`9Z|2qn4Q0V2Q5c*eo;yzJeG+3jf>OO>OJM)4B!ke+kq5ivHfSM>taG!jvB zC;9iF&}zCb{ft*z;4MSb=PurJ!9%s* zr{|g&=CYIfceZ=#G=KQEG*6R&97*^EuHX&hngVwX$dMFe=tn5qLt-fbiV%K}gkeaa z0ghP8)3t$6FSCU5obtHdu5hm7AeK76hpZRuT6zK4Jd2a5jlBvliHkbFExslhR(Iwm zU-4~%(d#K`3%LqaSC_+1`~naOR~I*g}d$C++i1{g9ZmPvO@!nnUHl?A_XOgZ2>HEM_?z%#A7u9f?^K02hPvkS5z?l<% zmzkx_T%wVdcAg`Ua;-Dz(M8-WR)XWpQQBR)M*j2{x6sP#4ck#`TVj;fSv~r~R3c4z z^P8;t>-9TM&9qj8f)RPbqxe*W!iLfnRF^?&*G#R8?stE;cKxW3E9dD|*b4HK#aRRo zmxsqN_{qhi#FjgE`t*1KO6xmjX1?Se`~J?T*Xs^H@gQQT5cP$IeBxat^h{nmR_a=?_vWCVUK{?i^-q6je_yNbibLO~eNB{GJu6`h21$>O>ny8qY-Vj;iVW7W1gMADUBKL2k(+ zJbgaj5oPLnN%n!m^v1Ww!{tW1Ha;H=vAFTOuggkH$wN=-xBLsSEOP#>K$lqL-1Pf# z<9@H>hR~I*xSAC%K9U02L=-{Iau-vmYt97*VrB2}99)+^C&_jWMH>&w9bKi=FBCdj zyc0aUGqB!bDgX3jbJ+fJ478jN$R!`6mp&B-UVWqn66$^L+)RzF`MP-j^vTjM&S^G1 zbZp+`m02!0b_eoaGI^Mv<2A^tJQsJJ*S~%rKh9bBw6zQa;i2L z^!{4V^$(fVuK!QCiC)1l=OwlY3BL!!(0TlVsXUMg{Grf;o!c+0jN25uv@{q=odVqI zziI*e#gG4ZNc>epA<+w&;LYDpoqvUh8k&Ehdz$xC^Z#ny{nw}ddhi>_ctw#6v_d2N z2XN%CZ+(5x*8TOlx>rNvzh}q~6M2F+O+HNlgyD?=7sF+LTyrR}8iXc<$z-y>dsF^; z?T`1wuYCKOZTgxA`1iZ;Uq8`*L4;rg)6IWBlh?U2{NgNzJK3KE!H)13H~!yG0z9o$ zWT8Gp#H?JO_I`09aJFt|6(kjQ_NNc~=KEhRQyt`$4;@W4;z9uG%AH;4O*EAC3O*eK 
ztQ>%WnB3&uNa9mLy6spIAKMA1FJ_x{M}N&y5c)qY$A2&G4^Hx5P{Kr2(s9F-EW_ah{ejMP>XR?gFheNGOvTTK zIvNtR58ruSYlQqw(*FAC=lDx+pAC0fz+p;`)e9*j?qOAw2{j55s3UPo1dz^+tH>pO z@$I4ilN{`%3B=DJXrZ@VK%V54WX|GZ&1M5c&H< z=M@n*O#TZn2pPF80Ih#bcUN+~OQ~kWYMETqW^mpj?e@Rl&8$S!=&Ty7^ zhUxX6iFOeaLJ!?w4?+C@8*vXLP&oRUqzLsv9|HQ1WWVmF=A!2=6^!k`KeDp_^{6W2 z5o-QJLN>{1@UJ@nUNxNt_796G;P!f~#*2r{{00X4Um3~I3a zHB)LM%31wofIJgDyU=HeC(97jzW}JQ=KfZD!f^gUTCqu&7hJ7fjLzt~>6V5Sg?AlG zh2}|m*@f?O%LQBA^ijaAm|r|y#5%j;t&St;jG7~|Yz3a+rV|>45ZuWEm5_VG1t<1o zKkeG33d6wQ=WO++=^+cd&;*3wX>ALt^$Q}scQwpXV^_|3t#YyjE3t>ihdR^at~Dc& zKo*tOP`}8R;dT_fk|QF#ol$)9Ar|)rejMIYuWW1ikjA$bId0 ziYnij(ha$jgYP_dolLC@K!sOK3vyXW35fX|8dA~|N%+kcI}rt(s7x2(L)1z9^9AAp zhiEtTwy!%B<#OnI>FaDs8Ss8jTpy^DnU#CIE2PG(vpYO8l?h(mGqG(WD95+gN6)zA zldhF-+FKK%-tG-${8(=BU^E{mp)jD~=f{_nl)O&l#nWSR@j2c;Ila$m!GcmXtA0$k z=E8WvJ4$shlONSq30MA%+Ch34#&oukV}!v|W*OKSn`6k2lBiaG7^Y`XdqLf9Tb-CA z`63v?q?2}~6nDkUmtHSFpe=Fn)79M!kuM!2(#e=gEsW3|-hy3>U8jGsRv-};8a#4T zUIVqg{-)e|!LaN;TJxNjyqY!UyY(7bmC@~S`Up^TKClIw_u9S&2FSm$0KBR31azc- zf1=)AAJF02OKE=w@vAMFiz zUx~nzI`>IC0pm(>lSfZ=)c!rot0BM^df7Kj-W)mYq;ThhmxN<<_VsHCVR^cw?yX zZ44sLlzay$^R|R_02|j_{MxhZ=TJM{NObxYmIBe46swfi?D%q{1@Uw|s{m8V2W85D zN85%RTxu3ZtI_hPZ1KFdG&bTLeY|#+cu=WFlOt8R=ah|bKui9Uo6LZ+n^#$3(i;34 z=^bXq)i$^l8`FsVzwUoO>4YC6{4e3=69t5voR}aG253vcSYS#U> zoDr_HkJi;fw)^SmH&kWo$N=pU{!=on*`o9xOoTlOyr1r2|RgFspmb z+GTdyp8^t`$u?r_iMnS$4p@Y|?Sr9%AOX6Tm;=Mz@+FSnxSNZ=-DjIRhnh?{s~9Ll zi@Hm+JMOkVp0CcA=-(gO;MIlx_+#RB4gp``Oy=1=(7EnGg3R?V^eGhUYY0 zKuipROeV>f&3c}Ikx{W4>zcKuiR{pFR=Pjaz3lyb)TU@JbZqc+`wf}C+o-DR9laOr zR$td;J>SpIift!04R158IIL(*HHYeQ65wmSXW$2C`CO353h}BlY{wh%yFbcLww`F- za`H(cj`a-3Pa#abGJiiOvYK8j_`iQx$S%g4DsgaV#+TjDL1N zPJ9}hx9oc0B%62FCSK8bdGnbtcQORJ!D3f~q=z%b3gR}A&}j?Z^|~-tEeiU{wyXDE z>-4c+%K%wyGr9IitC`~@3(${CK%~0Yy5)M+R=vrX-;^bmes-Jg#YzTR@NR$Ewx010 zo1Cg@WOUukz#h~1WU1H<*39QvI#p64Q-HT@uZKVQY!;6;b~v)!PLp5uVnVR(b&f1^ zNtr)x=oU;^BOiQY&tyh~>@gt|r~1Kd1EY z)9$sG4VGC8_K;84GveBIZYam{iT7f>LJ#S#GrUven>)#~fll$0W}DKBPwmHi>A2^0 
zs~w>*we|2+<5i8;XSZI$TYL!hH>S;(N1wSX#-E?v>4nsq0r*vxSrBL&b1!s3J`)FL zkGpVG0shQ^7$)(kS6*nKxH{7^0X)VMFZ{Pi;!K}s*DX6Iht$07kB6mQ1#8TO7Zo+NS)z;>N9b5HjBXo_d`Ct(p_vTFs_f`(klP0Q4CMm=4Po}(PzUuu2FDkDl z8tHk9M~3z3rZG)jrTaxwyoWc=K3s1p&xz`8^U8fzavYhS$G_KhT6NpTF84&uv6TYI z${~yvp@4Pj6RXR~Fq2o}$C53|I%?D(-sQ*{t-W?tC^9|QXnFZK;)I$X2 z!}Z}rMLqT{fta|7YZ*+}s9SSUAc#q0xCws%RL(y&d=0{c>APcNA}co2rV0mCV`GD~ ztJ4&`PSpz&*IzOoV*y$5^cxK`N8R?a^VdBM2Dr7~n7}%%%q{f*su>QSJmSx6Ob3$s zl%IL0Jq8Jzk9i=zFtOPAM5$}Pb9I*}KDgBk$9d$5uW!EzszK6$7@a-M3`3NVloYhG zqB(AR@dgG%3)~zpc}1==A$D5iT0SsX$!Lb7^DhBX?{)ldckjU@^{>n#w*Ym7wOQYv z-^I1yVQ)#j*wiw-EOeMHAE+&+qWB?c`coW;6vc*+f(=D#reGwDx}b>ZPN~p*k4vfs z*Ly^Z;6{$pPYE$7CynGLg)^zTTM>n1*!DJMgsqaBG%n*BLvVS#f~zTZ`QZ4PzP%!& z8I*V;A*8?WP&P~<<`6EiPsBpAto}|GId--FNn958fbG%-Hlj2t9E86P5M9X;et<+U zrwh#F`SO9-eeHzZMYQr!zm=LlNg4gPo0)wvL`$ogkbj@{^!7HD1qNtT+A82~o+s)` z-QIfSp}_qqfS9}xwqlU{X|u<<>~VJb$Mu|^{&B2{8FOF4 z&TA^KfQ-;@tyy><>w~=6fjDzP-q-t$Stca$TEV;Dm7s)=o4V~*dF;#NH0d+)0HmaR zABkAvzj_Er)`Lj_A{ggw zHX+F+-t2-Nmw1uBo~8Q~#x!URpQG@;9(?2G5N@^()3@=cFlwx}!vU8F*c^db-&}?; zb>5U|$P(%&{~9JMm^f2XjaXxspXdl+iw`@-OY5Ts0YyQE+2NP)!KX^r4xP_KCak6(#`l5h4POh^5jS2|>n3nzebc&gzk-+HSYd_a7A7<0--GK|sQRX@YJ^N8d++;}V@{WV zZRMD4MnbEgu+l_UDR3`|d+ETy`+?Xv-&gsV&=|Vh)sU)I3Tc+*4}YbZBV>9qJD& zcFx6LtY+1%Z?2+AFj$)7ifR|lU+W?DAU{TQMke^tz1zg1ijnwUg8!J|N+ zSf5wm>UAlK1!iT33-;bA;E~09sqCmFG(*Wn=SFd@AFYMWp7XgO8$8x+1^l;rSAlTnxvXz6h-~&jj(0pJ{_BInwD4{t_3>aN~G z`&%`1J{6y8vGfdyTHM`zZa4$p1hS)BEoIENUgp$lvLgo%F51({M9i6Z*tGH{ z{IJ*s1$uP3pRDkBa`9f;hvVpJNM$1h!B)4%DCft%P8ZL<29{UWri$VI~oFj?g0S4y^1-%XgGcdh=F_@B$F379^8AsFVc(j}(R z3I)=AuP;y3U(Rjl>I*JF%p5xFe#$J>x~HM%nhdxe$Fy(Ot(KoJVAMq{yLr_^KUCkE zIU6wZ1Rkmk%SA1Japk#7k|Rv<8-ktj^?b>zphik8@4R6n8H9^$8;oslo$xS^ZlY#Y zv$S##m%j+NstahL!}5{pqeg7w*@0#BYqejm≺8>u0!IUfH6o(Gc8;yv2{u~PokQe z5v3iiri$AUr&54`>H9a-VAbfvgDolXlXN1CUgT8AM*xK6B{}F zcHICLEYyR)DrelINh8DcW3zy51R+BetggcR#*9bSrBG)+T+L$)S1aA`5v-m@eh#GO zQS{`oIz4V(eCKOp;^y5(ev{q#w!g~)nU{(x&5%XAr5IIGA!NO!q#*IlK>(H6P5;&n 
z$7Aj2Qr#g@rYipFYkZMMvM`B)*=&!xU30gNt+Kc&74J(69kO^l&s-Y*(sBn?zd*w? zS`c71Uqvdimgi;AgB|ElPSYD)w<6{Gv6B`UPR+@qwKB#Upfs1CIWP3C0(Bvj_ z4cwD5-uN3dTnP>l5Jn^x%NI%M%Ucf7HQTR6lnO@l zy;xCI>c8my?59jrT*3EQOo^g;d10I?A2Be|5(Ih}9W?ZrcgH}84WeECWP}jA3Z7a_ zaK}c?i$I_1JnidfZLO77s@1UVK~;p!dOh52rpg=>8D0=`awSl!A*)WMocgGTMelsf z{KR^CnfF%S)>@xy$#*N)cC?S#GM?Xh>_Fp38hIl`3tADsGL=T=zrSi$6)XSUNWVme zhiJlK>YF=f1O{!DEAEI3_LVbd#bNJs#+jz#@3QA(bj#UKr>o zN2-P&ZUqC4E<+X;%-r`-?-fR7c@5gQAK3PCu`ks6jfvowQum(SDx5Un(!;q|x0R+o zT-UZHs61TUtewX?r8|+HKb>{xzdk=Ce=w4avA@}U!aAD(S>JBTbx+PN@3wrY--zoY zuY=N(j3_@}uKH+~5c^rnQ?-9^nPALMSZ~nsPA`xHqeJ@Xqg_0m;C#ucEk%hdOYG?g zA`I!;W9KNZjVMj{OvE<| zRn^Ha950QnoGM2$zSthfF!DsoPQyiP?#1>nLlGOlFv)vlll)uwdn>7t#mp7>(c%f9j)L|y6pXA3OK8@WfY7n_`t@*ve<-NjwD zzya911xusW2%RTpp4m34J(*U}UZ_>CSTG{t#Y&as7s}&ED4V}KYc+?15O!Fs;j$=_ z1+T=S{WQvSW$<)nJW01k#DI!BNn@XE8h6v?F=)}iS-bK6-?WVbA%Bwo&j?biX`LHo;>TPC_|+yu*11Ipx{ zfMF-^>$4w*+fZ(HoTRAD4!@9Hn(%$O`XhcUcycsvp{Tnl)323DYbvk}=HZC&)>zWC+dcC2RtSxb5%lG5{*YZXtirlvy45P$*yuxe%_5?3|! z<_Ph~+KJOnC_4pVZ`qbG1Hkr@r9aC~bnr`1pvi;F1=n}UMH|@@cvIfOpUXLY3S3Oz za=9tXmXIcgif)x#-9X}vq4`KrJ>P0dVbQ+#&NY*&7T_~Uo$kYzqQK^?@$_LAejlG{ zMj`4QHhrwkTN+O)=uHM5`fGx-n3v4XR#}=ylEJ}}nt#$bjGm=L!jY0=B>EapL`{w3 z*WFFNrxL6nZ~UNU&hSOVmw2RBBBAndzB6oECPBf;s#|GS(dCaw!{S)1>E_vw&@zm; z#0uhIR)=cd$7GStA)b<7=m@%0pn5tB!AvXj%iXj`WTC^66Fv2|2D+gR2}8|)i#Um$ ziVL;~FX33rvmcu#@}Oj~T7QCa@w3BIH`X8`LYRSBiEUPz>u~H2adl;J=?&SDl?f1M z464%V#K^^s5*R3mO)RK!Rra-IB6XUoqE(%!pHJF_dau?dDdX=$L<|m}{e6>Kv)OMN zT#~f;I$GmL_x$-!TFZ>6Q1S`}P0{^xY6$6%*|#oK6?|?K+mX;vHR=Q(mrQjyRclz+wGr!ZHaO?QFyGO%}r=^gJB)C#WTa(ievJ> z;07R?lVYt)DQ|OK)EN)mEl?=y1*NGk0P6OXq_u<_fMvAAOfEyxmZ=G}BMAl=iJN5^ zM@6sPX%&*1_1%gSQIx;FF;YcHi!@2U7$6<|u+KKdZKnOT2+2~D*Dkhj~?D!c#X zBduQ|_Bjq+W*_3p`U45?3IoanaB`wPkid7@ut3ZK#VDBl7y0M>iJ@46@A6Vu2+?Ve zubZ_BIw4(7Tm9dM?&Z)6b!xsw6r>-w&VLc$3qM*zkJQ5L*^a3_@H@2N56xXI`H)en z>id>^=rjC%nV7DqE%)H?n7YN$o(qWz9WZQ65E7>bm)?$)SVtlBdTouJVQvYO4PBT4 zI+)}%t8!j3kA43tRn_9UpSCnkmYlIqVt>9KjQWOYABShP!tvyeIX}xGmCV?;MNf=! 
zep>sf8b1!6<*V?p7;Woi&D?ehUI%8EY=sCtT%a$UZM2zaQutGgK;T$ZwXJu<)NlS zIW|UV!m5zvF@EbiJ+JF-#aBV+m2euBT%FlkshTE|3U&j*1S6QfVYL5BqZdw2ZHR7ay@6Lc(MO^l}W< z++FynYw{tHscEiv%qsomJ9%8k)%$gP8YJ{9GGBGt{8cl?P^djU+-2(tu_NB3SX-(? z`r8pqQtNM!q#Csy_4qh1#N1ggv`%c3yig9n$jxnzFX|?^Pp!%-Oz(nczJ7bMNS?tP zlSkh=3PPzplOiHQa#z<5ZE*l786JQx(Mg2=5Ug#l-Q%s0>_$oZLyb3yW4sLDH2d3zkH zm!&+5eVkt#K72g?j4$ERXRqZJsK#82k@0%Rm0FeJY22pR1(w#9(h8k}jFx~SN($)n zCEVPIImlJ330DZw;Cu!sGh`^A?apXT)dMfKS^>`wb4QaDxxC$nar615j4d1#1>=3g zm6bDp)C0?xBbpy2GJxc2FojiVu+&--&AN_V=_{c5EMZU}`Gri2RZp+PIxZPckMX#9)`2zwXd!0qzln{^Ly{ii#i?zcsTMN1y^;Fv`nDV*!7 z-1I|1i227xCZif0`ok*M{XN%WKAF9`K`P9IbdV~^h3^S#YJuj_Vp&2j48C6qC52ds zVs5h=i!S_Assg*ZRvQJd0|IQy?p*Jd(v{qK(%H3X$-E)} zr=YC~d4wN=M99`kJg$2aoO{mj6CqugIY}eK%Yf_GH_pQ4B|S^}01B@K-1Kld*(qIY&>9i3|uYr225n!gK-N*#23Mnrn7b{T1H=B&= z^BkjeQ-cBL>4g?-9c8apbj$LCN`Ur4i`0AFH_pD(XNQSs@q2mJQQ7eWR)^c+v%jNy z0tyJ*3)>A5?YcYeRsJAqZ}Q31sy3X0Me9vc>H^1|F&IhdA%c;i!HCrl2R&Y!57g*Z zXdw@ff!0;!w!x#*Dl#v;^be(~8BIj`L^4UWTxb4G&4;7IbiS)u3B0*!^fCeMd7rar zTRf?x!#y-*7&XS-ieViVEeTY#&L<~s6ur{NOA4v56VOFpP%>$gYE1Gi$W+j2`*GM@ z@GI1NoO#cO$B3cOGN91c`r(m>&D|VLf$wX&)c#I%aP1NEi|vaXcDxK}?ZUD*a$>ZI zHRsJ0MD{&&0GqvOgc#JF;JRbkd0+KS7H69C%R{U6%m-;B{eAD$VZQ<()yW!y__ zVOFOKB$_<;eg2O(dV?3obaJ5d4v*v__q5}36>|gsPX-r1=>s|Agq zCXEkXzko%KpXsW4vH^)w0@Wa;r=t)Y?Cw7aq=*jHCqRsFM|k09EWQ0d`%g%erjFA6 z|EXWkUC^m0aiVHoiy?aHi5~41X$2A(cMsoLS~+bvh{`))y{wG8FKBDdH@Co`FQJ0X z`ZuzkDugJcb%&qUiKcPEW6_DN&Mh&g^2htM=zjeld_Ouc&{AVGY_?q7O<7jG z6yy!IflG|g{0+nZqlHd_us>MU>AehJJmi~Nr$uB3+FoyX)89P1NQap0x)d$oTOfPX zlVlYSp;FgEdJI)EjeWIKSF};&HfiN1&JZ2ZHKRq0^8f#IxOZE~ zT*{YpMecchepPg@J8s|uul;$9mKcp4EH=2p&8UPk6F}kD3%R*{)4J15>Kx zw?OBgNy@H;9H{P7?y^|#{ssH`6n=zDT?JupXH>3K+Y?;Nwc$q!OmohkH zw)dM&UO;8XHC*-$aH-?emtKY_Ns9shKXl+uLxId(;ogktg3Z0XfXGP1`{g$8YlzO+ zbqqj%dmIHVvqqcFY9$Z8sT(ZlOK~2oMcAD?9OOm-VjX%0w>dh7_-R~yo)NaSdqNZ}>JZkK=47s7}F0JLk z0}?;p993C5(>g?_Hni5-2OrvN<4bd;*}b@84}|Zk>G;QgO>CX+FOf?*i=IAgJ!!GY z{b{{NFo*dmqdY^Z+y(mWe!%)f@X+b42Vpr}l?MVcfJhOm)AXSE*TA717kgPySoofz 
z?48Sqg64`S)^~M~TV<#4^w>SE0haDXC*M|06 zwv(#}7O9`gj36enSzzjF(!Qt5fy|c8*$zA?$)A8B^TzJMD!a)XwP5&`Do~#>y>q2> zw!<1`X1+2bTQw>;rsw|m1%z{9ei-`qj^=ZEAl0|NkJMCD-HSEG@1+<)D5_{EDPg{t zbJB_E5$O0d$fJBKCJ(I5w2pb6Y<{3 z_@e@EZ_XKzsWr1yz|Fp_1-8SmXg-7gWgKBEu4DMI>KCo^LDya71oDzA{^I>*(q83b z<125oV}savzt#o1PUi(0aO;2|`+RLV2Z_Rlo7l#8^_eKWv7Ax*^^pueV+pQeJuPfL z;ie1cNBw5nO*Q+;qt`||FnKfUEi8dDWZ--==g#y&B`SFf*s~m=sUNn^&YpfrneO71 zR$m*ixPq9I;f3$fjj;8DT)X>MOf_$LV>RdeX4^babmKzje3V&dyOGrTrx0-alv*kt z*gt?}*=(S9sN#H`rquZG5Miy=D5tC>W29$?p^cjw6re5Hr%%upT2EEzLX7WmuCQ{y zQlC4~(uG->AE1kxfCm^43=+Ns7NeethwcA@uiVk_%P`JogstKpe=q zTd%KIZ3eeoOo^>}mjbQVsYh%S!K*|;Y#QI{oTg+$j>%W9E}mUcPRtX=W(JY}4QkhM zvvt?SiH53SGZqS8vo>J)JNfAoG&Rr#Zxt+F@3t7lgxUh3A~9q-KYd@EQL;qgUkg*~ zR~XDgsXPVGcXs>zt`36PCOrn@C{O7Jq#n%*@IXw_zt14vx#b&ao#Sa-Uq%>qCCYHn zQBiZ%zEg%U7|YR6Q^QtORap^ps}aR3?6PC<6-4M?IO!1GyjMNJUk^}U(wMMtf4YFf z#lS1Hdj8Z%`Ch?b|1^FP)U22=a*|p=rbtZ#{K>=bg-N7Zt_&1c^%;*>oF_E8Tc6+B zcx>X=*h3%|Z)f$Kawb^-o^;Z80_EMo8(FwUCuq)1>gW0jL=L_JBBRa^sj8LmT;E&) z9Zwk=8Emn3mo@Ype+rZSntMAVW^)l=p&I(mRtN%h~me2R{R~i_jC|QQNyIHJ& zvBc?cMq2LE*vy(Pl#32#j#v++t9uPHK63+I^!7V;s;{pgq>nt|@uwFs+MLPw`i6#+lb!mzpAO5gv9PqVgs4kQ!yom? 
zeIk8*Es(j!FGKI}t7#Xp-|VzS@Ph(Kj%J_R9-xQL+}4=eD+G@M?9!Rh_&g13pjove z#&C*#2VRVQAq<7MDfmG?%6fyQBPCk%OP&&9QM7z@^-nE({|Pno1H>Qy!l5xFNt&3M zVY8EZtu@(^$J6VC7Zy?&ChbgSs(N_56oOPWT|9u@gx>0%M(#%Qqj}!-toJlNi>^4X z1AK8^kr75rqS&{#Ev6H;kS(T5yR)GRn1^H)J6sqD^HvC7t9BdS!V@0H2VNRhBUU0O zE<(i248@msr-8TCmHC9c;&fS(h+Ja*`r=ve^sR4@R1soZ)llUE+iMY(7ja>Q_2a#9 z0MYp*kgBdXVtU(>Aa5nn75=dw1Y6sYzKE*ZCr$0qHj8CWfvXgT#=^REoYLS2TQ>8= zGMgh%Y?}l}1OrZNW&Olns+_6=kut`~fq?}17{Z(PIP}@q)Ne+xn8ExjxeqEER#hts zzwl#f9=3k!_rbNAM?K$>R~1n}w74mphbi?WE^5M930#;sXdv9xhf(X^-AHLFd=u_t41;yI3^|bDUn8N zl(y)FEmSdLLpi0g?p*{9yy zlZQe`SlW_4@yz4nlEJ$=L6WZc@0Xm$p$gnaE*xc&7wliU!XjHm{)&0Z_)86 zjHOMC37q=@aJr>g6s3z6=9f&;^;c`GnhaGTcp?w2nP0RGTI8B=`okzuGra>KAm4hT z18|J&{%wwb{2mFKl|}rc6yl4KRrHUY%a^#Aj(3;^94my{ucJR z;6;>VTjT96GJ3+|6-^~@?8B=cES(wv7=HFI0aZZzZajLSU&t*QEy})Cbv%09l`MQ6Ab3g?p~%r zq~VaAYbL`s%l;YY`7}<_L*$c2`Gl3$jnOce$K6q`D3Z5PtC8yJDCUWX>D5wm}J)gLp&MTuBSAJpK#NIc zJ~|u?Q`gT+^kq{uid)7dOzZMmsR5$Lz#|8|Csu+EJYL%A;+SpzyI#FjD&E>hl&;FC zaAq)L;yA2}l}N(mqSp_s9?GF(fE;gAw&(9%l}KIA(SPC}H)W@HB6-~+`kzSnmlp?u z))*#jPLT~3oJOT?S0hKS zXmi5ezhD|Qvr`si91*9uYl4@wGUox2MtLOBBN>V7Q&Ciqe*C7$UvBdO0umzm(+R~v zF(x&jQ}g+>+Bb>$UBlj-e(>ej~X5;t~V)S4mo@U1_3JW4N}GLnhe4kA2z$( zcPgb1)tj9!!a#_wJCWA&mt{IYn7O4~)Zec!T!dcJ+2Falv{?=2!o9BZL^|`urtL^h3+U$N?cPS{`h1X z?JYao>_L4BP&00djS5h>z=xw4{f_^#t3L(Y353`gFK4<}Y5+!DYSXVh3FC{n80b73 zk`m@m<+*ye_w&M1nZpeqjgFI$nut`=fN~^74UPr(&V+u292ytin&72=H<$@tY{$^Q zAXBD-0R7pF#}V$axh8>OX+ZsA6H4`A5|{-;;Bu$p#sTbTs7)c%=_7B3 zYL5P*2054=nL@c%AWZc6^jOOh>f^fvTPfb(k8!cc@*jiz%b&sXy|s4)x$AE9Q&$>6 zm_GbE)(=fIXgmekO6yKHo!J`uQzntfm1lK53`uKSH69sBHE@G>qN*5#*08o1N>!Dd2)|t9t+cS%)UUX}3R z-zBVwEK3c|THEsCs`33Lu($JL;3vGCE|acPp|oLYvTr~9YV_lh^j*~8!aq4|89RVu zA}S2T)ye-hYyJ-~*L63axfwNSf>r|VI&2aSiA&Zy5Y(tuK9h_#pd7WpX1C0To;)qZ zsc42m`q^z;zizQh1{=$JI$_nMZ-Qp^cP)AQT^GY+os^6}%}0#3;3arPaZ^ zu!504_<+(uTl*)%nzZ`;E&x!K&KYyTt8yd7Rz;t+$1YvT?SincIw|3;4oByG3SM$( znVTCRd9Rb_8``|8_N_RVUr2dCOA^R3Wp{A41wfpj3t5FMq;CyWbslmqqcdFo9{ry= 
z;vaKzSL>WK=o~VZ2JC5Z$z6UOs?<$9c3K?Stqi98_K;9H1+`ta&Q@llww zo)Fl3y*duwr73^>s@`ZQ2r{CLId4^G`yGCrcCUkBBt8UMW?657zwzzw=%kGt=~J2G z#p$1>vmT@XOnb*3>?-npNHA9%*S_eXp~Pmhu|UHWm!AeKRI?(I!#2iso>~c-(oHtz zu$~vH5ZW#sFkxjco;>)DYi^)cuz@^IZ(|JQUeFV3UMO>D<6TM;A0b6a`9|z6liNl+ zMLhpIRr_lc&H}n7gr!yrWkNiK9`nj{ZoC$XlA7Ut_3iBl6=1Lwe&1h zsbeS@?}_VtQitkdYdOs1tQvwb2{4M)w?TIlj|`t(!I8a)_{NS6jj0`Car-G~k&h)!BP^_1uhm>mUpssn5nERFA_E5n1-VRn} zE-t**B9s88dE5qSO{38@y^w+TKEHd8BBBYs*#JzHU2gk~hXl@zp%z0uR@}}bmY-kY za*K*zdQUyBLg~x&p}b-dUnF(h&~1ii9Xy9xRO9QGqCvhN)TK2CD+V|jw~!=cGcQ^N z#9|WIn3vm23RuPofq#08;VzE`e(Snt(!aB`|B`Y8%;0X6?cN|5AIHYryL^9qB4DE+ zxKflZUoV&^mQ1h!#-B-ljLl%$xSLSi1ipv8xgk8tv>n*}Efn~`MPrXoN>rTsLAkB0 zKbvMD>ap~N&UTIe>-~Q{b_#>X?nddXb7XPrZP)2Ex1%c8D3Q$Tl#$F6RJ4}Nf5JN% zE}J@lC|B-!^6hNTrmG6A{Gm)LPB&f_+Af1w|SET)z?ErFiMX<2ay{=*5Y6Td-WwovZ`@3o)kpviT*_ zhoQ+gnxpra$o-FG;IH-8U$*2E1U`}qE8~53dYcjg|JmaL z;7cwER_utNNI-TOJhTG9MxqG$I*QK@e9H`rnvX$Z6kj0^e>Ro7mB?v7Y8f*zJqv)t zg}Ah7ZN=#DyhOEXB!Pf6J_2vv!U*h{zWxZ?~eQ+SjQV1_frsU)yBLs z8vF<&*$5LRYrn!K>F>I*{@OWd!9PSSHsx73mUVebGb6VGACqVr%kI(qwK4<7Lo1A{ zMCA}}$|ROk|4N03$|D}y+K`xqd+ETj-Q!4i?d-xTzNR2~S<1xp2;=O<jEDgpi*Xaee!J?jIRd7Ul#pz|{wA8E$Da&k@9iKw>aAN# zN!9x-EYjIa72^3HPC>!o&wsTyM&VN1OFTj>b|iW=Zj@UgHE^t9)pg4EI$_e+&qEJp z7Q~!SZ2Ab7OHb9Co5YNS&fF*|Pd1l8UvfWf$&|Sc5R{UMkp~78!D{8>&)n3*nHRLl zL|BGF#o5`R*hV4Z2Lw(s2%B^x;$w%?Fow{G;`lLKh~X3ql(J%rBVA02h!L`ihNO-T z>fH>(cieMY#-IROEQ7}_Qh?(koMbX1O7r!#o>X!fdhMM%<7a<=9QYM23&HEN*W?YDFmyuiCX8%LyrH+1b$JL3bxfz-a`zKDG@{5y8zGAF3c z70)I%+r~xv>X2G z-%D+%A#dsTRO-gNFZPqzMdHyOb@}ADqT-$TS4}Vhc-kE=r+H4;uZQXp%+zKl5xuQ_KZ zG2Slz$(b-t$#MC><4-5ZV)3w4Uo=WPxkPr@#b$e7)ounS*U-yozhG&{ZC!CTc!K#J z-RqMLRV{r2&$oFq_m^h-9T_|?;_o2fp66U34G_IMgC|`K@4MY+R!T-c7Wqb;T;OQ+ zxq7^QPa;1+^rN#sjEbka9?dNHwc6KROhb;k>gGdxmZ6Ri7!zKkVgb+-Em;%WBs}6h zNzZRgrv=;<*%~!+Uz+(kMiwoA=}X0}JM0GD76MxwswwTLSW7IULlJV?TOY$?gEtnY ztlU2vMLd{UOOma49rs~t*05qxCy?<=ZU}u1p=q20NLx$N|+$*zjFSPRdAp5 z4~yT3^&Z7=6dwI(zGf;xcs4VJPg7cPEV{x`rFyp|0alhwV}yHF+?_I;0nj;`^11SP 
z6@VP%Eq&5-IS~H&dL=?vZO)`Zgv~iR9wMjRpcx;$8o*iQqQZ5U^5h=9b0al2+z+CI z26N{Ep6+c1Qq`HW75G1R{T@I%V?h0lz~K25!97e9$Wt5|Y0IQTuD=`%HWR@{71iS| z*Z)jw!u-*u2YzP!IU zb&O3tzToh06VWoUIO$oPHzt%mZXF`F2ES(k+f%b8`7QGR73C+J;5(0bi4;HbI0^g~ zA$Tjb_*FX|?&N?_+ye-ETaVXgmxtp~*1|hYz+rcMv0brg)9TLw)6{4?43UVE5`nci zHC&RFN1(wA>?!||#yf4i7)4d(_Unz??xT|y8`d?Qj((DEBP$aaQ- zwqwFg@Ahq_R_q~wcS{;E^ICFv4@9*6>W_i~D&6`%>kMi7Xyj}A4xU46Ugn86p05Zq z>X+iB@R|$hbO4W~A0nKvr)V#i%8)#^H`o7IRo`9dpZ)eB@KEmxh@N8!V#9O>m+KTs z=YmbmVg#Ur@NkIt7Z#w zI^G5v)Xcu(>O!SVE7e&-z>@tOt9PBkW54^ul6D`XX0BW_2D}6f8sL(Q;-JhxyZ0H8zzfVQfJiv)fbD_FK3JdxNAe=`=hq})@v4RKbHsF7KlOGZ0{u_fN z*=WX1r=)PcXfPI^a+SUTjHkx4AR-UUI^H4qr>D<4PP-L7OR;uUy7BN3d%YAR6b+~K z5P7Y$Zdj;CY-%>EeM4)9pvw+&-XM$^o6b1@n=FBRl$7km_^xN`V$l9IF{5=9ebQv# zvhPenTNuJAEOntrY4fxr-5rNs$)fv*-I<_~FlV`1imxBDe&y?!Yps(juzsPw?PS;l z3sqq=t3;I)3_!J2ZT5SzgQ>Q$!%W`RE@?ZArVwdo2Vcvmo;XVOT=EO0RlUh&2mY#5 z26|tr?Y_%rppx(c*ZnS4Ba)dEnXk#1Y7I5$ly7-`vyOK-GjYhGPfADpLY-it((YY7 z9D98~e>VdL0gxpAw;7EBGS!fy26G4X(U&1jl2LK*SwLUc?Y48{4(XsSEW#V&AK}gE z_>~kt(FSZ>LfspOUc75-k@Hz<6#Zy2rHv^t4ax$91G2BR`^-KkOM1Nv=Xc!l2BrJx z?8Y{*nFbR@{pPlEMcsry9)>Res10>|?(eBA4D>#A^B)Ura5L){We#eZw^R4gmkV6O zpq;4jk1Neb0>3`mrOg-mw>8`EWbhZ1c;iU_r5IaeG>>g997?3 z8YW<#UkBGO&My*lt5q4O>9P6HoBHx|#hmjpyp|`uht+@l`4yP=uOy;K{KIiV-eLX+ zG92>(PX~%_|I(1^{W>gSN{�s`6crP=vnF4J(FN_p-azMoqrZeRCr1oP~*sQJ}}! 
zn^f1z0i*W8t&VoFkcM%`A79yip9^a{lEm-Xf_DgLzBbAq!2}52V{0|kH40_KkCNAw zK1bZB0RC;~k`v#DmXJ-X(P`qWvd)x`B^hzWK?}0o-7|UsYE_?M`=VpMTesG^)smIH z{R0?a8>b5Vcc*Ejki8s~+n3-;kr7`Mxh$}Y@=&O+4%vw@1a39-(KoV#uKlV2_2PV_ z!smHq8U?`Y=IxPhjh9UG@W$rXdpu(!5&8y`qgIq7_x*FR8?!dPmhUBL|{C~ZJd1QO&mb&;; zBuAg~ef<0A+i$oRaDH<~kk6CaGvO#QY3KW@2A9v>0kCoIdXKN#D{XshCM>lswFnlY zci?8ODK-zU&282LuR8v#y+pNYS$IlIXAt+#cZ-57~W%%3sQLUvr zXNWKTUmh#%*rY0J;rxeo9+og^r4P-mpUQOvenoEyfKU>4z^*S`xy2ruBUMZbk}Xdp zAs@)4hGo=d-WxQCEgR_P{Gs6HPZj@AFf*vK#wHja&;At2qtFjMF|LyH9I&@N$qF^r zKyXjz4aQ?jT7mby-_s5krptU$7yIj@b(4+p7<@E>w)YW>Hf*B(W5l9_;OvhD`uI}W z8Lixgx<-jB;+F+F&x=X;H5P~;pY!j5&Ml5O-93Uf>rydMd}DS3RqdXz>0U7pz3!Xl z1vh@umH*hZLBs@2I%1kqTHB4vRDC!1#D`8e2rG$gZEnxwx=wz3ThylJ_cZ~$&Z`Py z1{Z*~56{pzjoys!X+_Ns^tksuTh*&qw^8~9aerHu*s)v{XaLhcL@6C=AIL=mXJVZp@dMvk}UnEqv zjwHx(b|)d94edS=v3P%e#&ti!F^}?Ae!dDykTVKKe2ZrS%;hy~CSz4e*Y;=s7OS3x zbobmG-edgjEkOr$SJsKteSgIs(YvR|b611EZxQd*lg2Xnysi*T$my;XFQYSbRn82G ztESa|h4EelRroQnX26K>%CHkdMuK|zWlF!)JJ~|xc3_Tt`IyPg+d^gpDKlVHa&9~eNIyME?i#O7?po+Knm@7H$4 zHrrWTXC(EAej&j z>zt?mDiQmfiOG#TJ^9)(-!PxI$Y^5=t6d#3>iZ5_Rawh2gO@1FWi@xgg4dS1k6cf$ z(2&pO#w11U1rcWc7s2%@?=hWPA|fu>C>|w~N~0}_g16N##4-WR*$Rc6OFp5bR~9$< zdqljs_yf&&X8wM^B?9-Y-h*Q0xNoRkmD+8ly|29XPkRgZk{kw$$0^lS=ku^xv!5Vc zMO#f{V=mj15Jr8Kb8|SB)coFPT})%6+db3^!n%`d`|f8~+|Kt%`8v~@5-7VEnx3aT z;Xe5{%IP{?EF0RShSqxckCK3^PLUcS$vtIwaDak zE9ElJIlc(ssq%hDx_Uk>5nN86uZI3uQ}T}()lnpS)A&v47<~KVS59Frp2Y6Dg;}im z$qlcalR)XHk7(Q}gsG{idAo#F{62_n@{s0VGatGCb{r&u***`GI|*x)d?y&dElEAKaL@9tM(Z4~sH8_c5*YK<#IPgJZEL z7H0-Fk#{;)1o<)i>;B&h$(soXK1KIBGQLby!3{xFHjk(OJ;!`-!Z1; z!B|L&tYIL4;pe`M_oA+9B%Km^j@?5JZO~T>!MqWJk~~a!1J%IJ`Dc^`Bi{7iBIcvA+{uNDu z>5&zCJX}0;0qrV}=*SjdaeXCp{Lam=H`m=xurb?$4|4u}`A{|Njmzwq-tWe{NKOJb z5;dHVB7`v@L4-NzA%-G0w%a(8T8sN?q?W=>hbb?iuFrh|(%1U}4pEMQCvF&Nnn`Rk zUyDL-i|2o!hy*J4j4L{`dYe#J;%1R=>xOS|h&^kkJ=PoWbr+y~eP7ML@Xs2*Pww7V zy*eT%>17~?d7F&>;L6*XL{E{YIfw!JEH){=4xtZAMz;ssL>V-%L>Jleb9o@23GHk5 ze4$8OH$7o5;Gg|f)kNXf5l_8J4WVDM6dCn#*{6LtCH?!iAEUoyc92mz>#F9rzvX$V 
zJ(qu*+YstVjAE&Hkm(dv1AFTrH1}vg3*)E9rKX?E!a`ITdtHS2cCj;#+)3%WAfulYNfm?0l*90FNl1m;SacgU4%5AJ^|{4r2gPi)6ta6~ z0T(eIz8j@Ad?b(BtuVpt*RRMcdoMiw(lmD<+2Fdzl`7aB)reJDvGgOBnu?~gWX>>AFP(6 z<3{^jUm72v?mrfOl5^buoJvzpN(O_?3K7x&0L~VZmcd9p`ewe_blI>nOqQJXbaW{( zOGA6cpkZd?bBcc(e`2?`7}6;JJm>SPbnE>UAUyK^gG}<@gA#w7Tom9{{EoVbu1`JD zi5+bgG@R|;(mMzc=zEl58*x}dLN^I?r!9HPJoG0h2qcPEUl$>abS=-C%Y7PC1_A0< z6|eg%tv;TO3nbF|!M{3SRHi8GA4@6wVU7TUTwG1f?lg8zz+gM8WPxTh2$DiYP)%~) z8enqqlUl#nk>XHYbc}D;d=$h-vJw2ij@AQTF&$i~-?YdqLbCRa~-ZR==*%n2!%36JxT{5LH6i6gGWbuQ%)F+b~wT zVqukdhWxkmUvWnl3%VaP_3V1qa+x%2cLk7PfyV4V=-)uB5LmN-rXLP= zSgZd(y#KFz10$W#oc`uR^0AmV&gFiGjE4f9iYSqLM!(cjXH1<5f{m?7Es}F;QAf)+ z5PVAa?9-u@N3V%s&26IHH*bLYioFyY`c^##;o(6OSL5CGMflky!bQaJA3v6CKLLo= zgZ%YdBGEk5bmz$aao*9eG3`?E(n%1C4uX}9wA(P{p7`6MrP5WzqqgD+(B3R&=Op82 zz~nM0JewLE<@0fJf;;!2Uzuiu0Gv6PFoGfn`RsikFO&Cte$1-}imckJvf(WtLh^rRUAq}aRzA&ALHE2IIn>mFe3PH%Vyy0H54rVXuOua|NYq9FL$LUH#R-C- zr~rsV8lbuj#Xo-@;4bjcvI$VUL@eJL|AVvm6iZjL@@~2CwQCwi@7mkXwoD}LoJv+g z`BG#?sG3=A0m9aZg!;LEyJk?!!HF0pto_O)8a8S2#kY>0uM&m({cx%@Du~SK-#piL zn~jdX4%v_yvW#d6H4F`#lbIh6647=Dyz(}rIs9Bp?x~FT%mW(?-{kIK={$TUYTvxL zv>osU@UPGS!N47k1(SxTSxk>B6| z{+T7v-={GPF=Fs{0W%?6=bLds6)oHyb2}+oEZWgmt;Q3}`>$j$vLrKJ%3z{B0iZO^ z1m+`2BIt3OU>U@u85^AXHQo@Fr~A$O#btKMp%CCT#$tYEq;(EEP;Sd+e@GvGci)(h ztxmZR6Fsvrbxl(eQhRL(b0c6jdxX*$frpCFNHcZ`;%dT`+-TpY@BhGBGn~AdTBdq2 zJ`_W(9-Dra75|;@JNt;7S}i^n)XpdMR25n3rTfI}1v|08SD>k_&LoFAOw+AO@Y>(X zr&`9hKxZb*u#m;w4`TNkas*5h(Aj#`dDf$22>OlXLhg)4NyZHNM}6d@)?F8)ADETv zi!t+2D+%H0rY=2fc|PUoHBpp>=4kgBfPC(6rBATc^@;U_yK6eN2_5XoR9L-i!$Wln zB|io=ZeYOyN2381Q7om+498P^j+iAH3O1KNQxHR59nV&Q!9LG+<`e&G@Vg8ETlR+^ z1x+#i3T+|!c~DMQ#@|zkbEMrOeXvh>R!XE-JJmlx06On_ctAyhG3?1>u~B3hMk|Ml zI-wb}T;SwNDAMdQwfZ9D`J6?b{X5S*D=w#qq(QSDG>0GeG3S8!(WvMcI^U8`sk6~3 z+pTNHikH~=s1da6GEhp77BT|UXOSNTB+MGt%6V|1#|hyJ8U>6YvqQSF$a#;UOK{~yKx3B0y-An zqN8^;d^uNYsa8j08N;Lyw0DH6bXoSMVhFke? 
zqRoiSzl)+8@{_1F8M56z2L1GW?(9s+MYUqNCTv2NxcyiM!ScgnoL7oP;IL z@}HQPGQG2ERi|RF7`8jWU$HUZ(H-q=uL!G<0Di};^?0pf0H2CDLxZU3KjbRWAfiG8 z0T8(^=1~NBW(ox7@B$5*yQUa#hd}f34$BDT?zcN*jB*P=(|W8^i!xZUwEV~<$r&=j zEZu4w#lG@@Y3&;Cn$3f(#Z%i?hf?R9_UYg&{2)3P7|{YCy>_eY;esfxNV4kV*C*CW z`ID(ynW;p0{i-G2nh0w9`>5$T$C4e$mzP`h7U!$lk?Xd(S2>qfqmw#PKTAx2v9$=V zo12*(TC&_v%OU@iGRL+U5TN7_RloB0MW+5lc%Osb9*_S&mgIzxc?=V1{QQjI|$HbU6RhM6v= zIR0C)y-nKG(c4{KUVY`;A)gbocqAwK9TDuTT`c26#P5wMsbxnkyPMi+ER+M{CJfru zHS3rWQW(srI^WW6K28Pg1Gn2C!lFQF6L^=xAx3z(5HrM6%U;5OGq{=Wz zCWAe$Ui8&eZHG;jYq!c}mG3aHn*X4O0E|V{@PjDyf6!=|j}%QQ?{?!zIJ_&RU$@nM z^4ioW2eu(dYU;O63($DxLp5WfzE|8VMMK^+_ zTV?jJd+3G5Gfnjav{Qd-o-hoq80mN32T44O$+uF)n~4^=_$gYpZIXNuD#RQdk07in zmYG*jWsON;w+Akp*9*E~aIx%M%}gR{r~SSUpZL;#T{O?M3_79aML{}+dStBG;Ul6T zsr;gliAUgH+n00k60gP{NXM^`UZ$a671~xwjDGqI6hDsxL55r)>e5{~yG=7Q`04Q) zJ@G~FStrKJky~0vCeF;GO^);62e?f8g`NdReeSw-SN$Mb=?)rw#nIPPj~>FePi&-n zELaF2D(k`z?D(*4xgd0v1od0wBsmp3JduxQmGEGJy)M%smS>0M%$Kw4rP@JW(Kr3F)!X0MTrKUpPS}*RE=jjD&FyEGbh`2S z1G{nCWS2k5QFGul)-;Nk@0tfT$1tSRA5~@sjntRF+&rYbG>8Bp_U&NJI>^$xn6xSu zEhc09I-gzzMkV!5QjeQFjNvkl+jld6kyf*r#`d??)OdzY72@;B4Mh+vuaF$vamR(? 
zn+T7HPFRQhEp7d)U=zv`75y3+NgLZIuiy0=^9I0^VB zrsrcaKE%RKM;xZv3Z`j4ujm?YsQ3G8ZV2i`gQVF14g<%MT=^j+%b7r97B(m>8neg( zXtm57nU&jflxnbtsMmk49pr)YASN*iUA((z7MN{xp3Wrt6M&V2?jdXfNP$W}vI*7I z<2whFy?%23PeDs-*iG{S`d^{oTDGw^UEm{WSs1B(dafj-j%FS@@0H8!k^(}!;cX@7{5_f}$=$uldTE^PeL#L1f89}>PtSx14y^vSYd zFhS}JB@8bT`@m}?i#X1pvEM(%K#yHYA68}MW_YLdLWeo)Sz=NsG=clf?O_AiC%7=FDn?*5 zwF@}FLd6)9OaZ3n)H6Mx%|tIVrl!D@n3<6Zwju1s>8 z_KFb1OhNR+gB*~79v}esAPm&3lHI;|Fm?oeB+Z{m+BP}CYd?lTk|H#MF%+;WA=0*= zESJWBoln)`H<<6O9A#7Z+t<(*p9lhA8))(oWScJ{*`fuzs_|2~hNyh9o=;(OVxB*x z8gUH4d43|s#0(g6lCzOxPAcIyH32mS5e3pu|CB+Kt_#f)xTmu$_A#E2er3=l<+4S; z;sIDM8w(61m?3-GVlh|Ovv{8Q8ik#|%q&2uHZOU577eOmCCN3`dkL~sfX5!GL2C(* zgmIC0;rj`3HfPPbpXl*F&0Ig^>bO{OfsgVlNihZ+F^M{w0;#NGOBijdH zGueZHJ88hHYy9cCv}5k`b=YBR%Wyu0fs#ujhkd@OLNcpM_QL?#0Fu8~%xRymao|+Y zlX2A6>K(J4f?N10sCKRQ$7k+i8GYGAQ0gF^))0aIhA!2u= zR*}h0&vZuH9~gZ2S&fVoSOF(|B6}X|i=5@3(gJU1%T$Y(K-}e3Aj*@Aw)tk-DoU^c znpZ4HHnFzzwySzM*r=tAL@ZzY1D|J*Ms^YI9Sis+#*ATXkDiF7VSY|jpAN@pP^ z+&`F%oPPitiuds*kcJeS6-Vev8*xtP8EmO=q{m~?h}bj2(ss=*C=9G z)U{X;5G9k=1L$Y@&RXC+-iJfiLTYE=kh}% z2Z!Ek7E;*m0d=btY&p#URAFzvvBveGnkjKL_mqBRJ$jzHaCv{A)Fm-)7zr1eGi%N^ zAJ=wNx12dY8zWQ8zAZyE&o+l22q;9Q1t(WicBX}7Ql+rux9987K{Tqur6gHTH)rci@Ja;PZ+Bx?%byd`*VB8@Er^W~AT@*; zs8O79o3=MDUl)F01lHp+%2LOpPLVUxBV}0g-6en3_#4Z=V;``W)ni=h#}K}BiJAFeA>*OO*XjMqPmM;4;b?{i7F^*MMBEN&o}Ksf@@5j z(48lbOQIsvVi?~6aaaFN2VY`IGz-%b6F#|NzF#9GSuXS!f?I$9Xh%Im%u=&M%xwGM z1TsiZ2l)wH@<(STO0t0`uUvm*AT}Q~8P0LLNFG)D&Zn9d!fb_?8H_QMGwk}~ zkbGjuh0{faUAZ{8_T@N@zC@}NWikf=>+#gG{b=OEWfn}8%HLH`igLnvUCe8>b?RuS z2xxxpioXq@0QE-o}L8`DRZxWZcnpPINWpgFK61{p?dtozFZoJ$&!UlSc(bO z2-2>jS%Js(!G#Rc5D3`_+P*GP4Mfjpd%erJyDuB1>|q%O!G?@>917}YfqCETV7Q-7 zv@{RBkV%W~Z=0i(|8peNC;I+?d&*vk8o&k`oou7XUPELJ>2A9gTP$sb{3+LdRywrl zdBWcFNiC(h1kT0p`{-uCqf{p;LYTPmD$zY)^?RsF>%JO)Q#*oZ5I2tr+|GA$2$F_N zmG3@JG@?bY1-(?CmQ}t&TTxeHcd~el3`}oc0|UVDhr)ev9*yybEnz5+|MdUt?0Mxx zdyD^D9tHYK6cC-7AlFQwV)>Tc2co6t`xpK30*I9PVz~w*Y8cI>7U}ZO$^&odA0I0S z-UO=n&9JZoQBkXo>a!q~RunhFo@p3fCHH9tR;~xw`n1l-7Yi-8urE*?WcW2crLU}o 
zq(?;;+|!0w@U?0z8LsO(1I4h-VtUPmQX)?ZueE!Cb{i9ahC zk(yw94#M|gAX<2MIi?jT6RwYYKQ5o9$UG1X6yk5iXu(+zkzo@fl^uCv3nw&UE2oZ0 zi!j5L+yBSN4EI!t^S>gg12tGmZ>j0&d^?!e_30onBeNMojMq1I=Q=NVChf5%{kq3Ymz_#W8AU@yORN1 z6#Zzxt-zKyZ)unN!<|;>9bn7Q#4Dqt9cFjsjPmUSvn1H~qM`WEKIS?s3N&pWm6>m$ z*zpIgN3a(LdpuOaCiQL%Yr1Ygy<8f#a7+b5X{>YxKgC7D{Iw6D8P$@Pss87o=olWa z;L!Gi?d$8NX!?fa6@Sk|ne4I5f&)g#IM22<_SZwUIgcyAiQHe2 zbXXYpneZ&a9osA6s7QVV(`@an*K}J;c+@-j|y`TD~2jQDVPK;i#xsww|IY|q$ z*$9|!?yiG78Ns^25wtFDRW_~#tv-1aLDp~a2>zW|sC)uTXCWBeOKD-wax|_a7R~`t zO(5Rz3uZ7h6j5tHGhL=_X(LomT-Ua0iC?`m{f$eW-j)YEH`RnOI?s20_ny$hgt;X? zn>zZ{Rp&OQ<}QKC2dHGl9_#XqS|k#6V8+b&58R7diP0V8?-2Mef5Sn@T46^s%rq-& zFb21%x{^Z45=-q76F0R(MFG!vul`NNJO*H+1Jft%m}q)NIw^~)2B)sabcqu;O!Kg) z1GXEJiP0P#$5*0e?@bQM-d=J+Ry>}%j$k_<#Rzd)mRf%`>)QqE3vZ^M{F#jID{CLFcv~Jn%Oh5{C{$iSMJdnH z*crzQ63pug;#_O!(doyH1W)jY==Yt~poTVr7B73_d!W_ufuQnBMx+1s5}Bxx_p zRzRZcqsA`@V2`0+zuIM<-?505Q`xfAd$a|8K#Nb{TvpX&!y_TsyS#ib4iaG#9SPf- zQYq$hfW7TDqp&n87Yq@AY246k5)u@=`y04r`#XVKj-bX1e6ivnWmC;0G&PQ@&hY5z z+uHmH14-w_->R$Z`r*&naomX?tN z*`WsYFV+mOXj!NEIJXZcU(A z@763-;``|YF91anHLzOtJ7ka8fQ&cEC(k1#pT0h{P~=5dDu?&dRniwuhk?H=5dU$6 zd|4$L!&yaBnevV=Q;0G6m<`FE^#YvO?%=(rro==E@&r(Ii>398Ic|O&0os&8>>DE|XW9D!XPte#k1m{(PRF&b9@vh6wTw;Zz zrVW={&8-ielWVY`h^6EgMFNmQWR=AXA8*|N;hF~e+N;PxDR_lZGCh$e9I+xG@>e)u z1MT}THDCI!Bi=ocT+#J3rFc(kl`@PK9nb~>I?9lf%vj+O;Rnv6i(+0DWD5pWkj}sb#|SSeP?2(kZ`dbFrv;3a@t*+Y^0=<+=i9NAZF%8>q_O#m26 z`YU^6T9}_b7wy70)$C?PStZuyx>xcPXmW~+prM0Gk ziYY(r?q@+wFb8&oKNdW}>aLv^~z0Xo8pF^56S4A_5w?%)W_SW(%iycc_zr)P$N z2ziyfC)Q(z>3PS+os>^)UvR258HXGP^+v_-REWKPkoZMUsjK#6Ui#R(ze<3?hu&f>4GN$4l>ir6-} z%}CM#y&Feym$FCh#&T(L@1|H}q zf8!cqFci38%TK5k)8tlW8FY-qk8M~>ib#&mc%?H!>IEe8=PKxhI?dLO429WkX4r!_ zyG91u#}>i$_ByEAQFs8OB~;n;5vuqxeii7Rj7fkNh@1kWWGPcDFpYn<8K!0)(mZlt z1lE5MShc=NY|61}_MY`|*^aA)ddHx3Ma-lwrL)mOfI_Y4fSxpD^ z)oM!7{>;#}mevLmz1w(lZhkk(m9Ro=4E;IZf#gphF0ZLt*B`;%$u%WElbBB&O`XvX z7vqTU70FC^#DZ<@ZvdhA`yHx&vk^*^y@#R3*vndmFcVKr)*BbQQoeWVV@XQ8GYhO) 
zji%E23QC>(xOB{Kr0Kb>K@2-?l?I)mA$}z`QfhPPK||P>4XkQEn6{66)^bmPFJkiT zbJ4!4Gq|cAs60Ri;VJO;rcK&Fs)L0$U`Nn986+V9KZETVez9PE6C<_W`~G6g2CKfj z5IT32)znlMb3Q79AFWKB8GjJtAO4a+PA= z|8Fk_P+ypgM~FIG<9hylf{~}rm!K7?7AJ>I67pjiPg%6a5@CV>mgn{S+PXAvJrM+! zgaOc+KR%uxZeqW)+`c z$xzFc-Wa{f5|!ufp{iM;to#WCu9y$Uf{0Q3&%%3XWwd8vn@b#~JSJxu4*}1zLBm!-?tD)Gn-X6fh88r5rudKFZmP6UcVE z$nm7fh0Gedu2C%Crict5r*lz>3LGTWL^NQ40pR-q9zzgD?S}gGL{f)J;Tlm7R3B)N zWgh{ zGxx{UG*f<+FGK@+lI;%p67rv{H4!5LlJm?Nh}3*b>rm{?x>HJJ?8B_2u7$9Eg&?^( zCct8*xp_Mgk0>-?kz(&9{5=$^AWnFXsqo2C`K&%d7*<0vYp3sbpCVK8S73eRi6zt3 z(!lvZJ0=-`C@*`5Glg!n2GudeA z5LuS9ibdY>L|c=<*GXb!|IDUw$d?X`_p74;Y??9ErR3qLS?*e3Hy{1}>gck@6|-(N zo;At837ga(GHLXinhl4SxZ^7->(||M_DYosV7N6YfV;(8o+-6{=)*^TaAjdZoyW-e zZ|00#Y8P`3=4+-v6|TsTL^w>OG0WYo>j)@C43is)aRWhKu&`h)<*dBQnL8`X_seDj znABs+X5k(P)-td9rib~6W0$b9V2{@K^~9aav&-$gznP1El-0jaj&aUD0jrGU8-51m z0HAvUH$ON<{+p!x^OF!&lV37Z3jl1nvS6@6Wp)<4fz0aEmmaFitCdrAZ-%qb7y<66 zG5F56w^|U#Woi&yt;i@pi>Kr}ls)vNj*a{~w+RKJ8a~{`AL71%8QBCSZdKt?(|D4s ztPf7USKyMZdD1+{!0P|F_zT1m3m=SZ{02d z8u{A=EFxHos`4IE{PWpk&3q}Dp&p@sOaFj zQ2Xd0tte{|_HM5QOzr$n^cCxp+ zNXtzl(V*np+}(J*_A~NY)v7x+f`tDCGYBx||EQ^jhZsMuxEFGL=U_gzD~+T7n61@N zDLWqiN%>QXa#FHmGoPw#1hh)izMY%|B#_{8?1Gq24w7F{lzD2R5YrZB{O7TUtf z8tsPr6vT_KluwS{8fJR_3)No|67DuMwPLhI`=GwUmCh1bW3iKBTPtL27yQlrEYZJT z@OWh-=A%`HZinrx8%MKS1f7tamuTnd9j7zdXsIFS*?xC*3qkJGd0t#hf8i)@iqFeK zzvA;guK$*}1?)vKIJum`l#E)|smtm$Jv6G6*+_5*4Xhhe-u&NW?SBD45vFQak6cUe z0=0JOXsQZ{p!1P7kp|a{5>04z6aRvF6K7zK<87e70Pfx?5!I>a`&oH<4&0>S^Doy} zq4IU#rPFg9%q7RraHNkO%_6`@;3BPs2a%`&)b?w+?mdSbrAWsWjH3s~O@<;bh$CU? zrP_RBstgbe9jK4RxR_27qt~WC=>1@Rp(74Y%3-f>IvJkSZDdw7zPMY4GZ>(v$Rj)b z048{x)tShFur0Xs204~_xXaO~yPp>UFm7;>r)6-9$K|CMIZWfT7mMgDCKyjb=#Hp! 
zbdQ{IeHZ#;)8K&V?xMzW+_H{_~J?Od4()tr~*WR0|#6SC4|RhU>_T zL4b9k3mVmfss2HveoYN=Wtlb>baRT`oU%QL`g z484yC*+DEF7^pF3Sz*b@ z1S9TUf&#Gnppc)gedy}zY?@+(_UR}!t_R@HIn@iBq*pA&&U{@0xN7b$Nb z2C&$`sxzy&B`sKyaDJ#5n~>|ym0}+|2ypYOhv^lxSgCUE8LHna6+$hWP2&C4+^!4v zdB}W2rhlmZYsv@C!0$3t>nkg{mh(v?QKAyk&80SwR=Yq>JdWRQ2IWNBYD=lM(z>1{ zUOD&IJhLwxWDoavO^-8EQc{!vXB$m@w*WG7nOAzX^h6>dA4c3H zT;gxfS5->T_b=&4L-Hk+G0rc1^A%~q)0dr>2z9|Ke~PsKGwCBx0T}(m#0e{iwetXt?s2)cPdD^|w!E@xSj5$!#ayN(8{{dlMPuXnT|Y zs@k1}R%@-6pqz?{nWbyhEL~Fkt_~FK-v!-~(?Q6B9o#CppMpuET^CTxJl-+sKW2-; zmaA;<_J%d)JZ@}yI(P?Ec1lY-=tJStz@otd^cJzJUjiMHN?waS^lCZKEf|*SvT3#K zM}0A~dUSY1!7~!Dw{k@WkBnVsq;-7jz9GzU+~p@>iy-Op0R-H|b6a1d#j>1V$@1U^LHrCWQ9 zoy@Pk`c6hb4y2|6ZfQ{x|MaVaOPc-L6^aSV5zxg`GcXvT>Y~{{q68+0#M(X~l%~ z@rWrgGGbYbiBN!2YdiLFW@`V|DlZcu@x8osAB98oVMi!OV4hNnqjkUMhwU;%4} z_3>+*Mu+s!ciD#6A&l?Zw8m!leiWSYNet}AYUToQ58;gcVWi#NV65{2%5YugD0h{8n0iTNF$amF~m z-<7c?xSsem@lSpE&ei3glK$(T!ZXg98J8}OazTu=WBiE~ftQnNa?t)*{y*R;se+A8 zBczBAUxCdD#Pw82ayii4oiFcSm}seEcSblD}kX2ZR6-$X&Jh!Q(2S$iK}^Y}+X&D8EihV3vP29`2_GU1<`2!CZ& zNH8TOB}{eQ;nFZ#a(b)ns^g!on#1t0>L=NO2%KUG(b9G~uy9o0|B)KVm!(dHyB4~a z85T+|u#9H@cJVG%jufIjM1~?*UgNO^4i&$!&Ut7@kb1A8uiADz@^y zrkR3Dj6So@25n8>74i*TW$Iua8D&ifcXOb3pM9Tfl;PTMSbD;Gj zC^-2f%}w0T_@TYw*7>Rt?AylYPR&038&=K@83d=k7ONjN5i) z3oR{IWLa+v#rC{cp%Ak%*{V&(OG@Z>eu2Z^y4{X%Q&&i@QN{>tXj9Riz+Jc%RS-;- z>+~gVPICXwiv2F-Q5Dab&1QmUH))4r)gF`Y_7I&`sG_sS(djIx==D&5nw+y4FM2nn z-mARu+_aS_x+D&1U1?&i0J^S#)RkHkYl1kQ*dk^I>Kve#dTRTTu!~iO!M0xhUfeOA z`oX8)i12DEPrRyfZpkzHv2qyWsp#o*MA)K;@^rKGvzNiSzd{iqu` zZra9OT2KaaDze3@xrBHEU%Hmiy1iX2(;Q@wNVY>}SM^jo$ZuweLhI~!nz7K^qK$S1 zv4m?OOP*y=*BOy*ct3Vux)2zunoqxr#mbghZ*%Ce0mqzR8JOEa%KYEdoBy8lB)p1o zaebR4bfY8u+G#-WK{W8k`+hef8rw)1Tx8rV4Gq`8ER9uMqV{4OAcfwjA#EpPEhbOJ zJ(pA9YBYxZd%U^psA`a;+X`xsS?sTm3*cpy$YAh**_<8f7n1a%Mc;CO7B7eH>`*l@1MNpASlR%Sm@2tnr)T|O>&x7 zBcWq$jF^8Ps`KY}_9fcEIy<2kGH#8Hf>DJt6Z1Ml76AQ=pEZLv2U3@x_=P**ctip? 
zu&Kh|dMB#*FmK$oMI-%FTB2SAUM;}FSLswXUiHf|4K$mrrohks12We&XwiMjkVK8r zJY03;ATJPp#z73Ing1wiqIuc^jfs_Pu_kzkCt>roC)srO_Zb@cdTKaiu&}fyx&8^S z2uAlEA&X|w(p)YsHgRe9x|BOoh?;imY;=k9&3EbAc zVEtoRW(<_)7f+ISnsrJj4RKpD39a^$Qx{8?S*J59;N9B#fki530b~6He%8bNBjeGZ zR_PlORju1EYsoGBg{V@N0Q#A(-1xIOJ^UbN0RAJ!DV&bBy_>7iotoZ1d1Tq(Ve}#!PxN^c?Z)xi=gARR zw|8xM59`c4=o%vkd0Q}BRB+AfVmO+|jn$oLG#8phHMr|{)WFZ3dVRat;tO@y2&>s6 zsGRsTyyuJSCL?po5Okp7ucCnbA#652ARF&Lu1^zg0V<%?Hd3TD_$OMf@8fAcwtdHh zVu&l5gL~_|@c~}yie{{V{j0JHrO*L8R(qbZz4X@Z`12*?+AAGKU)&NxmR;x?{}2w! zD)unxlPl@1vy4c27Bb@K{|(0b7rpg;-VlVVCBfM?pwW{VXW9C?7+P&%4hHV>=AJuE zp{a&S&nU?!jf0EI@!zoNRZ~wJIXc_D1ReHrq2Fk!Jr(*=Y=|Z zoqkB(;KsfT{TO5GE|$xK>%PuBiMFdXGVixnhhmFrmqhTF_J$NAIf|E~A;?CrB*>$? z5~n1II^6%bRpD*Y>^4j4bzn;7F#Y8ACsz+-&O&U%osGgT%wotiMd~?u zU@kRU=6XcF7R;i0yB^TM8=E6EMmP$PFK^!kZ-yaQLz7@p%1)VGEDUReWESlcCz^LOxPa638+s7B`N$5U_u6VvbY%E+{7`Le>I&2=JRcH>G1o%;uxkscQlY zXIUW295p5OAIk#{+OE$Q*v3KNqCLz+vP{q1cnlY32GJP3@>9%($-}dzhN)`TeBtV& zW=9^X*A&ui#v|vX`|5?Azud z^e|SyY+e=OkZInvm$P2g@Qsp^Yl1bNF_q)cOL%sb1D00ZWDx4Dh{9B`JwrUUW)#O& zP_2q7BwInT@&-5=>ih~x%=$9?IrBhiQp#+R%v3EHogCN7VT)5&=F=5jPLWmIt6EV;kjA`-atC=;XLiKv%-nM4+;I6ihU~|3~tu65s<}coK866+aq{hsT zK)h@o6%7TtFMmkO^xrISwpq9Y{wN(h(4r2n_Z&k53;~|6=gEYWLo?&VwaP~0V`N{@ zcY+T5?N4VlAgL1JWyL=;^F~CqcvUxTpx*6~RNAx=FRQTr=9OZ3X+)=C{J@Po+T;2W zX^Lm}NbWPAbx%MZ)q>xGe_p?ICiDEW&qwjAxw7;v03JzUp8`-oZj%__eg6+hffZn) zwRm~ywRO1`C`-t%JZ1Qllw}m`$@svdlO8c&YWmMsZ%}!I^=$nF>bjvbl3h{zNv1Nn zRzL~v@{J#P9XAe)7z-b1nHF~1w^OaLWpxkl29&7eyJd1gT4+|V*swbkH^|Pa1;xG^ z^n4;Zi8Kb5>UTrdt8Ygg!df*bcg7z-I<8bOnnsjW^&qIIP@ZZu+m!!d`?*-tj{iXK zXc({vlSWrWmk*v6oa&Y1R`vn{Syq9bHs3#dy~D)WW(H3UGeHk3Pjvr(bbSMGKmy- z8k#LJkgiQA6E9+kar<7yVZh-}2)SHQZ?Ief(=SJwMn2?!6sO{v?gRS1-hLUMn3=eI zjIf7BNtlS|*4k=LhgUR#rFpH@C$DJubw614>Ynmz!lEl-!xu8i6y}PC5NE98t2~}= zdR6Y8(_r1C^zS?CvIwTDJ0t7=3=B!FW)!A`jj{YDI(PzFeF9FhbHONx#PXGfP19$B zNCufl6bWPMLaqeV#XqSs-`T3)p?;<6WgE0M+XzlP3ZIk6BSoAOl^nX2L%!BWks@)T z*g8?JhtR67u-p`v8t4M}L%jet0YI{bA1chL*u|}Zp=rwfo0Az;`ci*#a?^)+@@u{{ 
zFGo2G>RU?a92Qna!{QOxnU{E#Jl#PqDmoyUtZx54D^pb=|LO5lU4%d(*%gDis#eZPZkd4K)gdEm+NANF1$y~0TCgcyWT~UWRMs*H|JPCn=NguO z`d3WiC}KI7f(XlS%ftiSqvcghvtR`_W?&PB0GXa&IGQ@JV;;+{9sqN})xoWT_0O0D z2U+?mtGta+_69ZerGr`@m#$1NbkR)%2?GAAYfK-Pzldl*_O5gApsomC-896 zKiT>TG7ZD~5&@?l#xkIUHhj{r3YH6MycBrf0s-V#w|%35GLxM!l+B{)1G-(>CLAOL zz*e=w{wWn+AhhVfQ;6-2?%!=;P<2jQP&gLb8xDPrT=mWiF&DDm2q#-if9jo+zBu6i zW@{w93d%p(+Jm399lB;~3ynQY-PJ%Cb|%8a4AWzr2knhI_DWx>McnLYwr!IEPArWA zph5w0+y0+y6%@--fcE63Zzh>$413(DHp6DuHLG`Ulc-FZjIFXJZ9l z0)U8h!JxpB{E=P*9IY{M@V0ZVCK0%hURkMdlS?eF^V5EcMZ%rZ*DSR_Qt1-^{((oO z=-5P&EEfP73X#aRf2#f`NOgV?A73|SAi-dIu6qGx4y8m= z2>83QvHYcZP<}6;MNs;|Q^J4nwG)uytg@mX1A-Q$$SSwjdKSEZ?dqC}C=wnd2&l`i z00(kNQZY|+1iO#;g)WT=z}thcD3t$wFY90L)gb^P;copFFVlE`Eo`=`;-$ctemyxA z1D$=svM$6zQmvGTU}ub`zGGemgd`1E))nucm51N)EfYQ@~%7HFC8`nkdR$y^Pbur^pBMw&2*M+T-QcC$Vo zAdDr(-KClT(5+1${LPY^ZwtGm%VPGAgH^I-8zmss->}D9FY^@x0w1&7b?KMup!i?> z_#?fqD10;!EF)bOM4)uCGk*#73|_^*Y50 z3m@^NW?lq8L-I8PRz{E?Wg$f>toSXQ3(?scf6695;2H;huS_;hQcz<$*8<7?)F=;S z5Jt#R&&xuyAJnE06yn?+DMByV&T)LYzwD|n=w8|*D57Aq;cKIRZwc=IwI!VR2#Cj_ zL0`1giM{vEL?mjs6EuKH67~*900q8okv2#`)#IMJuHGE=DAbV9t!@&84kv{Ihiyg-rz6u87GdVp9O{x?eleZR&2A2vc9_})0-+@&I4d4E4S+FiD{x>Xka2N4xj zO(!)I-Izf^?Hi-HR(j211kEMt8)fGP7LW&Tec97R-cd| znZbbL->|U+Di*>2VN3q4)RzF&N&=_nmiUL6_{(ZcvICZEnzjQtHs_D3&c8o8;q!kT z{fwSL`tP6oV+($!0qABKw>GHwC)57=h8rOZe;)`&>YwKOFV$q01b7bj3=K)+$PJ|c zVAju3#bd+Tois~ zf#15c4RE*qweQk5AnXR!{pbhVH_10qhWFsZf1_w{MOE|441bWchQw}nh;XW#)X~8w zDk`cDGks)NsZ1^XD=9_Rd59#jQT+huU;n~?hL{zo3|lq6^a_}Ib?lKtzUY_Jzr{KM#JEZa`67OpK5BXYgOfGx=~Oz`($h9iE;NAU9W6Uo9*wNV-O& zlezxdHx@~NC50v6tyPOeZEIFFjTHHoq=b6^WlmbJG~vI^VAeR~7ZjC_OE%+akoEQT z!=;)6(hv#;acAG6c+$C%i3zD1g);u3@Bh*ZX|~_o2xxpcbi>D;s-OMBz&j7m^MWC@ zQd`R`l}Ouo^AG@6(mb*4keDE3sNky$_xFxhB1Q4dSbHvBQd(mR^GO?I*bYU-#o5vJ zsQ}7CBtUyld5ZC?l{%kY9?rvqf*>Tm$N|nP`usUtH>@b@xv#G;<&Bc>FN}|W4Z%v7 z)qciJ&!SFTJzlYk-+2OF+T80l`f(4$^f6*So%!R6`;6d!u_wy{!fIF_*4lEW z2qU6mWdT&|UcllnB|rB11X_jZi|bd?AJM~~LtTfx3GY+RF!@I) 
zc?|1qvDR!{&mO8Pie5uT5^#4kGk~bP;gO;CueEpsLh1DU0OynMFnWLJcB2&pxePTU zBT^tdo}i8n!SAcu%V>-8MMz0WZHjmOZK)~?0AhESGtE97~CIP*$?I8tOAA z`ZBd#qTcT%sw+3*beLRH%hw-~jBE7ma-XAAuoUVsUGI8S%nr<4(p_XM9cebKKb&8s zM$j-e6OLY;BGJ9Nm-iV=dxjrOGi56(Wr{t{}p>3Hc01Lzu2;4 zv!SqWIk8_|#+)!m?U?cqc;h;mR~FzPZ8YKPEH(I2J~`HQ#($X5k@^sm!{4)F{c@Vv z(ms9DJDS@MLPY`Dy~)-8ODY#M70oT^0$z2KNNe_O1-6T5p?(TeRP7ywcf$?1=Nv0C zql^DI=1IA+VR8rpr@ZMx(=O38BCZ8=X20BbX#?DVq|4@w^~_~xD?aIdPO=vkBa}<_ z8}?EemtpD4wZLnP4&n;6ZYms)(1y1Tjhof84N7s5V_?&x%{})i%i-n)k!S7;iSFuK z&*bc9B6Rp|UzH6aA_s)`i-h}Wtj`{4Txe=6G!ktJW0g*1y3;*9lf6?)HK|voXVC?1 z$}0PUt@nL+^v^F}m1LpBZp0Y&=+^4`@F*i%+QfZVjvIFF9+Ywh2k>|eNG>hyL2;Xk zh&H`F^IXT00vwHKd^PP?0V7e`jq7D#TfwQbi;Hr!yqO&E#)i&vB3L+qk$r=^2xe-x z45)a_ON{=U>)`jYfIjtJ@RFKckB8Wowl55C6$2YCb#WtL)Nii>uhC1G@KWvl#%X6H zSmUflD~?XCO9YR?cq6%ykiPw!_2pZGOZCFzc+n3ayF63ByDpT~yc@RNm1>PJG(R-U zrcXK}{YuWe&C@>*6EtFsIAAEm-@LXKz2Z_^7H6N$E#2T2Ik}EQ>5qJJjgRA4N8Wqo zzFKH;r;ATC6?VnVc(eLwwR&i;m_H~BJou4kl+46w3&xw#gdVs__Ypj48QixBNfecJ zqn~Q4bN-*$fq#b(phDK+2ga_ki+Tv8FqZyS7qrDZL`oE+$s1bXBtyhQ|2!Jr0 zPUpS@ zzQy50Vk2cn%NB`r)Ovw2g^&BSXTlctK8?B2+5z$`&0Z#q>1R3+K2TTRo=59~w&Cn( zhaz&_(1_9TvU<~6U*{VmHB*mnD}>f7_#7M+8*;Fr9_hY+F1)Jcyo%$Gxh!c#rS5p6 zTpNrAG+zlcG4U?&yog9v;u;B7JK!6+*jIt%cDMg>d7QBMjlk$eYVl$XR*vi*wA!QZ zCi5+%br-RF797W-6`GAC=y->e#nh9c-#++j?dqk0E81oso!Ii0eWt@@Tg0)kQSAF1t~rX}?~t1O_Q-(gNzRnJdQJExbJuI}o^=;u9u@QGr9N*y*r0MqUwM#qQot!oTv+3KdC9cSF0sHIr zCU1(Df`>xn8kybUg4+9Z{FhX0_=-}#XtM6^T%q&+sQGsKMCW)T$7N_V25~aEpVy2J zx;v1TwUS{V#WLeXAuf$20;Qw@6f+?#5mShQ4`B#?Sh$VwJ1+wvM9NRq07;BLL%iU% zRA*^apOszU4$oA}h#1xvLL=2pVuLbR7C$a-t9)b;3WLZiz;ir+!t89nl|k-_DN z#-3HdozYB>*keaRK8x2=UDk9d6|}G}mM*yJPj-G9{^?4v z!E41vfqP_^q9RyF&{+~^=^^kH2GwsDwH?>o)algtf4NloOs|nlv^l!|G}vS>kCkt) z*^$vlVmh6;bI2`RA#i1>VB3v)YcfQqvF&LuY7W{c4k>yJ1RTMT*#HCxpL zrAa9|Qn z3}bWMLtor{rdO7K&o2_DsXO^ z6EACh@r5wmbIEuB33mjPfV*+@=BB^LwK5y-n>pVFvP-|tlOx{F2(o#W)EdzQ8cTYk zJTF;@Stjy%<^ylh`MMZvyi3#C-h{`Mhr>&2<=)*T;J}2|vP+nSR}!8$+oo`;gxI6a 
z%+WWM3@HOf*bbCm20=DbMrzKEjY9v)NCAN5j#QK29F;>q5zyQC#pQgpn>y1uTrdV9 zt{`B-G1)0cITpiMMKEc_g_;&^^wD5Qlljau74<==Z}n+Ac5g72av8n@QFFMaZ+}@f z!CAg!!`z&9&myr=>?=C&JuXb*D91@hXX#T%&cqudY#Cy%xk>TP)x49HPsmhW1uv1% z2Ggax2_)D$fsapa%xBZ9^KItjc(f3mL@+1xj$!T=cvkjdjgN+@!&L`-TzCDf*(8z~ z4z%ro(Fn%yGDJuQOd6i{7<4Ta5npyaQ81oAJu}{?=Iw?@Rof(X!COgxY~o$34sgc3>x{;+~C2 zqY!tDg6hMTIJI(oFxB`XYa*%BUkT>FUSVUrgbBsbpa7dn;&f7A2GjBaCxrjH$!fk; zXGY|Z%9Z20;BiWI)%7X4f0rR$J(Le7y0NUmDY1xnhUq+WalM)D!(zp-J4OL~N@`o- zY{MBMp;4@?JDDiZd>}7PB|idVl6dqOMKM>tS^ANRc{Obx_|4yXxgG?ZRi*Arge|V433XHzVmOwkyw2#qbbYqC0+sSe@1pD#>EuGQqK@U1=v2$AdQhsdHbwlWEy&%@MV22ng zi?X*OVZfTMmaxEfGl^4K|FC;rV^JCC?_M}h=T&2uME^`yv|vXSG_?$Tb@zh}tGctF zsl5d@AFUi3P5m#e)?g|H6EBYu=ty*#;MaOy9Qm0}_#B>+jRza~a!l04x0*KRGCj)` zucv6%t;4*EP8&*(t@h3VEt`eX<9n+96EJ&oG~ISim5u&Gu^Y|e5#^Zm3Wafj01v8w zG?^MwDbRr@;pQ{RP|EV!>Rv)ESHYA7L;nPpZ9^xieHOBFXzv`7YRa;hb9$y6JBRef zDKw`{1RB72$|W6^#g9ka2i~c4za!6m6$=Yp8%^6{0%&hDd5VND4ae8u32s9}F$RXQ&W>e0&IQL)u zs?uhWY~NR(cQMf&>C=t02p6mG-@w2ld-ddLWNbyq1>fMT+h|nxbf5uo>J%;{l~BH* z5zeQd*L$!LcfJ2}_0?;xWJoi0oB?OXL(p8T>J_>!<(H(J>F70=J$X6i+5pGr)kNDN z*$=p0uKj{GL8mQx!&bvREaI+wyrPh3F{xW+(wVX5Ri~;Em4UBTXly%5K9)wA8Ac-g zl&u7shP;gKa?TI|Aq``jg8Mj%wYDq{#TYH%i91gV3C4rVa2?1EihUbTxba6GSW*F7 z`&H*1+aUi*pxX=t9}pcwE>%J-dDBDFO=ydWFM=W(2Wautq_!rHKeohFsuadD6yQ?M zXgeTjtD~AHJ7?+*OydO5rxV#Kb4T_>} zSLO+*Dw)o2tt?$!*3;V6Su)sAPJcQD+CR3^iS(&4Dg7*|Q6=QmUQI901j+!I2^!JW z)F7hC*F+|n$G)dqqies$X60AMNYPMz_)=j z(wLe0Z&j5}Y`kxF(6ZkVYTnc}sc@)ytG{H@o~aS}C>IU+z@r)x+G{x8pV zPI@4sJSPS!WV-vnwSDiUjC_R9((wVotX|5a~) zqm;V^+IP7%`;^tnwF~jGyKrdS^PPqKQ^L~>R$SZNvT_Y|2W^!m@ObQZ6XpbbeEv6J zjW_)S#^bN<`Fq71-`<9uS;M&RJI5Xs#%5r0LilpHJa^8g+FhKs+^&^M2_9N*R)pp% zbiF~HT;z%vVyQW=X02$I;AQ5#M2^?xF79q-ZfY<_iZ}3BCeNN_^HLA`nvxWwJ9JIs zTswx0`xlTs9WU~1tIBv2%HZ8^Z{3PXdN?oseHH+G{oDXUjs&r^25`Qd;j8Na_%?>& z8)CC=69c4xRgId=C`jA7AN`71aL69^02og-YIl+!sAMV71)8r*O-h3cs{)1+i=gA^p4XrLGG_4i1NF(txm}K-0hzy+OL#? 
z#R<-ui#Gb8e7^$YKN1f1LCkq_s1=od-9aLDFVbcVX=o1~NYwIX!>y;Wkk3X2Gag_Y zJfAYW3$v-}>G2*i>sq;q(B1eND83V8`)DA8zPzFGWu&JiHbW>7P4kB*mz8-M{*L_D zDMY#!v#G^d_7~0-)8W{gt{}K|e+uOF0WD2e9G+8qjyelU9{&%?^)MbRNzQbd4IFDv zEOlEW-6zPU6|RfSq<1mg0Pb55i{n-7sQUZUQGW4<@jc*tGS|FTUNt|qrUAGuNcq%I#ttP2ziA$9A_$o--CREY|c^c9tAy{3xK29m4k}rBD zy&&TgT14UKlb|y!Bq3=7;~C+Fc_sMdX+pNg1`0+!gL*=%VOn$C_6HJCmp_$w+O2q> zsOC}R;_tMwzU9WpHa}1zalPzNsTTJO@6%aoya=cRcYi|0(a$ehnZ1g9^g9=PoVH3 zyWFsrB2X{4*SP0YymLntxECK--Ui-GhD^e923#*it1{oGLiBAMQwV#DRxhL9SE;wz z;afz#$0NF7`N)h11hfBb_pI?lmO;NP_tmOW6a=zr2>KlUuoO97l`E$8{~89OpCavUA5bP|S3wLV&2?)hD; ztv6z%&*B-usrqJhyI2vs=X;?X&eaXuJjm8VAgy+ZL6Q3!j}tu=L(OJiCzC_#xTeXr zOvF=XhgCc7ElKxzpP1+O3;Xg%gHD~%-t9L?B!A@tL2syplYY)u?xR=eZzu}VF%cTd zTXJ%pW`8-0@RHQ~@rbRBqDAHovLXH1=DN*l>e0Bd%d~yQ9rzaG1Ni(Lm&E62C5hR# z#-V~@IiYa;5T_abWM&UdMI@SsY_snrE=e`MOx59iCg?Z9)ayG^{s+P|3+HW4_K;bh z%@~SN^aMUh)S6DDwOuK6IbWuD5wDej6?umNN*LtNUS5Ke?x$DTs~L$Q1@CS7ZX%v^ z&7k}7Y&m+q0CNQW9<1cK4sF)~(%g&av{%+aDDIb&ru80PgvIFPL6Gz@tsV#C1W_{( z@@exlIk#>a*jKjoYJHg*u~)asrp*b@c~56dXLG;uY*EM9-!mvlwsEvrs5Z&Cf}tANeSA3as&|1(r%^Yoq(So8D5;56_IpXmJak8ZVN7 zY=;l84)s1aflpu>TTlC|rBG=oa3=W38nGe5rG9u;AL|7O?15181P z;)-{+SLB+Ch&m|08Px6k5$~{7LG1AO>3rp&{AcehbOl8h8ZjAEXD9y&&_gd6Oearj#@vG+l5?m zdQp5Vg}=vYq1}5AKJK9)4n&xoHNF@v1gJX};2aF=7awG*T}Rmj)0C$`SdtlCYW7E!dnBXRS5GOha znbbWzFryLZ>o&ztsiPaso)j;cBqp_MZ7e{Z96t9f#(aOz4c26gBnJ}ELcBm&{zd1O z)H!qaHN;wqw%cLmlLP|G5Xi`4_Qa-tm#Ed6KiNS12AN_-%}3V7>A{q0A8aMD&UM2Oz`IodUI^85Vt4%dC&Rw?90Xul>AfR7M^&5f73eL27ujQWXzB#z>G^JaBsKa3?9lTV#o zX}=Dx9IF>VQVVX;(TW^)Vd+i4_c>LpMSHhT=yE26k0Eyi^{VuU#>Xd!T~+5!sz^_2 zMaCqF1Vbq(D@RsZp1d`L36~DNd|+%p10j&l$_;^pI_+(;378g)X=FF_qM-aUXkGy2+#Fmq{VCuY6Vow!Na&5fny!F_U^#NNfV!bM-b?0~;$0GssWOn2aHMdWn2T=8_o8bl5iF89# z<$qSXY&A9QvMUs#ezJ|7{#XRgbRc435Z92zVExk0XNl-ZMh7`aw=5X}p?XCyIE<(u zf&CEGj`5U$i>{-G=D4H{GX63sF*Yv;>Ws43GISJE;1l$7Tsgd{W*%RQyQMkEagN26 zd#MFaZ8rnMIo;tikhg}lhAZ7`ac^zD&#aX)F)3nM_5F$)ss`**s^+JP)jg;4rj0!x z&DM|6Maly(2S*ea4Y7E<&=}He_{};vi&c0P8%cnL@N@yrRl1R%g98utr#`j&Nj3G!n-w30tJm~<{!#& 
zsx0*Cp$~b)wUa+fHgjoBMIb>4oeIN6+u8jRKdzueY1>fr1|Iwt>X)3%6Yo-1JPqnj z$Ys!}k+3Q0^Z2?$ItIG^v9@Bbm0)nHkfAjn5uusj@VBa~EJDG#((hnl?C-#0O+`Z? zq3Z-=pnKi;?Ew`)+VWog#PfjQbH7Bk@c8CTq~dJXWPM|lf$hPsK z#~00X1}H8AsB_t&?Iq3NDw2hGrfi-i$ImTmUc@^$Nt`+@PPAZpn~%YV+7tR4Df%h; z4Tz17R!l3>FNDnf3NUgyUH4~*d&NRNZE@yQzcN>`Xi8Oo`kUHN&_hk#*C5$S>i35r zm67rmQ&Woq1VQq8-?=KJ(Pue7bTyvMtL?GKZ#${T#e0bLEfEGES*_71 z5sLVnTdLd?NSGLh#!bpnr!|bJMuVg#LIxeOnlW3%vkJnWkOF@LzlGuoiZ_+oo-XO5 zDs=X=W3?DqzGb{UGr0R+lT3icchx$r*Qa^qP)%mE*XtokjpuM;J{>T3LRId_<%D8} z)KP^hEGqg<_9wm_p<5veRSoRcA@8BZ>xQ`qIXktFlrH>t=d(^98pW#te4qzJqBM&Z z1=l<2uGhZLgM0?W@3aifsyL6B6CUpTstN6a>D>u@5d@lb1Qq<&W3tc5v{x>-P|JQF z9*v*VEf6PY0@KU6D9lNu-MkL?qE~{^QBk)w8%;8jKrZ;ubZUCDm5fh(EOlb$+~&}a znV=_kV_GgxODeXtb}Ht^3C;=qMETIpDg~v*KK2H#QPAoz)jy7=*`T@hKvvKtyco zomxdoTLwPh>9}9u!-Nqdd4;N7D)a0j_|Fs4D+fh$O<;cMr|o$beDTX}aOfS<(&{Bs zV>CN}9UQLqj%C7ir`gl23AO!6Yj64xe5X0O)C|FeK=9BZC#P_#Xl{yva%tmBw)wuc zy4lhP_h%m(pg$t$61t18Wj)l>!WA6U5YakKHgIy@sdPpweSA>7HqLZ%>A`@TQ4%<4 zq_>hBF?hHqy+wb{$2T$4S_Vx%ih*JslxX>7^GrxygI`{rJx(t{l#Q1aZ~|cpP#Fe? 
z18i}H4M=v2Qz4BSYKX_S2uQRkZObAa7ptRCNNl6_TaQeBjm8q@Oy9~;JA#_DyHZ_` zNn~+9N8egNut4Ot1Z4k5^qHF{C*N zhM3R30AZknyBmFf+byBTArBVY`-Xt9=QhpJ3Ak!{f^gN<50nXN?1k{3p?5d8==rFa zmr>tRg<&eItes9`VbH@E>!v73`aw6>QvpZW&49jGY-`b94S#mJp(vTV6zP6Mvy3Wn zUTkXkdq;FqD|-0>ob1}pAM8^;5=Wse4M&3<#d_6RAh44(-crOynzsu&WH_rMLWV(h$> z*q${mCnPXwUJOW~rA`+XR~#e#LUcSd4e2Us!r41X2lPde@)j-d+ZJv}J<}Qed}nNF z5I<4Segrk&BEGgg(lkY8^iZa1pxX0Ev@Gl7t>7fOmJ#7*I&ow;-9WCm6GEeK-~M8i zs8&wik@sGvt6|Tq(kzWAlbo|^Kt%doNIYmyvtH(_5-@0`|* zFF8PagWoRnXDBY>5N(MVr{gNIrdm4^)@dtotdrLebJwuva|wkN;jf^q>i9hB9vZ z@nTwvg5)hTe~=lpH+tc*oRX+gpgXF}im0;b?3VWPS1U%%iFVKnZc6XD65(fHCWm(w zKOXSVKD|+JoETt|D38j4ITDQ$+cT-F`H#)52Q}?+EIqR&xUG#H&Hhd$!>ml!k_na$ zQ;qn@Yson6l@znn^(dklN%yHD$1j{>_;1&9Bvgqq89HFe#l`ti%|As|6(`P0T;;&} z9VT`~te!nPKcYDrS6HR47h{a*?O*23lTFsuQQCSaR}7^eI@DSy5AN&)=Me2^FS1RR zkBi(hEE_>ezj^l5WhVRw7yhfqg1?O*EB^;z+D6D#VW9AaG@z)TJ4k0aZ&*~=e$+Pe zptP5M42sPstQYwv3)}?gZcWW_4aUy{vgnyWekS*lSF!UaE)+nYsx+iXYQynr}^d4xyRwh3q*YuOA)!}-5E z`n;i2y$(p2Y0YR)dHzAi-%KX@-Jc!}N8R!RnAqwaA}O4N-h>K6LBR;}-b~e>#Wg}H zK6=5_+l#@L&O@~wlgnnrB%6ix>wm}KlTi@#g&qQ!G|QrZfIJigX0dgbj9O&OPeAet zvae5|qHA*3Diz1YOf}Ox7ncG;NopqM?a`zUuG0pIVu*;FHr?YqonG&wUOq{+AWI-= zqDg5%*mSYwT&a}L3CbFAZHl8>gy@XqH3M*A;bz8xr63IPX;QZ6?E^Ob4_Z!keiE6W2vl5H;IrhjK{ zQAX|wdv@E!Ajx6C1BcJu(Y7d3ET?~fxW{An`Bvj__((=4m(J&BrqCZPYPEYwaLVWQ z{kR&1eA%Bap{%P|B6+$TXuig9aRhHPo}}7*NIfpntZfm@mB)D*#db=htSpSM1yNSh z6Ul$NUL`YcDbc7yze3!6jAU?RERb<(d7VM+K;=p5Kt zwTy<`*|JMEj@Vm$eYmb?hOVjDJ#RB3Qtz{#s^@8#f{>6i$0mKjk5(OCG+nx=d* znc<{>NHra+{TT#{x+;mj94Em-(toN2-Cef(YUd?W*VA7yhY&d0cAByfD7(?))%*}U zYhW9muaDJuCW8|W!#5gI=xROvWm-~M$2nfcO(<66&_f*sNheIbOInQ?%RY`Z|*r$ z9F47ZQyC;l1aI|^FP$a5DHBN3K(PRnjr3VVcEDzry*f~LaV=+xV8>`Qfzcz|n|zEe zps#`{UlLt=Od%~~$#$U!X&P4U;wT*NV7yOp>IRr=-D{|4`0_lhZ&FQlYisE9F~?v7bpd~eupjsMMYG(sSk zAdR4$abAE?OH1gC9#vQV)$;4eyH1z~BTOe}KwCJCE##I{eYOm=bvW!Y;w&6jVva~Y zkk+@n|4`<$!E)}8h+4U2*3OM(as8I}ZI1bGT!S3WP-}rf4Jw7#s>1{G?t<7F@4lqB zE#L&A<+<;#SP^)O1;IKAoeqsp`(1}~dq}n6X8r^kgmuj+_D$G1me|1-T^{K4 
zhm0`Tb~L1`3=lMX#RTR&4xwamYhuGlQ*dlBM=%C4NIj~zjo1RqY6XbrOD@XxpMi?! z84-cOHT*TLj}M6x-d&{AX{0z$zDUs7f`ElCs8bb9mT0pjoHA)2ZELYGlpP4s(&I4f7VdvrwNC%< zfawE&=H*i=fSj{H99q+lKzIG(z!_rPk}r8bTq0D@zl-nUD#y_+t-1Wp6T<(^&&BUK zOW_5iHW>a&x`7W2=ETS1Gv~J>`h?E!FcL>zBh9RJ`wxsFYyQg~@0lZ){VyZTGD9b` zGT5+|Wsu66eV*GT74zMTr5q`P$*fn31XRqth~`Ksp-~DxZ7iyGzB+&s2$&7j+Rjcz#OL}vBZW8s5lR9Ox+Qm zYtOv4+J2coL1i~M7oI&InYP}&WiCHe!ywk1MVPKvDQ#xU^yGewr4>U76wDL011ex| z&1ch&I5Db$ohQ38rLRN+BZ;#d>qI#`LS?6|*B`yBDq7mH`vyur>4eP7Gh1h_%sMn% z#cERn#U#sg)?$B~4wi3O@>(G~C6PP339;-7$HzryMPFlwK%P1bW$ztImt@X++?xfN zxg-<2_Ld<_)h;1<(;JY;)W_LMeS6dr^jsZw!iuz6ha)Ra=C?N|#B@ffG6}3agbqRG z%NK)hY+o<|;GwF%Vh_KZ2PxEj1;2=7irY|qz+j>JDUA8ZdN^pNM-W{u-$9IxLuuE2 zX}_~nI&|W*VnVFo@k-DnE?|CxlXMe0JxH)`U%EEpsz1Ybr0S9@Il%})fy^9(SD4D1 z%G4A6hj?v#mSvOzq6Y*;r2_l*jY<1G&<`APE%Yf8xnRf z3F?zF`=X;H3)$2-C+&;O#g;dE>h-e821oK~xbsd!Yg%L_9y_s1fp=2Vu8=UKSGhW9 z)DC4BjLCi-fsuNk!Nd!}aSHc7#STot&8@#g)a<%+_CU9V7} zeRq8bUy#krTQq#ZoN6@I84=0bOY!o+Rn$Hg?`ySWOV>Ft@lIuVx6Ex`zPvk$wX(dqU8rdFQ8ofm8PYc)kd)XtfwQ> z1@_0nCwgl#12P~Px3&HC^Ar&+0gh|-46l}#{? 
z;l-S>2aL@#ukJ+nym=X}-2N+flKZPRuLsD>?fd201C^nB)8{d+yGn^FkZLpUCxxxs z_|Ph=A(LFR6%XeGj+FjUJM5Y{YNWZNSS162Hp#pl-ya>@JDCoq2A_S_JYe~cvQZw* zhGeOiGb;8>k+A()X-e@ZTp*h-kWYO}!|c+c=*SdEJg-`9-FPC+!si*wrajDpjRQf7 zI+1e>t;=d;s-7Qi>(eo)~4`z5Jd%Wr3<%=CJT0M35W853Bvpse0PnVM3=0}pa-*InkPXxp;YSlC_O*}sXip~Fbx@_84jtMeA>9 zTa_!lksr8~+B9>4AELku{kX?LzGW@f@m9TscmXY%$2Uk5O=8;`V{0!ut&<-jHAOi= zEsINcd#&uow45)}Et5D&YFs|&#N8t~#U8fBx*WSrUR3pen99fa=&OI&ut)5XFAMZg z3DC-aZJTzsm%xG+>KIXzUr>*&oH=KB0n|Z{C|9*?*8H<+N<`8dB6Dm3fT;?EsO00Z zKCM6&YfZOi%gwyJ6}C{q>&Oonxdo~CFZeeLN;-q3j~W%f%q7E3c1r0wLPMCM%|-fq z!OuI>9W{;+dMG2t#-A#<)=nHwW_fnx69K0M%i7rZyAEZfuef~e+==|S>*mD#S2%9Z zk8ga5P%ElIP9^#thI%G9$Dp zbt$gJlg%bCH)Wl}ML8`8ZXq2hx8Qt6(w|f#;-oJW8Zsy9X$aViw-I&&w|4)WaBcD_ zXe3=!@=R4~@qMoES8A``%U&-9bEGLPnE)c$Mv={~>rc19?=-POf;wx~7g5-5mou7X zDp%0;!WLq}A!WKJ{bsj6UQ8{%U3X1X9t={BZY*Io~ zcR(Gyo!v{3NHv%&bd5|0YyF7?*`0KvS7N9h-h9J~*b&}ww(72DfZkRk<4(D?;@ne* z(uEwpG;Pl5dMJ`)){EtbIwKI>8c7DjU+|qyFPY`+@~~a~Z@U zzP&qYB$vfiPhjW{!%jHEC5vTGEV3cK?yPMRVh1&24in7Tqd5*Tj? 
zSvjX6j#%PVP>oGelSVu55PXsD)Y#4jc~nG)?Ys^c*UBs>Z>QJL zAHg!cKiPr53N5O5BE`Sxbmll6k*YD6#|Ae^@rKtq1nBPE=<3NK1|*1kVng325J;mI zP$pP(kwL<@U!fB!wgnvQt9XXh&FiMYoH){XFJ-kCDM}_VBHJ{01ZSb9Q>jzW zwcDayyh6mTs}tcS)lBIecwVK=z~{Y@Np=P&(EPEdtl1q%5c$hn|m+^9dTB!0hxVC z{A=>3)1M#4BGZYjo>nW^-u1nA_)SwfLzX614q@kZ_BOZ!CX#O&&Hsmi&6?JXD=CjG zZsJJ*c>fNVP+L0v5u!|>83p?jCZNTe54ahC@@as_cNVr|52lTMDodYtI*z8&W-iv^ zdPC6Wp;*|lTIju^M-A59#mn70v*4N!PM0JFCOZG-T;dff@h-_4pKH>u{JN|&?bkIK zOb~HDJZ5(aT8HH$RBldFFT&2!q7l@4S@obDRQ3Jka3OdgWiFv>Iu>0t&ULOdfxWWG9WJ$WWOULa4p`ZKOqssVS>-vfzR`4GEibt7`; zYL!XUgDc5_gP~?XG(QmOha&mgV$5`t2#~p^<#F1BBt->Bt0um~%xrZn80Lr}RLXtN zX48B|V#;3wXw7dJ8KmY%($^{o$yme9oe`t$eV@EV92chjR`&1Xmfe0LT07Zf7W|v@ zY&e2riPe8Yy8g}=LP_-I1d_Mz5WW_tL5aLB!0;8v{%RIYh;K1*9rciu9WC`1p06ak z;x2;u)a}I*Dyy8fj2>;bpyI~_7Ryg1S4W8-v2*nUS$E@gDOQPX4rSEg?w=jXC4TJY z5%nRGqds(8qyFmo&N27|x09g^-3FoSAu2+Dpi>yc=eyHqPxZzWriK+jRl7 z;r!_)A+k4)>a_b;j%mC@9G&z>aD|?@4L+k{$RXnm4ot=kf=Bv22{4#s*GbOGkosU= z(&a_PcVxLH0eZV@=2fJ!*-r6R?sJ1vwpWw}ZU)>FGK>BirVm4u%-;ND3-gfPs`${X zNSuhTiT4BR@MPLDsu&iD4C^mFqJA*Ws=YbNh%M{AJr@m~$kXoto7adFNm{LpOign+ z8CGy zfkIT5*nZkSA>*rkzs2>Ki|pp_s`9uJeAK!}kDyBdbMICjb=LKgC)RW$WzkHSFo;lV!jdJH_XQ_4Uygq5v z2%n*=2x3>{MVXeVG9QR)YTKqr)Y}Q>vmPdf)_&rYK!bq#)*h5K@f+{&V$`tNanD z*>{#MKmwN~(#o*+M!6o6Fj(@vvi0jRr}syMD-@q4+x9u_UuUz**jc~g31^ew1I2&( zR_Gn&6%zzZ_#;nP4zdu44+OLe3YfAF7!?6}5n5vSfDB&)*e44D)dwmYR2oUtNB9?U z_HIn4yQQHeonvAPanvWE59p?q^y~dGOG6{ajkaX_$q^A-Ty-d5$q9+XZ$JqmzXLmx zSTDSk`ZkSssOfPmlwq_PX%jX-j)Ws~woCSaV)uoku=0WOqZ=MnfwaZ?O_I<0#}RIUg!R@hVZIF8cXd@ttvpm&$U4tc_XJj%PAcwnN}2?ZJX!r<)AdOv7sR>lR} zsh^?b!0Te+`2tpC1Y4_mgw^6 zuG*a`GO+o)>kk+LOq>lQRbML>46dtd=l&Y3lVytp1@zsTq(+BLc9c{zy_LI!KF4SZ zI|S@Llu%DU$K8(!oRZ>wPMLIB``#)&1ei_em?!BSTy5dm0#X){`DtQBT8-ladtV+}3hr3^azKimU3$4SFEo^o={+RB?o^HRuIRYv%N zUNAYv9mFJM$v=ogk)&}{=M)gfj<`cS5&(bkt*T{CJ8z>ehf+>T);7MCWcnX!d*bQP z;7`FxDiI>PsjXWIqYw zPAvO&oMl$1?OKg{3I3VPpGjy8Idc*SIt^Lcf#5XLEunKNaY-*2$&-LSb-UwQp3&y5 z?Hx#ZfxNj?i;L{KX8~@&!%wc9{!aT!&kWBUDC~_1CG;+Eo4cT zg^rUxy%eA2W0K|cVOOTXt 
zabVmDjj$0N$@T8T{P~uh#aJth^w|OU(A8PUT&mnB(xrB7_fNRd&fhO5 zS!(f^h`6kF@R77`%feXmJ~w{h#Df%B-M0Z>=Dnt4<-5kk7)}aO1zL_zy=dGvKwRl) z`r|tqj+8T7PDn`4iSS6h+_|};ZIcW?oVymsQe|7O0)j7vdcIG}SW7AsD7w+Of8d_G zLnaJ!RmzomNEdAqtJzC-fDRh9WZ|Ua(;pmpR+%DZxwRffuvxgeD1)?CUz&BL34zQo ztZ=^2dYW+MJe1gG;}8gsNFwNNytluYfRoMecL_(x&$HXXQI1tPT@)QDDhD|(NtP^NTHuDXov zN8)g>TAHJqU}g%xt`l%qwbGV+&I z{gM`%7F5nHU6=Kyd{(Vxhzb!;I%45K+xmA}S`7l@FWJw*JMJaWDvEf9D`og|8hJ`4}Xe{6&d#I&a>zX?_!P|nMXWZpyAos*5xF!tT^Gh*sZk8sACuIjXSd`zYMF_DgWYN_T3ZL%a5E@A$J(RFV#=MWVrVKkx9YF_iW~w5^D8}j!m%zc!6dd zT=Xioc#l0@uA`V)lbNGj%?shw#B{3cA>T+P>qk}mb`q{4ML97OHr zP;m>3RC+7a9HPU^W_M6)Bv7Nh9m{G3?knu!0YLJ?VFZ_lpg9}ok(C727jt}XlUL$o zYG?dK5MkK@d%p?vsDOKvU5ZqxcH0{bTlbIJ+(N;aXrXKXIxna54#vL*rm{g?QG|8x-Og9m zXBF}0LaaqlE>dpdC-&xYsDJkeEEdbIUELxS>kI@j-cfcj%4s%Ro<=(s%AAE^rd53$ zj)ORx(LX*snGHKl`re_6eM=k*Dz%LQaSiaejaH}M6ABk`UzmqaRh#mw)mkNpy^oHo?AB<)8jJTq}=k98zq%f z6c9wnM->u2WHHb#2(A=ELJ0)Df?$C#%3(}k6Bwhmo=F7{ovNzIieAQ$_ESM3uE@V?CK8`kZ#1@TC7tP-XKk>#R0XOyc=En zPL|e9Zhh@c)}8&-BPxKI2~`>P;73vCncYAJVpY0DB7PsAZ;3DE){OOG<|+r;34^TQ zL9fd(%njg7&z(<+zHTqLI?PY7``3fj@~(R zON)N*%1a%j@aOs(dtf;zS*)c)t~F?fyj`6{H?{L6H(D+aoF1w-^Vq6zH%bPddSOs! zL$sbYxD>1mzJ`F}2yvegKN|o+j3UM45OFCO~z4d3sb{;k0#{s_FYRmqJ^YfQ6ripul7I zSM@KiqSMVeVe=0bz*a3&HwH~kYTqQ%H?{%@kdUyB=ihFST@*QNC9~8o8n1OG=(rw~ z-AZY_2_qB3?5|!HxM-wRDAUnPUz}4E;9%zTHhQ*4&O>|!PE`iBo+-1*oh~xQl;nn% z?3GjD=g2mgn~PCdjiIj)raU%QqXLwkiw;R(u2r{#`pU#4D4wp z@mKU#QTkrIyin>_;DR|oIYIkAfMm1O>v9vXvfraW(htyT8 zpDdk@d!K%(2U7VKH{h>4(6OH^17`$MyR{h_aFqB!Us>ApQ)#3<5X)e`i_GF{DqmrM z2Z}9%LS{3ROazjcq;{zNq?&9l$eItipZC`Hc9AvvwQ~T($Ev4G6xK^kvZ~_R3CB@? 
z#LUS%MnC^msVF@G#(=O3X|1?d#_u>?Fb4s{V|Im=gqAsByGa47klVuNT#BR~Xa1o+yF4*g>Kkubx^lQKt3$gzN65 z7DDJufI(`=1uj-QZC;bo1|0qhCPFFbt2TkH0QT37|4-b}ZusT9bz*ZUPDtT@iSqpO zjK@DdKc>7x&=)Zlhxro+|I0)B_t$uo_c-13S-qKs|NiMOjsMFiAS;IQEApxTW}Jc( zFyllj4#1fI)%%}a*C+{at>gtBA7yddmCgn7cj@m4QOKFcoPs% z5D*!*TfP1Yn`?&1l01RhkKyax*w#w<9&A5+%`=Z(k>~54_-F@OKaieT$$jeg|LQ<& z(8$06^-4yz?h+nM=ZkY=-nnN$jT-gpBypoEL8v&02{Nar-=1hFMKNaoF3m&j|vMJ);76)*yMlj`ptKYAO zDlE@eDg=|(I5<9n`e@8?=v>T3tQz)qNYTNzmLWU0VrXvb*AmZGBeQET^=H91wJJ9l z_H1`k?2HtG9#1{P5TXe6zb=S3|7(3sI$ggf`20=hNkwIr%ZC%`HQzo;_cLl*JJ1oz z=612xrA9Y9Bicpe**91pdng7_;l>$-3{b5FzsoNlj=tM7plBY73Glx6C?-ubjiMKu zRE}{7?~H*bEtR^ztkwVGgdNWcRFO$rFfCY2%9rYCZ%(zi@8_kvXSVN#lW~Ma>S6r| zka}C)6pE8-B^_8ihXnP%jC33BSI}PQ;Fs53*MP()qfbqSW1pibc2aD;#d?M zl;Ati3bn->PofU&OSCU84*yho<|0@LXZC$kVPKlnBJYhVTl2tSow-pC9NrjkRa8HV)={`sH?Vai`6(ztvr4tiM>RhJp)^&@u5 zcq^c7Z1IZC95YM@W#+m1@5IQ2A_9-|kF6qr}t zs5rTKK0&FwRbKMRTo76m{*+p(hh1qgIAv|DbG~fyB$%~H``X%Q-&?;=)rHik?sifU zrWB?DKf>9Z+MO#fux;@&V-nO>k`D)b3CX$hbN=)Ae-zEL~z9fhCOKfWZ zwnPYK%CtbAq9;qmv9EK*NEt8fL7oFYd7j~w+1*L}+DWB(0H|9S|7byCuwrfnqn+V* znovIWWaXAi?5rl^?;?0F1Mdo4vJ8jf{NvWmc0W1v4$Gh`|*y@8+6YBL5R9InzR1;ybmybo4 z*C_D9%4jGR$@bP)bX6pm;Dtf24uZ>+M{-BE@Av1v@XjXlw({06$YtGxeQL7AXFujQ z)SNmdYL%?s{I!cR-?GuhshvZo<0{t-$)Z>e0>Ohrfp109FI_ASk}dPC!?2d+^L9@+ znxq~Th1w<_7}~ym_kk`+@G+b+-V|d3iUgvR8&?(1*V*A1^>{`YFa<(r>rf)r{1x}S z>3;d3ioGd)l2cG*s+Q?+y5G`D#8Nwsa;Lh7+tX(n806db3A-HM+GxerBE4#JegLfg z3QH+4mdjX>&ZoM1&+!zKjlKe!lHv0_2ObrYi1VhPaujzu^B{InmLuX!tBSJj(doJW zaPja@55Vf0Rw)=rsjoUzKMsp$YoMjH{oHvt$HJRM&6ZCoN&y9;OX<4V0A}hkRW}^p59dLqb#Fp6+@`7eEN6I;A<-KjGPfm;BUdF4U22z7xUZ4Sf9n%JC)9j( z`?2}@)ZOL47wMvNuW31V+J_QEDl-eyRJ%CC*~&oR{(AX2Wl$xX{E1#sx+UGh%*)Xl z9graXN^iN&5b7;0E@sr}G?J}xGbuig9|2gM6O3G{89HYxn%t%UchA!=>wea5{alL3 z+@qv!-6A>kQJ4~t5ZSHxn5o6d9cb0&S*K1p9J=;Hc=KjvBlj?0VF6QzYHh>&$cdz@ z2^NPHChk_=5X)(k*-!%45M54p=Tx~-g~ktZaM6f_^2tp1K={Ts?>6vC)aFCtX3!RM z&g^(>+HV2Dp6Iv7+mrb!W29lzC^KElJpjDo{R=sPeqmvI&B$px;4IWHD2f}5j9L&CN(!;Okj#8#yYC}HDCT$G; zG%C5zDkz|an?wp245 
z-%XZZ;xWSsor!`=s*83@6){#qlWa04WS3=TO7T&2RRf9!;}yuqWodhxxAy)O7s0x{ z334+vmZtnV9_#pL+adAEg&YTvDp7p%(QpW9>-V zyvd=r!%cHr$d=XZE^fV3)|KK3wKbZ&b!WR_QLNSm$sx+S|K$rd-zeT9WvYDGiD(6> zxAB16`Cw8psulEY#~6>{T$JykCHIy9-RCQ*CI?g#9`X4{%Jf{wLpt;UeTM>vu&9Hy zvSD-5#&3R4Df4wIvwe%f{z;{MX!sU46<_Ti4R3_W)vwn~gPaW`?CQS0Ro6|r@j#Wo z(N2Mnl}&aD9Qg5aJ0jMSF;IooYFQW=ZI zxempg295oUF1}bMp!DQO_e_PgowoSV4Pg|I#-AcZI!hHoYi&p8en@Du(Z5n>nfqzH znMy<4{7@RN`&vcN6Fmf0wWxMO^miE7CIi~Q7mZs+4j_Kw*|y&Si$MnmFb zg%WRz6FFX#4^T(`Us?cl1cSJQXkK0MN8L-*>t;+011k4!)iC8GDzl!SXN-WLp9wZj z&rd95Nv04$8zGL&+H%cBh}PN#Fl2v|xI1F91mp;4j{U5=?|53bs^Y66WPipct>q=i95AxE2X0*gvA{5^ietBLR2hKVk z%gu4xJXhl=Vru)sIcvSwhFtXx9c%6OZoBJFCC|*G1u}>Y8mSeSy_@AZT&oelIV?yD zyHH}-sIejCf9XzOH5C!z9j}JKsWl1uwba_1EW0|xTvmYLSDDxSDZfr45Wd83%&B)B z-L%)}@^)C~w$2!1y4B3~8COmeV~#Q#lsw3DaxImJo9I&Z2lF)@Ai==>9 z*~A|hn}aCUByi2ogI#?TZlE7?Odu2c=1VmwclpL-y7w+lO4eOGBLrJUlw#L4$wKOh zgC!y{Z(!MhR2BN!R7bQ5@Iny%4uE+kHrCb_dC}YeikC_}>%jNt zFBx4HieFL`(Qo_nLfrxJ>Txt^Vh#KR@P_xy@t4U<<3jqWx9GmPQUkn^(ZLC0b)APx z;B@$J6i?B%t#PrUyoA6U-RnbRt`px|`Xt<*UR863q9wn`<)nS=2;jG9yA$=!*)?z{ zgJe~~+A~nsu*0pbQ2JcyRmPu1X(w`vczs*PwW$}D45@+@fvSklF#)!iwep^KMlQ6Btm`vtEA<> zh=_R7_wg{U@c{IEmf!uuAHIC7)cXEJR=!dJYIF1Uj{oJJ6-!si?DEbf3p2A^LuK>b zxM7yiFa$KxZ=C3V#4#oKeWYCFSKr>QKjY$ZW0fJRG-}KS9xn`@Z@}1bx?$gSoBYmT ze*oAhkw18Z`3eA(ot@or@bfchO*sjGO-ZbDf#U z=6qe~4agN#GXE^7|M5q6B;785*Bz=zdosm=Ou^IU@O3h?Y1H~}*YG=-7-TTxu~h#D zdo7}u&jq;{Sq$2Z)k{5xW64~;$Hx{WL;lojF`9)+RCjlGCfdV{vTG6yvYKADMg(qw ziDY;Gi!uHu3?%>lo%sh<)@TnSu;8%JZdyrr?lMMbRKG&&BOqaNOFvG`H-TjIKNM;I z^S&jZeL7t@wV{=@heiem8{rfwIvsL^zzq#dSkLiN<^9?2t5kFYq^$ATZf}rR7`w#Rki6T_rAuBS+0Xn~% zcRrmc{Suwan4(0x->9l_SrCxe==;U(!DvJU0un43nmmfUkvtyctu1Z1Ys_H?ybRyV zF+ua24)ou)qL+EIL(iNPz|}=RKYnHcrgW!ct_fNiWCV|3K_<5!#;5gERyRi}Afj=uD3!OjmleO<-Znwvj+5jx~i>BzaqK zHoL=#B;qt4v&F@<21Z7Q@M#{GK`-%~vu?`Enid8F00_S)vHdpjCI5 zR|&8k^Q6_~zLekssBZV<>K-LR3dxu6?SZiug%07rb z_=3Trqa7~I3CC&N1P*Hgek^-|7d0jnLJP@0#}u9J`B9P_2h3&$+j|*P-b=dO!1u?I 
zk5=P9WXaE>&xr6e_)#YGr4+rb>BHi2e(lhA3^C;~T6nOU-6wzYXtBH>+c6)CqjMW! zjP1LIX9-i-Bgx~OY-9-@No2|6{DN5okJBBDPU-&_X`X*Z2$JD^qA4SesGJVN0uN=S z>!ujQK9*JLA&G89xp#%n<-T2zbI3 zy?WN?nX;9r^z=G!UhFQ+p9@#=-^w3t50S|{=Lj!*Ke4)V7qbzzj|kPeq%dKdNBvr# zp;A2W&Hwbo?G3hieFw?9J|Pw!h^Yg!R1Z{xF-I=^?*zMl&b?OxFv@b5ak=h5%7iVa+#Aj(YjNmb ztFt`>%k`$5m03`Fw~GQck9;Wl?ZF~kP&6uokz^I-Gqrgf&Pq{}kvHr0-KsN(Lg$M~ z`V>@mk9S7RxO-ux46B<&V#Qjs;>{Nps#+yvN+&@Tb#(2LP2pR4gu3nY=A5D`b?fau zA2`qFOkE7|+grEaxk?)S^bP$HLN67}Zn?PMa|JqEi)ed&!KG0x{Sr^FO+UCqu6-l< z_3MOn60gJl&u|5|P%NfSwgqy5T%qGAj`!%l@v?oqX?$S!dF(MxqYjrWH5c?v?6huH zA*8u>5_gXL3pa^tWi2!^*dt1!p-}Zooa{^SH2HUu9dDaB4F+%tq_foQHc?!llx-uA z?`=Sv1#TLK5f2T~tO#k9ZOP5k(;i<5&!m!h$;n+$I=3fC@%=`7Lr8rYAEF0Ftuq|N zZCjgiBnFarmTIOJ7;@x?S%LVxE^f`_NP&Wp#0029!(Yo;Patx1m~{D3N^ufo0SwOoaFpmEJDMJ)wqGxZ#g*2M_} z)zHguv9;{R?M;D$tp>Mc*zVAApEzWfp(mLT>F}l{y!%Pm z#`*&#H&+XCd*14a$yRLO-l|prKqJ8V;uJF7HtW|uqf@v}nZ;_e>x28TmPqx61I@p!sGQ4X>qq#{?%&8;!Dv|x~a zAXQI7pvINh%%!7cTwHULzvOC-)|OkI__y!WP12vSj;Ot~66z_dBe@ux0kW|;3LHL`tnhv#pH`Gz;=RCDEa0VdRGV{U*_bgua7Qr9aUl_@^S$z0wZ zjcOCy31wIW1pkL7JoZvzC$4H#$F~Ho->j_nsGr#1z!^HO1ngfbN&NfbdOYZHqW_=2 z@X17D#0+3)%(jnS*C^EpIaaX1%vzRItdbOp{u|8LZYY@Ua4;GFMRLv#e~r_X3BB`cJ|4;4yh|b#)wCe6_IsPOB4zc!u!ybh7^U_xBt6E*4Zf%3OuKs$I*j zsct$!MAaSyh{}M z_ZIh;MhxB`a6hWHoQUbx-9kpZg)FB^?#(O9L@Ccc?rU_!tq^E2u~RzTj8S&5{Is$5 z`TO(f+T>)hu{`uSFBL4`?w>IUpD5Y4p5SIhF=!*K0?*HF_S(u@=i@2}kq|vTe&Asc zW8#(7Eys~#gwa9;I|x9*jraH(OmC49RFu}KD2vd;5kv`_)B|YTjLCuhD!T}*_k)kv zVcH}?zKg%v2oa1C(Fy{0N!1D}8RY(RPPH3~{L$mQ)(kgN@AvmBp{T{m<5XrunVD`x z<8_Gq58p`m)$E|a$Y!Hb!yQ6ag%lLPqON^l1!()e%E^aox=BPK){)zXZt}xu*@4}@ zm^zqcAHAe3h0tLfoT27&EU0?&Qc~;66OicI$;eT&}e)>~I5v@ElFP$_gob zjhqEFFEn`*4XekLNPsT(-4t-YE&_BLvZzUp*jc~A&u za+)6%t`d+4n0=m~ZnvPhYAi5Z7-D_QxpIltH*%s&=-d0!Zje^GIE}}GKhGUjWaR!D z(&skg%tnKq7{;IK-8Ky{dmPYWXb8?v62fU%sVqpVAQyl8F-XJw;LEaZ|#xM1}#MrwK*>+B; z$0>6v02Xhf2kx_K#24^StFgTH1(_%rsctOfp7qufw3M^fRL5l*45MR9$JV@7F3ksw zQ1Ha_Hyi8ea#^FHVAw$}ZH0N+Ja+H6R7uk9*9TFK7dRRgFIHpHWuLXo+^IU8y(HVV 
zM1zgZ5(1TV`2%q{Lkr~V01pI&iU`kq`lnh<*P;MbHB8pkR@4jQrEfdob>&-$y;$gq ztEsoSOmG)p(;!6?GiAS}qZbtDaJPO1opM%MB(@9(N!F!HmY4A{IFI@Zu3i~zyGJwK zS47Hf9h8Nf`sntKP3|IXF>t+{mMEC4r2tx7Q$ObFQk1%3tcaCVa}45dVQz+{BK)kk z;B1W0Hb*Msu_HEGt0Wy`ldcguEY#a)J;ZfiOit46kR@~$PTa29Uoyqo)Jw+Y_F?-{ zIx%JQ?X&SJU@^${pLL_w*970>ZZMl;5f~7ZrGQ;!mhT5Ey2lC$gP(mz!SvyqTsz@u z6E5plb!)G|DMr&G;(6}7imoLrr20h*d9`Q&35`s_EA`-f=a{{rFN>!=b{$2XVB$mq zVCpalxQZ&c%DFw=-yUM9ObE4bKTxjGdvYT(Eg87!9U4hpQHKS$05dy#6Ezm`0Y)T7 z2dvGH%Om+SPT+1(sXjM_{0U90kVjCnLv?GakyrgRIn=$fy1)Wi|MsJ^Fg3gC`0W(n z=xo)wIvdm@{wR;~x64L#*Fj63bA0^U)k4mD{?ME$nf6~(Q22#}c8ZjH0XJ_`&=jDy z?;Bm=aPYW~=YmlM43Dv+yVD!YD_6k@53_x%)~-~pmi(D15K4&+ z_lBvl-_Y~TN-ep3srp2_B&`T#2AIFQKdLZYFwZC1nhB8vnPJDTKs}zj-snvYF;xv{ zs&T(s`biRMu^c+C1UM#Zt*Kbjz6o!(hHr2f>6_IV|1?AB>uwlg1T0&AsyVadeeQX0 zaB{DM+w~y(_}(^&f5ww*y(7_us2jIXAa0Ssmt_U0Hz_6?crlE0lBVW&V6Uo|rG*3q zxx3zX!BVcvol-EC7+1D{qV8!JQ*fgBulML;&8jW_MThzBJn)=jo z24@k?#NjwZV(Afzvx-`9#5r43OXJWcrJWU~w}7wP(KsLG($XZ*O29$T)B|TRh1Vs{ zE?Vk3l-m}zw>anIF0Cj422taVL+DZd?ufkXBRu^AH|{oeo%vVQvZ4}-|EE=tg-Sxm8G9GjaIOqBcw?vfe_n7IBPBtc3Wui zx}{(Ba>Y61tLAvL*?6!~YIA}{JougmDNcARA#5cJMv%tw;e)&L=dABjfuPII1xW32 z;%0V|OoFMo=6bq|^7#jIJ3Er7sOTCf$(wZQTA5A@D7?3E3pRKjn&K{g(Gac*ut|XJree z%9KZ6H7Mk8L35n45~t4%vmfGSh&Hh|pFK_4nzT?6sS6@|s6!4L6Ly zpOA7rn5>;Dnmk|qX7aO6qIkUV4CDQbtfiN7;gNM;#CR*iHwOdPEg!{DM91L(ov$%* zUSK?+U6~c;D{VzKmHg`VQ4x4( zH=0j3Wb`A*!hrWw1;&gdLo`|D+v9nJgX$^TK5I2pE-#ha7s=0w;ZHUJ8r%U*+&6Ut zle+3a+W{{ejY)@c)i}aMM0YHm4@O%VqcnO5&Da3rX8I{ne3rda77c^3FlD#Zb5fzP18E@ z(NMze)AOB1c#?xVK^aJCZ-X8kp{T5^Mb~g(dT-yDf^=_p?_#ELR}I6FGB*Uj<02rB z*7C0AFml79OMJhmz*_mfb~8J!KjMmX{ebu22f?iK`Htem9qNue6ZIn2*>ZTp>u!aP zHp}Hvyn3VhDCM>oSAI!q6;k}|RVaPp;Sf;X@^06!N8Jp#EZ7J3a zNZo>mbgyU5n#g@43yXP$(QD?E71algp!dp?=fGThu7brjUMm{Sn{jZ!y@ajv{$B*K z>OaJz{8ZQorNcDw0>CVFa1e=aSBiOqb}*aIOS$2`>)3ZlS=@)tiiv zKOfG_9t=km6)E*1=!FdndqubV6MtKXzy|PlXHe5Iew)W{4BaN{f}bi(lY*$V9K0$7 z9#i%<2i46HM%LUyW(G(_Utg}m*UZlk|>hf4APYjP^eOuh1f$-&+zGstO!O)dj-5Nc7k;4CZrB8co>%6u^ulA=0(VkelK&OAtSfwV!}?NAEHaU 
zH6o<1M{47@t4#hd#pq=Up*A*aa{;Wz&hsqF%5$-ZT?O&;t2M&H^+t#!7aLCJXmdW% z76gh>Y0X>`OZ{T~3O`WuGbM5v$X~t-K1Yv!Z3+>z` zby{$3PxyE`O>?4j-<;)i>*hqg$1BZZ&^QPARCf(r~06r0gQpe2}i^&_URN)f87gIaASQlF9%TNZ=2U#!R z9+YU75NOo|zaELpO(svO$f2rXipioKuQ`mAYwcXjAYx4O?ym^nT5Nll3iJ~OQ*jbpgB zr==AQ4fU#6V5y_gz)jDO%p1hVqYbL=VCL$0M=5=7Y)^x`6}k^~?br8cOxd6+7pHZJ z6qOdD+_Gc!@O~FQhYUpDWZY=oCiGVK)&Y0vt2T@eS%(8kU)6QXK&TFQHiTdx+VQ#K zn2%j*w_TwyjIu0ShR}OXC2TS4ZxVq2plY>N!JCoUmYqynpQzuGb9Q&~94bs`;cjT^ zSX{B{q`7TrZsylsiOvfpSb+^WUF~op?U_7zhp7!MERqBcP!3)n+x!P{`}xmy#;y6T z4I}j&F0`=CR>k!mTJqeeTI?L{NQX#tR6kgC#neMD;WF8iHxwya6*n07vkvu3JmI0N z=vK8&pd4s2RVxb=AKk)i>b9uQ^}LUy>h7wmvS5i6Yhe|@Cd9i)Ow?){BQG)6=>yR9 zHLT!gG30qVYb^xyeA~%DqNI0$UZJ$;HF34yYUwbeR(qMFsA9lM9`Q2k=*-V`F;%th ze&Qxz%RaNhY?vScog{F&cK9a_-D?goj&bc_5onu$osLFt)1{?PeFu%34BL53t7A2}_b|C|-l@M;?M>I00Yq+lkT+Nj$IVwFrTiguHj?rR+t; zBVJb{97oTgq3}wjTIy#!UgN^Uk-dgh*8GCoWi~T|iyUOHUqZ=!^eNV#Y|J_?_iaKW z9Sgh3VYhVl_rJj_Lb&e_g>#%cJ@aPQ^zF566~|WyEne z#ct6~ag>LrPF8-NRd_UZ74EiP^i#r476ZXdfx#LUS7PqaF2UdC$7^~S(Z`?Je?5wt zIVi8+=7ecsg&KV`H{4-YTydL&uwlP%;~jHT@>c57cw!ZySzTOG5}%|2w;C*t9wocw zt5`0BK!i9_FC+PaI&iNNOYsRjd47m>ur-qJ`dYOn;U&cFgrkpnB|>k|EN#x}jJPDL z-s3jq+ODBD=BZ+}L4VZo4+~fE-Wwvc;O-y{+ZKuGw+E5;2d@S46&NBvXd%6&@Wjfq zzKpW1|BEq+u>iY9rdc=mZA5>oVDbXGoxTziH=n7gT8)G7BiW` zst2Z$MX?Iozp_gqEqVI;9fHFL^C<*K;E-A(h*c>O<2y40|Piq=XN=BCd>58b5_-x)HX9*ok9FrISvvl--2T|S@ z>KhdlyhPMnC#55l;;T&jcWidT8v_c#q7VCb>?KX$+Xbp}fJ*AWBT*sH(uIn@iAw!N z+4X;zT!=q1b70M+RQ&&js7?R&2cVLLNiT-fCgu(_2|3aPq`|C%k_NH~R zc-`O@caV;kgyL_{2K`}!I&f;0;(hifj}K+yzG}XZ2&3^(SHGvo-wvQKg1sFtpi>EZ zD-5n?tAO=4EV1C%KeDX8S`#1sM?J&;GM8L2xCt_iO7h3w9^Cw6olpLe-!!Qi`0#gQ z`AG9dH2-aw_RSD64sS+^y~fD&`me74{Tu|rdL-W1TK%4{dVhBT`5&oX&QQ0^p;q~9k>qkf43o>-;G$PA3(7wi@=GMR0Qw@+~%UT|+GEI777 z&ymQw)njZN)PK5%i{@x!r9N#IP3+vhilNY*^~bfYUfs*7&r`9176@?fw%?)zbuvko zvl_wC?`<$qSyhFeVZycw^JsOiJdL6_o4HtkJRWO#zLx6wAH9|~Xho!ycG>YQVO349 zo=to1PTot7ZE*F+oa)pyUn+64L~PYPK7~`^fyQd2hnpc*#nQI!EeBhEt`R&=`P0T! 
zO2Yq%v&wd@-@8m zDQAF|8X6TT>V}?Y1sB!a_sH00j24lAg^S#dksmt~2=+@Ivjhznu99Q(Rr4xVWWSbK z&;l&KDsZ%HkmZeGHaK!bW$Qi12yusHXj;=Q7#+SREA^ft*y|sW_icWVEG|z#LD!#F zy?$k7UtkKc6hJ5vt(i0>(Vje3zbS5!K25m|X(4ohbtZipgdJ4#?cePRbCMPaB@5u$ z`Y@E*Zv1HfIMq|&g46101CBcU;%N(ONJRi`(CzJ?aq??^6dN0`?csLxNJ^lPW^JRl zs5N>};r#X93||t@QhbX^ zTU>$pxx^!qR%)5Bjr~|U4aEjarf}#LT_!`VD;Cs>Hg5D5#?es=zrZ%Hr|Hi7h~lW3 z8&!uD%lNd{n?-rK)ylUS_sXgcV}A1-HQ92{_v*Mdx58ZYZ7OsXlA)lgF?Vl;H}Aq@ zMfKsfB7!6JH1f9FBiKoybW(F=&p+U%7ewXC_DMoq?-XT*v*h%qnjlj)>0)j1jev`7 zIZVVI_dXC(Q;7cgD{9-}1Qe5Z*GZQ!XAaH2^q3ZPOkbRiN_WTID1bq^D-f45HJ{ep zxwHI9JitCgR#u`CbVf@hc|+)^or0eR1_A`_J>GUFEI*n!mhrd^AeMxZ-xxRJ&CGk1 zxkp?>1!(eY^SxR+{p3Hpte$dFT2P z!uMWM6t*&|?eh@8&&%*lH?9^eG?cvfJLJ|+({c28 z8KCDmr?ezlFLz=@p3~F{zvxC_;X@<;BWIl{By3{@{oPY-{Tb%{{(5@Lu|~OtxMzv^ zz9*bsGgh%)^`c`5S8{eOh zxa()>QqfI)+}cw_|BzcIYN3@p?Mi;Cc8eF64~2{!D*C)Pq=kgF_D-oxN66TIa_OVN zV=em=l1guIalKlzyft-d2$Pjln`Z;fEZ=>iU!UHLm?P8rD#MLGgX0ix;Qk%8$A=Qc zs3)7gP|geXK(-flFCQBIW3`X$7z9i6T7yJ|v*211U@Lh-*O^qfbI?iecIWEAm5dv@wpkY0OpD0-Z^f4O$KfcZ~D9)&9(+LTZ;O-FI zA-F?uhv3ctgS)!~clY4#?(Qyw%V5FXVQ^U9t(9-Lwzlp+&)@S@pL4ppuXA_iE$ob^ zy`Z*U82jp2=bNFVHpkb5J`=MlZMDuISJ+V0=?)xlS!~CfSmeVMvz5vzaHHQBmd_aB z&7n3DuNCl=yWN7uP%Q9g<=AgQxkXM-v5W7HSv^hOI=dJIR`Nu^-k0}YOFXY~O}B5d zedh?(e8saEG1$H?zC6n6KKthNYMJNpM?jfxq?u}g_k0RJ;uzV+Y3}YWC(BmSnW{H> zRA(4&n5$TpkDA4gp82@>_?6%|>U9ifcvlC|>?H8SR=NK}JF}i>NRi#9-Q2VIYHjgP zm35WRtg5xOjizU^{%*?IDNui+?kKe4+*16ccCE2u{^7OdrvKaFdOMR%>0A3;OFG>O zV_(1gdFt-pp2qHWqViitkp!$QJd;biBpaP zG-kcR%i~iylh{}7@kV>s9;UIDltPxatZ~h-h^v8y%`=wjTf&GtkLO0KmEAI&$6MDY zo`a7IYb)!sWdB5H)kA4}Th$o5#j_5Zv!gl0$yy}{lHINaP;Rd9zyw5l@ZX29hKMh- z+)+AtY;%5<);I?dW>qgCX>N6$zFhx3P!KR@@ev;;>YuSbZ`Qge1Z>27(#|cjJ(~Q& zYE18AV4tFEsh#0+_t?r>AzhpK*Y80JY@b+14TkeZid zd;4cuDRDZK^kAj$SbRllt7*=4eRG%kbd7$v-VEEJCU|6bCKxg^7f>7-ncfcpW@Uu=mXa%i(!!e!Z`p`(!O7o89A7;o3eoQKj z^`>~5_#79jgAMYq6->z5ykU>019?+g*1h2m=~29@3sqHON5N#bF5COcS%f)5j+Lp$ z<{HB_H|t%<*sX8?Z1>NhxMhlx=6}py3Hljl=OAB^gUB=Dt#(S}oVe^_Pv6oQ;GNZT 
zV>_r`P<`OzQJ^}W)<0si4AzemZ=8GxQM)H)6{@oV7C$zS|iFM`ou|1FI3qC{WVUHdhwjHK2ouDE7GZsM7;DqsQ;K zpRlP$SZw)s)s()QC$+&Fb{~;GgwKU9g+ujz=FM2N?kt02yvDbkyZfW_OxXNNDoCjF z)#wZ&?&}`C`smJ7Y%lcs^G3G3tHosdJD(Tu@nsklx7c(bvHt@708B_WVYs$FhilKc z^CwNHEAx7!cJ(>fYivGm4T71E;teo7ZF_ZM*p%J%U~KPhW>Ic`cVSqCV!HpPY9_D* z2TEhKn)o<2lmGq=A5EazsRs$P|0*c&Q-C3T{FU@i`?44LB6lKEstG_HW6&E56B>C~ z;cJY~H+;KR8`NwQwRjD$lg)%cHVuJBJ^~2vNTseHGhy@Z#Vu6n;%Lb{jZnrIo_Eaf z=$G#m7~c18FxA7bA!HF9Z`Wt#M|mGO#gYY7dOJfu<>?|_NZO|3O{glTA}&EWaU{P4$KvAsq)rd!P()mt1Purk9#AnCQpBu(IDPt=(H zLCAR%X{61l7?v);bYbd;-Jc{1+O^<}%^XjDJakKh;{;-34kXwIH%%dv*)%iZG6 z$n@i5hD)=5E*0yJP+{68eea_w_W50_RetB7aWQMhyx~io$tiCpI{UacG0MCUw=yYh zkbSGv5*qxvDT79(&sN-<4aC?{I@g|Ya`v64N-We-au4fx=z$d5!_giCz-OLiGr*XONCs z{qe{R2Lb%Hpz+6&PCRRKXFv*I{@t`)$}!%QXxZnpr`%@hJ|WpWll?K@rfm^+R%bsr zP2z=-)b9=$oICTdhqIBJEU-C`^P7T8G_oN0-~8Eo{T(8Z;MFkQorouLb=DRSnWGcP zpdq-$DB5%!=9fu&`-ti?d^5}BFib_Ua`u39SMwF8Ka98x7Iu~B?|Mp7$1$`hNU}#g zrfIM;Kz$@Y_YQ z;%==Nkj-kp^C=pC<3Y{{?$R0J>2qB-Wcx$)~aHc<(S(1MZ?>=)tRo{!jOUM?EfOYiTL+$IZI((OHjc)qgo$i7`v|>mFe>O?Q+3!~DnAqn> zpQjMX=ADpEVImiuVeF9S+lm6jZA9$c*0L-22_k3gGJ2$68_c|P7yQiyHzf)4mSfs) z5Bftm6>d(AuX>x8Phq0>Bwy}W!)aX`u6vwTiLULK2okX!d8LYn{z>j}Q=^NZ83*@0 zbn;%BJ;QnHHk9CNKF1LHu)MY5%gh54o}VE(BS?luEMV{wz&m0o$*b%jW<$3xFv7}b z0TtIxyrW(P;osYfI`c8O2IEUeGsaF}i06A`V*=E_HRbBsMt$Zlo?)E2ub02aeFE!zIa`$gUqC~Z zne3Eg6qQ90?47ODqqft2Ofa5bJ`Hin7YN=QUX5ei32c7}|Fe?SdSC3xCjczneN!zf zV>*yKPj_6M5510mPFeWUcX>HR25Ioz7t8BiJ=Ppui#{SINMTGmDro9{ytYbXZ1X(E zrY+Vcl#Oe$y@NX>{-@8@^whT*U*P*kil80N)}@q!<_1@SoWp*>$Oyh)9qbj&beeUM zb$;}6JAt9X8B_zeygNWa-5q% z`GK#oI$WoER)9)Dy5q{-2CYyB`oe4Wdb|8N>}p!pVh}B_I(%cw>ZWcL>eMJ>uj0HN z9pjv!C9@T=*QFmjJ-zIEm|_JEIZtTKX@fX>Se?zJ6I{KC)x86{iDdlTR^NN;0HItp33YLx zZM#NnctGCVz}jJ4_5|>B80(xUS7h0CyBt#~hu2xLSJ~Fx<@^9P%IuH7ENqk-QPFkj zd#NI|EW3+Mc;iWX?MHi$yQ^w$T8&wV-n(>NyaEoHb>bmvSs&UyPI~yBxDRznC;U`C zzKOg;PCsSXv8{u=0P+$DK1^D+$nJE=*PL`!I!`?ao8`L?1VVu2>^>e$C-|#@3R!0@ z&K3zniwZ8LdtuC9=&$N4ec5M4QvoxW1gJC!(B&Pp^TuH#n-UMMU* 
zmw9tcxzF&J%&+sDsq@GcISW+>FH&}b!8d}P%l}NcJI0?T_rGfE?To9wGoV{&dNMU# zNv%?x;aR*|HEU*#0dMJsd4^YTs54Kx8~YhI(e7()SQWM)fd};oX(n>@jWSO|ii>JU zd*DILCXjS+1KSRLjdTnVK6u;=$c>HhtlLx~>nT{16#JIYXq{koLhMiiR?6HYAyYe& z9K6b{E~s98%C}J-G`F(ZlnPviI7_0lBjFxo;W4QKRJ)AWnxk{HbwYE)aWWcOz$VXN+uGBSm zF#Z>q7e6|y_AqqCDbuZIcDQYzGvjb}P&LCr$EID*Zg8}|2*dPdNF96KSXIu$a4*|B zgJ(BRot$^?c6?Ua;9A%}-WWaYc30-gaD+&@E?IgO%*k)mtsgjd6}2m% z3pS@TO07~qzxFVYCF9;(J52e$PntZpR$q1){PJgii9c9=0u+Bwp%zB$B{4`DiETM{ED ziMD3X?UbxFd+@*#o}8LjNNL>%FW#Nc+*Ak>b6kY*r4*hgoC2##w%B|y_Pd0xi&t#z zjAYHt)~MdHJ8k{S%a-ro^IDtN$snKFzHOvyd@r#&gH!uMI4JK=6B@21Fec$rk?P_GE6LI$0xXdc3(c{nRJRHy!@i`77*6I{M)igMoha7Z^~Gsf12?Q#hgj+y3*h?&c-)ZnrmJacxa!^<4<>1kO>TG!Abp2n|`u zVvCwDfG?HyGZkFx@)g@)0aNwdi(*5tr_qNC>)nO+KAWE@4vLzXZgu!pl zRFU#TsX?A8xwp}S@2oM4-_OL_+H*H@WDWKAYPh>^&613yE17r?#Tk)Vw1Z#%W|k*b zE{m6e;KG!bVm7^Q5VL`CuIUSgwHku2w{tM>AB}*rj_Vbi#FQY<6>ZH3x1EbG%L14^Y0D^Y-U{r8H9 zn1dJ0q+>-f+ph;M?Jy?_{e#V)cg5wBpBI@ze${Mx&fv$}+WqAV^LWrEm~DmS5BRgc z^V`xrY%STjrN$I-8##{Rb?m*TauAuCQ=!lM&c@9}zTz-j~xhMiiOs9lZu)y0)&&GEaYdB zpv|25Z>gpP7TkrPG`-koFm}U!N$v_6Jgxkyx#tZdIK@P{4~9?pIE=AkFJ)IIGqs9(tB>5gsW)| zD{z#F6jzaZLJ4}MwLb;3kw1pp7O&p*a&dxJWBKB$5;jb1)1Z@zBt{ayg|3=HJ*~qt zHAj>bVv1VdE$oKOAowPJppgXS$M-~;s44HRqS$+emM;--5xxZ4-xIEw8tX(`?SJ(a zxn7WEX_3^PqGgq@hu8*J^bqU_WBe98(s^JO7FXC^nYh~kjG&@fI!c&*_lz`YvSKcB*f0I zdcrbV4)c)^RKtjNt;OH?VdSc-B3>IX^#>@>ou;1Gk#(1xmHySiA3kx1zcXIgO!NSe zpq5i+esIHYku#G{)ZohONh*-V9|mg=c4ul9Po3DK)spmRk>dzX651`jQ~FZ{?`h3$ z=_j2q&ccJcPxdc`iF!oE@k?82RT)DnKHrywIsWbDb*ZSaFG53vpGr2|R;IBGwyc=D zJ?xM({xtu+7fRh?VE%CMrRH894WKjMJyHY;hb_QM&EG%A`2fd7JqLXvC3kM}fg6AFb9{&VMO09(-VHPDq*}f89F2=xfUnHZ;aDUcyz zwLOIl9`{9uy9Y@^SJSrTvSmRZ4FCl@t?*5MDsU5-Ey&%6`ni#_;oQNS7CwZ{c!O- zxvbpN4xAnk5V$p{s@UF6#W#cZDjEn%qtwZiAd99HRWj^srz)fmVEn_dg$@O%r&Ff) zTF7Yu{YihYbD{(hLDiz~pbXuwhl>y>-jMqzIo;l)QTj}|<8@Ll-Tl*t{6iM^lo801 zd-n}>k76v$qA`K!=L4AGETe*Y12L!w%4_TI=a%u3{QVWTLlu_LKC{^+9Lw&b?BXy9 zxq0#KyL99k3s+Z*zsm(hA-kl(H!WD@+cGERihA%&2S{zV>6#I@uoFjVvEmM#PF#|D 
zBk=cF>GT@BQ6mt9TnFKrU2J{Kq+y{aI?TQM3&7t<6c*j-=E*Lu?Mf6F`DIAW4Vj+s_DneEr*>)ij;sr+;CnN}-X7UN23IXw_Uc6n<; z*OLbCY3Y=`g6nul0vS11bE6SJ+l1%@B0D%-?%iSk3}uh(Nv>p3O8<`P(a;TIjA%+~ zMlyyYPkf5r4{wPsA(UUJ_zB!|{Dp^x`dXZc9Exv+ ziMQwE6eSw`+uxWT=33LZ)a*Yn!IJ>;t`2p1UEXfhuWS6aKk6&6`n^|wuQm);tOw zv({J3e{(Pq-;i7xh2^SijF7zV#T6oRVM{N4{D?~Co3-Y0Y#(2~BS`7UGLar14MH(! zGwJ+dve4_X>pnnnWQ5A?oZB+L6P=xc_A)e5vPK?0s2nINa4tOYO##|Funl!^qJ~5x zH8lo+9VHRbn{EsHAK+{dfaVA@zP-M6UHb*L3)l5-CJ69^_3+x)H`A&Zp)gO4s8ER6 zOJAn@2gRK!s+I5*khP@eKN|d#@QSQoYMN1r2yJGri&1$aafH7>acDA9kZnUDQw6Ke zws0yFA@|G?`XEON6VEJPpw1%)zw`BGw{navCQq~TM%Cfv@PAliwI9Sf>~gD|9L=Wsr*eg?*)k&Xguj6wF(2Ld-9=m1EMEpf95E=tNy+g zxhUER?$e9`cDUn06yyV&SHG!r*i=_`3*yH_2&wu`@AN-Fj~$6=AkQ2Q$|CPIfNWry z%L_FTeWRBj4LPkCeiX$M;?1le0d3f`WV7{s+)?)FJp)T6ZZrA6Lf^#Ozb%|!M)(i{ z?tMOYvJe;C2Z8hticG^2BD@|7*dPWv>>O3L1y~IWq9VGa^Gfb(8-F9GdSz$ku9;;# zJ|W?mlKkO!9KqpWbK--U)*F)c{4iB4+_Wf|V3JUh$0o_Etrffr#3PF;y@FNI>417b zqckj$l^H1f95HAuRiL3B6P+JC~)!f+klY%Ra}=5W2|kIwcil&mzN=F2kC{F*{SGP?BeCf62v=6*9=WT zc*5WbsvT8AdLocPh5@D8zHZOCA1#mv{i=Wqrd67$%Nc21(a)2}S*KB!!<9{$*w}>a zd09Fyzk;)%{q!&h)qL+z)dv9|9r)9Cj>W61Jlz6NRY2fEXtV{Rv|16mD?((W*Tmll zX6?(`PT_rS-V~XL+Ms3yF0a~lM;7f$>BCr&gY_?8oFf9G4vyrdhQw0=-*(6Ryc;FTGD{!G zE0$pWqeSEyYONVJ6V6y@jm#}%6!O-e4l%#81>!Hp@}G7M+Q{F9cTj}z~85web_)J zHjN0~7DSQtsegHCvv_4SC9R zF+0b_)1JVI7w}Vdxnow(Y)BN@?>vxa4O(m+kWE`c*fLUAu-lCR4waRtu2wg082lG2 zvViEq&&)v{J3>~CF8c}Yn>C-(Ho783WRy!m&G{;9u~nBsebE?Jlgr^WTZEcwAvr~x zCuK%Yi7?R=D-2R8hdFx5Uo<}^1h%)i@XwUneZwL+l}6vhy3FyO?Al}{Zm&k(PB+vp z$x;KKy6LA9Cn*PH%vYN&(#ac@f~4DG5FL{CvO5wHQA=dN;dML)BiahKng@F?pWlf3 z9Dhk@k>vk6wADfO*%Y2u4$f-H5Px(dF~RVz`L-D1)UXLaOuYMEo>g(-;VM$FTD*(v zQT;$~DfTL@;OTMN_x6nb6KIBUCdHlD@jckkz>s%hUAApmDdam{r=8SFc;p26?G^fM zf|jSx@KquW9`>66;m2bGYU;;B;JLyi3jM=yoo-aqaV90!r9hJhdFS!ERy=VR_ z%M#O{h1GSb&9Xg8e4CkPIKpR6a$}R&=FlDqk=L?hz?pkxvK~=&*3z4-y21|OBIX6+ zX3rhpbNKCIfdk&sX!g-{T_Pxrc|xTDp3Ll``YWVvl7pzG*i}BCgXm8cf7_cS#RlqK z7R|eNMpIJ}5jp&=zy6RBpkpNka!?)*W4Fui{YI5F5&#)Z5=@V3c%O1@$WFw54Z@Yx 
zh-VP^as+Q%K36qekmckrP27-DR%A&~%dVPHG+KguwJNFUlDC~E>-$@FXD9f>a&87~ z$DGy27u3 zc5JwFxWw8YO*b7~9{H|K-DkniKlFGyBqtsjezE{VNsoz45wG9$NE ztywBNi--_|%hVBr>zM7Y$KE~raJ#s#A#GK|)g3xWO(t@(%n-8`Rl^ZII$}qh&V?VA zKn1LO=(cOBVJT&9wIe6h;Rbz4oc*c5c7DcL@ku0WQwE5K$#2N*=f1LD8!HfqA_WXK z)4IcGHshG;N)jF-Nn*|%!x7yM2v~?WhiKuv0F(|@<&D_W~TP_VILYwU9m(}qE4=J4~NoaOfxium~ zYUfJ=rnm?VH0K`A@Ci+}xxAxjjC!d;BXK_U^W-vGIw%`0TKUD3T{L{#R$>ul6tvYb+W_(#Fm3yVr|h{r=r_l6|{2y{kFS2{v6BC+9{=a%z45CR1{?cv<=R>gla`giB{YNt6&5w z=_bQp{Mg9r;$4FTFUu$KSA6lHGFZ>~#CM}cK89U>2v=sMKY-se+r3@s=jQ?iUIB^! zVPGFy0ppPkiRs5hg8z{>z1*YHPf81890g;Z65Y^_jiESwKRQc-cIotf|I^4dU5%Js zfR*GMbBan*l6QsHNkP3ew~`hGujaEUBXHCG_~3qYNWnuvYR_oW}&Y&9f}oVW>*$Y9+<)hy!PIHz$|5Vj*>pCt4;Iy zGDg^LPI)P;DzNOG+iR|-aT`R~cT}^hHUwc*2N#3?L@o?_w$YKEa&-sj8`9o6BANJO z;!U7&I9bB=7 zjE{q%64dFlP4jqX$b*iR#G$ z0_8!eL2C?hS`nH2%=#B$5)N$`m(9lOAokK&KBS|8OPdDq)&lgZ77EggiHo}x!d>(= z^Ge8I?aAHzDgI@+h-Af^aY#HEjGEV^fG0)Zz^|r{Z>d3y6Uwg%x_0t5?@;a;vWf^a zj(ANur^xI%*3MmqeV6_vey)I;h#{6I&PE$*n8-Jp{H$f% z!}{H6F$%Glz(XEx=k}3Jeku22=xpSW!YbW>qWb-(prD6)B^6n8_>@h~GyZYIBd+;_ z+jvZB%BCWHCgJTNI}pc&Q6QQbU4Ay=K_@a&p5j#l1}OJwV^l$v=sEV>R7>50)i0i{ zs+i$xvIL2R5nQ}^2SiY+p+R>({S^MTtSwOQ6DL9QoXl1f=!d{Fas?dG69~JbDvDPv zC$NP&jr$X6|o>^{lv!b_hETPx;`F2z~IA;3*5^t+;nB>!*BV`cbE!;Jg0uNs(Af0{?Eh=%cp$EgW+AbeJ+G z+~gR1y)=RXJ(EEvKB-0<9}~w$-8^QcB-_`68FQuo1GB+o4*Z8-`r2^je+3s z9lNK)@HcFQ}bi?QDesR2nd5akAQ7%g+c;ajT;wxn=d9`QVfby#i>QYOmpRu z+-ioeyqu2KT&7aLABAEc1n=^(lWgcY%}r@=H%mop^iJK?v*ynVK)%Xx0UI!C?ERpI zS4+DrtaB0@U6OXT@U_zd`Nz-G4(WE9kFN9@S5l!Gld7I73mZiztu1-&Ko+`qN-c0i_Qie} z=4;Kf{HypkLHvk{D(NG4?r85N_P3zIgL{)Kik*hv($;SnfdqumWM{mTUkiDbxs>?q zE3F1Ay2~XQu}{;e=QN|#YmPKH<*UEBx(hlat76}j?_wH#Ojd~x-rTzFORx#t* zRh7zDt5N~N;wc#gC6r*A{dsLRibR{!m_ou?MXs)h%HNQnne5FX4u`0W zlAC|2qmh|@F=UQISoBBhab3U4xkl?v6^~;e?MS9okw-W-NZzY{!u{~-v-k->dp08~ zy(0b^!ubGr4-wj#TK+-}1HRSYda1Hw&YAv^9JyAW=BKiL$w2>fJ@4nU=9c%j=U%m^ z+INt^bA=EQ76|GrFQz!lBRsp_xENVLGFY_u(ze@Z_FD{KKc0rcv~rM3G1AmL39Wsq zP0I)C{f2tg{r7(jRB4&W5xxRL1R#b=&HmYTWFoptxcS$rL^qd0DR+UO!2bj%2FkyW 
z(9|O-l~Jr9NI`2$9%=P~=+K@46{Z7O#mm2q8cT6+)LFWeEy75fXV%dI#=uju>8tz3 zrutU%hPRsp<+%NcsO=23!o0NbFzv-SM%IJp&DSUX)#!&J=wf0GpKpc8k<$F0DFe$I z((7c)$D))q!(V3J4r>REeNHFf8OR83*YP{_rkPxoAQXrmyYY%qU zhUA2Ti+((RK?oZkqgwn zbK_I;&V(os6?!gK66#n}j3k4KMD&u_EcT>zxTa%C@d<(;d88Qr9@-AAHG6g+;fMwg zQhhG8Ta+Xu9Cw(a)@9WzbX1R)ld6vXLf1etWdc@s{mz+K%DnJ1rlo-UI z@4xf&u|VB9qXM}rKi~k#mMC(l7Az%LAT#Q9<-IWD9R3-3wfXvbUbHf4`E4)4@(1Im z-!glXoDSV&IxmZ%78>hkSmothVc)^nmk?;GOt+Bdm9w4IxOfv3#{rS{S(NGjLk~eH zH7W#y<$iu}NJ#tdy212)M|kR~t&wGAJnCp1@k8?cO0CE+0eS;G_AFuT;p~lw zNIy&;^h5E6pl)=1KgInO7Nf0BtbcmS(io5zBxvT&~0zP%y$xcJfNXzPPzm|=8Y zgXLbCy7}gtM7Jnp%qQg0i+$2LxiD?n5axN5(6c>l}y(D$`)^^z(UgJeeooTBF5A-m0AXP*uNMEU-yJw{$ zlea4FOX=B<2X&@4z0$eQTk~=5?4U9k_);8wli}W$Fy$yir%$@D$2I+_K`Xe6BiTk- zvsBKdq2!70{*0O6@R^SL{sSp$_+sHniwyPkyxMc*|&I2&yr^iWhZ212>Cyvucw<6YIjdbf(X^iM&_U? z2TOq_se?yD;C!W5az6Xl=3)2to3W>&ijsePJZT4K1r*sk8~TAYGO$@V)Szvz`y%c6Qp=NX7=7PE^7rUukC4 zt#SecFD)CU+C7aHqDRo3vTD2XuU&S4pVO*Mwzj0{9U;MJ900UomBJ zrtLq$y}3Q9(yQ-mWZ=6y*a_NkETz(eeQCra-o?D}e3o$D*GFsb@aGJB7#h4h7z4IE4ZK^lOCc4=#!+VhoZZo4 zE<&gm5zs5RIK*qg-(#O}xsB@}$=DQGj$Rns3zsUA9;^8u=bUwj3RwwB&VSM6vsey` zDboE{T+S*c|1@mX-{eTMyXp*GU5V~OU&%;GLp}X7c7tJ9Ap-(YsOTYf3b9+I2h{Jv zUN@&a^wFo1bJAG1aN*vtjvXvDnUtXu>7>&aBE2_(=UR~$@x{>YW;44y_C4Rd8t*Bt z@xBlHY!6CiiJz{a5CqrM=zoR)US^ut{z9|HB)C|?~Kzbg!6V^9nVVT|KqO(EcO#Opk zM>Z-`;(GC`FX9j_N_F@vFd?X;)yEz{QD%iTYILFUQ?L5tYeTZ)0^U0UDj@N*1H$U^3&F*NzO`E5H z1{YIs;Y7&d>Fy}6?r$V2v<>_>T!z*z@sy8++5*CB`y^0m0t)}wW0VMr>Zal{oQd9; zlO+9&YB^`d3)`AV`)xf8h_Ir4(H5{cT~hp6GIfAawBDHt$OvcH)VJE5$o~9Q`9)c~ zN}E_SB4jgaRuaAG#9vXt*|mo4H?48&&fbV`g~x`Thqq+|JbqN)E*!Z6zbJct zn{hE2JJ}c9Szn8$o@P<)#B_spXhM<^vXca1LWKwyW>fEn6n5TNNg{70z@`uQ8xt+B zuMmR22&^H&+$uSfA82adyQ9eod+C6WY4DF)w_q|;X5I^eq%M;?`~^~G4mUJKSc zBNqQFiA#!POZiTv3Mb`#cw0b?ix1YAn4Hg)-mjl4#@2(k_fi`g*l~P)#PI@#JUbZ) z0u@vjM}c#oA1D3T|H!D#8X#ANj(PGd^tY@5KeXplqNRv7XhFZY7f)O3W!MVF-8*j% zYLzP=qTaL{|LdOr&$pdAs^mGEKEItJb)A=Gjq{-oy6%gsNSD&z@T&bgum{#dYTZAJ;YjW>Gv)yUUT*kI)d8nF6S;_HH 
z+;XB!Nt-g6O23bU`Ao3VvfZg}icf2m94~U1u=AxdeeBrEsW8F+E8t{4|IX>r)v|i3 zTC01XbN*+ImZRRGex^t2mS~6CX`{;(z|z=@Rp51V1oiPH`sQ)Vot5IL{Vu46(2x&A z`G%qp_&$MNVf9_T`kGC31z7nuckP~-)Pg%xm~!_O^IxRQ<08o-CO~7rNl-%>M$neO z7q7=_2oHaG@ClVJU07E!uTgn|NWR_c_llyd`iJg6OC>xT-vPn0%~9Nvz8j+1-H_%yqB;= z-#WGdnSFS|N=J=$uEtD5{0x&b3GaUjZ;PeGVJv`qL6uF^3}V(Tf}dM(#S@3$Sc=vl zk=?*ns&8aMdg^vy;YGB?jTf!hNzQNMY}>4Aw91kudkzNU#j>V*M;05ziANEEhx%2^ zqpMnd3oaqM`d>#==ck-iBo@y*J)CP@zG+bZ8`+H=t&)@Usj=B(p*@UX{4n6#H3q*a zkycKWXGo|CEMe9)F@o`o?>rNXLQ}9UUxjHET+T8i7>UzFc$BhHR?oJJ)fTZgOg)6H zJQthslXw+lq=6q?*B6;l@C*cOZ*zhQhN0g6cSt0K5qyfGQ%I?E4Nj0U}Yz{kj z<$&%pv7Jcgj5}n#M<|De=ZqUW8Vk9Z4B5r#iS&#i=C){4E(l)S=knC z{YRSAOn?ngwVnx{2wc#dNK2MJS54Q*GEivxB>HLkk(<5%!)M_+63qI$4@`}Ml1=9D zSNh;Tu<$`t$7BUo#NbC^Hk;!?(Brlw>9yXI9`U)l64PiSZJ*zDW4kEn|K6gPoK>QJ*VLv#H<)+(KrYhPc;J`L{#3A-u<*Ah=1E;1wK#M;NW1=8&2c>cN*5b zGzR|$mEKSO2`dP%J za&Y-@!%T+8N#HZwy#cq;mNfe{YnT5*KK$)Dl=q6R2Jvagl>&z0Vgvo{3a7@U4JjzE z<)xdfjT&2f2Oz5Pva_s|>Q7WTnqVjg^SAL*$OYm`E$m1j&mcB|(VJiLIa?)`hr@&q zg^F#8x99w)v5p4z|Al5BMM&S3(02T3T|ZQ+JtG*cql4!mV>w0L z3f>@m!|3Pw#L#W2Ms^BZtlK9I)GfUIZQ(ft(BKl;oH-ExLHoK9!aUq;V0MUO-hB~&d`hR`Q5tZd%^!^t{H(TaoKeUAL!<=|Kujm zS~>NS!BOtp{BDTv4tWK%uJM)y${x>!|Ja8;-U7PLwzQcn)!X)}=5pEc179>f!t@d* zc%zcXlTU}eYpYl6Z2t$Ms;32tZ#I)bh~$843*4O;KaQ!XLcS*De{J6m;p#J-A{O(2 zqSCV=cim;5R|ClTcurnQ#LLAB2)bC~#e1#0lj^n$;2elQ_r)z;IB%P;sYo3hqp}!7 zZ9`^=Ts}+J(I=9;mKiMc_awK11M;eVyASDP-Vg+@&!zK`P>~Fs;kdlBeGVG9XNP{J zAz@5Z35rA`mR(O0HP~)5i&S*$*PxmZiy{}rfgA6T+YL4dRWLS3Z16>(xp@WD2@DY{o@S(RlR~5`a?u5IRy6n zsFUd8*0SF+4@cpKWbH7F+1?)Il-!;TE7S8Ut1U9oN3wyjE1 zF;;A+qDoS+ZQHhOCtvnG=ia;b`EFZ(=2~sGsWti>qmTC;Pv`ZWQcG38e)D1mPRuF! 
z7BWn6YKB_uAIvXrFMj(jq(KmGy45`AH&${u05=GQHV&I1Ae`3lW!>?acKnY1yeZJ$ z4->u%%;-Lk)YeeOkIF;{f|lXXFBc_@sUL_H`aM0}Yi6l4KIW^U8BVxO*@DKj-bexn zAQy^~>Lj#h%$J+D9Hm`W!uIr}mr1uQOIJhXV@>YRaAYR8~$`E^*0YF6<#7OxBB zcGh5b9~h_*T7?H1SFjUj`DDgr4xg3SUpJ(Ce4i_^@#;OYQ=(Lag$Iqh7KAa+87_5e>=GkQ{~N) z%`%u1garVylV#8^#2c!y)L8iz&*k~tE{fa%sa$B8-?DNW?jqQG& z_scO*T8Q1JOsG-B;oo1h;n$Q8yL2~0xG65Cm3G%AYr=| z9vyJVIKhZQb4zdVD1g=`t5RdMzI3as=|1GC%3JvkY8W>gTg3-=9m3Ao;vZc5w!QoR zx!@wp=TL2K1V^(RCoNAnCT~*+Crl|Hu>?1;c|cs%s~6L{7#u3ji5_5n{6Q=ITgsYC zbfqoYrF1I~I<^v0!O7`iFUBB&V%_g?X&2`5idtNDQ7BvC`!ui+$RDKOopuSbB0AR7 zOCaCV7S!YS-KIt>{Q>(R3omS%S4&X5uI(dydh25#7Ii zbYTGqYnDnxvW(br48ifThwKG9+h%CKK+|8iwY+NSD!SkJ#SD6agI9XrJ60iS2A4vk zY=72h{J_Q70!}`Zdg7X|(%Qg&@J@cgW_}wRfM<5WU17)jSPLQb8IJP&*-uY8Nz%yD zB(Y3qawj#(vcfVtq4oM8uohE5Ni87`c(Jk@+iDyiqd4J{;mVGxOhMT89-32ComylR z^*f3*`|@s;%I#q#G$39$)-oj;^0Q)3SF==8ZZWdw{Ng=8eHJNLYI1a^#Y%XqBU_8o zziMw>D#T{k2;tk?u7**a18K5Jm=~f5yjXLKvE9u-<@`OZVNDZes$HIVdD7N+qSkYmZ;UT@TvA&PlZl|q#XggDGrzIhLn|AIS;|f&r~!uTm#E2`zy~Ez{ zbaIS47HpnRQZKKeYeLjsXax^%;4CRDY*ch@q(cO-VtAxNN-j6BH{9dD(<5?s=O}J) zH!C3>|1gPC^>B3#^`5P|=SZr+F{7utIgPIv@293f#?Jl=MR{6q@1`<3T~T>E=qDc4 zQhGI-at}AOBoDsmq&GW>?ixq=h6kc{MOOFONQWU1bM}(BxKio(3X;G`%^1`MXc_p6 zh@g6IoViSEn23kHHojIf;do&;Ux z?w6ML>WRU>tVs?7kRoCTqO82!JLuyB%Z*AyO}_%&NnDM~DNo=d8W)2LtuSfpa!6iN zd%GCHC2!gltiP(DwJ1Njf?FDM%XMaiK-sk<%<(IKdmSiZcX__#f8+T=E z03dt?b-g)ZKhBqtQMfPtI6CBP;~H~Z_$)@a9POWj-m6!^u2gqy(_mx7_U;@W@DWAl zPZbjaJkb586h<0rssYh=DEkC=Xc+m4$)2JBxzU*=xJL>H%3b?Z+f#Pf-suga?7&SfJVC6-O(-EQ5{9t==EvOL_k$m;>_dJM z+-%_`4t4aWI2x|q%fsQ?X0P}6yRo=C;m7Hawz|40PiU~oGFIQ#?R8K6nlv99O{p?y zy#HTc1nSe6yyzsPsm&9zyf#!+{2rRnX#2mN5ZrVF9~cj_HB-deQUMt3oELzxebKP| z@y9|&K-;~MPu7ZEZh=jWsMig9%FPG>T^UR&9nD~Eh_a^*{4b+VIBa}Y0!~Bw{tVHW zgias=vD6fs3!mB>Rpy=_6vZR*ur2~ME&nxEVw7yJmp*g(_(*S87o`osLs}3;N+tyY z8ka&i$Av}!^2sI{3&d8JOddHvj-vV85n4KW4iGhql+2d3*)(lP9&?Eo1*goysBku# zOXef(+@OT>jR=NM(4_Ah<^mf9NgDscUXepv3k7}w10x?uFT0?gp8Nz753;HUaucHe 
zxYrZd+Ye5|fHmou`;0Td=a9Wv91=S<7i#43iQvoCm)*BSazi=a!e&-zyT$slb?Y!3;GYP-)?_O~&zN z_*E_9zQE`9Y5d1e+8HDnd>BMgt{|{e5Rht$Q%%1KzrAx9n)>i__`-eP^(f`pVk50P zz0BKo4AK2f67N0un6dG=;Rzv1~XI0Y@xo{5nyilM+A*X zkUd_T(l;H!WPpK{`iMVDc{=>`TQ%qKE0|a9OPX*j)ckqV~l{6ER8FWR^GM8|j z^iB?=c*$G?X;6sg>pKL}(cP-xi>Ny_*F0j~9H@GNKdi?_1Ws+=*`U7FVd6C}mR0=V z_ShNVnClDzTa%nwm`iexZxj1Vr2PA*3o2kD2!3m<2PBe4^ z)Nr-&^`>PG5}vy!Q^XG1(p1VMwrwdzXV_05=zM?BUi1HacPMz5T>doA@g?sZpVZ`m zsSDuC_Bx^Rn`ltydG#RlmP^EbaT#tb&aH zlOpSJHv9Yqvtabu|7H@Tu}G(^w~(m9#ri$5v;x zX~0(Zj)eM_64E6&ngg9sc!$wM#?|m`i9vw`K$NRc{ZJH3{_t*M@%R1=GTCL7b!wX_ z0zO&L&*mcBa2BWQkp&T=NEChGvY0PTU-LwVaym(All}#?#_97{;M|CXRa;-Ji^@dh zL};S?af!?*RiThKXJOO5wCGBs8b$!rh%`mTTg%p|rFPsQ%eRX=CqfoS@QaM9b+fNE zPO7IDU9++#nv`=Nr?Ki`MU*K)SrjZIFwhPcbE~QDW~ep89$!AG5yQvx=is@CMR?XZ zdQ^+ea(I3ido(_sZC$!(qqZ5osEPk(0SL8g9NG%qI>@0}&VFS_Nhj+I7GHgNLr*Ev z>_63NUy?3%@ks_Qah#D^@{RLAB&pX}#?}S5W(i)sS(s{(^q(sGe`xOSgbuB6Ml0&%{`@t0UyGgo{&xBQx4Xc;>;$PWgqD(j z_Y(YH+kX6z7GGB&uWiLP{g3DN&-4HF%>f8#obUixLJRpnO%gyr4URrwwpAN-0y#Ft z3`;a%AI+|XIMIF8Jk)#G!(?kMNjGOAn!I++CKxv#xGy`!r{`lU6LwkV0Yyg9nmCl} z3X#R=*3<-OqM{`Y^E+zt^aUj)H_7|^YSOk!d@l~&!x1m!rk1g(+Z%-O#OZ7Jf9evv zumWdB2vb=q@WI-L2{28vGi>OYgRI28X}kUxISquAwFBo+QM%fk`h5;`Dl^WP8+ zN_{3~#()j&MvU4r0BM2M3%#9*D)<8%9-vFfhZ)ip_g&Mp*pdlvKtY(WA%z#|`VxHCNU6T&KQNF_t9@l}V8YKj; zO+<2hD08VhPrkk81<}f;B_A6msKvNbhM-v}r_eIqE)nUSZX~~kUd>*)v}K@<2)?C0 z{@5yB`%ghjTZl37g={iQ={Gl(1kU=WRm#ZUKBLdp4)iBn8L;dU4$?@SqRlOZ5g%hR zU;m#uaEa;SKN|9ryO6-)hrWZoWhGNPsXeR4yIx;+K5}9rs$sve^|e`pK_X{O75~l7 zM)4E!o{bNxap>iKNa+9i07%wfP>yhT(Lj`9u6Xn>e1R(Pl&{Km>g9=zW;VA4)!k5V zWP>UIyFqP6*&NQz7)A20b7tSG5}LzY1N{4FD73rAWe=Wn7l|C!q)@}|mzG$-D$RzX zkcolzYZ#2SV@2BJLZCysTi4l*my#KRaSyoWnBK7S^o@BUe*EO6%x@FjW2*Pn5U*xs zIq^71w%F&uJq8mcPVPv(Ujz|a4||ZN3ia@DoG?0z);Hsjh*0?zL}icRWGePe`9r7e zdRbpl;9NQWo#PCb8><+rvIrzB%MV{0S|bBrWN2l2NzX}?H+#(g_k9X;~jiK@n)XO-b_^#Vd*GV#eLwrsMDDXGo=L z^l?aS#%HLcBR2(_R_;_vi`aSUy=DrcF~yVZF&pa(;TvJU zaGYXta{x>Da|=#si7DH-m*qHV<;(lAPVD)#{>n8a`H`xtDxl+EE~IK06R(7*=4;1G 
zLs#}$GP0q}Te=My(~#|=(X=+*ITJZLy`)R-lGCwYhbJaCxwnsT>H(t>`Jvh*ErXi) zSlye6I-JA~i+{dM3%WsCG!p-K?{2vV{z%fMatQO(q9p?)rq2#Zj0=c`+~q`^87G-U zT0|b@#aWD+UwJ)!4rkMYZpvAaC+uVUdXUeF0T_Md+&+=}$v^r;76 zKxX&`QdST0ir?txNqBfLEBd|a9$G@|(QNRgOtq=ycXG*q3cTy`h3+8n*??SWB8H#L z2eNZ1km^2Q2PLyQ@F!jF3p4ME%{zrkWMD*(P%e@2^0BaD9)O)4?9WXzKs_M_b91^g z%%?mXLpxVBAv=tTk(Tp1oG3a<;;zU6Ep!A#cDIP#M@P4ydbgDQhP!Ag==MS0YeIKh z3quWI>FfB?@@l^a$`gSSQUH1!?uxvT zkOU#&aiy}U1;{*m#`zz~^k5K#iq&hHL@1N3pMk%MNcF{KH5HF0?}aCR7;6)u@3unT z`2)zi4w-_yMQdI#8Mi^E8Lgx>quZiXH2FsatihtEi4~&_PRC&X@|V3*D`EC{DXRON>|mQ{nZu1w`hnS zTm;hoenbEQ+I}RC7k?s2y~CZg%nJ3V^`E&Sjo=Eopd4tW1ayKm#}~M8OkOr;1Y4R~ zLR$Re^Y(yrHKV>e*Mlh2Tn$B5E1X+Q=FjDh$FT%iKYK06mr*PMjvLElurMPzW3tG>+&yvo-{mt}`eMk#lt$~L6#O~!~E2MV{!jBYT>aN+v z93%Qs3vRMp?$9Cz!Qw&!8jsZD?a_@n?ca)rZJua!pKH}NAfC);;%=I#e0-w!4$u*% z8N;CaVhMawqg7L$5M5jMY@H`r5A;fRpL7a}1(lV3tHQ0jw#g@A^5qj+(R>|T9-%%z z>Q^t(P6bAJl;dM{rS#C3^$jiMs`1E>&ZSVX5y^D64io zNjs__Z`ij01hs|O zt$zY(%ZVAn!D4DgDe}V>dn_%M2gE5CnH=PbC^inf`XK6AF z)oj3gbcn1Bt@Poyk$jaJxhozDdt}_!2|8rQ-7&>hU6HKdT^q8N)s#CoE!_tj4ma{I z0#}Hlh;NkbFgc4e4gMp6AnEwCVAUNRh(E$v$JaZ_DAlHRD|jjGoawd>is5yWK}7Kn z35xn|a|K29PpsNfdNbxN#z+zxQ?DDUy8=H8V!%R2&;rq&O<=10_d2LFalNcEPKH6t zce-qp|4SgpIW`F=03DJZ?yCEvxe0Z z68G;8O-@|EmyjGcIBh2m`CevWL=1hJ+ z=luzSh2k+D1saAIjVTitJUzWl(lb@es>9E$tx zLLME%eMICTRp}8#115QBWcakbr%cut*{}Ch=NhZzWh`$R{{_L40!J`ZI<~QI!J;j? 
zQEo!70iwXT-%l8J4QP+$`^^Eqt^5~XYWXj|RN_%|kzB?1XUnm+4$K@lQW6+Po%F1T z1o9i1tFs72R;F6nqGpWDsF)4BbrSHMxG94rjFKw-5=DMwk$FUF7%$0wGK+nB||5!7pFt zGpQyFZkX5A)4|JB$I=l<<#rq?Yb!mSc$H%9zR^@aj!W*m&!9bn83j;lV}ax=s4Az8aRoEHau z-fcGFXQlEboe*}lhwH636?cUfnoICHjPc*3W7 zefz<-{29$*R_&!T5ZohkHo*{F_`zf6;+0L&`1wWQDc8G)XJ=?t&*jZ}FW*QFo%g_; zU7QfAt?M)xK4ERc{i@@*MW0oAZ(jez-GeUsk`!1WPqUu5gLweYV$Azuml5@=ny5)2 zTQ*!dAF&HcGq?4DxhECBU<;2G5@>v|+eFTR(I)+LG%hJKV7AD5k5282Z&fi>?;XQ4 z?KL~ICmH6*9kR|ZD?n7BJS+*t-wC9tvd}NTjZkAXB!4<=@ibCAdQ1j=3Sus)D$OkW zN>D`GTiJtl2RR`ZZ)y?`75|CJX0&{@~qn=j>d@xC`%!TZm&4-QD^#~KNK7-q!8 za_hC+g$Qk)uP3dEiez5zGkcFoHD*+;=BW~?5Avso-%56=drkdd}zO?aQ5FbagBB2~=vZQJH zI)t@!fLKKutdX4SJ=5K{S^!w+a{;3R?g$3_mY(bwCOVfHM#J7=UYW?y04*I^G;T0q z%b&LR0C^!X!(aTj=}f!&|E1Sb_x+{Ub|bfV|Hbc#H;2P29;v+|6H?u^v`vq^Z)76N z)*&M)gx8ZA7s?h`! z7-S4S41xt-NSN2f6Pq{!Hu4vPXlFa4QyhUf;?>m4Ht*3+2Y#vLWn* zC^Nf91Cz7W5~5yj+X|dOt`vj84?Bq=>>w2L;CDjl7QU#iD`Cu}V&X_ECvph+^JOOv z6U7Sup=T00CgKX*_7Q-gu@UTny;jJi`+Z%p!ZcIz?n%pG(G8{2XZ>hW)5&H`zb@D8 z17fSRfOY?WjAif<88g-yorpap@H7JfMR)z;bx5rf#Sq9CQ$n?J|xSfkWtpMPaaUB_rdX)dE-LFfr-r+nNsSy@(cU*7I#;)k>|1EK7wA- z7D0W$)CcUDgof7@ZMP9~9Gn5?=eohmsL&{}{Nep#HKJRis}VOBoI z_l;;5>rh`TkEpwNEqv1k+px(gJIppX->J7TdKJaU*Qcjg+$Ldh6g_)k*gJ2v<&JOE zbxfY0u9y*hP43rjpC)h5(Imiv@y4DG3F+$il6?Gj0}M|amb6+GI@yKkS4sQx&%B|6 z`r{&VOXsO?YLM&AQO;O&OnxS;ZhQg2lT-18Y6mwPklo^T zOx`tL{~phTA2>r#Hq^}!6|M{9jiD(pPQN#jsoyn=k>zb&TfZ_-ur$W@*6ve%&z(?` zCFY&Kba=a^#NrB!l=lVIBqGiStY7?B;NTH@`bsU-FFhq`E2OM$Pz|E}>&`Y7lONB2PUO%sKH8X3IHQly1dfox=f> z=r#v=q*TjN2JCMsTkM4ilpvT-2v1MXr79v6%T=}B%K*cnw>!Eg&pKjx`Gj+rocbas z=8+kgZ>pLq2^2HY@$`jYj}eo}t%Q*$@4^;lAKLCns=qdUj+*QLO=-ZhUKF+B5~J%- z^n8mRPJ%6L_4@4@wyxS#-}4`%5D3V**}kbpey0U|;Z1%9adosxoXBg&WNb^QY)7u1 znxfl?%_ByX!DE=X|5C3&&-v^BaLNY0Rg-h{A3%{2kv?|)wZ45oU2K;8TKnl-?k;!) 
zOb$hZN3Pd?bh$#H6PcP^=*qEBqjm8Bu_FsGQd6UTu^Gj zU|eMB`N_FO55y)``>jtA=~|ZQ_P2>ifrTm&Ma0w=&q{%^`AHhU>`)(K4$v0JnUfxs z^Usy-lbny)-j|$h&oiTE%4^;e8`hQW3+@%|0Pl6z2P%nh*M-qSH=k-s^jT=Tos=0m zsv)`7q>0aA+xm3;!c6frIhzZu8gn3o0e|uOa)bv96RB1RL`&_7(*m2krXXj-BwZ%n zQh0!0+|J0-ulC`(0PYH3|L_ir?-&qR<5(Skx+*LA$36t_4%F4$_!nd*1_b)`a7Wu* zs2?r!bC$33m{XVu*lsurZpscL;U-;UE@Sc$&P_}3-&6KuFH3IWk``DRk0(4?9~u3p zZ^Z{I$0}81{ya89eYtPYn>N<d+w}K|z6mfdYOA2oMq?K4~ItY4Rj8 z<^S}-P7XG8M`B}Zz6ecMU1;mj3_-7$T*szqp-jiTIpp$gD2&BEJhT}LqPcjh#La&( zov9AW^S!%!Oa|O9df-KQU?+J$E|wq{C1e2fp!^rqAR5J>jAZ6axZ@g!K6W`{??y_a zqB+eUy;z;dQhLA2nscozX=Xe{hyKhJus>hjBI{ws%A1z}*Dy}@5X1M;U0?J6eII@U| zP3P--sMmH@!sA-4*lq5fbxt`vIe5J5-|ws+BVy+qXecAc;2CABn4{&io>VuVAi6EZ z%zn-o-&>+%|A$lyAh&+)uF77&hT|NZl0x^@h3>m4v4+JVAxz#3ycVo9UNolAXTKjc zFjKb0H-OVt8dgJw=?Xi5S^vAuApY|KJVg^4z>BOz;IsuYz*(CIl*X{{+H-(=`bQoz zbXhb-=ORL~{t&2ruLkP)6rCp~e9$+s$@~3Zt?xgM^tB^Kz{An9_$6;4+%3!n3urf7 z0u*$B01Bc-2S0mW!X|5}$LOB@N}CYp|9vh0eL#6o5rHujBu6^L|NiCw+W#s;OaQdc zZ}tFf1nTcW(KG>h#R2eq9NzdXdI@&Rr_pQ|95NR+P?Fi1C!Is(->R%tx^> zL)NP3o%C7x-dbLTs2Z&pxGa(qV`!>itng=443+&y7Z@sfGR{(0J5_CHhp3KA2y1zT zoiPbFP7;khh>Pnn56caP+!W-ps#pkD38?yO>jP{|^1QC?AAS^m5^kCu9W>o&-(7Ph zt>V=I08Q4wC!6RWrq|PMY0$n8>osLc>c8LM)(PQO$=f$cb{h6X3v}NH7L6oKXl)Zx zVq11tU3U>p8+`#iD^%j7oBH4+IU=cBv!T1VsE?+LowcufYy0EEZNnZP@B-uS!8=jf zK95c^jy*AIyMXjvYdh9DYQ&JXaipfmfa?Oc0YG0?MVXJ&K*K{bLal=QaqfApX6ds1 zJ($!QS?&lNuP&NCH$PuZ+W~HZVQUISSy8Q$)(zE!)bh-KjY>ShcE`puS`Kp6QH|y~ zJo;19*xcX~4U`dg-=3J~Kv(zEbvE|__fK;vE}4X{i#bRQ>({`0@H2z!A>GEmm+4sO zRzk}hcG-DDb<5RkusVyS*>}GAa04t9yQ@D^vKAWGe6u$ZPJe#2ft3WwI+DI+`Y5Rx zNhb*gySNOT_$==cwt8wp{ST*H=k37JZ(B`mMW96+QNQozvCbV0n%+j8-MGK^r!$?! 
zpIaxcCkEboYa4fT+HbM8$gK+ok~&QGxd{exql>pGeIqZN^_!56|2ldwOp&)ol#P9b zZAR}(Y2-y_aWjG*kluLQsnkl?kENtsiWTU;x3MP%;oO5IW|2ETAT$19+1r~el&XUm zSX4B$yrU)ZwI(ZegaZ})Oh73Ce~^z__N%{#`J4#nka9Cj`0Rv%E?*MHxgbClU=%b6 zj3mY?wvYOu#rhp?Qi<_TNeN=5yKW@W2=LxizTbDoZ901W4Qv0tlDy07;55bNyfy5K zcVhIdUXIIx_=ePEcSv85@o!+-N(A1MNwWK%6?KQ2G%YYSFSTS=*4FFH&ba%lOn&Q| zY)Zq$A(~7)wZ#GD2wK#O3oS6_@K9eh!?nB6b&Zq7jOB@zYaI|SH108z2~1%=idIEN z)p;8eHt6G0eSQXM9lt%qYV!w&E35YsoWkRhXx>)4hTx$P=$zN2CFFdB(?)t<7TNP! znsQr}jyRJW*&e&&{~UNo_7xfJE}&{9#ap*E75vfJ37=P1!qj0aF}qj2=<K`ftICzY$}qMW)EM7txdCsvCmdDScPSZOZik%gg>@XYldGX6{*}QjSn+U1yxr zt?u9Z)jRRix9Q6&PBH_2EeK5dm}-1Dy!!7m^FL13tKCx2_Bes^fY$s|aqXe@i=9_zA~bu8;m1JBVQL!hG0k(LCa*g`mZ6*nhu$?)9cma!tf)c9}l` z_L%fcf6b-PtEs`y$^O_@^v$9d6*%JpqH96=`}_JzTOijpG_l=FES~PX&aB2MV zA$wg(X#$333a)`PK8$XbP9qM=0(=NV0c;zL{A*SpL?MQvpAD}MIjxYp-ZVaxGq=(3 zw3FCAPn1Q}2;RPU^&k@tz|CHkhc*nC6T5yiMse#Dw&ua5w~VCKaRW#ZkazoNpF3u# zAV>3!q&cf+8VUxOH=&FqIWA>^fTB}BR4*}@(RENAf6+X=0a|;&O~^!q zU_`BUyENL#40jZ@Y9OW;QX6zWnpBV8W|`O()O4@EUlR!rZ+w-GUuKypF)3xiAFIRb z(y{6+;@tG7*E$8yD-|(cw)u&z3iFNBrd*$|@!$>YA3H$#U@el`nHzb{^0k}}rC!kw z6VDCO?CP&$L1{nDe*dkTmvF}>`Wly%6>W3RKm!v>)%yFatL!R^?b|t>h>0a&Zr;DU zA+YwRB8u%!Lu#$DwGm{wqhlCpdjV7>n&xq07ADbdZk)XQMa!(cBi@8VHb&LP3YPLi znWm`i_O7rXOe90#ZqCn7I0^;Hhfzt`gYU8EE<;T=22C@~t+a6-7Qr+yF$uE}wIsEo zxTaJCg9&t0qnC`^XOx@KKgo)#={V6Bs;~^0=d(;SX_)Z_(;=WW_#cg)mb!T|m@EyM zx%lhlP37P8L)rFZZ!EbVV%mdN6PBrMmec@0@Shzn;1RU<^P3i?Avf6{K8s@7f8X?! 
zv65#YUM1XABvhpxAfY>qW8&vOL2NU+5P;E47))f&df1tRw?Mo&ctzTKgHj!`QE*W4 z$r*op~t={cN>_#PsUlS&2c4J?wfEdn~I-Hm26S1Nc z(VH$iO$jnP{M!&FpCh9;-LGw0;?IljDklUpo|+sSsV1dE?k7h*)c$1KrzneE z1!B<1=}dunr2W!0>f?~x?(Mk+ofqcs-2fuw z+X`aUle>sGa?6}wx9r`Ir~Op+bA0G;Z`poae+GiAAM#=7Tsq3zfa>8Jo~$JO(LwpK z;UDB(z1Kg5Ro6`^06$_ss(iQF_9(^ZpKj{??R2LUrIGx|NIL(psvFC(&5|9fC@BX3l& zc22*#cYc+v(sznYZXZ%Rt!E-RrH7~jADou^-hGVe^@I36n}-0vGAN9C%*eP|T@5#) zLFC}$s9e6=-g(_o+mFCD+&VadLD+THjHZ_O$=@;_g!g!DYmIov?XZgSXZl9xY6GJUL$Immybn{Bb6bz+^CYHsDX{0Pe6jYGMd@+q1@^kC0 zsJXQhxarwO8l&GfEo88lmqj$?)U9RW@9ZF8BECzx8~2-&C^~$NB;2aT2qTZJzyDJB z33>!ZL>cxrbc;&M9VjTs=MyDzmk~3>pqJ;EXW!b|a^U$W_>f`JCr+}z!Su4LD7@o) zLOD>EM8@Nt{BF?YN=$NrS2#K9Y_phzJC9fJ10hhOsJH;Sz6A%^Yf?W(NtFk>E1sSW z#y!u%fPx%V_Ry>+r|6qM3$>-(34bA74S$C0Zud|lhVe@ag~Q3_U|aC>J!4_}i&W%GBAW5R4d<(350_QlpKM^dSt!KYhUQ8m5Tg^&x_&=j z$*t`@bn?cfSz2~AIvW*kda~xgM%&`Web5Q*-BIrDrZ%Xx}CR$GU z<0neqB0$yg#p6>*`y`!p)AgfpCd`P~ToF_=h2u&?AhKGttQ?ykb%JDoA$}2r5XT1^ zo*4)Zqw8}$<(Hu`DDqEC7nGW1uD2kUdQ-(aU)wX*zu}WTTsJkx088H@@59m)Hx5jS zp1*6BUuS`L4%L%juNX+P%54w$>IF*x2!~^QCs+VE>@1X;=b3OKOf=ix zEzUAVD*;@vw3F?9riSQ&5^ecJI#Ume0~!oCQz0}kqY-TAkZNJLZ;B!NrG-IA@}iOa zwDIp7Q;nZ}8C?972`)X|lZ?3z{4>e~!Y(H{R7+Xm7dA@HBLd42%c2t54u9cpblEN zTz0GkFYi&RJyZ}f&-pPd6Oa+5WN}%68cLEMJ*`!J;n}Q4#g6llYwfWrFQm*e<@@vz zy@Z*q&QK8x2%E3lU93hw!#g|V^NZ-N z_yXAj?AOb(Oq;rHKChLbq$KWccOs?98h=$xIk?lU=HwxIW z?lJVzC4FY-Pt7YfwLML!I=H_H2G=;AsgA}b9^!PK#~%B{&NGjUzC zH=~@Q!RZy_r`1AC89^|ZZ7-+!b&Vr&JdSyCX7&ABWYQ5n%RL63ZiskrV1us}y`V&d7;U329()|*{W&1zyx=dOSIV&2gb=xzcw9qBltTy7fH=vI0E%40i9(T23hwa{{ zES`5ff~8N=z%OZzb4_j7O{Ku4_+Ae>TSWA>Yh*s(GL|tDd-Of%q;6L>g9f&09-_w} zWW47*d+sbgy*vRiULTc>;Cc+^Nw^+x}Y9!mx@ZllrQ zbsBB=Kznd_xczZ@2=#rfjGGi3glPJPa!22-Z~!HDj(`rUqF!GHv+WN_gKvWt&=FsZyQ)>QVT#go^ z8Ameq&`I4P+L7WP2J|!WM%M#@x=U+ixV4d=fp|VJKpVl}>Met!QANC{ulWXtG?+8a zKxU={y;EBdOh+y}`8#f1`Zt3+?&voJQYS7hir=yQur8Fv=}uY~v6$P$(2NkOtwGBT zX#No}oe)4UrjYMHSd!QxMpR2^TjI<6XVX&g*Y$c^{k`xJBgNne5;+ZB4 zd#hyiPJo#+l1DJ>AEkUTvOzL8zNUcIaHsG<#wWQs4jD%L;2w(0>%N_YA^8G~anBd~ 
zV@8Zu6?~qVK-1txET?Tq8}kj?^^=Mh^F?%Pt3Oy5v%Cg&h7Ob@z5r~$`2A0$qdQYs z!$tJ)R4kc&d8j+Rvd$9*VjhmLYzK=_4ms@yHbe2{6*2U&I5EaU~mF#*Xzqs#oJUHiFx`tf7A z-L800EyDsuRfA$ML_TW2Xs}GIfA=oac1W8b+L7r3=kS)o(~_v!ZyGO^?@qU8Do~E9 zW68HJ)BU7`CrZ7;`nV5(cA_QNx`{K5xq3~Td|{3NJBu`h<|{+6BhoJ$QK6;GPrqOP zo@yEQGNsNE%V-5cK5^2Wp`L>Glh>5gNCl7hpqEaZw#L(OS%85!MNGVTUo{b?Ll zQj=m^ja|P4gf% zHo`X5D7_`}Wk?@ocGPrRFeBw+S+$^sgA|N}nVbe7j`+soulsnv@vWJ*CN1fwjX&cs zopUHJoGJV=hwTY3NJ`v(RbM(D#AxUb@Un2M$mQ@`k^Cs>!>H!VgQu9#{iP3WrAWRW zc{k=_a;X!g*X=hqr;WkLGaP!7NwL5sj{)5t$BqW;g9+ATmQF~-Lb50 z*VdNnmU~jJ|CrZ*k|oL=cROafb~U;GDvGO_<9fEO_=bTT<_l;y3J;cxd3Y61jw_|C8SDh4qJ`r}eLWTEWYo_)j#~ zZ^tpHxE{qghnvRRuSY2IuZa~M0q9~x8qNF(=Fpf)BqI`b6BAFpxDm%7xDrI|Lgx1U z2SnM6qt)eCj$SV2)nh@-RBpJ%?~zARl1g!-g=!az6H!owFYM2&YukRXHfaJ+^n-Kd zz&uh<=rM%cv`L?7pS`@3yS0n2&PEmO8bIF7Kj6HtI(K*W%ERFihzr+2>ZYHZViXhU zP~C^tS>GhP6OWOghS;Vr&wtI*c(XibtJ6v>s$|S9rnzLmkiqO3WGxF^j08C|-4oO* zF#bY0=D?9g;WEA(@UW408f*~mp@vPz1MCO4GnootcgSMGuHJ$InKHRuzn1bj?r~}L zeWD(G5$6Y(Wpsf0bF*&|QyF0!U{^kmG{_HPE6FL=#5@da51-#R|6j@B9^ySp zQ52@Wa2`z9lhxxRC%jQUea0UvOY^~!mu#9t0OA~N>chFJsQl0p6lFY^!C>RzjsB|s z$AJ%eQSc65ZZBF{fu1n@p`$n82L75Xd?-4X2(08L+)C%qhin%8iA!ncHRsF**-zCa zQE%uP!uZ4Phnl%8ecpkRl?jUr0}^$b(_$QpkcTcAr2~VclvVfj!zB+ZM0D%gTAz#F z?mJD)Ow>>;=xbgS{cfd(N}}-`b)(zMm`TyV2(tCfmk)x{*XWjR(`g}vTsCX$k$+?e)z~9;`w8A2)QH6r$MF21o49L}(IUrM zI?RpFLwu~$4S(XWTkUkye1qv&3a44P8R15H!{aiXA;rteGnlNIo4MWdQ(tnC`jzR6 zEvdGII-Rb#!?el=gZwWN-`OQTq3!Hd0ZJ1l~CMDodD#Rjikj?;=701nx{R>;3#=bW!`q6$P)G~V@%ue zei;H!@=32iCAv26m?}G>~lNLW;$B{ zCshYc{QUf|8`b_ror8-+yoU$0);oD>N;jx!W3=pg5j2G8Fes$;H>`#DMGFjEB#ivy zh6R+Mmm6R2{Ya5_;|cpgxACpFAbwWI^zk`5xdCf4Jk$YMy!~qL(5<|%aixJ{GvkG) zGPS36*$VEw+kFuxV@QFel@B4m0u7&*=Gfi}-Ug@Q=SAuILTu(?Ju z`mW5x1afajI!XmHV5IvcY8K^-a=95?o~XNG9+rXFx8l7E#Y5~&_K-_USZZLj?14pI|&8p`p3KgSaCg%$XbXq)TQ&S0b@R0!4X}$R#uvC_FL_RUc>b-G| z)=F`kfGhkMk&e*r@wA`#!gycmGx5BiyQ1|~n7^!fD8%_6_jX*U%NuI9M>I=KT{r%q zLO5+aaA-*EskYl#x@Y_3pqkZkpIqQ1mkS#ek!tgi9?FV)Tzx+NY@n&hcB#oSx+*$t 
z6d{xCtiTNw-S#M?n7q`b-3`pm0ZRTImN=$&1^Jl@=iWuN8D<(n!8Wk2f?G8xv?lcF zxYFLrOoV6wP1|v|MD;)<%VC?`2R&B=Pq17jy|xI5LwQ1KtDqni{kTayS?5QsXmQ? zizT!>40_U8jb`G;SnyEwfLxBEYYRGnUtC*dZ$4XMd$F^m>s({Er$L1zQHASV+F3UN${9>8K0sFiY@(IC_IgQ?b(>&{GE=UW|Tf z%et*U2cNNG9-a^uSC)7l8nSU*VAtaH!!0-S1};|1eD13tUdo~R+f&qu`uVIbq`alV zc~*QlZ>C)F%c)F9AVM#`a1kW=Wa{s}IS>QQGeKx*sGL$#)ESNBRKITTyv``w_%?r7W&k(LS>)qdW$({Z^!SW@Mj~TI>L+h8)2U zO~2<4?fDuO=I{q^D&Exio&v}lGKK%@xI3({U)QNIn|f%7h#3YpjZ$ z-f?0sF;%c>krWsA+tH=~7hB1Fy}O9_+ueewl99Hx@#k3J zT0;Wxmmyel*zMI_=S^COn&t`SlHH)374`GxE=EU7FymyXE&Z;%SmZD}zq)(C;LLRY zPL!Ej(9|M~uCj=%uEK{Z&uwQHXEXTV`qT49+hj!CZayp92LY{gPAft!3o+qy=cIopdr2R^ zGsU3VyssV04lpFK< zgJFGA7-Qr7(G0{F*m3rw5xG9ZFOi!)JS8_M2L-;avh?I5>^(B%S3G*@xv*CI$iU`8KI*9{0~rzwtAZS7Cwp}zcM>9W)T%} z^XTn?U3g5ahr^2{NpA)ts1Y!1Mcn+N-@762UEkSFdEzDN0Yf`oi4vtFn%BfO-Y1rnt#Y{NlFOX}vqa{RgBXy(s3hs3SD>ppSPFvcg@aQ^>@gu|f z8+rV|y-{YS*_6q)iE5v?Y*jO+2bT$YW86V$550R`}MGhQdbn6R1 z;_^BcI`qM_Wq2T8+eUJ-fhC)IVq4uCE#HP+f~^PoWC0bXUdr_lBVyS5_W#WSkY+RU z7np0~ro&v|qucd5zE`}+7P8tG#R0H_=)H4``DC$JE9VLeImtFSEYU$$0Ip%1l66BNJlH*U^z4eP9wRWUU7<{5Pk~ zV?%qm%^DeCqPAws=#X143@4Z<>6nkx^hK&M5c%y!i{3q#aq{$m3NXr$%@L{JbLM=Q zH1Fy$Ata-FZ$5c|k+PXIIpXWi)$k+G_C4+}Q;fTAhdnXcXNr5;_e zwe0}bnC9}jxQD#{-nWy{rJ5rGcc4RmusgsXQQZ5_*nvpT$WxbA+`K&0z3Z}Q#On85 z_XBtF$L?W4*2aD(;V@3*MB!%}2sa$^7FYerVV}ULzTxlQ`93l1|Ea3}T@Y2!fhW?6 zq0KJXRy`q4GzPw`@-lxcC`de$oHNKp zCibmcoK~C*|CnUg^%#FNpa|YizE;Osg1N!+&>{Rj*FN&>5Vb22In#( zo6;DrfK-IO&YsnA`AH&cT=mSMQs-E9a0H^Hs#-$O{k>#I29q2M+| zO{^sGs+tK@y+*K7S2yOXL9Hd@dLu0Vc1b<{P!xE(#hbIl(A# z^L;t)(LdBd9Vnzw_&B)FS^iEj2dueQa4mE};ZVzNG0M0s!OGc-_xUnf#l_9Ry? 
zS20W7Ar|r8H-%kD1C8N-JL_&DfVyhQ|h?fm4a=6?n-$4YTG7^M;MV#Me!9JBd$=NuTZPOV zdg4qcA+)NlXnQJQVHd<-9=TmYXSHK!*=^XL^RBk; z?cJqWi!z>$*)tSvOKVjd_Nkmp=+x%&(-eWp>4OowAsD75` zac_E&*a2y`H+N8<>POC=E!XCo0hTz%WtDLVhhI0L&fYA3w@YnK9rC?D%3_5jl8h+C z;=l)8Z0?UHk^&3MD~pS#jc7I)ADQ|HgcJW(x_j4unaZUSJ+f50aB1|)a2Y_H)OikuquvY=!ZhP5BJH-Jt1p`t5ZM-gApfJqIgKy0 zj%?%Sv`fA#>+Ki3vbD%m-kW{ui9$6)8!R;qY=tDx6Y zXDKcwr=$_?e{hlibMuZlV!PORzhBY6UiBbZR9qmH*_FVqs{lcvvR&z^oPZZtER3n5 zsC!1vZ6+Yxtv+^%7x)#LulHBatC*}8>~yiuK#QML9UbGzDcD-sm7}-33i9lTAPdir zdJ&ClH*U3BxObd3*jov7!c5@UH>#x|yr{^1>9aVNKe5pf$nl93Oa*AKBEwNq93^ki zOrpRopy9(lda|AKsYKpI{!^HbfAKzuygCYWu}Kl^Y0%gxs8BOf$n*WcxesD+Vt3i+ zGSKFRy>OjaG*To?inOr5>z!S62EkOkn7;6j4WocYd?-Tko`F8a*kPC)*QJc-;ek&L z&b^n4!a*1h17@~_3W4m0b6EfBhT|@rZTk&1h@M;w2q5k}If+*Kj>rZX@aS(#Z-T4v zL@jb?c3N#_$fgb(0Utys+r2};5j(b)jUFRiY8MDxu#m;jy5LEy!Pxgcy~PAw|8SWm zWz6}>VI9@Euzh88&u2V`!&>xrnr=9Kp*wNt`Dct9cV!dTO*EbJyaw|<2{ zCPIC`7XGy<`+)B8qZ+TZSUkB6xe(u?wJe7tWc+LTo*=0rRGgi=`LSM~;_(hbm|-U4 z*`cgP;1`(}Dxw@bA=gK_vJ@_;cEKdVeJSbqDjlBngP#hO8P(-CfG9e1E0{3ugS7jR zuPzilXCDN5!ft1A8h>-4I??0>@2-zT16l+y^UH4Oj}H=^3s3ld;$YSt_@jetU%_HZ906CvCf2*kZCH)*DPP0u)(Foc$VguZk6=ps#a=*okP zfg0b?^dw%xDC9^AS7l65uxKGfzefqQRnjz?rI2xG*&cZpC_X2=0S*35UAmmo0DVR| zx4TMI&leKz`O%Tpu1;b>n>BuqSe^hMWAtlkBR5kGQ(l~iud9^4zQ1vMrbItF#t^c< z2bOGi4^q$DdysIP>toYH(d7qxV>Pg3oZ2`nT>~EE!m|cDaUI{``l!pY#!i#O*SFqm zAh=|(3@RT|3vU)5G(I+m3|)Th|K0rUyZIg5O#b>ocI7mQdGOopaO#y~_0v@ZB;nmr zp!>tm@NTa{lPLg`RaJEpI+}}(v~nHaqThGw37Ev;JQeyzc3%UHJ(oP1x-ne5p9k5{ z@^3)BHc=Ebe2uMQSeDK2RyGW>w5N|PjXq~lkUptyHl5jS&pdmRF za=j-Zej@*<8a&XL1vt}f*H$GT<&<@Jz4-J@>|nvdnTz%~_NCEi`rfczPdN{aszDJq z3n2InOhkxsL&n;_yx0QPN?r5mt{0$?&){D$faE{qx+GB}uVWGZ!5)pJS-Ql`w%+Dd zbl$3avWg0?`$PSQZh3x117;CbQ-Y?CxvoL}<@AOy!%DZjInPqvXR3_^^9%6#yt>;c znnsHJ{5J?cJrau_?J4cfKL4EEK~Ca-pU%ynQ|6d3SPj9Fs%BUn9ej+D_5E@`63N-| z%VmC)rGtK+veY>~&L`8q`kld%1)Ao2CPD8AS8cSfnf|HdTcgIQ50?F|;-dg%r8@;m z2t^~o=`stui#eUpoUb9Vo!^grCgE27@%59Jzb#VhA+h^!ge>h zff3fa_a2AvJQ%MFVJ&&4A6>JUWN1G&jI;i27i(L)1b}-1Gx<5q)RIh{SRELUs 
z3vRNTZuh2WbbZA)?`qlGL0^IFYeaWuw5&l4E^h>j7o@TLUrCboB{NSg>fX$;!*cY8 zlVa7Kzt53p5%r!v8%>V5d?xl0<~Vm*SRm!QrD@oVM?*JGT=2F^kIJs`-fA>=gUJHvIIN zK}6*KXH_SDkFGnqznY$Qdjyr&NkcxTNCDqs>QsRZiJ%{Ok#N-QDmaR6C zP7WU^ak%&>c}D1*4u-z|H(~gJh4@cY1BUo>5adh&y>K09u`#7T_E{l|cwnOKccB?w z<;b2PUfj;J!z(>j``q{l#SpWX0irRm;I)`?ZgcCrh=cgDcpn`FVsv4D!mC%}Hep9| z1-pRe72T?|FRWR2NN#5JMrF!)dK#CaN)RT7@mMF%q=4At(BSSH(4o8hC1$hOggVla zHUI@9nExpjq^s{iV^xs;b1s||2C}kXD;Bf8TD_J`MY_I)DWw{Az&_S>{+<6Q?Otqh zv^RAYAdU_=RWYIKJt+)$Ot@?PTU^N*&*?f{y(NEZXq?EyA&a=ijqL6-2>%MakpM^%dbzr0zhTpSPP zoK5(-*X&gmGKeuDJo3{j0ULfC`XaoT3kjiB&*_6jC+r&EJ)%v;r7GiLr4C;Kbu(R7 z_y(|eM^)X~kC7XkLnrG~jv{m?AJM@;{ZjTBwu)*C^sxfQ+(VE!E^Xh&kV*JmdG3T4 zQGvnhA5U1kAD5y=)U6Q|I(y&P_7X1~0>Y7C z&j!E;0-BpEUXz%;%j)vzZiF-;b;eW<)&u#FXK!;R9@X?r zjYXq>{qYq#EYB;WLald@iTk<)@*k?+@g)(fX{NmIbohS;V{>olbsj57LGr}7;6y~i@ZMuSg+ zrkU+w!maXB-DIqd7|*3WwZ4`Ag4|^n>aJiOiH6;1>)p$tz2|KTGGo3+0gA2xjB9&O zFosdgFH@ENI0U(FEk+w?{j%rmRmOxky_Q#SU#x1p%S0E`&X`UrDK%0UvFBE~qJ_+9Wxupp zx!ynoR=ibAE=MdDVo!(t_Yw-`+hqgh+bnKHAH$ktEUGl8{RL2pyl?y5pE*)?t>{ZS zskgvSRY<;G{ne%OCFOL{NrcH9hSBo?pp;1-0OK`{J%ARKrCSd1q<=W$N%C{_RlE_l zZy^nuUHdYedv6dFbpD9_;M7Taxh?Rmj$>q0ZjK0lnE3maZ0G*sT+)^66QR_Fpy9~m z8`$-~5cP_lH-pV+jY18dCoHxsoC4$Wo&o-;>0bV`fvY`tMq=2*VQ<(nAm>i4$QSlk z^cuRH`!B|wZy8;`SP0_+l>JUvW22v^g=jCd4h2c34)#v2wSWvSk9$NUV-!kZh<}06 z+cB!#4nqY&d5*9BcVO^&hzZ%XjRv=WRv8GMz5^SvX-%dc9fc*TAS!_u6m$mUnsk3L z?&N2C>nL(f@(VdPH&2jGGkO5=Q+I=sj>e1aFEY8_kAo%ii@F^#%i0mHGee#HLCp6B1al}wP!W7+gKo&SN@*sO{RvuSCh zVlqt#KKtrSUF&!DzfDHlU!z>4d^yl;XL*M3G&3eeb9VgsoV~#^t+QOJlX1AaP@iXl zFf1bm$9yk$g>gGq>|RhE&usai8l(t#5&`B1s}HMJA8|f2*M~AQY6c7zGVtn}J3vWWHM0*u zoWZ{=q_RDpWQA{|_CqE|)wTIw#W1EJFky40@1OIXEA;FZd>pLLoz8(GnfTR??vxiJ z;R583*$Yu@&QAK%9@1zxxq&hGBOLg(rfXHvMkRpJYg_8&R*Z&+jit?evCd52#@6Gi z*XVPMvPh1U*o4b85zmy$LhekrD69KuO?WUbQ>)LJh*J1!$2c(QIh@g7z9S4(aZ}Qi z3&*lp6o}SpUJcT$0{Yev4ZVTP?L6^VL)B)@rB4Toi>w4(2?KXp?srR*fk#_71>*;*HU|*T$C12*uK5e+2g9*xeIQEs?6$j_yYaGa5moJ!p-o*NxFuUyGL}WDQ z+^eayK|%SgVS=Xl!rg)WRu!1=ljg@*qjwfT!D07GXWC}sz@9@}$zRxgKe_yLIk?Sp 
zBHK|aDqs4kaFiD)6eYg&s!$eI)2|<%+nf_9k;jVs=lLzYt)lqp(fly{qyNI3zOk-w zOf}Yx*Ii_WdmKJRmbIo#mUDh*>kiKSuCr>7YY!gZck!k4;q_Yf&Uwg6cGgQN7OikK z!4+%#9u0q_N%Q8jj1d{Of+f!*+H;@h&M>O4-5oySpdz_xw7axW(>TvAd_+93{Ng?0WM1eYd93ta7Ks zRrwYapA5`Uy2g9O;E8GMIgy=hKmVf&ZH6liPy^-S05E^X!@Cyf&gnW+yeOS*Q(~Eq z8S+px$mPoT8?D*UgU&SKtal`xRh86e6PC%vgH_m@hV0V8%foe+fgw0SB&d+ry2ciZ z$EW2xZVEwe#nw{|b_77%!(+L?jj>t3-;lIJgTMWR<>_c7zj!g@8co8OxaYhe19 z%xdy&8%3Q2@j_;#EQh+zbVxOK%fnSi`07zekJU`piwL)RGsrcjKdS}m@kBf?js;nj z$7>0jAD;&&NSY#DOsCzg;rPkz+N_|B61-4#Jz#FNw#whH^QCAR(&8>zWFuFZ){=c> zclz1-D97xoEV;$=KX6`_Wdh*VcQZG4k~D3D1H!{wtVgL*4`VmG(gE;1BazL+ zW?h+YpUxJrk))!F4$UJ$!3QM~1vu`uFvQQb#~lkdvOivGV)DXuT*VqX{1FBgk+HtM za_n4$#ws9EA9C0zQV}>%U7?i%WIR0>-s?|&Fh{6#mp1Zp!eaC;kvuK%_kFQu4vz;* zHwm(@e0r;pEJbm@SH-teJPkKm><_ACv(8;?Wx%JYN0QC8H}}YIVyR@Z z+ylqpwGGtI>>(dGaAqA~Tz&f+sO<-srKp=eZ)8G7VWEkat;f%g*1(Eeo)+;NcVyjj zSOz4-+X1z>zZvlVAFlu6huE|N#&Df5toz3j>X|8eLo z@a4mVN;iZdi1Ifu`;XIs`&vZ(`mif_gbO45?IUldFICdpqa|jd4^-Ss7OTho=c?yh zmA;+kYoBwe1h&i{hvJ6_R&-=PpOKHy{hYr)t3mS8PUYB6EVdxtvW;PPrq$p zAdBdYIk+q3D8~Nk9DjiuF*_{wsujmm&|8R z3E-dg?29Z9Aym`Mp`D`BqgpncYS|q>SuK@6=TMq+kJs4;=W>p0hhV)ixxXw%^^o`C z@qdsYNki(BO2**eauYtNNCoeS(M#kB{V&o-b@A`- zkDNWSms>flwF&zRMYBzv?HE=HTa`nT1q6kO@iJXvMb(S0L+DuxfPY(dyH-eAvM9zk zVGFNNA?q>;4=bcTVL9C0qe`q{RMn--FP#vVamN~_QlzrKftpZh3q8$U4XL)KRX5Vf z-~|`#8=_Myj5J5~Vl1oyTrPddgDe{;h_fyW#jm+6QVkz@_;bFULq3@tT%W(`#!NpG z5ItPe!d@heJ(c|+!kytA{L+H>2<^PJF*`|AacT}Kqabd@cpyDp9?yhbWzuy4sVSR- zcj%nS@0S<5B!?%)7P{v|G7O`$QuJBj)OxRbPT74cj%q)QgucG6qv_TC@ZkFP2%^+< z0*;Sz(g|SCc8y&sVkXk~UzV=bymp_Y#;%42cgU#pMKA==UhXmJ1SnNIg?9e+f` zcCUBPVak+unnj^3#M@2wlLi!c1*_UeU3e#3DM^7qq&O>d zbQ33F>LZXk5_QpQNd+W~R&Or{C62R9p>N5!{M(3G_@gGSRZ5N9-EP zIhw`0e>vuchmMo&ZDljisdEF13p+~}oDKlZzX6yagBuXtPHcXA{8lKD;!k|qQ$_43 zheyl~levQ50x>L+SO12|cw-mOa;hEJUnOM#n)cLX`bj% zoq*lI$HIsz05AUAmHX=%DsO@^eY{QnST{YP2a}I}#~?km%EQOj_6!HmFyu?_m;43@ z%BXPO%fBBSzFf>kzfNrt+O@%2E$NjtKZWoKgGAepvfHmYS{aP=hk+(!G$)8zUK4sL 
zM;Ig3Tx>b`EXzH7nTW3fE&_E6f2zonQb1*~f8MCYCd)At6)|8@duGn(A3y4KWjr;*Ec5?PYr7Bsmn z&P!{kzJ-(Mz8hkiawd5J>PX3X9kSo>IpU3r59l2M)X{D_tn;1rt22qNaTv2~WZeF7 zz&l`7Qc~y~xjne{P_nnT@#fQan8S0oxjL_yKZc-rfY z&V+%$Aj#H=;hZ=lJ`$%CpEO!paZM;_N%>J26i)FH_A03wjq(|x+KmKW4%O2*p37*i zykUH$8w-zR4+YmD%42Ztc%%E+9)ODY`yZ~D&>7-)nEcqt5;=Qjd`@~lkE^Iw()6t2dI(>|7@v(Keu zp)lxaHRw{O*>SNtpa8L0m(iOAG}`#G?T{HViA*=ZTiz90*M869Oa_lf-s>}n%Eu#* z2R~k(FOeirXa=aT(Ma8~O?5+9tvs<~U-kWuLN6el z@tWv~T>O$QpWJ>mOec{OVP&+G(jNZ6ysIhUH4`;|$+asfk(&KO zcrt{8!m*9BsS^V_O}YS=3|g=9hvjNW7fA>(X&)i}$ixD`iK;h?aXwB&dSt+L+`bm*S5M^rzCv%JjIU3-d;=yLpeUMh=dp5bs(!-{l3;7GP+Ui7I5 zR;Mq|jcZCh_}brz$>l~nEpItJ-mcnO*3QsiFI*BS2nRwlk zba#-lx+Zf(P`Ko~lLqDH_Rl|oWFfHuY4aYZptVc)GM*orq4(u$gZtn>irJ!f74qz7 zw;AV0-jkf-_p{9R7qZMv3V^IVJ5GyFBAsr+Qf5O(L4io(bp)R#fs7;df0u;(1Xra( zT|313>I&R>`1t)DA4(vT8>KAarlDUQB`SW52s(_UKCkZY6*qlbrB?*w$g^$FG)e;N zZ#T_zitPn!__``l;;NLEgg$ ztwf>c`Vyklj>3(XQ?O_7TTJ}jXyac6@sK>PtiB%P;dq#X|m>|ud>Z@%WY@Q z`DMg0u^NEWl61+e3w?4t^9%9G1Yv<}&sUAeRx8lu;?5ahqi^a~o+rJgE_b5rVE zN~-7(2k<08xMa0qf4J4_V4$aeC7kZl3hgYM4Gxa4enw(iKwlnzZNDTnZ+IReksFNTnGC$uW+Q%ZPR60*tJ9+>n^RNW zS_xuo_ag!}hj+tu%F^<%{Kugo-e3t)+#4x0*aAwS&NKIBd1ou#W?VKh-t)L-p*hnv z)<=jD1-D-rVvPEFf_aP=o=96DRPG>2IQD70#B8qCMe}OE37S$s%Kb^<^3 zUJOrdaiM0X@cM?&A{)J8jc(JKGsMN4+xt430HX_hdMEhQ)c5_k=<)oJSU@~SBqMI| zzz|u>lf+&aOVtBh@5FKAZug+e_N)sRms>UR>-C(NZV5vZh!mP&NI=~=<@lG;`0+X) zb_N?XCC~~IpYN;eea*IsVZ2VV?@wk4m-q z5BlrhvyoVc_)B%r+P;jghpPgk`om6iXzPN#40=9)wom_2WujmzVEZ-3hhSy28l|uS zZ8I_${|%f+2NT*t3a>=uW9~pz2!MD`rCI0ryKYY5?KAu#i zTrzpwv-_6(WOr&GDXmckf+v~BX%*r!VNraAdQmOa0T^TH)yCrleL&6M%|diNY)PRO z8={Vx6iKfqXn89u*>i_fX*+O9I>vPdRJi-}UZsH$YUts`H8WG)`O3my8JR#mgSzu! 
zz+X3~0mlLoQ<6p_o#R)zzcQ!w;o){*XjLYkjh-l=(c^_*m_@ICnOr-q5eKikQS}GE z`MGTT@lPp#T`|Y2Hh@FHQJ0(8izrT>W7^3-j)Z1wd+mwvyCh6_nZe;saptp>_pc_b z`4koS(6#pf#Y5hdjCJoZZ~0r@;z4a-t7Dew2q}|wNo@@#thM%+uEjqMy6baME_<*Y zAA_Tb?@o{MET;l#B{l*k2008X*!=~#Rf_CR z%9$6SaaLEM4Z(;H0JMiiw;Qv5gnxwM4(e{BR@m)&*^npQn&d6%_5ef7zR-L5)tE%I zr!rYwxE2g_2&^-BPP6vir$lCOjWFC`QqCop-e2hR{E+FLWs2HbPL;eeT9R@!k>Du& zn0zx95XT4WwbK?>)O!UBtBDh|yv(#Un%m_F!2yn>NY z*$CJ1o91{lcrp(>Fkwt2zgmS%fsDX45IH@ zI_vm!B&1vWG7gBj>tdM%a8+=AMyK{g9u(C+Y0yjV+ktd!*?#tgO`dgM=xcrUJaD|_ zYpc&TT&itHDb&W$zRjg=V|yZm!xwC6vE0;{`rt%;iiL&&NkV9i`L0Jdki#L9$tb-Y z7+egIV?zIh6W;_6glbmB4@@;lb;guO%=rdGY0#0@qal5duGT!&X`SBlyj<;T5w7wh zb1PE({2i{HpLEW&`QQjgzOj&VqG+O(KErEwZIG&03A<#G_u(Ts>}s6J0pUui*8LqR zV5yxA`$m_WecwJp`VI~_LAeHZ&Rpd?UKc&x;iA>lcGNzSI)xe4>^03O-$BLvM!FOt z>qr0-ot{|;1-axjDOJZSwxwkxjPL#dm=;qxN55<8xWe+ECmBQCo%H8_eD6Lr^@DeE zN_4wj2{l-$J*Hc-`^eqRE6Y2n@vkZj|0yN*Nkf}Epe$u{t?~4JRAgzMj(lKzQSx8( z{8DlP@gps8U3umKe9X7*6R$9Kc&5t09wdrk!FG^0?%pTNi0A}2O%$$WJH2s1_Q2&W zY{XDnnni=onnO9GZcTD|cZQjGWz`Iwu_xRDJ0x%42$&$;yT)B!OJ!# zL_A!$vF^_Hi>mE2{k3myL2PhGYlhmVv*irC^&HMT%|=L`KgNU=GQq?ouzrDsFkN{b zLEqK<@#$R|45S%F7~buc@m=XR8o@K5WS4$f=vNpO@}|n;phpP_TOc03Bb~Sw*JVOO zwZGTtI{5t`(yBZBFVgC(?v(I$au3+ZPH{i@F`%=kYnnk`DhJ(?&X~j7Crd47!9HOm zplv@xL+~KLeK!wF629^)q}H80r3xN19&!N;WPYH~P|T-ygzU&?6g1XJqu`LBx0#c8 z6|Ma-c!4bgYgbalL5hD*j#^@N&3`6ia46~1`m>1_=o76cF)xmhX!R~XMWLh8J4Cj_ z0x=IAf{jd+(}Ze-o`bZQb=wauNX5U)rM{cA;7)f-qGCL0I|6QZ1%6kgmg{axJU}=~YjY^8NNM$RlIWq!M&! zSWyO^tj#|MsM1GxbJ0qpsuez`$ii>n&W!r$t`&s)K?r?KzMX4n1pm%JqD0LYYy& zng{&`F7E}3gO9TGJmtd8-&^YR%S-zlxdWBSW!N{&1| zedW7qlu{U@G@xWuxESc&1x3Fm0@Sy6>yVxeXpu*^^pby^Rf|}>DCrF|C9(W5`Vtel zi7TA>`|%~s>rOYJ7hQu5lor(WTffR^YV=d2QI8lpRQ{-+rFyCH0*efE=O6qkb`CU~ znu+5ho;MbhyrC%R`cNM*?cL#mQ;KH_b}Vhb;p-)Vj;Hrp5X&cJRI~R^O}ENd)gja+ z8r#i21^#xmuMJ-lOjAw2Y51k!ry3Nfc*7(Zc*iH@o8`yrKC0&wY(bk+SovA`#mj-W zz%*5EVaa{HXx*@Id!HQRINWf! 
z@S)u?RBwFs{^We-794BrGxsVYiN=`tq*o|*1N3U7SOO^^aKWwFent-V zrs-eOkP%#f23?tqF3N~Xd7@+#wyGSM{;vBLh@joLP+H0WOL46dPN<<@>#Vn`civzn zoskcdtxV$rt7}kRNcl%kzi&-0LXqNBeF^+oh#zU|L9_T|C*tYU?fFiE z9?@5TLt#f#45?~>=9GspxEs7vH&mz`TbtlT~?5!;wPoiO~ zRqiv>Eb=uak6r#chGFI9(BqXk>@I~Sv6&3H^W^z2-jnkqM%uDhbX@17nJRS;?x9vB z)eB%X_S;fYE$Kck?D8;-V3m%KL6q|OmU=?n0Iw*QB^tL)X4rD}h%#Dvo%vzX zs8cI|ndx>G>Y+yD1`pk)TzC>K9l&bZc(^q5yASi5j3@I645zF#kbT!m=)r>dmm+SN zF0+(mf4HI!+T_}gx^MFP)wqqopoBA#4 z%G2fPXk}dA#+`Eq((Y?&8qPTt=o;shsD~-CyKjTH zb86}{GVg$gtdd^2>d!8G*dGRLhcTCA&C0@T_E`V=o zW4O6^S%$ek$+3G}Kj~(lDuGGIS5X(=$a0_LxhfZz4T~(XaubMnnI+0Ye&evBfrq{i zips}IE~aQQIul`QHVrPr>x}e#!Z>O`;Niuiv0L{dtg?w`uwWg^wi;N zA)|@GJ18Wn!r5fr_=qeF70-YVv(B&T?^N{{|JIXWmxAa969;5bNp%kyJqA)83&jy7 zI7n&ZA92>)|#pRzprTo9DHgxf9(?5d0guQ7a<1=z``*@pph+;D5 zol)yi)jxoxuf;EZ+;p-8Av%^5v&60uK-AhP}TThSwnPx*Pv{b zzr-CL=026!he|C{fyW07%Bc)?s2zFz>3CS+cYkwgfSO_M22{FU7vOM~o~yaFvr$x5 zGG{!zeO>*vT|vc?;rjG-8eoEJlxH$@ZYp4Q;caMW812c{AP4N{JzQztU`xm`b`Q*U zU{GLeca9r(q$qHw`=cncZ1Q(-{xhJw8Frs8X60!Qk{9JVx7lnsrI3 zb!SU$Q5~Bn3z~>ycZCG!`J*V*X>xi}!}Z;~yj?tUOkxBnU%Fj+P20>wAz25uIRsa< zh_)8LvpotCF)@<(y;i#Je!?oUtaXSsQ5otb*Aw`71A{1@r_ZKxkL&b!ZO#NV3cs(l7KJkoI8kG;=){mQ$vyx0I`yerwv#A~wRM zU3T#d7jwrbAjEh`nrxBq*K>rgwR?4;gnrGJPb~4-FyKcm@4=o6vvSAv2LbpNOiL{{E;i&GmvnGe?GA%fu+bi=<2xc)aBPxsyHt09EP8fY@ zqzoQ30Nqya8f@($%5BJLNjC2Lxzz>!6NG03t0-&Bjv5uiZ-iI~kE>>Ub!fEgdLBP* zF+7$Mr6a~?o28{w*8fA;TSmpztXsHA2o~Jk-Q6v?1}Avq!QI{6-GaM21ZkYc8g~!w z?ta;O-*dRlQe^ zpg@Ptp`g0u3f|aD_U%|cw1o1K0DU$<$i;#y!rmGpWvG?FjT4iuiHAwCL6w4}++ok~ ziAsU2r4~6@v&QK7U>LEWCE;jLUmA)&)0q|#<<;v6cQ+=Tvhc=yQA$ZqJ0RtCy+5g6 z>}jN!=vzv5e_=3MywrWxD+LH$2ZNKKOIce(*3}3!j(svw(uT1|M(4;tnr_82+|gc1 z=X7&OM^mWRM**=MyBy*bV(@0O+WKmaPfMjMAps1+F)6gwczm9+ew4DJ?>HEe^I&(L zgpBKS^~)mA5e5U01c~Tnx4{d`n5k`&?%|Ea1vEeC}+7=CIIj z59D+%oOQ(4cZh{cslsfZHOy%;uok>*G>W1$Hk zdP0JSBU9W(nBY#)B~XBcThR}7Uflu<=MMq`raix1gs)v zMPJet-XT|BPnEkJ7kJ0|@#pTwZ~ii;MwDo(`E@_uT_tMG8wz7boaKEs)vet0D=&X* zC?4U>k#ZZw=e;!ST3%)VpFrFCc!j$2_fK+^TIiW_7f5F@$&z}K*Upg?NC>|U*j!1O 
zkZ@Lhd~2Rt6zmirEt3OXCuWi>AXy$lokb&y5>mrodxEOEQ|~lKrH>>) zPyJo6KlPIhf``)5Oc_)6PGlk-loDQ$?5V`MsH8=qTny)ADjwbC@G_H)7iy{+Xu;dLqLC3<> z0BcT-%IQddk9>n`drq5%D2yGNk>%uDBSu^Kb0Ldb@_aNGmOy;j%=E90p;*R&$B>oG zt~(QrX838Vu;H{!lM$z{D6Hpfs=L)Gw-W5^t+(m#MW+=| zuvoJZj=JpVW%VoxnFhN42Lx#%ad93Jh#i^iZf8G)NPrFY((t&VqQRktQ$B&MfxM`d)lgYuZ2T zm&#tVo;w2)N4X1veXTc1Qr~{ZknOlH#epx6{=^`V-?#gUAZb8~05>vk2*cd|@q+pn zSVZ>)8WjEgGyqAF+b>F~kvI(*C02K8kY&;ixoI*y&a2( zt=UNFPMTj1(ZFhor(_QE2B8yH8-1(sled)(aeXIkp-CpBXGpNoSRFU`l-9kRdN_*f zcemfcM|#S3#e;>NCk1X)Nv7T_Uc^vf7>;1u&658E+RT(a=&RNwe?L}`xaHnvj5yI| z=E+y|n-#wVtn<8=lPZ4gKZPVFW7Lf+^%%NKT0sv})uW<~;MSmXvR_+~6u`r_3`{qH zIBh|AQ8{Q}d0>|LZtwoY$4PfYs`5%0IKjXM<0i-W)l0?S8j=&$SNIlvig5y~p}z&Kl!Fh>l&}1UVS2 zZ|3&w;3z7WP$QP+sGa}u0$B0WHm@@479Bp90*SM72Dxg7)Wc@F-PXwA2_qe*rU7k)vU*a1HE7^F|@Y)*&5Y;G;nCl_bdK#2l~x0Um%JKA?R-S zT;DdeDs8?Mr>Nae!T4vj3{*gtK<`dKtCz)XdT7@pvi3?%|8NUoZbZEQarT_X^Os?a zOIz|cmBA9?FnHA44@UJ}gtd4*E~>J3$&IuF(&C!)?{Ulo>8xr9O)OCAwIb}kCIT!u z^&HKl^yDQ;`)2vuJSXHuZOyIye6jN@-Z1jelbZD#l-HaMFK1Dc1fV8S!*z#6M$}4m zCr<9x*(OkQ+`9X?h>R<>VFQ$94qe;EbUTpWVt;>aePOuqE-Zf5_1B2wf>px@E^x#H zwn>dEKL#%b`;9Uv>f|fy=;7A{E`ryBNDAw!_RV&#IR0lx>?)2SuwaBz1(Mwok7Ni@ zCK8?cH_92J%UfRtW~jTqz0+judZBOU3Ws7y!^G3uj9$;bNU~w9B|vxNS#M@R{`{la zV8NI(FdEna)5yjfW@=9d>_&rg=}k%=h)owW+5u}{;eaC9avP-9LSj0_witS#FrVxD z$@k)NsyptMHFTBbm8+}x<4J1tD>~3Ct?mNLY?ClI3iS#lRa=%J$vv|o463Ks8C6*+ zkub1&9*c<$Na}~@AaLx5erSmmU5{v_LCY)Yh&7%JwL_eaY-^VMH@u9AmQj zy8mj&x6mMkWM0`BB=-Ca1lVB0ZWK&{W>Zi*hwmlaxAS4BX&E!#eRG_T)L=tb(S6ljhE#xU6 z6@}yI)BFy`B}*Vq{9UTzT3bSto%;se;jq@UBTL|gffEVli5pbOse_0WLDMGQhk@$u zdvG#*1oIOa{|)L#D2e}(LlX1lrje>x7rL0wBb1hk?r-Cen@<&~Hh+0Hri9V~1Zj7$ zL=!j8bx3F0UiiVCU{-jRVs+?TLgz;|)Hs3!#bQMuNW-XFPef zcfJqDuY8(}c~vn6V|e&Q*e4z~*|;`sC7IzUOSC2Et5<_JuDde+fYh=Ch(E*uE}FYx zTaBEk_A}NyqG-dpqG4uO(!;k7rw4o-pSMVpbcPF^t5X=3j*zg@u6&gNWcnO7M4-r0 z6oB*`KZqAGzdfgPo`q z=wC_jeTj%nQ%Sm--yYi5)A5Xk$kLYT_;7F{SS;OXp>E*wI^^vjK5o_#nH?tP~1F$`+RFRLvRmI+V(h1 zm5zt{E&K*0kR+*b`YV5uEq{I9B*ifx^4jLkCWg=&@30~VHhwBDkBze=u1VS*e!$yp 
zP1F0f-6}F0FAUatmE`B^ojL>RoyG3!@kg|t3k4O_oJsV8RTH3=&%|#{W$hS=0F9q1 z=92M#ZB&+-aI{8`uhUXWEhAf_X+gG#+W{@|6fkaBWKf3>+_9>mWNBwGL*DulKXSF} zs{Pe3Rx6gs@e0D|rm@PqJ3Mc`EL~AE3rs~JE-W0!I{#VqjQI#G9{y3qLbLDKzfaV= zywgR>`)I@3Y?Tt#ebS0L1e3si!U5j!{0&e3J%-YoE_QO2+Zo5W zze|ou@MzMuku8R#uE6eSNm=9R4bO61q5CR{v?JXY>VCuitI#AILUGLzyBYQhe^d|G zz$A|)+9Bj9iq*3Z{ne14ll!Z2Vf0xD+v`5DvkZQ3m?oXQ4KpL@1gNOP1xVEyUWsyw zDX4JDIfB%JCz%~Df^vo5* zAmQ-W(n{?(vJ|@6v1g>e2Fo66j81k4dpR5&h!YrRtl?jed$mFa+#zS<4+aqpNP(VB z^K~Ud24h7V7L{j#50Xf2X*VL~jPoWtxg%P!R)MgANu;XYdfL@hZXXM86@B7>D)!=v z{)ru<9S>QOs&~ua%PX|76g}dv68r(Rc!`Q8B!Ovk*-v5_C*jOt95_h0}UxIsFx z`=Awyj=?HXMFnMY|Cbm=l%#RbFL(Q|i0jZHa2fv z^I;9cWqH=MGN)oTeK=p7__yqzQv_%zKO0w znREQIf@3GOb)g1n0D7y3%V5~OBCbry#SrGN4^rZSc1pD|-2QGWtfON1`TDUjP4lqF zaD!~&x;~vrZ&LrfglQF9@f^|?E&D^}Kcj}>PUb!30|S5oiaq<-Pzl(MuX?6G&`v5XS9u%xSzIMiZQEIsa3{;I!thk8TJ6TqbcZTPmr z6pxkPh#*fBS!98UTYkmK9XVU7@xpb>AeU|(l6UZnUkxlLuWXl8+K+6}b_Je381f@) zKN^7n3L3$?V?!tmkkbC*da-_!T50p^INSMNPbi`--wOO0b9MTt{$l@Rf&O#Nk823d z4DC9tEI(Ae%?SM#$DzBBIh;j-kh9V{a8gSv@R~{xW&5JLEWNR*jDi#6UIce^Lf;O> zFJ$Gro{h*>PLGfgp=d1l=PV48;qgj>x}nlKqjB>3CkKbEyllksa~2=gmoL8Ez9%6p zPYK%~CVv>3=;sZPkvRp#UGl~~c^_TkfPPTOM#zn`x1uuJH{bf-ra#P)s-ak)AyVNK zURl^@)ojxzDeIXqcW%UMcKB)|$19GPHGjnM8%iR8b~T}gJ*5(yt)Is1Xhq>fuSkte z=i=k(SS;Y5Y6OV8sEGp$^tivg9W&qjOg`yJ4HGfnn<=Fb9eUV=WuBeQO~GL{r*jz@ zK`%VT306=L1PLsC8cc2qfMhTB{{Kp7a-i1BhZ z9X&K&Ej}7w78Y(DX$ty9%y&Y)g(f-kCM9tm)UHHSQNz>| zDbqCq{233?gbDgzl&zdBgw&F~XsmPEdxYbzJz5-QuhU7m@u!mIiddT3(_+Eln!iOT zSF%tbv^gv&@qHQWx~?77fxrr|s&{5EZj^&QKrgzth5)o|QNhPRHJT(g|JK4u1qsaI z)ZZPa!6tBn?Hp8o~qg3~zs$`^yGN4=miKy1^}k{eY~=!jxZ88LGQmd(qNz*P}!E(9>pEHe!$%8Cif zdKf&CYwfGd`j*O*{vakd_|(&i&7S0aSr;ITQmP62 zM~F?A*?%dFGdTak;Ff6wzHkeIdi-m+DTqEp8a7wpJweFbR)x+Pg7A7xWp$#hhFu0F zV&{b2Jj2NuZtKGB!`oZ1vglZLqI$<|`N(o2s3UWqLR)%`ZDo&29GrCwoH6`K#@urtIBq(Teb-%hfnm#683S?r(zL-!pZ5Z)#F-0V3^2 zJ#A`#@-Dv4jkdnJQPQpen6BVQD3)-A_d_A4vWI)YW5ylH>IIF$w!pT8Ljx8UA+rsn|qbP5^pUoPKGlDJQHw{B*Y9u-0=%U(?4Ml0JRl ztxqsDLcnR+*N4OTg;<&6uV`ba; 
zaQD;6Ry2fn%nn0i8k0@b85jlO?l9f+6l`o&m|r$Qxz(;)Qs^VRg2z>oyp4o-z|Nx| zpZ!#T+ukgXWdUV&_Q<}M&u3Z3q>*-ELU?X#>+~dqy1{WBak$C zhj}$yB@zvGuvUW=nvg*VZz_($%ZCyRRn)bJ8$(=k<*>p#?+$BUmplqkU@4w>k4t_A zLr0V#>Q#%&V;m_gMN|Y5tmo!64zdt!%2QC?|)qLKjW$b z**vb+K25)BSRTU++|{Ju@FF7u?NDuvvl2}1zFcvZY(4u}lSAOpynVdxcOCoaxjQUA zSBmx>YWh_(R?|%Qn}A`QkPyVKBdOv6o=Y*AZRf|sO_*<9;kjJvmM!6c@?))1afB%VM7~KEag89cB zVdKk}UgA4#GZQ7r|62H&@1yQlsEE%0&oM(xawI?IzZbfE z)PWI$|NNhJ|Ks)_7>Mm=YU&b7`O z_Wz$2{-aqwf?vmTgf*2e#Q<+MhtJb;0Xu&_TRrY1O2lB zvZXRNB+GyO$^DNBKI+=nwWTho{_BM&3t?aaH4=Mi!v5j^@_+hH=lr8?@pfG#KCg|c*hBK8uKFGm_2s``n4RY1;hitE`)2r$?)^W#wD7No+y&U8 zn0V>>`SB5>mK_HO1*1uy`+h5`ixZQ)a4h8Nk*_eiRfkMPs&3yma;pkELGCLD5ExmX zG&W~%{dK8@bhCAv_K@6vY@n&`1Ha2LZwVN^dht@#yH*zWCq(({Em|?-2Hw5xtFUpz z>hxhuzirDW-L!@IjO2(w*%B?DKee4W&Mmonboc_Qzqu~H_p?P~nJ1Pf+_P1$n!z3R z4E)F%GIH3Y_13aimbh<>aZ{%~ft5YS-?%y538xC@+qLa8Ii4~^ueRWyN`{5|=7`7D zVn3){mU>rH(q^`2CX$seokNN@s$w*w^7-UlA{dl1wRnTd7QJ7glzhQiw@a^g?UAV? zBl${c$;Dd#O>sX(Nl*O`g&HaQid0Sv;d=H~lbB!8LWKIF!_(YOe34n3%k1_>cO*O&_2zKu5_+6QRoldDbHsrhlZG@(~=umt#CQ)v!iP8$p5(L4yB|+$!{)|1YEcD7?Rg9=P{@&9^h|HkkhdYfu=Nndo z8`3qTSs7`iJ^IoK1w4_H@=2 zlAXJKZe?AfZ^Mi3ROlOHbN(%q-`&EpecE9l@{5T*X`F}^I7A0Ysg2Wlz4qK9?N?s% zA2wIXO(auIIGgb+oE=jjU4h)DyOSGe-^<2idjv$0$_qL=t1Bv1n?e_s*wM7;)&~wy zj_&5<_R!O_9FPbn9s}TO4(h+;Rj*UQy2+=f@N4W4f7R4 zr0(Re-A@qO5P~hwvKT7kscn|dNZX}nPqXQb+w!Ttk_pF$M_jhZvI+`=#XmBA>N(5& zh30oKbK^RM5KYJX4tECi0WPa${5E51&VsvnMb(JT)is~~aHx~9n3NaX+)*V}SC9Kh zD*S+fhb!zVoR~dK>eb*csA_A`vq;u_W-%m%CSGuYC@CxC;DGBsXo8N@(~xprj}2wb z88}NA{e*Ba?7Mb&;m7hsN?i&$vDe=sBK6i3{DSd(9sbim5YXw!lRcI|`Gtt#B(yJ) zQ_+j0exn1TAoOG>qOtj}$w&M%iiA*RL;@^Q6140sbn0RNugQfHAW`d2;&iZ*cm-GGV`OlZ+k;nAgXjsGB&O;;GOp$oc?HuX{&}2& z(HJfzN`9a}`wdi>Hkw^PGA%T++h0*_)XY&k)V@V4ZsAy7m(CeQI9T4B*4E3Kry$^M zQ$Up;v`%>9zD!PT#f%r0a3gD|X6=7i&`(_GFSBWTjRgwNZmI=`{&{gG`^zZ#oa3M-SIDeOJEWD-TYEgr*!QK!)Ok%`a2dre}OY)lPUL8Xq~I z?I4&~)ow$14IG(2QLuT9y|}$s$JkYtfbdR;{lTb7Zs_n>UZ+IU&k*bVMtLYqLGWyy zB(K8SHan$N2Zy%sBIA}RE 
z<~F+)|HGi#Bp-KeF_cS~lJOcKQ@?lyD(-9SBqfM%CI7@${Q5(y@1RlvJ{8_f$Rd-y zdjA}hwUPrO`Sq2`UBjRgT7l3KDzN8+k97W)SRq8_vbBFvuzIvm61^*3V}0v3T_d{f zJ`G@E(Qn#C;QgbF==tHJ6dQQXuiv$gmC-h)hDguNZ4M>>=WKiuEUT*P6r!BVK9SFd zHg;xBnY>E#L08<{AAcG5_TWlk`W@E4d1+>;M|gDj&6LMpvCHoRC%CxhZk8{st1x5Z zb=2~3`t_I<(D2vyzh@fmH_q&OEgG297FI+Xgz+fe zL-}|y9|_0Vd=6et?D@mfd~TV>Uul;GL$rSz(Nu3wRwcMbzEILof}+f1h@@?WxNO~H zN+M%^9l8vm36a6Sr-f?BU=2^l-@3JI39G%++#5%RMekl_8lM+TGr+p(zqrXCXXkmU zp-Bali(~&Z*)bUH#bFn6hKB~_Rv+Nd;H>Lk`7_~U(}OdzmWjkSs)U(nU7u{qV~4S* z)Zs*VTm94WeL|BMM<*aN*C|pZI+~$MjJrBk(SiVlmi} zZK)VoT4;nP_;Piu0`lDf1Sq}|{UbGnH{Krk3|yt31Uo-7dsQXnCu5Z^5(bxgZX{gJ z$r$xaJ-+u>qM)eK{@{in>d*8Z|0@N_fOz7+F83cs0A&w7;A}v}NBkiU6Bz^Yc$3YX zr0oj23WY0_@@0_LY5SDCW~)~w68kQMlr)=v?!a}1g(H?#xW*)fG6Zbox1$?xVj`P2 zi&g5&j6+02Ky)-M0X$iI-$HmoyzY zvk)IR%Om-Was6gf(E3X>YeCH&vg*j+u8dbuK!9`jY!1bGZ<&xojRX%vs`JtD`K5Fk z8pj~QC72%_b2qzy+m*n8LX`4&-$Vwnmu(8aU^RS$DE#|)B@Ikw7qp7!+W0fx%;&eB zJY(`?m<3EA)o4heWJ{K!u})Eov<)wRncHAO$!LIoSQM^b;Udhs5EyBUq}A?#NRh@q4H+FDTytxZ;-u31ip}YR>}$zQ{)(QPFkqH2P`A>VBy-uO z#|f^8u(p4+6#uRelPk1Py2t`xwLqbif0dd~v>Lj*Oa}bIi8lVjJli*7x|ph{=NL$T z|Ggou6Q*dOg|*l*>~;^X@OXn7c5vum#jUuegK9p7gb`q(n8eR7P2-66pecAP@tR#Iq(HM80|UvavseXL~nH8OH!C*q6L z1x&J(HXaXTQ}+O4IObUk|HDMcuX731jha`^ra#YRcf(v=s7$jOi7(#7md3GmwC(v` zoJG9dSS;76&g5(#PL>2`&%Ycgnn(ZQ&vc!VtD17O35iJIhmt@P+qn3Cm$v6?jbgza z?ol55)}dHq1$?rfz7u-d4wvmJ;>k98X)u*kBm5u~9Em;b0a6;ZOU*lFI3#0_>G1VU zegbAj;97oh%lH^kvvtsP!n(n6h-flphAF6^p^H5h3H~$+uhXzp@uF5x`ouB?VJ)?+DwO6g@JV2KViXa$LUQaj||$P8AgW4@|HTyHfnp*S`LcB?HYSIPpAsFQGXq& z=3|zh`gBdDj=v1|#a7uabx@Mppj11}YHXXwXk!{r_~4Ir@&uO&>~fUrkm%|vy$2VM z*Zn*hRJNoA;H`$^o#OvFsG@UzB0m&9b*}aif{i)}t`-LWRq*HyeVt#7ZbD6o;Yj@9 zSmhI5-2TKmvDbTctVb&Wnq3OX9TeI=dxGcE&9Tz;tOmI6VtBCWcMrvr`7ZZ*zeT0L zZQJFKL}<&H8jhc@OV}$R(Kf*MjY)H(2Vo1Ka!vpC`zN<9;_)-7U&`ynKP284#B0W1IOhVqk zvp`$*A@29-k8tv>Z}h`v3c+s>93d8S#5!LRROj##PNxSF5kG`+lQc;kHnz5@Z%jttEec&SzDrC9!<4Q?8eGdQ zx-=pi+=T6w%Ud6!T`|AeJ#nb!6KSdA3p3sxkETDStpK^?O}b)ij0E#;_CK?#W-RkZ 
zohEMdtTSq}RI&9Tl;++&cdp2Jz0HdzoqYlFoP?}i8DOKH@c$v4JmR7{8;nwy{li7b z_Pw4flM+q4FzN$I0#f6DzZ%7HDIS0WF)(Y=){&MAb?VjHq{-u%#q0uu?Q&AHzK!qWZL;UqINBqc$NguGM1P_0= z`NW#9_l>m63u3Gxeck6@NKb1XCy@l)%vz)V!85~N7goTlUXlG8aNUbb%O*>~6^YM2b`sz@;Bf~Gi?wX4#Zb$u`7eUQj29A4F`x8Cw%JMdl+2I7gz9} z8$7__!n$VtHo2y^IT~ccR$}y&8>_hBN|dAlOs8B z2X6{?>@c`0ulcLOFCt0TyM)OnNFqEQaaLTjy}Zz)N9~?AH+Z?{uM|u!ir7;*4ZMf2 z_bi=YP8c{B{=k{%f{QnFE!FbC+l0H-8gcbX-FtN>Pd8XC+YSinigx{tOG4GuMD|oV zP_G7?j3q30rqG`4QcP#D$0-ltSkBE}iq>_7FN&?!rPcaCfL2cVv;X?$ zu&URbJ+8FUJ@4mIydHnPwoq{AO$Ar>L98!$1@O&8itrtAm?D~n-L!nfldx_( z;<4ZgVn%7w7GiicE*j*2!)qk zkQ!%9pi;q@@^Mk%-{_9iD{q?nfp&#bNr$rq9c+j|HHf`u+wG4TthT~jQLn4XWC>_Md&^DFQU;~u8sj-_q^H%2Do0w* zZv9oi#S8IL3f$%mr0zX|Ym{P1NrnAM-aM8zsVN?{)^h`sJJTUB7zB*Gms&RuDw@w2 z_O4>YnMo>dc+B%&8zcRpb*x7=I6D?%x5d=!-OkVyAj7J7N=0PN!Ym*ZN$UT}!>3C~FWWKK+t@RcP zs_dQqvXZlI@gz7EJ&OtV`37odgIhRTOjoo@{?Ln*P;4<;y0l49e#JKGKU@qk#OOd* z-{c9OhbJ#e%Pii-lAm<&Y=A>+={183lurX#2HvyI6k^=cYIE1|{leXLBiS_fJ!@PoiA5ir5|_ zf$ad?>(b~8GWg#8+9hVlJ_I{1HtATO`L3M=&!lF10!IGO$ld2jUdHgnGKu*;c-45x zD56c)+=d4FqY-)rAI6kDLtP2P^2*yG&a?;8;_?e*dRXaIY|xR+wa6^yS>M@FA1fZ}3ex0*dsEG8sfPm(hTEmmk*UOhkNtXN9P`jJCHL0}p zk(o%LA5ouhs238)8R!|rcl%xA7h1kZGAfATGE{0ZHy;L*Lu6S?0qTX~*5xxsqU7l( zd!0r!Rfj3o>P4SyAw(z*MhdA4mrO1wZFPok@#|0TnG7ctZgHc1-2j9uE z3Gyz~!r>Vs6TIq94Wz>vY70(Car!%sQ>!dLhFKL%+yyRLK$})B&`j}t9lde8&xbV7}xJEHjD_pHz0q+D<8H_ zqHIK-pgHf4NpO!z=XY=Y$tP)cs_@=ODf}72gE&5Mso$pE~Cs2A>)?E8GuoEW7nmyvfJHRl$#G&-pbhDKV9KfbR4TIjd2cfTm7(bzb;nhp9C0)_eS6?BaYfUBLA4Hoq_2InUQI0Im31WQ=Bb ziAP!FRCNJw@O9Jr>I9V`@4Q0n;K9@iv#o+ZdrM`xNFKu{^JCV@R42|A(s?rfD4O(f z_BmINn>q82c9;2*J0JbIOh=)RE-vC&a49C&@h_{fhofe=poq&I`Nu}Qsb1jX%oHcz{oitx zRh2&=_7tjxX6O8pfy5GCZWEVPb{Yl5`ZjgB7^r^n5l2$JXB}QK6~rMvX$<~DB!(;{ zm3pL3X|$8mVVAqr+Vu3`xt_ikssjmUk(%lzCwYwFu2UKIc^?rb0rN0Jd0Mn-wD=j_ zoWkt!smO&AvGMqxEEJ**T;12MzDk@5#Z@|l7PHE9Y=p6o%U)l|#Zk25~T{pY}Y05elv4*w+KNh2;>GbFD4x(DH!nL!S|GhNO%`3$iY$d^o> z4yakMhFQ;?Jvk-C2E!O0P2F%P5R*QHCCYj;@r!RoS%&%*!6yk;CndWzJf_{abwi4O 
z(L6q9^W?}T4`@B#o)8f1>agk3`Cp%!i%)s1+@i#^EfEQqUzy;&B5WYg8H>O^a@s?} z9(Z&(w@KWGEx6i7XM@Xs#)gVo()qD7$)YHE5G|U97zIKZ$8k8$4o(_hzOlf`d@p)9n~+*2yKHYBZhv5v4FAl{5}CbbpYE@g=W%D1s%{N8!t z{nRKtFDUYzw%sACuM{j)>EAM+FpI&QeTq(OS!*N+Qj}evzM}ph(|ee#!D7|UObl38 zz^irGM~_16__|?Kc9jrL4_EC!UUPwD%-6m2^QWFu`Vz{-zVY^*HN%CQ1JUpEw=bL~ zrrV=LgneX{209?=q8}9Xl#RdvlE^zkx|Wx9 zvnx@3VjOOBOBN(m#g-{pYF$30(4lRA;AalAqcF@1mgqi+l3!a=?y^?2XTj_xEoT`6 z;ZjT}7nfZD;4Q5yn2zY>VuoL~8^R+O1pM`pFwBn}e@1hr%=)9rx5pKB__lS^ChyUr z!j8g`eTAGn4s|_*yLXPe5M!Kf+sVSiZys8R)IS+5^O2sa^Rmj?npwXIn^~)GOR%oW zZu<*V9Q9`UNI#D_eM}ok>>n#6yA$yb$2f2yWCr|=jc+!>5;pG@n>B)#Q}Pj19LNMsG?if{^+= zGTIup*)A-wb|#hsTWO+6TkMWW zG{WOj@zw3sSbka=^YOrq51L<`_zyv*d-or_@VyV)(!H;nRr<8$>0|P**CTFys$F0!|Z@{=)KHnRU z!xh~vwzTyxq#d<}5Bd#oV?x4F2fd!%g|(t8L9d{pWofA>0?6c2O}@1M>2at41$`xt ze>?7m|L~ynyt)d=o`=LqKrH~}3S~LdXHk_TOA(Y*sm#*o)ZmRK{#wv5`)4 zkXk3{WQN`S7rvw1{HgBv-MLtDp%NXiR$`ZWlA!Z1hGxTQGIv`T7iMlTVUpmw9T@Sd z(uRx(4=2&i5OOaN1M9Sh3#SHoUhr_GC(MT>0Og`_*Ky>=KbJ)*<50@*h`e%_O55_X zfW3$T5yd10J)t6J0LrZ8H{Xl!^QKWL(^czXS>|N^715z z!M>k7?!qOBo)+j<6-bYR!ShM`-K@X9wuM6FKMo{H)d0b}tju1-a(pRULG-e6lrKY~ zOr1#XyHk(WR{7}o9OzVf8PNhtWbS&$3GAQvRIs*I(duFbAnv~zo&4@e5RK@o>(7>v zD}s4C){(Hx@*(pk7?lcC?iKMUFn@^XjFK?#qpPD1{4r0%%u}2ZbaNt`b|ajVP2%Jl zju-}nPBg2lHyY4QlQWgeDk@y&4L~vf59@Skq?nx4FMzL62_r=4Pv}^@Ig<{o`*BOL zu#EfI&)LN{`C2@8v#X(Hr&P+c7TeSu<8_6GPf$F)@^PZn{$C)NB5ekH^2~ezLuMVP z5kv8f6PKC$?0F^eH)})F?bw`27wRX6xctB)3k&=OW!AAS8IO6ag1(AcYT1;5Hl|vu zXK}HXMYGJ;Zj*Qn1BN7 zLf`bac)ES zm7iU~It8c;>JNAso9N+X|Gg)LXw(h>&Vr8?P`F=H9Be9hL*G_wNUvGs_<;DKhZ;ey z*+>4dOT;!-k>eYk0bItqfaHeHR0nacdTTt{gx;r*YEF2*YwlPW>!my`3YmFrS3@!4 zVYsin(+AiI)o;`Mi+M9kymKaiQtf8I>nyhHf|et(8}|DNda13eO>+ifMJnZkRh1H{ z(2gET<7ziMZIZ()`5}q_3H4e=@!p2!^OC$EQ-K6TXv1#cq#6!jH&U7 zH-6RWF$9M6g6#jo%?>M#%ztbq3<)wBUm_f$r*=54Xk_DBXafQ=sBDk^_RcHxCd%S? zv}idLGC+?RP`?J`c!JFi50M12P_Wktu$pUlTitVUQ>!|j4<2?qI@7+8yhH%|Ay1Zc)AIwKne1gG;(bx@C_f>Qge`pw!kMI= z(y*k?1Pl$stBI-PMO7H>1RdHBskht=H`e{y_aUAD?O-Fxk(^5}*wzqKrpSBSJy76! 
z&9pj6=!{DTMFO{%?*^QckFsyJY#r1J+}s~Uvil#0-})(t>PsvnLkl{G*D`IzWjd0L zdOD~7gpUiV>>GKtLs=e%YUs#>+NX?vzsbgVxlDFpvv=AzI*>5^dlO#NQ2SHL+5L9% zSNpD3-Zq$zzzUcKA1^EDge^vGFc8C%=6no*|H*o}F)y{&kfu}Ke%a7l-G~?1r`zf@HW=?j~)U!x*H z!o_7gQG28`PUR_l3yN|_v7fjy^gZB)gcigfp=y|S%ps+4M&TU5%y*pi>UjCCkdP_P zzqUPFJuUp?OR~fh#I1>Vjt|5=cZekgx|MmTU%Sd1%0}g~>1l*Tv|$mb)gOpWz@;M; zOTX&Yi6VEd`_Yk19pIzV$LBVfGnlZbe^VowDM^;avVYN1mz0!>w9!YQ^bbNVo3MHt5$A!1{ z!JMC~8(beTDF*Y9Hc0AO#S}s@umy=RCONZsx3N;^rhvO8#nl1Mo=Rso_hco{67hIW z)(Ks=S@Pw%W39o+0Pp{g3y;vX7|Y*rrQ<`d-+TnK(#0IN?H#8855B{u(oc_vvNAGGAI}1k{*uH zwkH~sp}H<$Nga`>+1Q6wQyO1d>zqPJr500WYlLHkiOUDNQ)r{-w!2!NYr&_!(>M^rd(HyR3@ zdz-TuW|t66GSNVzczItB4cix^UA)Rw#l`KSE`vB8%n8JYPmw#ZP3{Ti+B6S_hu^&ty4p{mO0B33X1WXa)I}#tY@NN@nzsWMJ zVE)UI3I6hlf1rs~lB`gT+3VmbbK4P_i%&0K)^WQieYyh>k((OBtFc!o7}h(rVva`% zRLt_mh5*|ya@#>5GE(N$;mNWPd$eTj6$dyyR`@6c+qii%`sA z{`_S1KC|XT!cLFv)Z+yi%Di&!c5q74d7-4r*$T$vg>SxtMBW25{xIQWklRzR&fe5o@CAxzp>(84r zp(4$XVICXB|A)P^{)(&F@_q;jgy8NF+&#DjcXxNEarXpwhv328T^o0IcXyX=uA( z)2fjXD@@aG(hCh<>rV1bHKT)cc}7MutJ$txGP7l*veXx7+Bt_5EMlnP(Tj zJJBVctn(*$oj%DaG!W?IYg-br?ajUy)Y46iH<|5Rj1|;=xkjFhg|zfMxbt`6(s?p^ zYLCHRx5dfkzunWQB&&P67Z!`Ah`zFMo})>=I(n6kZqO}PFWhgR0T4;dY5?atm1%Tk zOSB@`5#K4==p;I=>3Ju}x5C6=UZXBk$KNf-M{U=t<(kc8m{3gY;=;YQ&=9aPURFqW zqiovY-;f?nzUdcJiR!*ml}V*U@|W`*o?>5)6m{E%N!{m9uFw3cdd_&S9ivRb;tb`m z%|@Ku@bj;;0N>;zSIeyP3TV5EZg+OCNZbvY=i9$qv9j%@2kkX~ZCA&$W=!@NdNG zCCWRTs|0aZdWEDkC!zgM+B*8nZ2AumQDn`42Vp%fXrX|2gcp|j+R;9O@7W+flB7{g z_}cNR!nNYF@5i47LVg|J(=#Ep?9`?;0I5-Be@Op@`F7eO{MA2eGh;|`C(^%{TmIWs z{KfeCA8Z#mj8|I zZ6g0Nn@A|+9;s4G`&v&mMo|$vy-=lX&=Yw~t&Lw)@~!pnM8AFR8i2s>cSiWw>TrIE84>tK0&3 z>B|!-aLOre&5!y#OImd^t?=I*uZtK476h_v1T|Xc0mtv>cH~W8j;-MAfOt^;vR3Va> z^L}%4-qto#Bq`vst4!`x7ayL?OeOD-pUi*)*&p+$Ov<~uaWXasPV7ZqdC^~PhJq+6 z+C0hO4A-|v75~lrNMDdXKJ5}EX4T^Ou<@61YIj~h2ZK5fZzw)JrBVidcDAfU$^yqa z>mzH@9BM4yaDj6aLrsA`$T#+v8PKN+7*ZK5bYRqhz(Dija7P{@*&^Ctc!6B)T!vr2 zH03dlQn)Ie&J;1jz6ZJdvF%sXZ{rM63V`|f`g#iCdCb%_A5UT0HqHO=r>k+aQq@wm 
zg9bm!pSqfbJ_^OXb?~SRy_L~^j2{oNy?xqBZwMJ=va`o0r7YNm;aXEd- zPXe{G>7g*`eR|{?f!$dUX(P?l9*H+R^BCTpfrsE5(}#oWBa{UOGdC}m{L=Bu{?sZv zSffujaE!y!0_6zbReX5I+7C?iRCUeTcj&qmqE+AsPwsDzCUf-Yq%i)H2{d5Bz_(B2 z79+r-&&GpLkJs`OoSxxaDKzjNreqf?p^>Y2_$qSYrmV>AQxD3!uIqBi4bXf_tB@;I zP-~ig-D@%@J=lrk%Irs`(1^#8OQVdQI{}uhEwMPOCfDJ-^k=3XI1j_|@>Z;1p7t8A zi9durml8;Ll@L3DE2tyy^UK&dSH|0{3T;8^?^zHY(w{~C?Is1({3K0|Dih;vzJ&e* zD0=BxQa)tdV+GSb#7%@UH5Ge!d+0Hg+oKt=8|vBID5Y|486Z}3Fcm^7SF5u(PQX7O z=6W@%xnFG}(A6R=EGp`#xs{Pw!yrhePq!G0^wlu}J64#6iy3dmH7kxFmVM0bdKrtq z4RSBKm+gAKh|WW9Uy9mwB{W=7vt(ol-5;sPJu0YqM;dL!>h|mPw8C-saB|y^)E?tO z0YhuJxt@IOP~z7NUI_ePj<(f*3LtfFoe3S`-F=d5B$ek4(G@1_MFG03Qf8oTFhj}O z2V^T^?zbDBGePw9kRV|*{le&i%LOx8KYxqriE-*Kd{vTWOhZP-9l6>_&?B>_8@O>H zqTQgO6R~_tw)c21&;&6v)0{B~8@Oflpi10kG}@yeZH3)_PxnqRHgcEh4P7UC7&KJS?h4#^Ugsc^0;>n`F&V!DoKQ%v?U1w&m2j2P&UmkiD2Xl zpF5~~SQ2hyWOaijc$?Z7cS0Tjf_)h6BYV{EvPaq#=4sV(Zmyra8fD__j~UWrZ@YJ! zxMMSE+#i&8D+OAsbq04!GP15p=qeTI9`%+y%@xi$(ExfO+=}s2NxY0MKO_x#lT4dE zP&Dk`^=z7fH7+Ye0Q81TQfwBIAW$YTgH&|-j)*!9zbNq#VYr#MnJU%MS4+f&Z$pqL zD~eg%L=T*;2wPmlC4gr{a<{B1 z7%^e5gjwk5p_UMZs%k;wObkL1?=H{96&nHqIKv=bR1aXfAMeCo(=B9@0{+L%3Amqm zE6;-5BzSC8?LoTApw8$m1)UnDl_C&RX?$L#k+C;^sMz;*6kiaZj^5?3o{?zKr3S8tT9*}a!^I8z9nDU z&(EEM@MdjO2%In2t>N6?QPXv`3vBAh`nK=e3o_9s_n*b^e-o)Hy=tJ~H_xB6N*|;O zt=C8U&QCW^7K3G@C~m5ZjcivRNuyY1uqRlv#d2FjGb>RGmM>vn%uogXJ=te-nMD6- zIBAlq>%NanY-%qJywu%KP$i+Tv6SR`tnb-4YFMkm*T{>}-skc&)A|U_H0{ZvJ>h7Y zjI-Q7D1TRGr88fIM-H)e>Hg?5S#ilX0_UNIm!I-0v)<^6zfyrq>LA3Dqoga-b7RlF z9qOZ$v#f@z46dbhhSHsfr0Wbe#{n2LDT$GV6)tD->K7&QEFjxB#`UQ}=K1vJ{%W*q zQ>WT?uU}VZiZ*K-?iz~C4!m>}FlhuX>#(Nv)qNLnPYFj$ClU{Ejgv=94jOvgc8*(M zlr0m-P{)c9)wE`%h_jvA08Yf-lRrpWv(r4DyfuVYW@(`80N9ZgDkn}`OpL6iQsr^- zInA+LX?c)6z!Tgq3syZRickW)(cC0Fse7*6gux94(9{xCJ7bj%j+3SJMh9pNEekN; z%W5y)-W)c@=E_Q9k2|~2|2!9Wso#ycxeZj2J(uXvUU^q_eke<*=h;El0yhsF?Q^fQ zvn43R2G#t|N_zP>4w-?bt@J}mADSNuNvIF-=7(6EFLy~JmdL-bJTU1qCPG$NPZ#!Y!arnUd) zzJWtt1g-H>40QT)ViHfw|&ThR01z z5P_zPgT|-3iLeh1N#ISg=Js8m92K#7dIa}py{I+6$hfkEvdB8;74bS+-{jrpYq^#8 
zqHoe!Rc4Uu@xxQ+RtbmGpI1Jo9JQ<(A7|+~B&A3LC@bpFX`9w6#N0JXO|VUh#R*Wk zq8d+VG8JBemrb#bIJZ9bi(VGdcQAQRuUh=p z;>C&2I&v#;U0Z4X$tT0r3Qd!S)tJy`#4^*=b;|$?2WA47i1&*s5sq%zOCKQAp4>>y zQY7?qo1dW7WR4K+7%&crk==d1b0bETe>uGKb=3i6zh2}`@ZP1}`ZUO{C9k}y<+5;G z8dy_$$h9(1MtH>e^8Piy;C5us8kfOTgpNmVtrx+wPR3G4H z<+u+p7358EfAHufkWhYf6Ae%Y)98i_W@~>Pr2E+V3-jAo>SUDhKOd<>D?aJKe1$oW zd(=X~h%X|2d}H!wep8zpaC&f(BS%8ptB*UXsPMQuR;tuhd;i>MkavFi{Q*_~qqH9k zBLulT3q&*pT#7%+9xVow6b1D*TnB4ASbzmjl_z3JXl19AK#9@a32M7H;7jY6Gw(hx zUU)VY%pr>fa*(MDb2~j*oZA#m3KdXIQEW8;jGNW}S`*(?4l%a=Sd9sCY0~6Wb3yWy zjqb9(VeIZdN> zA}nbGkzLCyT*Ctiym8D1v7qmuug(hp1x15gAoMLJv67bsgfIUY3E2TBj#EqSSmGca}P58=5@xEe< zdmGu4p3pAn!bYRhNs`2|6B>Z~J1x~ZXoF-lqpK!+Max$RcFCKLZqzf)(q=ciZ>=AC z2&QhGa$gQT8INUB+vjIOwW_|WNvu?r=4##MBnGSQ>$_lyD)rd8pB)DrGqBUbb%^X- z^5yfT=zUtK{-`X|4#6(lgrRir6J>>PA>256^~Ls{Tl;P8(!?_MtdYo9p6)l29W}Yi5VYh{7VTVG7-nB@5dVMwt3J87A(EZ*f!M!vVbzhV) zr4x1o@g+8|qvP0S`q#7v6@bbCHkVP*3U^8}?OAm~c!`R}4Hmxkd|^eqcGuHxkK|$+ zF0SGhCuu5JIOoNCVLQ}&fboP}lEzGKiWa*ju}q9B=O-G4>7Ti}L}IPwMoX!446OM^ zzIj5 z#!A)P4TmjPyyesbqPkqQb-vZQh|>!!Sqxi|nFs^LD(=F_y*PK#C`Ue$r zkd_h55L7ocl64?6lk3@dnUA^D^>AE8cb>$A{=}xrq5fUCbAIlxz}NX4nU)@8sq$Iv zD9t?f$2HAHi_|^#U#3rI40qcr^|o74oQ`&0)@)IuP1x>MKH-_JdXYK#!FES#R!lal zY}5-1XaOpQazhezQjf@bdw}lLHR#Q9zF#cmP?Y(u?44ci-Z7$LwHpkR04+|7$CE`L zt)A0TD)^<)sVry!`<%fc7b~nxWP#z}JP@~yj`Hf)60lZ>-O0RF?w{;y$_9HW5JY+aNQUkm$JN9b{nxDg86N6~ONTQJpVs2uQ^)&eE4T->c`+b4@{ z4E-oZ+f-vYb`(|U9+tlpdtp)?MeA?JIb$XNU>D!g+y0~b$HC1y&U`6!;}M+M-!;xH zKRp}ntIZ7yNNjaALhJDvTfH4*O(0`y2qi%0_^cOi{{4=@Ot|sSkNH6b@lYgos@y|< z_S7a>1Aiiwu~yxu<8<8_`ZpSTmpf0`E>QIyQUuNewEcwil48Y{DDPSkA#yQLF?W|x zUC*@LQc}qgKV^@TaA_$!q+HFS{5Sw5^T@9?^k+@Y0%i4&=mZr8_YVknza#TIFx<=& z)E6rFf(nxj&u^PK#QjC5md7e|K*O#vF?{{&xTBVm1fR-a+ z-)`^s=Z)P1CJ#lPZiHv32SP=wUp^J$C*kue3!6(BBuu3vbBYa(%bKQO+tuT}n?9l- zT?>Hh{WK371gdJEzR?zwlet(=qbN`u=2%jU>_Q))_(+UN%!)go$a?-sieY%k5@8rA73(GO`jQG~$)Vt<|1{ZF=)? 
zj1wm+edQNX+^TbpuV)&BBxNFCB|liUgXYXRe8>yw?bwNe%f?c=-yK)iQvm-<1GQsj zv^#wD4czZO7Kr~^XEqIqHfKYFJZg0`HNQr;QpMGp8irXt1dM zv0cREuxw^L=RTuun~@kDZZKL44)}FJ%CMd-Bxxzrh+O=V#2zD2g+x@v2tzl`bjZ$|Vb11s z$xz~PGkRkJ#r&vy#yl@z-4u2cq%t+}t?13e#fn@@p17!mQ&vDzbG+@w{7xe~RA&7k zi58|0GE)O8!06Z=VcJeUXN!~RY5Iu&~rS`i~Nyo92%^Ag+ce-c2aES`2aPo)mN=?0~q63C%F?yn+Nr&)9 zd$lbl-Z=NW=CB)Cl8}dOA2PHj?`Om@dR!6q%M(n!=-^h_>?itRa#JIVwBYGCH!H`t zZ-f~|lm+!AL5QNkirnP5`yT`aY z+kGJFoO{9?_P4Awxy9l1!<|DKDtZ4buPT(Kszz`tRj?WFiF)nRL1`hwM&Zh?oQo2Z zWy94rl-}#yVP|T%qEOKtb0@@Ji_3L#;Vj0SO$&L9(yPuRpc)_2jbSrz=mrhLekMg%oBOBV#*hod2$gv zBZa!}{Tup6ClxaBncpA1?9NH8WeJGQs5UstDA=Ske;ScYhkTu^aTN1vD)_=TC&xzQ zyXTVCxpnG+#Yc%+J+;N5QH37dfuMAn7IC>O@L(_<=NjAm1QD_1GOAAd)*%F*BUXRH zdU3CEA(>v$6;kf<;Xhx+_>NzM4pr@2XcgkP;;fKD0$j_lfH)RdFTu1cs5iV>KmO{W z&iuJF`K&Vv-3Ymq-{jKjM(Oklt~%=%^Fi0&)(Aaph~x=$MvC6WEc6|*4J(r*B}kq} zFHy0GF>oZ@oemS;Qar8|)2-f;%DwV-ah>#&M+%3%PCpNiF&h0x67NTIWI7O^2sUGj z(Uxf)s(r6_o&~ia?C6rTzY_KtlV08pYuD-6(sloPP>_WDoLgEZv`_%wBQerx`Sl)N zxq^o2`M9F)@a|(6VfbzUhc?CZ^nO@)&%+5pzE}9}6~5!?H6Wxe7;HGMM?F=W!6i;% z1b(Az{4`u$ZSG@}_W-gO96ZiDlwt2SOiDM>5KmAj;HP-gJ?_RIB%H;Exk=FSBee1P z`sUUFt(aUPV&mZZRV_1dB*k;=H6SzDY*N4bBTow(qR^pK&hR`E_N|9J)Y|Mso?m|* zrE>s7Tow0hWh*z^*oc_ufv`?2g@vg;L(gbuQQc=Zu14IwyS#{*q5)#-BbR!DjX^P3 zC)pkQGLp(IzPW}`s0?F11Q+$n8)acLxF6jPprWo0mHMLig5P!S2tg*RVZgZd(6i_n zww=#c)VbWLx)6MU!^&rK3YtB<+3f9__ZThpbLt#@I7$pV;RjATbGpIKwfOnVJUpE*d?IJ8w9oSsD8hpZ4*J4bz)RlYv z*ir`EswcfhUVqD<(xv_c$XPc#yIzr8?HyB}iGEzNmh}AAo^!C;DvOm5%FbHB*ITH2eg+!ru#a3F zglC?Y_lshTV|$S+~rfzUk6-2p{AkSo{@&bV~2y!I5T} zOr%1q)%2MKgEVqF?J;xxWmhO*w%T(a#`-mzr5VjtAwAQz`XLkl8@-dnZ@TEdGTALp zB}_9Sz-1&_Jk(fReC*`01LvSxbW~4CUyL&D=n@kyj79O{Qp1m|$l@=^zWB?w6QZw_ zLA-rFbAI|~K{<<0;<3{vcRL6GfiaQSPqpt0;E@0}XPpi)cZV4^sF-boIc50^yjS@A zv&@#Rhk6aFKl6fQD_u!QPi^Z$ju2`t+kr2?G<}ip>kTIZ=i@w|x9)C@{C};A@4K&` zH^M(Mev&TqmJq>S!Fbr`0@@2P^xU-8%s$$vx1-t5*58LvJhBd=6bAAXdYz3g1s*Mh zID8svG}a-^Bk;l#QL>$kPd|&wAaF6r9>%oztW3kwYIoq3u*3<$^BGf-^qcl<{OEjY 
zseo0=d_@PmeOYVQbckb+Ll{H)-9}ObyIA8?{-H@h%8$Ul@81j-SGVXU)1hRI(?4*d z?J=Dkj}CuRUMrVb?VP=Dz^jqI7&uJe_$arJv6&RF6%zvr!dtA>nqe?bfg%%99h+zvryKI`v*$bL92i#g%6RO5 zQg_i$G=FL=%eTibf)do-l>^x};&qS{02|8uAOAKT`GSU&^5oC57r8^!wX>w?bqM_h4c$;mpulYldk4rIJ{>r&yd z(OEuN6X#qHU5v3=e_5x+hV_&qzaF*`R;f1)+W(do|D=bgBQwSYZw7}%OmLXL(#d?|2Yz{L9`5EH)Of+V2aBdb z`_8u9O?Ub$wLk4qdCGdsv911PlXB}ddjEX1102K6sJ`Fr1s~>OH+C9#R7?B~w(*!y z_?@dV(xTYD259r8)e%#wd%UbR*INXqk9B$I_Ui)yI6~#%#J*qO?>Xw8%O%R6G@{F|`s}MX#t-mrYipcXe{g#Rky*LU!1aTQcrKy(_g)co zQwh8nM`b4*;dihN4t<{kfjbWa7qo^XlS(l5F#ff z#;s`;)c7v9Rh4{p%dDZ4mrnsQ!`AsyQjH)0qdcuCvjWQ?0NATspxA=hCbou4dZ!u7f z;{W&a9-R8Wjt{;1N0XW|9Q&a{^mbgV4_11Ahi~i zq{05rj`&v>kpI7ne@@D!O60$AVBg5TZDyu_+5X=~eKUu2vdW-`i|(P);YXRtNRso{ z(7^wx@%!z^>r)gVziwg54NbgrSp5IeQv2}T?@k3PiRPpKN0a}Ng}L-o&)7CL_+L!M z^_SHrtwQep=G6ZR-u}Zkij>~nOSO@`8J_tllSxVZdlpKCwM3gRN7>a0cq!mqYKEOuk1wf!^BUm_azhj+&Yyfepf zix94}38EAnPOl)_`(3@3xC&k&q**kmr`PSG>~=jst8sr=skSJ~tJNRH z<|q^0Z)6-m?=-3p(PJuO z>^^et#F535QtyO6nY1kCq{Db*-1;7&t|6p%-vt2YGmc$joOVbg+g0&JicRyB*DKk0 z0}{o4&5pSnIDEWVd!Y{>)mk86R-&D~=N!AMtO5UJq=Pl!XkkvhzLT zGHJJ&x^int3ORB5!%tyC&Htlt9@VZ_q7s&s$5_`)%`eWmM`odWzMcJW0VGfAA*DMo z*>y2T9jRbrvhKFZxCtB<%hDr{Lvgw6);Wic3#L^Vkf~_Bxj^>98JJ zNS1muSzIB*^`iYOIQnpKg!!9sx=ZfpVy+F&ny zovC`2pZevTCUCc~er&Tckl$v;tY*EDL1PVah(QCqqA6IYhsYM$Hh%FgTxuA(%usQ2 zf05VS9E7`4l3!^_!KKVy4&WY7oBefu$G1>h#`oiH<(TSNh?@l?wmsjIiL*4(+G;|0Oz8m2F7+KF-bt&AdstdPUgn^)9zGM?^?77@7k(v@)p9kH~ap2A>o%(4W#>5PdrJIPopd@UZbaa2n<=!Ov zHe1DfASCYo4Br}w!>JQO=yfENa&fZ&4Dn&0!u%DMgNVd#&zmS0dnXA@3i}XUL{qJW zcxMDMGP3C?(Q=gb&=3FF2+b{OlJmhp8CjD~{bZOvDozGwX|j$O^GZ1?(s#s#|ECzg z$A{)$FZb`;RwhD=bCd⁡8vqPI7-7@vQUzZKLRtnV~V7?`we#r-dM^$rcx}C+vTjE*XeYt}S(?>)!m!F}dTS->xKb!)aW7bLU z#lG87E%<%ymDqUb*T0@~S)g-;9p${_R7C_c;MMcABGtG^;{*-5=S~XZ4UTo#h-7g7 z4r=D}pKZav!B-!rK`BNYT!q=e|X)Q!*kH-nEFyFJN8CQ~1-z z7g<uLEr?IcIGucYM57psKYY`#OT^#4{ z`hkr`=3}LHTik|VonI-HyV(9)K(pb#k(aMbWg}J&@?#{R(V(&7Xp<0P*Y;rg9-Wc( zc<-n5cU`wxc@IB&>7Zp_W5{DET(-gn^5a=`kJw%+UkYqZwtXknVolnf%ItDYaET_Z 
zhFM8b45$*}Ontc`asu^$DRmH!xTVj}s=rO#3kgivb#Y(#&Xwf(xGB+bO)fiW9TlawQ zV2%FK-&U+{zd-y#px5iXT;?F$rr&TtT3FG;0D`C<9+n(UV}CE2Q&DEsP|_yev^M*= zX7k-*9YTul8TXhj%U@`kZ=~ABSc;UaU}Qhp- zk+1axm#NIHfp}5B0kg$QJc^V)ifQ0#%ex(BUCFSJMqO{g9l=HZEMc5JDU_?jqY+U6 zl*-+J1G$!=W-6SoiuW(YIxg78C_E~YHAemLCkeS14%)Hto?~pItvN0YWkWS5ZYNnq zsP#>RLWG*=)h}b(sjHCC9iA{clpA8~itelMc6RoJPB})!>|@u4ySxNMH`#@B%8)SoWbHu+S{1(Wcb>nH$KVCmCVul}KoC(nJ1z*N5&f^ z@S$598esjSF*?+FG-Tw@sBKOW*7P1lpqIm%H=I7=PH#`jJ?bqBYlQ#}!rG!f#S@m5 zKiw4Y&e`Ojp$2=-77me}fWGZvZ{a4Eo4a#+Ow&45)kq22z8J**Z1jPz)9#@}1Yndk z-a=+Hn>V6{2L#`5w8w$f*n&@zII!1A6(fxwiL`!ac%o*WI@H6J@mvNSVq zK(ol}OJSZ*U(c4U2Pb}J{{|45N;}2zQHg*`gld4rOv)7}#BXBk%VRl3Lu_zd0ZlYE z^4{OEO7vh=2D_7lJ;nd{L>`ttz7#^chkG2Kkun)!jMu5!M5K?18T}UB@6{jk@%Sy2 z_S^Y(vxZ@>!#gvx()=N8C`jrQkl@$7b+F*;I$GV=Zo!9ZuX;+H{U`b86c-~1S z8zjN{#AIj%8Td$)>T=m?Vx~b)(m4HCQ>ml3Bt9{#+B(RF^*9+R+&+7nW2E_bCWy>9P+ZGSf@G-wRk!9$8G0_Wx_9q9XX{yJ-r06Z}NScT!4O*ui3iOXw=^vNli$qc%MeI$gxxwWP3niPyy#?#igKf1OQQEonQ5wj;euCmU z#CB)JVU}cKm!WNFp`hpM#=`aCMu&Zgv{hTl^MN;D+f>}0(^dDtb9aq7rCX`3Yk}M) zcC^(E;2Kvy_+T6V%AEQ-p!Aqtx$p}TRK0kG=e@xW*cL8UTjk|Od*OY%TuZ6ZT*9;u zQ%Sc>B88EWgDb)l1u2tW_!yY%+T zlROUx4SCLPb)?^2x(tM7kgMa;f&hUHV+ozau)x?yftY9hF@c9G4v%#c6Hr*=(eSc<8nr&mtP z|3o26S>7pz!CUN1m>*S4_vIdXPN~p|Ti&q<)LLnj_A{=wNNTFXh;S^H;z8!E-S$zn z#(9pwB;%`W*3((Gn~H0eO(S2QuCQmlO~YBxu1nstFgL~uRq-lSR>;ajIWe956YI;% zc;j)Dr*~Ec2lbg_ua=}%)dMoYMvInF;=LR*b%to(IzerBpTMJW^8l zjbgjr;t6N(TZ3=$C>p=5&5Gr^Q%0P2-(3@ik8D`7?o9Pqco!5UBef4}gdC%Djamg24 zW6k50#ew$%uxJF*>_Sm|+`J-sOqU=x$p=*Cb{kv@uaTABCtZ24Bzh}BK}X^C!Krsb zGvUE3!`z8Ppm~`U@KrS96v7YU$e zBMFWf*j|?QmMur58-CeW2-`hWQ${|H2FevL?qb9yHEf@*cO=Pq5wE0`dxaT|Oc!Jt zx0k-yP93Dkdhg?iI&q8-|u z0f3(c1q?IiJo47}MPgQqvS`lD0%S#CSDtFVZ_vHeHz5+gNq7%=wYb#DDtHB)XNmAa z-Bv3%L-0$!@VBdJ)5txA9d(G^b|J>;;JgF_^xiWcPA0f^FDQj(hUnKg?^No2LYnm~ z&S^Mq^&~KNUVb~ii7M%W^LdKpNM4#SgtY@R7MbQxq@%4GjT(5@T;*r|Tx_M!4{cfL z*%plJ$3BDL?=ltI5vv~VFnq~|*C>L{?XS({)=p0YWm8Ui7ky_?aC`vIf{cWFPVm(y zLZJ?Kp811nlHL?MFO5X5&I_An)-NRW5(X2NTGP{*^d|xjoV_ozKyOc%^SR2zVfS*~ 
z(R-YhGmGX&-?y8rx5t3WoF#j{$^|R%#qH4y-_?X$Cb{5KAl5xSn5uu(hsxdS`Dy@* z*?3T{z((PmNEGO9{38mP4^6e*@F{Q>*$mzDq%ig=fEpRsfa&c`&>ZH;+6v?uX`#gSVUdWq1|ByB232Ps$TpPT7GJ;V4 z1AXf7akttDrr|1rN8j%52C~bOE9EUuK+r$nHmQtkvRe3~XqvXq)66Wf>9bff6l2{D z+i6o$ZSWWc(l5z~Cr8Cge}SDuh<+g$GMCQvV_<6L0f#d2lc=jJSd zf{KGk#h^}{w#Od57);M*qVKnBzxkR6&mco!^vT?Pg`&@us$RmE%yCvAkXx|WQ_1p3 zYBf-ZOHGaLm&KuMBuv&RL$0Wsv&-n~GmA!lH!Co*J|{F}Qn|8jBG52p`A` z*bBEYr{bUN_J$%d_X2B#X1w_GsHR%KMr|2iseT{B5=~7s0+(1PxOXE7XnQoUuH@v7 zk5guCbV2&)T{wk9(lMCpttqD;418b0kNWDQhu+^;>Y2ZEgq6@wIr zo_Xz-s5W(k-iV^@8c?@wVXF#O#sy!}a?B>b8|_Qy`k0q4n@UU47N93=hPnWxsh5`O z?W`+iNMdsMoFgSq>Aam%%!rTOkFzfr>3mI+%og4m(Ncf6BekVdK%f_YJ&AX2VOv@f zzu&IFtWSZh!ZTIIEytkmCAhPpVC3r}XJF+uo59#Qjy~A$qpuK77eb@sk*($%dW_N@Fn_Wp9u%t`C{u>doc=TRW2z>5;rl11^!NEUea7 zp@|66`tt9SFNNw>MO{_kTjr3Ih2%0tGfR%di=Vbt2e()m&7~TcaIm@c!WL}J8`l{( z37?tnxg*G6r=hQuF%567txp-aBjeKFvF2lcngVw6x^usTN1@+M=FA>0QB0D#-j3cU z-n5p$4UXG88@n&Sb$rdYL0P%h6OwPHr;7mi7%m3%MqV(CD333V3xA5gfn(uFOKDy6 zy(A1&rtHhK=k~AJ`idYGio$ytHG^ZdblHqw2$uYfWt(*0M_cq7^G$~yHiyO5^EDJ2 z1>2}z+B2c&zK-cmH4Ike7UiWF%dG9qIxze+=hbZg3_@or95f~2kHHo7uKJ5y&iGGq znb(E)bgxzL{9Q)y?9f$%LeuDo==ST1KP&&LKhNC8lDQ!b=J%d8n|KrZnx`5R+>QO% zj(k1tvBswtN8W$Hy!`kpe8AiISvmO97{0Y4rJ;&GC;l0v)<#<~lPy<{Iw$s$mNl{q zcWpFZH_4ocb!O*}Y=HJ2ZN!Qb07zZ*Xy4oQ7Q2n7j6}CUUvI}oUHoN+Lvf8??6k;R zFY5f~^3t7|PC4Kjkyxn5xX{(@l=D_)1OQ45W2id;PJ_8k89lfQI*N?mM9V#SO*kDK zi+>mde@hCmA-d2i%HUw6pPu==guI|aL1=67U`mDXI?vsCmFhL~AnTJ`O04;hm4RY( zX(qPu+11UuYMvqY1Ggt~7s5-a20jk-VBOt@uGz++6QB`S>@rMa>IU>J(jnu;=jS;; zWCG*o#l5q9pJd!vJ|>}6VCYh)Sf7^mIh**Ab(>%~hs(Vt?#j)9W5>PQ4{0*b85#Di zqrxmcz4R9c3;6gY^ec7Ly>5F=|6Ja+#b~LHun1TzR>`&odrrRVf%}Uo8VCLcf?o`T~ipb}91)of}0B&{Et` zYpzj1k&*AHM%`fcGn=`jlDLSGxFGC>jnmpA@X(nbUlb=T3hUF&!(w6@X?RbPd*V#O zgH{!-5xN6(DSKjtN65`oouy8)%20@0&_Y&L5mxw`sxPmJ1x9%D0n9fq0 zNwEB%$j&L5m;&e8UHUJrPG6{bzke$bQJoQ{sPk`9C7pt|*L`O6;xqoB`?VFVBNnpy z7oNYH3MQ$hh}Ka;?;E6zClo;l+5xryD~{|@W6;Gc(x3&#p4 zw}s|yAXzs!Jh6%#K;V!*#N6uB13xKk3JE=PL)cW|3Y zq-?Kp1pj9d<#GAU55HB)+ 
z>@G7%!nY48-Qx}#-@1Zef0N|bp*CJceeH^n26*bdBc`od zr3ZSd=5y{z6hgvFFLX8_Dn217P7nMOR<~mf>jw4;xFd)3b~* z**=8sdGGQ^Xn=O?#+lHfv@Wvjeoy6gQ}@a@>07Za~O95;pU2^9J2Q*5N<>+p&g zPAV~B)!m~$yY?iSvszWJZ_L)r`{3_Q|4F`(te49cVS8R)Zrf_}RlA!&$Z4B{0-7%z z5Uy#W=R0Sz4vAG;YchePGbJkJRY-^dT+911h0q7CIs6cJpzX`!j(YQxNy*XMv z&ad0BkyFkR8B`#+emR5*cD?6}g&R~0Ut@MbI8?1@JGc2cFTf#H92JDoau!H`b84h} zYZVeW6;Hr~b-w_7MZY_KTEOG<%=<}o1QN#O9iY!)V07^an0Lfs$a#6JMzA|$h{JCgkUwTWukLbaee8$n-XhSa=D{~C*Bh+s|pL3WbTMQQcgHX2cn<&JrQ=q(S<%=zVqfy_a2wNVtI> z6o`g^JqwFu1(^0tUEqh|RHE6ML3(2IAYD_gvEkgimEP0A{UJ!Z|A4VqmLq#S410F5 zIoOED_-lXg!J`~|1-f$s6>k;aa7L98*$<{>v)9spPUjb^bXe=BzjC)SQA{8a7AqV`WW$6#A0&{oz@DW$MlX4C!`vSGI8$o^P^yhI)&HyOEQ8|Mwl*9BL4pNK z2p(LA;10nFHfV4U&OmVY0E4?bLm=n`cXzko1oy#ZaPpCR&bjwi-TL}pS9NuD@7lK3 zexG;As)-qRUCkJ&UqLjvng}(BylS?AH4b1v;V&+wth!6$O#|bhlMBE%OwS?s>bxBw z+5OHmYm3Z&7KIn0o!e!~YHT9<4Szd!wm~MJI>Bhhr3R$o9c(_6DItsQygK>GARNFC zG!Op#tX|MOvzmM&d9KEZzZnsClWRaypIbnK=}sU;%Jhwo!Bb@#$7;-Q#u_1vlJ69t z1X$&6p+$P;?+DplKRj4c5v;T*EHn$YZVN@sXjVe?CDbb|fCAs7B4$7g$eS5^V&q%T6}-PLh)u6Rf% z!FB)XQq9%0xFbpaUK?5%vjH<%o@k7^UfRIM(-~Asw(lEE+~H57Q$Z#hbQk%7o#u!8 zQjxbG-;zmJfoCpYQ3~g0v7+I5R*UiTcL^Fem$5$fOlus!Y<7Wt^vdVGXqqCA(J9() z3?qJFJsF^q%~jETv0KK?oFkc(!jvv-9wv@x31RLBMHbJ8U{-6gd-*&;d%)?owbI}}_H zp+{M1^K#-SJ?JkPPckq5A`aR~Sh2%7jp1n0H~huG5fk!`lwnNXrF$MX0F}6pkaVax zRKBG)Axl4&J6KUvZOPOE2S*aBudf)s2<+P&aLwTm0^x9+SC0_(rPLxg>*wtfOwn@g zZnE4EZqSW&mRP=cDtd-_Zg(i}!XXz{AHJ`yCG#8jSwJ8*cVVqY+@KrgAQh`xUm$wu zTX+Hb+EJ~UHy0OgCuS|~EVhbI?}Qn4Bn4&25wQxv5ZBR znIQ`nxpF}iOO7#o#G%4rEX`Y>3;r3|`y#mrO7VMjXNzTb#yk#W3L`$2xn?_p78#>j zPZQ!ZI%J#0k@XojMi$jpm3Qm<$!yrz%F{fWjjtO9)RNo>Ilz5IhgRruM5bXO<@T9o zCicg?OK>;-m*)J}sOv=8aQgQ<2!hKT%k%+PW3eBK_4HzaKK!%C@x+&!PiDpC1sTr^ zC&JUcKvNHCA;Qb-J|wo<(+Jr7^ISBz3~#VO(M6m?PqX(_e)MA&N&7bg=A7DxdVFua z*WQvz`X70=kDY`pJ>)NO_7*Ez`|xkqXIA!{H*V|A`beItnYW~gbFYjm`xxrn-5pr9 zjlJVabdiASvy6%nv1B#H1!&XKQRPl=RaVXAnA%}n*M{T?C{#oP-vg_XUsT@Xm_DVT z;ge@)(r`TnxaH~gzYvecV1-Pk3(oa9uUndKw;Wj_5O0&EG< z`+)htyZ)WfHC_XV^4#MnX0tB+lZ_ND!zDK`%Xx%L;79JhouBJi%+^PL& 
zA7T(*%;!pF85DQYXI;1s;W>^$>9vL)i9l@o&iZO0*&f~&@yp0KW%t-ChC0Fy_UYzS zf#p4MeDh;}$RQ#?n0cxAqM)9AflnXNVad3aR^(pIt?Pufbr{-^Bl5z6fgm2CzN5xMwyz^byFbOTIWZ^r1Hgt_dhl zhALq_sm0D#QT!FEPM%GN&XGV{5ClnYzl~Ubw@yWG@gS3+!;!RHVXq7gq2DNQZ}7JR+7pRI`6~j>N-6-E8FTpk-ULT!4e=m^Os+(RJwrt~IC@;r((EmtGR`BSI ztCzkdH9NxPl+C2Cqt0E~^2)n8N$jrXst)k9cB~!nL|h@1a4-3bdKXyDe{Wr0hb}9b zMeN0bi^^L1Q57F}glc^IMtybeYrv&9^nKP%3gog&t|96g%KO|YRVLiHlPVQeAb&67 z9;n|)R;I6$USLPX-D&T#-S{U(_T1ELYv4LO7w3d*arKyL|5E-+zGh!%ao0X8uyZru zc84$ioMyQWzIRS@TbNifO2~Gxl6Vj5>Y37PY<(etrDw_p=>@c)z5!Zc!igJ|SZDZOjSXNP*lf&g<$f*N&7?x&GcjdM zMb#@MU~n#$bc+!T%)-6-8A}@KRl0S)bEqWph*~p;S7|f%m7-%5Idi`qV2i4SiW=tq zc3;iQ^sx8BVUyIO|0lxBk7Uxtv3?-E`JdvE0oAApGjsGoUh(7wtj(AQzk$rYRoEl< zoP8|XSwYwfZNWIz@Z7Bg+F!rraPnE%=VU+VKh8No&2F}9x0%NpNaxS0cX7U0s3!UG z2Kzm0>DD;M4Kdt}o8}B>MxMCvuwJD#yCm!K-)S@%btaDG(S3_QzD}ySjOG3KKoV9E zhCpwM-X9V$R_s-K_WW%aYY*o96q?<53Eg%x(9k&>t={NTrCYgdcGuNuclm z1&}Rb?bz_JmV1z?pk2sG*<9cgr>ZR=0=TR*!j)~1An9xVDkP(>5S3#_%=Y zEvsb1GlS2spa)@<+0MQl?+oH>rcY1u(%&ClSyw3QW#c94yvlai%qY+96|{=8i?B8` zWC^_X(9`h}b|Ehl(pn*z-tJdE(ppG>2&yjA{h)j_^QsYi1MElPaCtnY@9ithy(|E- zQTOv(&{ov&zVc8J=hRnG_k;$$l2c=tvI@t7TPC-?GH2?FiB{zoPatv$YSA3hs{&Ty zF*>nbijGd29emd5N^sCQP9Ls#e!-UQBIqDXcV0bHm|zTYOtaw7S-il4=X`u6WpQZ^ ze_+~o#V4csZ85hLTa6_8m1s2|@~+i>w&*CMvqo1oI%lqOTkK)G0%7Rc+p0-;33js| z{J{eBBM{Htlexgu2AmSbEhSr;YD z)V~YDyt^F8oLg*-0fe zOWJPqZRYVa43STwP3%5i7t=RrnVpehq;S&n$|m6%c5=FT|21xIVygzLqWHIg;;r}t z#U>9a+}E>&x2r%W?601K6_#gioXtClj*UJ~MSecEvXy(k6{H^?=~)9lhS9YVMjXDw z2xb720#MBdrnP{O8BDe>ea6H3s?UHb(v{U8mY3rmt`F-IcTC?87cHr6Ixg4@9kowz zmt&%oh$-%so@PWNf*x&5k@FqtOR505*=YSkw3hVtHgPYiomrx)nm+`~5;@j`Zqo?o zGwKcvCScv<=pX}hLXP(OW$kMQ%QHhz%}3JhFhrojB?8l!ax7<-&n)HZ~P5VpJ0l+AT|7wf&b@`Cp#RTCvckIt}{7HScQgBRp89HB-Q%JvDg>R0gEm@PYs4LfR$e{-7BP z#XA9iVMibI@UFi&FkLLV3@aaKq?2_HQY9g<*}dzNO%feL1AiDq_)bJV(m* zzNsHrQ0HnP+WAmED?T&oWpJG=3rHR4_Lr)k#iR!gQUImxU>ivQ0Jc=IVP^X54m>|9uru#OWa&OCYV}^L>64+|8J0`f3VXT;O=vQroQ4(FC zF6OKG_LEc_XQ||?anpL(H|*0Mn77ig8lm>Gf&m*7{Rh!UDcz2S{ABPyH)`|8mP7UEvH2%wo- 
z8PR}HQ0zBBZ%ysN%A_G9hk}S9-~aSfN4h_t;AjlZU(i}RG{)~qjhKd(2u?`Ar|!Ax z$x#HI7>8iw66)7ed&TTB@RHopUCi4a+bDasNhqAbU7lzzVDzS;o0R2}0{ zDUuz$;;7&DvUsNvVLX2!$0Hva;(^1A(WZCDOV8O_Z zvuffsdy$+x*;Kxbq5@?AV>I|vo0gr;@M6&0uHRsX*ajnXJKQ3&hFE?P^mOu-G7JjB z^^+skkPj34%+%ek1zJI2nafRIxM-&^BrIW^h^GWPizH>WA=K1Lo^won0fL&@1mV|; zoEu7Wg5SKIAcSt;Mm%2yTF@HP@zZU^joAG(BV%OST-is2$~9P8hK4QqX~YTj>-_*gOqkl7p`+k2gDg=qwf15S5 zaX%+J@Nq*T8eOI|7b7^RM|qK$Jl@SfWOzm&DEg#~z+XI+nw!;spw&t}w?~RU_Ie34 z+ZnjH$!7k5&Lx`PM3OxW?%3rR%QKYq#H+8&@I39V^Hnvoo)|7QSB&ZaN3J9PVzyf; zpgZ~5eu`ggQ%(y=I7|;9Gog%qhz_-|in9_vNoo$YB*>hgDQIPuOMyw|PZ$PXPRqDO z8DCz65&{uP5eW7}@M_l-Y-#N^<(495U;)djYY);n_#^>0yDhW~=QVJ_s z6e(J8M#zG}-@+5VBQ|b5IVF7pnK%6o1{Pd&G!e*(O-%LzeoMqQd7;u?>Dy@4h3gNr zIMSMdSlf?&q5QDi_I-b?^}9VjW}Rg*ES6Qu1j4^)?{pDzQWRKE27S|dGL$&H3tfB= z@B)z#zBV7MHC&CiEgc}JqCr2|8$23pXD8}BWawG%CcAdI{UjLcPy>+GypQrkfjBg3 z1JV-R=OYjXnNo@cC9|K~_%xEZE}z#Pi3HrBh$H_O_xls!Y5gcc1TzQxHFx`fkYp=L z-oK<$@qywq7b6yM3YRTaH)2AOh{DRSV?uva2F{&#p*mTT0Zi&G$K`E~zL0NUDRk*U zu{##WT-EJLw-|0WI{XiwV?60Ih>oQ0Caw&BFSAQ7@3A!s{>v;4{vrzOkLZd>k}->7 zDb8aIzpJ|R=TRu$OExRZHyiGRz!KdE@(YjUUnUjt+%b8yMc&O6BfdQPvXnA|CnPm0 zA-j2}S*e%Wpqg<0lF{cNxM6CC@|P>Joc@DSTPn}imfHuYYp^;+_t-OD*)=>7a)jtY zG7mFadKXz2+`Vu~*~MO!T-plI=`U-^+hHjMIiT~qnWswb_8YxMMv4TKJ*(^>{c5R# znNdpH&WE3)@Z``Ac2?a&X^L-r^XMSu&=wrmy(W4Nto*o#?cgAzp*(w)qb2jORgaeT z1Xsz9Pn?9@YM?i^)R<{ua;@XYH6x&T-Y-lX-$YDb2&@ed1@jUe5Ts8gz$T6X7>XbJ zCV!friUFsA^vb(-43+44Yz0+BiclCQNCyvbPuD`YbZM4q^73x8u7RaH;gA_X;ydr-mavw=;1E=~;7Qv?T6q*9! 
zODakQp7ZMGvAEJpK_NwV!D@gaA!7x%h;ryByi-LuG*B=Lvd6~ivKRy)h zwc;(jON}9BK4dhZkX226VKC)uL{Vt3*(1&uc^K#nB9KAzS{ZKj5E zLM5F`6U)PM*5zDZCAa3;;yL??Jj#-g6~5F&TWE<31zjD_&k80k1w<=;ZGAH~vN3z2 zptFz$BQgrrQKVXdw~DuQ5y4hLSjjEm$QOz1Ez)}GiyLTNIkE9SHe0mj`1uKRYM^sL3{(1Ph22KKY)oT4 zDxxN$_^e}NCNaSEQn7{QBWilpm_uG=iT=z)IZZC(-YM0adY^55o|zo9I(#%pC6Nd; znw@0IiKdnuc+uaJZnQQMcQUqxZ3NYI9SFoumJeYKLmt|79#~faeU30I-?HmSg+VMn zMWBy(3nzRk-YFikM~&@e3rYjE|4G+(gWqFF{LBEG=vp9=1c%C7Ssf1O*dqxaQ|+eW z2GSnA+${YD%`4{U*5wpT$Yjz-e+}hnrCQVqF}vVr{jQ*Q`}!=LK!<6-9U;VLH;5kc zOG!r_+mrlG&Npy(*Wy+q+eTS}*Z=--(H@-e_j$^IHyb*K-8^SYixka8kEeV$@raAhawa0ywlw=IK3qqU{C z7-OXZp$V@qaVDArKk6%w3VJCRI1-c`@ZF*)F#l%%Hy7_IUZt5kPk zVX(q?R3&)Z;WC`hs!!w1d&ra&pn+V+Q5lk+F}H>8^^aAH{xVwtK}HZl*65)W&lGU* zd!z?*XOivUf`lXYn3R;1r(_ls&CG5z$vP->fXisw*ewrp`yeIqYqi>eO%t$SR)3m# zFg5x)qbNezLyc*GV32ihd7n<8o#d!v9aWiQ9>#serPD#mou{^qFB3ZlnJVSv3I_|v z>4M`RQx+sCN=(~~y`b3qIHgMKhW#5Eanf6UW85g;ZH2!)YO+b5y{BILWk859#mt;7 zhheanek@x7^Iy(7Y9f8gUWVm=eQ|*ktVvDRy~fYtl8;T!(ipyw%I@aX*EwQA_ch)K zJvBU}w(qBG+M49vwoN+i;WqJ0jWfHjkLf#xn!RP$B@1G|c|jcdGQV-od!xG)O86#afY^>C%xS_o~ay^x)APC+nNH#eypYLKQxa z8j|l$XV=LW$S_)Ib41=9{|9}qp?MWtDt+JbbD`idb>nVE_<_T^eg3Zqr5zgX7h=1S z$VaQ)&>ivWw0C{G6zSglRyab*fCt~eG{K&QL$=y!0UFmDETjGTkOzD)zUh9VeNXhrg{mpbPgli<-y}3Y!r%8*K0N^?c(dMJWp~ zImKd{RQz%7e8NRoWrf05vmrRBJ15|Y_bW;|CG601sr8ovFUu|DeYRDG zC{p#h7lLlmbba+VXB5$+M*bZ@KOK`_Ck~+JzSczfC+7R#P+j`D^TXigZElxX literal 0 HcmV?d00001 
diff --git a/test/packages/parallel/system/img/metricbeat_system_dashboard.png b/test/packages/parallel/system/img/metricbeat_system_dashboard.png new file mode 100644 index 0000000000000000000000000000000000000000..2ff6ad8bd0224e21acd6400be49a74739ac2fb85 GIT binary patch literal 575772 zcmeFZWmsHWwl0iQKmmoj6C@BM1a~U9Yp@`NJA~lwZh-*70>K@EyA_h40fM``yWZ;l zPWS0^`}W@ZyT9+h1<$Ir<{VSTcxA2#6(wm*bW(IUI5G)TXOB+f^&HiWg{;J=x_iN)-404w)m?Lu`R-YD`m)Oa&~V$e$pvahMNfS3Ga)Z=rB; zbQ{&SZF_iTnU36M9eZSQA&z=4o!?%GU99cjz>8LFKb)cpc`0Qg;Ag`jGl{{YtN8!% zWuh2%D6u=&pWXJ)=ZsMx5kq#c-UT@S#TTHfzyUc=82<9z*?IsD=-4YZL`LyHZ~cEY z3k+;U{VSdQ`|Ue~2tdw{QG=bbf2q?u0s#dD46WxQf;Yb_eM8!P?p+rH_|D?AvP(+P zy{-n_2yx`we!taF4hsFe^cvUK`uF4^=X_1S)UC?j!Vq3joTA%A;@6$!8JrXau7-86O>Ow8Iv-bweElyg-0YDE zf7en{-s2*+FP@Ajzj8SW0lqlaH~g*CnZ#KwYX5msbYjb8D;0t%jGi(UEZ=l5vct98 z`8wJMo7bZwSCg8)y%T?EZ8JitB}owdHadU!-kh$4<)?~{Gn)O;(aGg$iZ$o5ItBDM z@3(f{Fu6>ul(fZ_qjd~FQBfxAH!8)~V!4Vvimay}pC+SSipGA6=Ws0UND))~?%&ww zr8A6@F+~0tLb~(N&AIEvR11I)y*=MvA7t-<3STb-@h*GgwRv41wT5Nl1WUN8s^VN7 z&WH8&NiBFCx4EwbpmG>@2lK>PluhMGts;sZr)&G*RTkp-!nY@1XA@4(SR%DPK8)>J z@vGk-d}8_Fj8a})EN*Mdy0^Cn%^q?d6`o#2eCCq?D&~jFF!xswDk#UC_KW#ztshNqp=KiSEOP)cwKl5Iv(_FeVSrAgQ^i$ zONjN~0?r0s8{uhkB-7{;M9JOI>7_?yyDsTP{|*_`xT7=wwB8w{nu7UR0B?4Vwtt<3 z1ymjxAW(=@4PQ}KMyC3yJiy^&^rB%#bB1LR*W?&sZ}Ul9NqyXGgkBeS%gB;!UXz=X)su@0Xab$I=Va0p%lf352ZP=m@dZUyXDH$Y`Tke=ZwON`~s)$6eq(bfe;yZ06Fio^b6Tbtt^Z-|X%-=+Gs zQObQ?N zY`TU8=SCylLIA&Y@`cjHB?ZpS!QD&y6XqN&Ow)FOJet17BrzN>@l`qjZLMu#-GDaA zld3svj>z?BW5WMlY`(bG}t>`^g^nVx5fK zTmCje@to5cjUvgSOzqD%(wg>fYMVGYrhda0+}4gwO#jXyv3I<-=V#m%N?%-9u}^al z?0_R_f9h;&yevPQ-29e^n#_e?rI@R#xC)T7G!8%XwSUkh z-ZF=-E>5)qd!{&OrqreL?6!3W;O1OjP~IG|ukJmO)ydrSM~N^+&-MTfWC5QJu)vF348eg zjh1j&vJ2(a_d2~{!xGmm(sTyP5)awRV)>J+&w>Ks$AZI-HN}c^QzGTpZIcT?-hJKt zn>#zzni@}s-!>CCq<(0(bEfl0ymqb2{Jx?ti^Gii$4$=La+T{!NF=@*G@*4rxNvOi zTIG8vG4GCT`+jNu0_-@G?halXooWtB&Yfu!uN|Gjr@gGY+C+5k+H10dIIaS}X^{s? 
z?bJdp7w(-B!bumY);?hMdx}4n!;^YwU#2Du+;6sxckIcZKHPmMr8rS$jhH4KU`ZiwkX?IhN*>B#E;`vcENQ844j=c@=940C|cZP zwZ5(ZukHK9w_oZ2ZTBg;wT$XtlECA*43sMcx|SB#B~pG_&0$hm4Ec$W3I^VxV@jBO z8m0@SH>0J~dQlfDM@Z{7zFvWk`HB4nO#v&yuV&1Fa(p%1*)epqR^pi3l$3S_L>JrF z3OOV2QNc+J9C`$Z%K$%oe1Kpi9Yp=fJox8h$;&sg;j(NTRP4-LRMjtY5Z`i-_s~_( zzI>6Eq!T`qE#Ra;Q$`~!k^Rej=A-G@=1{1B=73q(>#rpH*|IT7YOZ&$SutWlK>L>b zjJa%7ID0R)9-%AJvai)7=0zB?!x&^^HV_7biR^w#dl&JZS(H{m9q@jtfj8H86DaT_ zhs;Rvdx8E8%=ml0XuhDo@6`Tu{GzQR>JBHJYS(ArYfrI(m}wLtcKqlITqoMK0YZ zb0cut$!_c952N4_-*O4)#}obr_B`i_B3cz4qhj{Ad6w}7SI)OC@e;t|0aoUq-`CRl z>)~}@h{@~OWQ^dZtloTJ>J%>rZ({DwZ&Gsz6fCoChsIgkTG42ObH>{rg{)hhm2=wj{xfp&og!2qDNkqb^_4Xtn=afUiWIBk zs7no1E2kEnvpqeJcBH~u`*_0*!2sGj8affw^hMsFH5lA2t}*nv}naQ20IHFZYf?Yeq$)Mn&#{uo|1gRqk5WX2TpRaI8z0gg@g&Xjvc|hDW4l(F%cX1RODP#`t>jNqlU|i6GN-O?30yW zP}udsJ;mysRjMc5ILuHEQ_#qW7og#?SXx|4gw_T%$Lbbbgew6=tuWHFB{oO7%U+$a z4>rr}YMqf8!a%C89O*B63Q`e0rg4Y;<}}$mnCdv}j@#ND-jYu%GW5xpm~#vd)6h5k z>3G*k1pv7a32Y;+2r6q5w-t1g8r^Yi$z?!h|v)-xJ?>|HL_ z(upQukp|+(M~fW7Z0*i+F`%q!B5N!ZJf)6)OY|(D7;!V$+RTBR5J50z+0da!|U+6YbL*UFaPe z^SDahoz9jY;b0-&l2CJcJ-+9^raFc+U$L++YX{Q_Y6_0Gts{ zDawTjIC1fOPNFH21CZkX+00-Zf+%MJM44kmMwX}V4 zHaNZ#WlfJP87UrS#;*%SV#-qq`X%7_i@+g{Jn;{*d$U$26XE2`iL(Uq4a{6`jvTK5 zHbGM7@(#sUL~Dv)*###eaw<$o7>2KlpnQXlOWKj2}Oe+4<8YfDH>DFrF?e{Z_wNWZ?*k2ZyG$r`qs4 z_tT*CUpLhUx$sV?9xfI_KsG&+3oa?5*4F;Ar%_c*Jd;NsXu7==Vs@iOKD4nC;S8|J zipQho+0&ox*O?uvdyk^)gg#tMRod0=-5AgJO0oN*=>&Xw?ZHfW+t$5wznHg&e}7!~ zD*a3234<+(DX5u?o`FHY2dPj3XdK|S);s}r_3fFcdluKUYg0#jKYD9&KmTJ;w)Oz( zU!aCmn6&PZQ`&85{3XoB^5%|j#D@h5@YCrzz!wrO?y-k=;l7VR7()^XwR#!7!`|Q= zpOTnLat&CMk{9LjzE!^XeSvdbikqCsbl!LQ8~cZ|ZTHphW0P`2YB{RopztJcxYr%d zP%D_Sa#tRyP=nT|3lDI<`y%F@7rJJhVrPC0ac(hJ7;*5)+hF3*9d^5S?HE2amwe3( zqy;D}1oI6h3QcbFgR+xHy$8_g)A@_?)ERR!lwBgT+Lt6&a|)Jp5;?L-=!+25IbpIn zOA3vIS;#h$=xPW-VrbG3`3(zPh#ti_WGmNR2kV0gg6<rsbpMku{)`GZ@#)*kU2BeG6%mF0QrI8{&+8tFz~D$>OO5M9#DQ)HZhn~qrq^LhxE zzEmjhEu?@$wC+Ya6;w1Jdm>$<3U8uAx~6`)Mx~3cXmh>yfb^E_R9aStR%pnE8?9a7 
zv~^Mf)+*_aBnA2#79)+u9M)GT#V&){!&qWvFA1H`2SKwLLDZK-+Hb&7wvwcgpB@u% z@zMEY-q$}vwg~@#v>FpeivEzZ?8&2cjksFlk)C|AHJY~RkSkc75v*DmAeR{(F1a5M z5=Qeq8;4hOgTKE-$Vug6Zb3Sg*i>P)sZ}ji0Y41QA8ju*ja%#&ykLiRUFZgf6&MEv zHH#NkMpR?nHtlNDx+cJx!*=iw(Q*~&_V#f&-g>+FDw}CG08J&UB(7B{zBRAyTmb-L?g^e5C&Gu9#)xW^D=2$h|iTi=(k;LYIya~5q!Tews2nBgy^$bYW&QhQ zA@;6Dcvo?@|3sLrS5MzD5b)G@MfT?`|nO=-i3n9^67Ai0JI zOsBT~oR17ppXv4!`oKlAL>7W@T_-rM5S89|E_dHYnz9yjg;O=!#$)a>K^9groL8=p z_*g*#rvQl?1P*PA=}DIy2`p7@s*e1p)5B5Y&7-fY?CIv;485jR*uEDgZFa-5MIx?` z%D0$4Tupk~v%zdaj43rn6jA;kyq(L23Nq-}yu8%ZJeWTcd?5*oci5>@IdJpAS%xuH z?eV`#%p!Mrvq5F?82j)a9=i6h(cD&JSS~pp9v>BJ{KB+Gm6ZlEa?lXKu5N=N3 z{fk%Vd$@TUYnWlgdGTHOK=p7Mc-a?{$!u6sG>656%i+O52_0V^wPaiWF>MBj4ujf| zUpRe_ucHKMhdCGxcT==o!6BHxS}iq?m5aPOM3!luloka!I{hqxbnn$O4nN$})7fW7 z=O8kK_-1~caE5w-N$L|QN?OgAM8Y~apUVH?yXlSY^S8^=g!y;3J+I5igb*MJSwd)O zjs)#8Q`Gh5Y><7P?6>bjRa_{}Fu)*wX0$I;Jco;J-dTT?wsZU+np|{6aD$bA-D`&` zojqXPpN(eWUCk4fT$#kdcol4e{h>)OKw62EplaYOGv|qYg8?;rgzXVhJbFuAq-$a6PXMb}v?&HN(XL9Kq$@6#1ImN?-le z;W3)5;|6b*R$iqq=~WUh1Jy@g~)a&9hahT`5qzLp?{QzVvrQRM%myvoOcQ5*>^S5d+3-|BZOP7M){t7 z=p6|qR$#O#o1*1>O{tv{_pyVv`e~)g!00^)UyzfpNHeuV-0s-{EO zV#54Yb0h`h8heCct?gn&j>~%nU6T&;)jck}j?*lo_xe1`#jXOJeC^kIQ$O{El_%VJ zxd!6nt4{% zt>$1uA2v59Ww=#ZT;$I8CqigYP9IB^_A=PovW*^>m_w{suX83Nx}5B$mhP>j@+t=% z1m7VM2g|yYf_gF(=i@cY+Gtp}!N4#Mb~YsA#{lQLW$NR_%F{sj8A3r4E<|A!>R{qK zEXl`K5Ywn{#P%{@0Hz#l_8;OLlpaPIb<=hw$oE5y07e@-qB>up;)k)AQ z|`w$DnEQ(6|> zZHO$2Ev7HO6-AFmI?tApwCTp=2?9ZNP=6R;H%=$Zhj%c6Fh*qig;)J`|U9Vl3WFwIF zYGq=gr2{%zLzAk3t0mg>TlloyqZHkw22h{y>g` zD&eO5lyh_vgL`OeGcJSSG*eo&H!xE8<-Cx&i!Uy1%1(U64=BATa&4L^l+mUfH`>!w zI*e9PCQr&iLiKxXay*+T+TIJ@JW~rg?_j|+_TOUf*0DbSe1{b`(~NPyGx!~cG#$kV zj)#DdMgw3_Yw1BBDt0v_X5L;^PwZG+fXj{USM(rcl(ZNCu>3g=rIug)PECIVcchyf zR4&03i2YBk@!#dk8+Z(DKQ?<^CS3uF%$cP{#4jPcDotdnsR{nj;jjc#0?2^McDUh3 z+eeR?b!avVo(cFW&Qvol)d5^T|Pj~RM2gcyp>NeuL_ znidIYLaobD42d64Yv8CFTi`Xlc<5Yzn3uAP)#E`NRraeIGJ1z)~R~g&?>wSmOH4&S7)NZh+I6FIoj(|Gu7mp7p 
zwNfZBU3&FT2kVE2hu3)Qj}TRo$@i)X-c5Hkr&}Quuwf+o2ae6=fB-7S!Eu5rgVpVW-1_q~0-RRWfR(T7Hn1Pywj;jbHur-He$R9=^9DM?d_eClcL0%@P zHv)Z+C{=1z(=V-DPkc-2&lNY77C_Ipqkboo>dIeI;&)_FQ6^Sf6vK_3v?#|#7kqkH zVf!Ua8||Lg$}J7U?3BBFi*zr;Ox06O`_?S8m(3%6y6*y^z@mA@^#h4z+ia^#{EWdt$w^M$U>`3MvI@Btb`K-+DJ3$N z$Mv7grfv1u&ZHYTpC27RuD(IKI7ZeN2&~)3UPbokD3tQZUUkRQii81EkqQn8@GT=C zF$D_eNox{KhWnAy5_hC4*7kObuT|q-&-Oj7%U8>5nx{Y|@yHuYzrhdKvoD%JT6`RJ zmk9!JaMj>fz5nn6NW6Z{&qIk!q)3O|DWC`+?E2R8y~yO=3sBaX@=x)!dz2y!bFp+| zt9`n1H%+)09z+RLy0!`s+TL682<>bCuJsU1+XW|N?;%^LVy3#X9H^5*hnAh z9*~eo9;Gpe+!yUankR+s;4Z+5p=J{I&>zB4Vvrs&c7yq9YwGBIKjt5(_St&qGgg@n zX@%9KU!3Wx#h=9d#Gv{`wWPteZ2l@-gI`~jlXP(RDc=nV2}(RbzA4g~H~CwLT*lLH z6!uG4`W-bIWcLAc&Z{-!F6ylbVnw&FaJC!iw1R-AT*qu!oEz-mjZYL>?>yiL^Btrf z=tZ4*5%NcA=CfvQL{s(h^O~cZNN&)v!oxa!+R!) zTIsMrM0g#nM2ep7)nQi7I<3@z{%&MJV1UDVlF4?toxB~$u?=}Lzm1s`MR0zsEdtI)16N}-D#4MuG5XarFMVXmVDxYzbXxbj z*`5}RB5pb9-q$GXfq5ZL4;z-halxY)D=pGOPh6`Bozm-F1_p{jK@)VmU1O6#Gec!T zFa4mLUA^q3DFp2Lp`LJsIAb7+5)VlN3NgdZ3kaA+FsjuVa3M%USi$cj*$v4 z^{-1S6QT;~-imvDTCQrqTXuQ-C3cpR7ha6k(no=DwC~6~w$i~uYP0&IG z(bZ^GIj6npL%qo05!+X1H*ZRcVluvx^jbeff##5!Z8y5pBJUnad_eVXC*UNEecnlxc zQk5p*1vT89-{hx1lU57jh1E$}*_;~KI4#8r z|8`yW3SU*x#0*R{*gZjOm5ejEYjleSReU^wv1&*@($nK?a$T_AAS zZX?|vxC;K&J(I16=IuZe3gZAE{yDWJ1?to=i%n#lp!$C{n*0wXs5z$dnh??`xcgZN zl^97fl(>1g4I1&UZ}_7J3A{LI3nt#OoeM34*cCF^&wZgmN#Xba`itG~yk>Kp00YTH z7Gj`fLMfSiU?5xWhS(oWh<`0i0**CT3POpO*rsUhCwNk_IAFit+%WpfzgAo+2qDJO z{7r4Uxo>$hvNE0s!^`;@-U7w+tx1vhln~2@5o%W>rt%UeYYE=w z1TLD;yE{+LP7e1Iql?3NB4N*q#$P>-UVkyfv2T48g<&%3qf%3{%30 zDRnwXJmxCrGG(NB9T}k66T2Ly10bf)KVvCF?^XY34*W|$NX=XAH4#ONFkt=r-yCP zhW%+Xn$U)*y72kh@Ozu{-b+s#ZS_o21W3lTJ9sd>OSwh(7H<$ zF6J_czV9Ll#F3vFHSaGqDS)a74h($7wvbao3L_5|8LB`+-Kdf*S>jr!zGXibH^(^; z!9dZmcUXmr|FJFqBcyCZM&VtNwWorJfzMTxnst|3U(*nP29I}HIrn69yd%`e5Ozu#I3eEg!L>q|0b&otqoNQ3sEVf zsCO*EZRxFBfa>=+CjP*14CX?S>bK7NdI}vUoM%e0;**cy!=Zd~Wvs98mxZV&P#NsP?YXB=#)K5Tn4+DC zLx($IJ11H%dWQB!()<_bNMUSU(w`YmCen3hj$eAAO**bQG@6|8cx&9kOJ#W=x+#ow 
zOPlGPT94riovgw?c$TqLUSEI2@zDOW1r2qV#R-+7i}oLOHZ+Tc_SB`Tp0~D%1!%~`;Rtd9Oc2qPjh%Fvcou% z4x31f{UsKr#>$Npea3NJ+L>g@`m=l%Kou^g&K#)zlarkX_Z;C~k6}?Gl9G9o zFZF>wFyH*@{aKN_n_yqkrS!xeGb}?!oWx*y9@QwTtP%xQ&9|I<8&u!33^#_E;oP5Y zx1Da!%uFpTa?8pTfSg4dFNe~&73BC(!8GcvX1{Y)ne)rLI zCk@oIo_Z6&Uf^Ae*Rt_L$-|1J9=gQ%Sb9pGj4HYQY9d1DfmUuggDw<_?cjaf$``Fy z9F)E|(#si$kForX4yzqQQtCWM-N__wx{I@$sa)PDuE+>XypJ7tJSoDUYEm9F%w zt0B)-(Z<|`4v~pY%j)y2>%xts(kX~04D1aL2dgf8bxy#oyV1^pCX(r)5`^LL43R`i7Qzx3r%moG)K5>n>3l^VoV^`ADIIhBtxc8~KNOlkZZ%ki zZ_%d!=f2ED+|_RLGxHz2EQP{T0>7Oyo)dPtziT1D27U^pc~#jnr;NSwj_%T(>ot&N zXd27?u&2!(avI=l7^l-0CJ)P{?yx*{w0NV-sx1W$&5(I+^HXNy} z+SS6l$P`Pd0&x{N^x>0y%KF;J0V`VB%IxQ8q89QnR+c}tenvI2yd(UXe4oB$omR+^63QSpyKK$I zEn}z~?W_*2;(5C>=kU4%r6*s2IJgOI`;|zV5y;iSiHf+QaaKRE{^)0HDDl>CdRWVG zJK65;E}!S5nml1Fw{bVp-;ABTy}dK_!zFA!LF{qqxDfXi?Wjh@`oy6$Q4Hmf;*7Kk zkSVMXB+!UpZzuEns1t5%%*^A{NTh0l`t1}ddU~_*_Tj7t@#eQS@|iC;;W^@j)84I> z${M`^l?bw7ngm)5Py}y}{&ao5Vro16DSlkZCKSu@& zlahtR5{jARjtzIMqr|-k7AGIQhsN@!Hl7%|dz!E%j{t(z4t^RvRvkg%HXf~oww9Z) zq~8glDDRve4~3oH?0sF|*~Mpq=F=pbOoa7@lM3R;5RJeEg?8gfW$>xR2ACWZW_J9{ z@(*ix($fEgbOxg)!^N3D2E~t7R}=o!%4D&B;O-Ru--@7rugIHo{E4;rg1^{>5|gUN zC&UdnJlTi@Ft7LLuAIVUx8q0b4_0?w43#4~y6)mHgz{WfL#nVivmd}0!zgJ}4-!W| z$HET>-5`fWPE3!R+Hl*|KI?_4E>o}lCz-!(j@}y`uUVyXRI$ITcj!+wu~#7jj-|Si zy+%^R*xY0xAL-bv6NurRIuP$}I2(1)lz=$|xz-CHTb9%|yGn1MQnadAfy6)EavZKC zof)G-&y>eR?*l!?3IiV!xX&q9KWuF0&{#5X1(1i0 ze+dkFuq^4EOTk_VDNUxbi@Ik<|K1)rodn7g<-Gj(<$9=laWIP~D=S+bOUKGw4YPN8!yqK6et#!-5XPpLSc5Vy zB8MOB={t?)s&59+f-C1HbIuQ7`~OFUq12GH2gXf)lHS0FuaqOb{c$WOd1F6}*0mm9 zjw$NfuariUq#Ck>U_v#~fpvUNQreL#xKAP;JfRWGlh^)ZIMiK@SXBM!hlIK!3LzJC z?vOkUQ(khNIKixQLX1_5V0#2AXwFt<|Bzs0$XOzDkq#%0M+arpEtO*L6t-X3Np&(7 zw%Rq)%H%Hp8JXIAe}b0I*m`$_?v63^ot_0Xqa*5*ITq&wVoUEPWpKaj5Qzvf&R5;7 zhs}Zn_azfl5nu8{!8)hj{1?O-LdmlePp!%a?&Nq}1(C5lr822;4g?TlPpJ$yg&#O? 
zF%x^RP;$JwZOg{9I5z6FQUFBR?>i zSL|efI@%K5nWNF5OpN2ktljA3_U9OFX=}8mM{%Nh8XpHbDxB;_gjTZm?7LFkZrk&v zl}U*$OW}7k;jLPruHK!6ZERN<4Vut|w^;B23te-M^(?Ah*uPwp>N$PL4eoB;RBiSV zJYw6A%JoYP^?w>>T6|Joc<+j=2R)Hi=Cu9AG4Y)~Y;}flCtWiv7iPH~)7x{!;ZO~! z!^t(eX-4u{z9F5@%8LBbGeT|OOVb+T%h%{m8`ze_LB1T*K6}Y$xfiI~LL_W3LF3m& z7k*NG!+r28`+3Bm$dC)u0Oo90FZ4Igbv$Z2Bv!ZA`39alA|0vt5)I)j8bd`T5{fpW zQq~}_Txn<_kxtCT8M_wxp6rL-GxQ^sXy=s+q){zsd_4sR#D^|7xe~M4>kh_JPYooM z#3)#+U%Vw&pCYoDE^20e!rA_`aWnlNTPUBG2I!j22ru?UqR0wls| z#5+i-`t_2}ls0h#GNVTG@)NYX1YsZG~i;Aj4&lE=&i z$=uB*J})=$33j6!{Z@=CqUW`^)e_Cn zYoNpg2AFeVN#s>_1~w;f#XONu9_n*b81i% zAebqAH?Eu$9Rn5WAgu-mEZ(vcB{y&g=P3br`ss-UGD|F2nXA6igUTih`P)T`FHa80DM{Xt_GWW^02dK&+(S2vGmq}~ z`T{5HG=vS)q6JRimxf|g`2wtS4 zc~u3Fvvv>4;e#rY#pXgB&deWBWcWj7ahiF0^GVT?GgJH{Y)l)PmWq2v( zmXDT<`qUpGGq#Hq2shRfGD2m`(P`U^x|oIiDT0K?cM{m%zMhCE=$XWX-6a^}di}Tj zQ$Xw>h!>|ptD$xj^38Qgf;Nt2TSjnV7eW(W(0fKkwu6`uVxg+m7>{L@aPcE3H4>o$ z1*g#sxyVz^sr@V(@UH061umND?ooS)(z1y##*4^!$l4X+xTfZe_b1coq=VT}5}oO7 zL?&8Z$Z~I(cAjW-U4cCucfR|28#;Z)Bm0YVH<0;2m$K)QCE=GXe2d}hkdDF|i` zMiOJf?!Iz0tr`6q&>#2c_wP10yB#`E)20@p%JOfEQu*L_aolQ~QAa-?_szMD8U?`< z^O}Otw}gY|@7~Zj4Bu;e^t&gOu;)t4y*MKR1cW;1g%R6UIGdDmNJ(a)m|Pj6cwR%l z1^E0@@gmtqctwLUc_bA#JpyL{b`)lQ2sNOiz~n?iLZas6#QD4YmD2IhOKwWcWe!|h zUtc{sVq<%eGqG!LDKbUorV~!%z4=u|-*?=*Yy^c^0kQn&V#w#F7WUF^``o z91dLo463cKh6tXfF+<~F2nw66=U0j^mU2Eq;|XV$#v`WuVEsyAFebP4Cy8C345~9?=aMp{c3dYx(58L027WO^#BYnbsVAdqQ--sF+3R3 z{vlo6!V0Tcg|pw(x{xzN{b8+jnNhhV9^~BoOfds7P=b(&lst&-sToF%rUh5KpvZwh1wf&?byHZLc7if)z{-%WyfYz?3fdOxr{PymU5S`8A6IrB+^g% z+qU&GyA}%AsKDKFZpsnNAp28B`hf#EuiIsJ<8Kw-f;alO8oZV~X=;|0K*%B4wJ~An z+Fdt1gfXbG@N4IgpeMhG&%V#6vW}YtS|~N;d1R|lAcsC)eWkCVfs(`#6vRh~%vGM^ z$>AcalCyHETE1mO@hM(_MVnx6QwexDVhE6{orn;3Z@1nv74rMKkiQ1Y;56)vG%k>$ z{$Jc&#w{`-%&Z>(T)iA`{RSU;vCuxd`~IXJn$xt<(d`cSzPkUIdfkV%5`Z?4=86h5 ze8TftZVCP7RY~(8Cdy9?X%PzJOM;nln4_K0Bjm5e`MHs7z{=D?_@4F> zx$l=ZI6mIFSQLy~r?a7P4$anL>h$WKcfr`AY|CD*lf7;4`^fr{0>6cEvc0}B7-Q(* 
zI@Gl=8oKs$X6Ih2pLWRQHyc1ym@2@OA-+`7&*|r!d8?7-;YDNsBnuC$tKsBbFSL?oQ8n~yqW$w?1fr8n?1h4BR2G=#s8d(Q31w}&cB z6&{9ptg<_cweMG$@fVwvfSfDo*DH9~f8f{Fmq>R{qv5B?9$>I?R3 z&gh($oa0NFPC@+wzxrB3_C1y@;&QfrTW!(F!sF=Ob8zO-&V21!_M-~zJ^q<4%7@Xy zTVRy;F!x}7?76^uKDt#M>?n^U(zoyeq{t)M%f*^0{#2_Ea@2l|=D3AHHEv-V` z^)sL$AbD`)s7P<>d(WbvJ{pHDZ7ZFS$LV+~H_`4;Ca0tHniEoj=+O7i{>vShFozGk zYR_GdV=)SW#XY23*li$_a^tj@PS1@@rJmETR4ibIQ$l+jen#+^MuB)ddhK8lAnN2wJIEa6-Z=w`*OovxqsCFQ7GwK0Vfb2zm&mi0EVUmFd0 z5$Wn6VRrgXul9uHT2PqWq5Z=P zFq#FC4qaP=aIQGsA2#H2iKD<2kH6^>5jq}Q6K*d4;>3++GT+*Gvnl|bGvpIS!Q#bL zx+%SPI=K(n%pZ+>Yir`V;Fv;`fD$TQMsJ?|ytb`9mrg~bwBzi!^2r2Z*PSvla}Qmw zGJ;K*vTIr0C#rMou9~Yo8XT6V++#<6e6V}(C_x_hXTs77>MNDFwL?h&J6Gx`ByySB zv=>bt4-j&M4lU>NZx|lE693g2hU418=(ver-%*WSGolNZte|0hxM34}UHu(5MG+(c z9E9;$F-%Km3B*_+D!CU1`wn8eRi^`yxSqt5x$c9E$=knBrQb=?Wh>)d*^Tx;YMoQ@ z+A_)EF~|+RCMS#D-@*dDN)B~=^BkW1o?^u0zE630oBwD^gzuu989GJ0eIR*K z6{co*?m!OqdAI?Lm^j7XO+)L#;LJc^mZ8B~3~%KYOd!gWn0j;jpvy|8cB+io_i+Ec z@i}>>IMuOa=E1?3Bq5q+m}$q4=!{`1w}0QzME<}Oij2OhsosG;m)&Q%~z# z4GoGkdy}4hlcc`A1c3Kop$SjW^`LR}U7LwnaJa%E5eeLersza&xViRMY~X{Ti_jCV@MnLg-~}>uPSs-)BV7WtFHQnmW5GZ zJ%+#z$4tf8zyOXzE&=q_<-fw?Fh+;ZH1o6c}^L3HtKSCUPYssp8hLwiy2vc9% z0_quqd-kP52~xuNg5Sd>F9>4UAtafVih7N*i+lkY-*``{jTxh zP?Q*Axg4(d@0{EJiInS%1FuLEKpIKlQC91X!&m!H*H(4@;5!fh(j9*rWZyS5p`U-L zSJ8S#+FX)H*RS?0$_)K<-qSw#>zx-1pbF@WV}ODP-M1B6GBB69VNQU);&pyJ2+UDU zEbx)(?qYX+GIb&R&o-d{5+zT-_&XIeC^_a|Gcp#~tgzp*w=W%OExIFGNC1i04T8Ij zI^$`;V>K3|_TD@hq{NX!(%Rh^J98x&tEn#Fs-P-)ZiuZzi1eM zNB@Wc5A#R#nyt|PpXR~8jO%}28ifa3|My@2)B5r64_TD(rwO%pBH=^(i-CYcCWfpC z|067a`XaFgkWqM!o<54wpQfUJ%G0oK)L{R$g#df~*sH&NqlPdgAo0(-`p=-Rpi)7K z6f*luW&VsO{6{xCpZzz+ zKBE5@>%q|@+!)&Vq9|IKcZ-~3SsOX@Gr zhikf(aS+&3KZ)4LazCN{oQu_0Z~c1>%*|t#ME;leyf*YkR;Wta6?tFG368SVPGh`g zD;4Zq$XZ8`^bIxJfq`?U_|8vIyLFr2usSpoWk(@=)!U4j6a}esS#Q^o^0S~T?d~3vB_+k8b$Wf4%`=qr^wdxk zJh}Uf@FFkFLKt<9O;h;|MLF)eCkh*7VP$C{ z<4*_v|GQz#1tAlQGn#mYs#)|!6jv)u4QzoK3d!pB*cODliFT=cLxZeFBj)dg69Y@; z?vyg$_k)1~4-A)}daSG7O~X?1k(@Is!IR0~a0gMO|Hs&3TSs`K4I#k%6%)P 
zE(4GIM4fpN;q7<>zPIYcl$iY!Pg#71+QE-*|BJl03ahhOwuNzbC)fmnySuwv0t9ym z1P$)aBzSOl0>Oj3P2458ySwW@za`JJ_g-hMo&VgPyIiCvZ+BOZsv4uZdNt;thXkH! zQ7Gv*9D2tU%kje_1u5ZH&~g81TbzCq)1Ueo1z3I(6IK^vtA$TpIC?;24RZJ3N_VV? zn#)*bMlLo#yeuS*rUD`f83`2dO?IfYXM4!&u2oP8Li6v z9xLy`kVtON;^qCbSvrg7Op}LB)$Xy{1;;4i!x=9iXf(hcHKp>iq-3#xYlc?jDqT$; zMf=53l0j5N?Y{Sx_Z`rN>mS!H?w@+pCvrAaF}+2sKpgo`rsofyjP@`^u&|qF9MTOB z88>nW!-|n2Q`kh$UK{0?XRO}Oyw5NAzDY`Bi4-2XxUcR_G+894(fb3U32oK*d-**V zUT;~u7(Lha3b|vI{p(!~MtPTbpfMz=9vK0)*G}BB_AR_);TsYRT1FQ(yhJ_$*4KHz zUe!L1_J+;74sVPgFNH9@%M0TVN9mxqx4DCe;-@hLGB>JIqDSltOVd`N##+fAr{brI ze})Ma82iq^4bL&MUXN>_$E+Zkh8vu*2jT`f%)7tp{j^^j&N;lET(*PxaZHM*^VW#) z9jq5Vpa|;+`ucI@crHkscT;V*Khq6Suf!xg!9laGZ$-h%-lBrqWx{GN^o|Ot757Yd zuMy#JRs)A4$f|^dE*d*`%yS{inpwaGlXa^FxZ8muFr~oo`hnHxiKS8|6lu9DWt_(Y zaUnRi*?Gm`kM3sVy`$oAfu3v90CyzQG1JQZ8U98?w1M{*<@0jbAD-8B_5d&i^x=h$ zum}DYzl8$a(m#Z0rY(D!wgJk*BwZO7of--odBIsX<2Vomo3Bzyv8-%!XU|A=AI;3;EZ z*Hq%hXFrvk4c3{;Y!D51at95XAPsoR;t;n&i~Oo=doL`iK5~a3hkI|z>%P+Sb}2|d z`_HIR)zCucI@`R-DzYD=pO?k4?m3H(n^C7*f*RK-l>i z!BC^^!_s=?U9R0;O0VCc(M6kH{ri&5am8fMTN=EB-2kCkD3rUyv6p5Vp zWy9??M99z(L}}_B`!e4~LcS;bhi)=}853-bUA4}jP;@s+HU{(}Kja!Aecc$r6Js;n zGnvmHqaI*>?T&YA7}KZR9*m@}SOLZKRyUw?p}QrLR09YEd1Ii*m3kjKeEnq$S(snd zVRst(V-pObhdM>ANZYVm)|{_1sCWS(*pa+-$Hpjq9^38p_>NivtKsBsFK?D-t6O;$ zm%{#jNI+xEU{P#!Q}0?x-MH&qPCe`v1aooxkpxnupNWf_iz~G{ObWBDwG0)7r}YFv z5zL_r9>*y&X#l6nA^@ww%dJvM5r2YO;IDxyBhBB_4XKX9NjF{70S2?-t?`Z0V7YUB+G?YpWN-aUEAS=Ydu}e_1B-WXU(4o2&W8Fy$LRFVcRUgA zSMpFF2e{6{`)jvpj1|>TSijP~;ls(tu)Nc1#QVLarSr%;E_c&KKbL(vd4(^0&qBT~ zFMh_oOnLLLhJR{95fVB5Vkn#JGsnoNOyxkoQ}dQGLJq=Rd|A>VDQE{aw-d4~yx)(;2naJ2D{7#Y%(Q5VT+I>0t58=fD6X{wWBdD?B zS7JxcKG5L+OX>kZjb5CIoIDVJca0nKE44n2kAdnV?sqNQW87$AWRv~G*$coQP74yr zoqhtmRhz-q(xK7H%z;GgPW7IP?aB?N7!p4um;Zb8{;%=pKhu))c#Qqu06529Oz6Nk z$ETBzgky8YjQsPzG{N)N zN)u_3CjQ|m6AfTSVg=?#82xdWF8cqrk?lKT^n6dC<8?bF&hol?K~pKW`(Zb;aGPb& z-^Ap1>8xQV^Jj4)PEMy3xu57#-_*HVw%KRomS5xRfjQBr|o7r4t`nbym4`kBJps1p{x zn~c%XAAhONUq7-8%K!#7@iptL>_43>w%0|Z!Kn7e){urT|A)KL 
z*a%Aia&TNDtN&96bx!sde!QjVjw1gl66!5OwUL6V-kX10!DSg-qkCCec@o;;YuHf{ z5`ww=V{}}nz}UY5gkJe5p_uTlZ3>e8;j(~H)sqQmJeZVcS9jjTvvxM?d#DV?3rsS% zqCZ4tJx-`LJkZ1nL$leVeRE4`Em;tOC#XO3PazaPN;KwghIBC5%Q(2UkpD8Sf)Rw+ z-_DP)HHhc_bSI-d@30?sd#2X%d9GNJ+e;tQ#byuG`HicliBZu<%fN<|pgLz|k z(w!B*A)7|LFiP3DI2u^#hPx>_kD5Y&I~CEtllvcxa@`x@dF}0m?Dlve2+aS={dnqS z@eS|=>)IDHcr&CW!Bm1+5|5=Fw!>$sk4L%acMYUxGn17LyO$diVf)SQ(a}6->1&-{ zb>V^pe_#3aR>Xwl}wwk2~_Tv&m7UU(5nUp zqFw@w5EjCh0+F>Z<=bo$>5lmIgg1>|zgD+=n(K@e2-)X+5aQ5Xhrh-k(d3IFNC1 zWv9>X_8;_%0Aw1YYVGqqkvGDRA3v&7`aUhKZ620Zo|**doX`He;l*&}VAn{L``+iH zeK}{M4b>00N{&z5`fb$nbJVJl8c}7HJ1=5y-~DR!0ku^t9TfBr{9#Vv{IveJi)4b!uvwbFL7?tlwh4z88x3A^m?%rG@^PT;w10ca~ zM?gZK)cXNz%Y=7-e^l1Te^UMQSh8{P9}Y~XoT#GRUwxs#f|>vIr@KG`h^-czIDNv< z5S3+0ris!wC+t^kJ!AmJ=NKVImdMhD5UKRrtywP)R>$IdwS~ahKIx3l0WW8Rvug`& zlX_av*pH^7ek?l;ZaYFXJ@ymSqu>IbCjmPK=9#HL4H}|C#jzLfHlxq>VGUbnN5?FG z_X+{o#hsJ+GKGL%u-3v3?3(tPpGzf}0fc`3>KArY`w@*%=3?^@YQJwa!cd8nf~R4J z!K{Lz8wgrJcof7Zdz-gwLs>a5N!e*bUPyei^rB>nPHWfmMVg3LIuUyiP1{w(?>yzz2#8U@fJ(`fY-%@qKE<15U zFezTCLu5I__IsvdSwk3kyZPXKv6p;a@p5~ML)s4^_qAY)!v;CMk&5nTlv~lU)aZsDc+vGbVa=&Yi=W){-N2?Q0;%~B@ z-xIQ-UCigJE+j@BeH@qC&^JPJ`Afg5=HM%HE<~FC5DqRVj%XbT`$3Yv^lzQ70z;tp zKWhPS?hz4-AyNLi$V=*dE_S@yM&!2YK~vFu_>8aP3T!5^1!|;tHaDV z#vaD`$4|ER7v#%NSFgNvHk7l+SKaw4BhvG3EwK-MzA0svkA$abH>`cZUJM;IZ@^+m zCSHn{3SpQl?6#_+a{{=B`mNwkD+f*^-tHCGx-A*uVy~#gLuc2g^|r$5KoL6;MstVR z_6jA%{uPlk3;u292uJw8=ft9G2tbHX@U=SmF66ELn0{~*{PXi3^t;hPP8oCR&@mvB z^cU@yB+gV}YiB{~{-{0(KfaHmQm@uuDo9PD;1b`geyt~Sgl@5TJe4mHrF95=gL@+< zz{-=5TDATnCYUq=#0CyqCI^NMX+ti9Yc}^;?(=e)BkHLtz`rMs25tys~@Z zON;UK7qJsU7#>GSc^ejB?exYWn#EneJ}=RBwk&u_lSRoVOcr?C7`jZWML>egDX4AB+ti9Sw$_oURxPkeH7^= zCbdIHI`FpY!^q-?b==c0X0vCv1~976Fj{YZfInu<|Door6XHzzc+d;>Y!0pSna0A@ z|A3*ju^s_cgeY2O`a5Qk4QT9G>)de*Y^gkhLbQ&PpDfq+{zGiGE}sK#UsVe3W@2qk zFC9(1!13N3bHiVkwEH-P>|*n011rS?B+9}Q{pxMBjK!h0_xBfy)vHHX_B}oH6zi&v zU$AOylA$qdsP+qEdgG8j8{WCz|!uzkRs_8v+gv z&iZ_{X$p@$X)D)9xW{H&6q9qw`42&vXLuW1hh&B2@aQozi@$IZ 
zA|1id(Dr@b%}A0eSE4xrBv`Lz)7jMR6*kW65WKBAU==KYa=u&`c_KwhZICY`c%6FT zqh3GR=-Ei7TZKEx>d9(gu~O&@w+^}dAbjGkC|0Mbv|}vWh`F>ks{7e4W%$Zx*Q+_$ z?47XLwQv`cxB>1E9Ic%itqVt-r zM$9i;l}c!mzuHdD&!pW<89!-74pMN0R9Hm9` zvMVs5>pp?Y^eghJb{#1--F@JvAg^4?bBw?5Y5)xQd+ggE;KIYh!AX!Fi%*A_FB^DY zm*r<7M0>sLO|CXH8eOgVPopot=QH*cnGD)8Y1dW|IEe=FEVeWBBz2n*#|@Fdm@Kx{ zIIO7p(GeI$Py;uP+$1%jIh+j)5x{)3e^zK?&kle=mH$d4mu!iBMDEoLqt?5BXsdJSzh=%&1{ogb1Fd+~?Xr zDCpc8&W+$tgGuWX!YzPM0f7FVt@=;aoo@*cXqb%-4XgXx6Q0{j&&C2^s-p09BJjGz|VwHJn0Ewcb% zWboZ!5ASt8{;B7^<_`0; zz@}@K!`pcv)R;U5-}!Cd2r1$1GSR>6AGblFl!Pc? z=!-~p)Cb_O{pCFSsPETHcE@LCQYBr@XTbZhM+lRHDiIjCCrVK~D5?Gom|&0QskpthsV4G&~= z*YfNZqJ7Qo zCk#k}2>6@k`i1@QpLDMqnb}cZo&!v?@r|##bRs+Uv>Np*p&9>jx_IsQ=F~GH-x;~? zP1fZ0DP@fOJ7BZ7+XL^?P~30l+}4W+>{Q)QcgItK07Jh{ZQx!#Y2W&Q`?7!|uh9c$ zUr-bQ8z0S#;HFY!E@K z%vM9q)`orydS%-K8(5!ACD0kFGFu62!cL?7Om2e-^WcT^yF zwY*(v)Nw{uOD>$ zG2Ix3)%NtvAyd8XVgAXl*AR_c?1z~SM#p3X04_4?o1t=aXZSCQ=fZoU>j>G-cp)T{ zSU+gD$4rAy8O0WQ!hZ|6YS!y@?L=d7oN{|&2V`MbV*}7p{+9PWgJ2{vdcgNx8R~Rk zXr*Oj467KxBqYss|LPjBgBa&?@t4ZtY7I6Ur-GZPZ_jn}dZ>IY0SUo5SS%GQ(Qrq2 zB0aWuBYmizew<`e|HJ&i7zk zU{w+KDwHCBNyXx4qEU-%nc=3Bsc^R>;r5%ZsQs7_KMz##!=Yk?|`+HlJ;o}+GUt;AbZ=ZkdJ-j*<4EJKmx^7ZFh zLhmWa@B+mS8<#Z^Bm2dph;W)%-b#BjW-cLfka-aFeZd5=;;O6?BBn&TQ$8^fV`0{9 z?r=eHSdMoOVAz-1C%lt|0<$pqUr;u}{~a_2yom;I+01sDefN98HK(d*+D$Xin$Lcs zSQRcY(^HM9Ftbt}rif_h@IB*tKHJb3!V3U4x5D;A*~bMEEJpJ`kD)bstLQ3=KM^%H zM7-E8q4m==v23*I$WrAqotzAvJsYRIff!NtT`);w|4uhexIr2EK2Qli?o%GXbai#P z-*1FHotkA5r;4GFPU=oruq$9+`@UXEw%^{!jYYVR3&N##Byivkuplq$j8t_ZgOgSA zWISx0(M|2eJ0&Yy$kw*jjeP7vlCiZ?a1x2fVtDUz(^^znWoCwOBFN_L#HK)Vg zaM4UU9AlfEmGsqVOglDwFUk2K^E!BJ{}Xgsx5Q?2{9&Y(9E!D}vp8YtzE`ND8;8yZ z=06HW0e&I@_4&FN%d_?lM>DAel^w)INjl!@jksiUk4x~}&rkaNmH#M%nfUP+In7*o z0L~MczROdgL@Rc-3iz(BP`(u0ah!T$r{8|mRgi`d>AAlbaCq`Ve~>f8CsO%O1m3=O z4rcatN5I|B^s;o1H%64{Q`x?hT*aQwRf)fk+phrAqsMc?qHbXBa6+H&^pB}u(aOJAcP%~-)_)IZ|HE}PGk`JhbjVTUk4JcZ1RuY)p}~I= zGynSvOz8h5IA}%xanl{ziPFFJ^rJHApEfQM4LC)*_Qa5oj1}4KCuIFRj|)UZPFnn^ 
zsT;Gh_Ug~&RjRr&F||_PynMF&E49s2@c+jzBU4V4ilKaJh)IMZ;P*5?DFt#zT)0kH+H zTVr%lsn{n~$fH_gKq4)Q!u6M-L_fJC2aBPsByRcskK^?34nshM!e1&yptJD&%fzU< zE8NA;3i~c-d*5#>eeteZV}Q_zQpzf>Km9diroSfK?}W7(C<%~w;h>wf!45!q{0KYi zSGw~aZFZJ2bmu*@GuisXzjKlQ6aMf+{$kL7*^xy&IKq`J=!Qg+JeA@9K37C~Jn}B^ zd#lNX#bmG*L;1%hW!xS_gL^_c%S1gne_XGfMED9M)q-<%QL$4A$W9S`X($%l2^lD@ zd<^G$-n2TE;?k^r@gK^+0TK`*uJm^GX#StJHsFfdNZ2;`qL%O+RjNREX4GSp*QXWE zB6xks;PFE1S=f2;i?qKmme%9#wbLl8<~w6Je!(ouxy9*vXH&l`#}Dt)1sdVo&eozd z#oH{~AwBoKe5aeIgCpFsi>6s;Q!%l8si1ryV;<8UIO(H)K;Babs>fV$ly7<%9u7aP zI6w0qLIfLnP=U72;^un2?pRKfT=?6aSD)LDku$S1b)Bifs~!pj_z~d0m)ip$3GyN9 zqr$hW0y1Dm!o`%|_+Ud~ylM?A@a~2I`7gZrL?rP1oQGgyRoZnL_%iVDh@!0B%1V3B z{yvf*ayz(M1l)&FLy7Rx)jOiqlsW?fgRPT{kf+yVYT%r7r6%j-8TvBo4MA$sG&Y`i zp+>@^wSjP9vbuPXscX~f&ak1#UZKiN1{vHPB@ltnSH`2xA51qhDIcdvVdw{vVjrv>A8m#~w?52+1=YCB?9`mReV zZqL?FcpiLVs^u4-s~`|HsEwzpUNe7wv}5YL)bTSbT#E$MZq~HkRqMLpW+_G=m>G`u zA=Q#fDcixmYlV!L5-wowB#XBrh)BtGqAOZ;Po;P5W@$i!#~YU%3Gv?c+A?W&kNnlK zx3OrNYvuE}n{6j@y2<5cd37a1?eZh>|4>`D&ZugT62)XV3*ZEFZuD4W*v(SYCf!x0 z%_s~5u!EJKqY+=8R?aRR(gP_QA_8EV3VVU4j;tzs%~^MacB^MaPG*(MQ2F)+obAOD zQXXP>NJHty+(&Wsyl4!j@l{%z^qr5ALd>(48n{9RzhI9dN{{=dcBe;yDu(`unNeZ8 zTl2r1D2GNx18J7re2H3Wr7X7;_TY~!4ELWqm-CWgJc&Vo#as(hE7nY@X9luQ(1gTG zv`_@!$eIzwnuk59kb`(%L(om`A&Igc5DxGFpJf49k9AudrpN{y51oySu$V%PYN*-v zGNEcQ8H97!>$EFNH=xxMgr&*%C#|gXFl@pnv_GvnZ8rJyLrsrf=3LG?g;tN?w*|p{ zuCn(4p-dOmRtAQFwX%0&D2W~(KzevI#;gri<9T4KrK`~caFVvAgXh#7^;gzfL@|BU{@UK>Hy(fKI9emK;w;hkBF=U7DSHjf#{x;im{}Zp* z*VJ+ln=Y^mp$UXVQ$3A-xEno5UlvkPB1~z>|aTj$f%P zdX>XcuJo%4VM<7zvyLY-*|aExT$?%RnvE3b)G77H;fNZXealHRE0cMC)!WQaB-lB% z!?&HTmESH=AIdPz2P&29*<6@4yjyY;;7X)07k_unfK~*9y%pM)L_WL?${g-3mF zhWQ}JHj4EV^K`9NMuRe6r37ABy>zF{J@9rGdX<0Q*4@-|#~Et(EbYVVE(60DBM%=oSknDnm)N^c8wK=WzYP=7D%X#ihLyJM{j|2Pj# za+?3#bTD&gg^~RPOHQkODsu?h{t-iCq9@|mlKGU}+FTDQr{=l6BC^UIK6lH+UG|7_ zV9DGY@WTQ?-8ow4wnO^Ur>&e66%~pHga7QdVy$PE%wh8b@;ZK`7&K?;q?Z%A&F%X4 zTry{21E(;xnDP_h@+el1mW95Ow^x}@EsqUN^k7E3}cA||D;p>_yhv^d&i_w6KChi(ZU50haK600li>@38d_uj& 
zcaswnP}r@k11nrPq`9b4(Pz?O2sc_SHO9OE+7Sjnh7Om@1t)E{rvz9v&JJ+h~a<^mNW zr84=e$r^B|j<(eFb*K`}5x68JSS~je!mI-)wWBP8J2B{f_~BO;ZApLlJ#cU?(bI$J zYhFAIKrlB=&)lWR*slL zhD1O|?@!DP@TUeEe-=aBWGR*Y7)6MHAX8h^RzKKUNV`A~lXhvHanpvf0oQ*ei~pk* z9|4s|^h{g2XE}I_i_1wDbaR9{Ve^h*Y9~TPT&nrGXsfuaB*v;nk-s0!$Dxa@O<_3M9dTtco^IMx8&TRk z%9|k}myCfKh9}_YHWreT7GKo#=oD%~<;q7d&U(n)jfthYLgW)p&2HM85C@R7A>GZx zRv-NW*9UtoQmHmF$ULPVQMCBx#NHB^B;^L#RT|-O7}r*4TYUgpqsI`F~rdkNWcO=~50>YiuUj^DJs&`MXCVu)BUs7=+MkGXKm-QG^EMkR) zy=L*>GFh8?oOqRXno?rvf7uRHqJcBNlSO~#D3;5hr7m|1uiKq=hy*R39<4*<+wquN zLY(pB)trXtjoqTH*iZ!}KinU}KF^KUnfX43Pb*jzf*N*V+`j$>$lx9>f0fMY%^jDE z_eJ}(N&9sL5h(k7Q_v);emqT&Wt(-RxS(avV(v}Dgv;WjhK~ozHuN;~=`ZjuL!>+`e6wx=b>~J|~V*B4B)z1fQ?myQ=KS<9} zUdFqcv+J##!hdmpq%6220)AClLz$lQip{ucJ87K|OY=@1A{-z@8mb^d@xBz&lnuk+ zNU)9#wxwt}{yo}wTZ|qp=*BRVblT}dDZRP;;$-dCu(z)jl2V8(+vtOp)IW$_oapfY zq_^)W1$zq)b>a?^mbs3Ad()qlr4hSmQ58ij|uSHHMwsA1Cs#t`-M5F6cXH;%J>jy^H#KXE-fq2>b5#MDkp>{`_>( z_!U@UEA}bjyRihK)i1;HHDHFN>pEm%$ItjVCr>}E7sG?F(M0WbPm!#t>lm%G=$?$~ zJmNm|0o^Ce)6(C!P$$7HyFOGvNK=#Q8`6O-%x7covD@RN2022B+XmxrJXO<+Z{Di+ z>!Y#+)NA9|Z}ZVrnNCG`H|E2qxiBXv=kU>WR#`q|-jDbC1U#aO{@)bImoWW4j0poe zyw49Ri%c>i6cK-Wxlwq?WX^QpMNe)GDhCp7+x+a0GpEx>Fj4If6eX7XO-?^29Mlz_ z*MM2yAG~R}5+S#dCZ{I=3r=c&FLR@nz<-vSTy%@oX6WND+?KU84Pl2H8+agvO{;I^ zI8%O~aw`umcsXW8&F%NMWX|<<9rzw zR)}pith#JFkjp+^Z;|viY$6gUs&67L)laU*SX(2bm@GcHdkHl1e&&|EC+W@jp`eDx zg=IeEmfonz1yCZ@di{NI*Aek_L*uv3vx`wH%<}51YB2hQaV3sRQ9%^c8n>p9DpPh> z7bL9qa5oC%-;8-QmqWk`vu2XGoI=9chs(Pmr1~0h$rE>V_kAU(+wWf!eowVd;I$Q> z&r@EYy5ihYQBrw)81opnn?5-^wI1Tqp*6IV!WHI;jr2wy4CC@{>~5D5H+)Ss2BI8t zApogAnZLxX)d3R=|6AR{Z6z!?mV8HqloF+#5DU|<5v@}ToBrKs6twOP(c_J?`$J68 z(Wa6MW}?;-=a-vpAa9gAA#yUs=iFAOQ zG5p5~F&8~d7}|nog7Km^=y!RS^yFY-vhgYZwxwcK3mJL7bna=ag;ZOSpYt+2bd}9# zDE0*0oBEm&895L7dcK6k^McAIBonKjjFOAaVP3fGsJck(8!1%ODw2tt`=IiraWrHP$z-7-mPRw~_Bm z(*GJK;L)7m*fmS)D3CGS;l6D?iZBiC@c<+W`PsHOf(WOS9yP0oaT^1II$lgbGAEeu zHWLZ&5SAP5+<-BC3ta%hR{v^ybixNsB(fE5*?i^TcH?Y!U$q_yOD2LJ+Xk_Vk+q4xT| 
zWl9_aJPTv%m_JoRjAYNN5CTJSJau&gwSWk*x!+o(O;nm3Vn2&1o0>Z2x7mJZHoMAbZf6}V@HP6$2T4Jx4L0cc_RuEPn;eu~d7A_;~7W<>mm0>NbroC|1? zvthu(C{ zgD&n0wRBY|6e){$j}2mXm5Gs@L~*-06-rM@0L#ZI{CI5qqM3fP9u0sqdtBOgB^D;d zGOJf1jpN%v-7~!JBhMuk#)PJPGJIADw%^MP#fRyA=tK&C7Q39>-J2 z!sqbeTQq45dV$l@p@Ow8UvgGqZp;38B5bzVAw9xv z9i^{i!D3yiS;!>c$Rc|RSh4GOeZL7rbq3H_04`^g?{{W4GQpEQ3M%+Qnw{8SG&OUS zQA1UnN+69Q>2xAjknM=(>cGgC6HT6f6I3n0h1dK@Z)RKEsewmgoxDP2ZjXUI?Saex zewi0aZ1qQ6Lpu(7h8m5$?c7Z_DrKBwJY zPrb{kl-@sWb!IpM&uzqZ=5BzIM97&s$|egak{^zP4edyZA}8|qA=yZO-VM5lL?G6~ z)^;wD!IMUI0qpTVd6!`?jP0TS^2GyE9ykJLxQuPG_J`koCGA!vonh>y@L;lamCwKI z8i2??OXMPe2&}s;{no-SWS)(@ttkQ>=mMc0p~0_h)!e-ATj9jQ>=OOdMHN zSqFYRoO`bEnk!5PRbVP}VjuOSrSfw=gt34wNg$EeMvM^Yzc!axSMID>4)l3|djh~g z7ZvVT^K{5&t)r*LeBb1}f7bxurqkGVjGbQ1UJcm?p&Wb(O^`~lDemeUiE8|!2Fb1D zma%Rl?)nTQB!3=~X&u3-Ao7XH*bnYt` zJ$RJt)b^h*=>26TORT<`7Tck;V6n)bVEJurONCOvm)(i-2e}YA9+%Xod0H+_rUv8m z>zP%oxFo+eV;1UyK|bZ)iyu;1ecW7DowgXjHowkQG)7KH`b!nZZfP_lNO4vss##aR z-{E#jZ?UH(3L;BG-c7CktIhl*)`Tddj?zv0$QA-%P{G3o+AiG=#V5y)yS8N_PCI-$ z;I=X$#Ne@gmsW2ZFP{i}rBCLp>HzyXEDU_@Z?;oH@icdH5mOkM*IkE92eP<@T4wJR zIbhbmSV1LOfO2J1&$Sd-=7qHEp3-{0!j87RjskpHT#U`j=`J-@+-P{m+r! 
z-~*Gy4#)+H#$suqEbq#>L>yD`nlwamm?KwQ%KC-Z3`=DG4(g+u!}PLog@NTSIF>+v zlBZ-Qpx9G8WGSpsHhSqd*VL++zvVM zqlzrT;h{L2Tdzq0jdaVXaE*ka1MJmW?bT(JTI=cJyGhnwqlExyV(N0Xq2pMkKy4Q0#**Z)DjG{KY-t z!=dF7youc5C=g>1&RX7KP+`s3WlCwF@fArll{NqYkTMk=TnHb485EbyKS{3CT#5y= zX7Vtdy+QZlkl`hpnji(HXjh{s%r8~4{994Lv}?kLi}C^8TeQ=f;G7#m7pfxf;~lLS z=>-(qA*V@CmnlY!o8h9NQYI3EOTK5-j$`U$g9o%z&IKsaq037L+XwThA-7D<)XBh2 z8Vi%}>~6FwI9Y1cX$gqfE%ha-0MIwXCepUFCh;;xWm3;sW}sLWtD_$p4)FGVkW~J2 zz=Bw(4eF3&oRgn{N*f7>Cofxx@@umf+{~a|F%_C!b}&sM3Z_Z+$`KD`yJi+b1(-Z) zRpq5YL(~!|*m!%C(4#n97U6-8t582G#SZg?9uqPfhA^>7c6IW@slVMO^(2$NtbsRn zO7Tvr@o;xSr%Y5NNc-IeA&edGA-y0D#6_yHu4%~3whi1)@FX#FzJyEw0Yj0z$@sHKVY$OZoL{7jQ=x7V~CeGO;(q|hh{TW z+f2zND<>&t9$5_KslMl|oVxXDJyUizacD=CpMc@r4BLd%E-@FSl%qN=JCZfzi)w;U z0ZbU3X?BY*H5Av(F*~@Cll7MxVFBhbzr11yW3S_WOWFWa5BWYwE})peVDv5v##J}Z zfGYd$JpB7cLgS95AO&vkn7O^>XhN-s`Uo~oobvGq6v)gwxzhZWGX@^hOk#&!i?Vu~ zpIGNscQ2@%$4sKUryz zOGfnl?I~JUpEiS6uU^~i38J{FS|~Pk*L;R5uM;9*rJ90)rE>1IiK=Su?!n2I>Vzs7Cuyp~u@+03enU&~O zz%jjIwTWRWBc6@zi6(XWs1^HgA;QlHjyQUGMq2Di^0e@$#s`KfTJv9AA?@`UlCnem zI4oI4S|;69M#z^Mlw4qCxe8J>EiLPSb&`J{|S! zc6hxkU0evEl9H2ddTB&lTC+CNb8KZl_XZ1fiq@A;F(6qFxVc6tAzvh`4MHbO4%_ZyClHh?d{O5Ak_Mz+C#NN`GwEb$x_O6gS=B%wx@a~ z)Y3=k>|Af*l_U@s_92Cs6k@9aMKL+4Qbj_{gZfxJm^kaG@n^^^qR}L(4G`FL=>g6$yxaA8)a_QbaR2c+gVir9)wLZVSJCpT4ULe$2@p5Y zRcn8O9oSN?E&tMAi#uQ_NC;^`iN{bFwylU7Y2xtP?XL>n4j}*P{0EKjycl|iJ24Y!Nsx&T(YE3=@dBSlu8o>3i$R$%uY-Y`eW-#5L^{v@D^!r%T zqTQzSmty7Bc}>w4!TOt&llhk+uw|bBu!9gxXweg>QT%tD{LIC1Tti<>M2}sMxF{E=qjVd(=ccW|;f%uz7|T_@#}nbgj(Z!BnWyn(9YYTE z?QwILDG1@QlR1yBVU`!2_Ysn#`!#Z;5WAZ)CtH)cn6&8;u1<)iCSp*g`rCsCuou!c zJAz=X+6R^lD5yJKAzauM&CHt8Hu?8#bvr)A%-(XuI(%gUNP{lCA}wq0Iw#8&QPSGWNM}D>kUu+}D1;Vg zE5$*vi&wk&u$>B0|CskP9#I`>@_~XY>B7~KHQ#K@F$8?GzZQFr<~JHp%}~&)$>6=C z`FyEmrlU69V^hKPDfNTh{iDYAmlqmR`-!55J2j{nJy;{U(#PSTM7bT;52s9hmodtl zT(%1tzR(-|s2xsfH)|$$GGVdR9a79pnC1Q73AZviRC!&B-fc53MZxPOX_v^X{t{n? 
zA8jhkLG2eM_wX(y=77`H7uMP=5JETc$0=}D*EtbBP1r|v*|#d|)HT7vtlX22lg{`nRVxl8&Ns8{(DpqP)t&kV5!+1Rfpjg=3rtwNI;$CN!obIXh94bSK$2cWbrQJS>|efdG+L_YR{tbm*3zXVr&S3Tiq$wkHM5H9>+sJe2-;l{4wW zbVij5FO0Q+z2$nX+L;dsg~3UvOrVw{nO+u9u9tq~&IR~DCBW7=ZHX6=3%IeFNO?ew zDzrSV)(?F$aAEw#Q7nei*UdPh-#95Xh-gmnE>W3^QXC79-0i?wujE0|0GCleWV)b* zi?@fBjOxLJV(dbPr#odM<8s**)k#%GQi&XIOrN$g*3F#{mhF9+=);htIYW(Y-7gn* zeUP)6aUcTRIV-k=nG7DcnJb z_xu$2ze^?|H;nI62fJM~eO=n6ru;RvXOhny64rgl4-`v?Wy||X2o_`lnktBGc7+2e z=pMdB7)2L36{yH2va=MFF@U^%aKB@56ja-uHbad>p~~bSEKjyd4klMb(p6M4A-2qX zN7W}VY<9A98&?^WH&j$*pD!>=HmVk!;En3~o8G%aK3MM123Zn6{XV%6won$S(viL+ zm+SlRh2-7&@cG(TH*nEpmyhjy19q4F?@wC6KjT60S@NLpn-JOB0Z7zYtt*j>1rapx zn@y-wpyeYlWzKe~zK7^b1*qX^UAF_{|t9h`S0CtW9Wc&OVV zM`dIB`xwzWHb}3(Wusa9OVsO++HW7mQr3TfFL`Zc&JcjymxdTRr=oMn;|OpZ`dl!e zb#{&+l2~hnF+&N*Ph~);Td`ap6UwUWTXed+PWYTn@*V(vN`&FSHe79C$r&Q_p35I1 z;yW&IBYYo2?ma!Eem*5zV#jMX^wI%q(^Xw*>2eBOv^1Pr-0b_qEANbt#_VGakVRA1 z6KP(E)mN6d3=s7$Tsg?gt|@hIgGrYq^b4^-u|Ph`x{^nswy>a`@921O-+bRYC%G;q zYPVvrIl(v&NqQ%r<^Cc|_EZ_O%(vpS!7ZM&AByY*bF+ax)N z!x|>XbHFO<+6|TEt&npDh+p4$?g@cK4%zmY7wU==Cy95*+;)m>#y@u`JkdQ_4%A&X4|M8}f{vJL3H>wY7z%(`^Q_ zZfyzG>rP^Aeu}>|Zg<3yK#k-Z?}{M!|3NU40sF%AWl%7*UR!>Ta5c!?1bnOx?w&ib zmzqou(GaFw^aTuNV+Ow?pPbS*Gqh(Y z&Mr)zg)zqP;GwO{*)m2-31`QAFFaGRph-DpLRPL@*<;k5!1$2Q|o+R3^uRCeHC; zoj?h6*d9%(2_q~QXtN`}#3m&bzA}7g*tO`1yAg}FjzS)|859xIpu|*7)`}3J6pJ4b zqyqZ`1xNHiNfo;BD12qs1VzkG6Rvxi(_+O9;mLlOHoJC=X&$CTMmW`d+<=~R+yEtD z(X9G$EW;>msCwfEl|Tp7uuf`p{@y#|G5PK~UbhsS^mfr`?0j-%aR=Dbr+rsk+Tn!8 z(1bzH25%n4-Ym&4p0~XieO8Ob@fByDp8E@pIzmFgT1urB0y%!k#n_~~p>#$bttZR=sHi?wLO(hSJ&V*zUt$Y>Qn}`M-y=C z#-xj!cF?!gB?!;&iy zC^?oMv%7OHAS1_H9a=4(ZVvF&l`Z-4;cv13Mwc-08SAc<+EU$GuyR-?6coaHl;%xsr9NIfhZdt^=IOzP$9 zm6CwIxGFhEZDzCC$W}%n4xLldA`%Boy;yy<9NKcSBSiC0HgciCBlW*G%ttx0*IhlX~7@&IoR58N4|KUSD2JS=~%}8ocO_U0m zBW)<@ANBCmcL6GO8{AbJ=-a~Jl^;ES5#d%&5n7JAaa0ocOElgm6Cqm5WFb_(BQU(E zai+{pjO(B=#LBk^w4w4)SNv1|spCvmR(*rjL zZMA+ybC=K$cLmZ*1p8AkVD#Mr-e3sUVEEVCYIC*Tu@O4qUSk0|cr5*<&%ecVz!=%s 
zop*KtPfBZ4M6jrCE7&WkR;L+^9MnA<%UEpEai*5l#EH{W7)t`3|Cwh;4n<6K5nysAc{Fr^gFSvtLSw$+RB6Y65?ot zOR7@6L~LPI@)8VhiPNb6qZa^CzR$oK$#+F{0P8Tn!kRH@zM^0|X*J=oj%Ib8U~T=L zGmPAYGE@XkP?X2CXOI%|Pb`)nVPc&9rfTfM@$P8b2yDM%3P}RXyPdome#Exa3oa&h z*5vPb_DQG{l@l9ciiP^Uz z`lErfE0S;~1sczxO&t9K$6-%yiFm{FR+d-&nYH1h*Ry+{$9QONEnkc}e9N~-a|*rV zkg8m-P@vT?2))nXYZpuUU7y0%G&Grk9JfE{d9IT9mhjTgK?9ELpDiB-t~EqM)Vg30 z+Cd^<(Z{b?8e^WpeT*GXd!5N{-THfS*K@7aaL9kaKjk9OOhWy1z9n+yuH0Q0_&l~e zMx3?6j)uB&{Ilc^%LFGl^4A5&*V~hvh)4|E#YGvRe{}-5M?|8s;sj3h50rL&q9URF z#!)wlB7&BXe0k;Ff`t+Ip52h8|3aY3v8@v>!Uo@^>#Sn~H`IZB-VV|H7o={3E%#0& ztVDMTafOGS09C`sHhyB+P!~(T<=fEf#3wnzfSGlRx$72Ie(-=tfQ&3{1DQHVh4TU`n;osd>c}8q)u6?8 z5kLFr27$<_BBNEP>=IsFy@#*1zh43bZ7MDw4}DJZfR$uMHdj8xn4J zIV>%nfiS}dC3<7POtuo77h?=JBH7z4CdmV3AJG#3>4irW+%9#zS0hf=L zpqTJM%4K44{FHUT=vH1WCnpy{nGc`fW6Ru0+zp>B9(2Tt9CA8zk1X6YeSg~vp-|Tn_+SD~{ zvcBr06R1TVM%~ayiHZ91S{PJc{x)W{Q2klR?KYuAi!SWWvq8;IW~K%M>j!pm;BZd~ z%}VkCa;hiXXCKoarN8(E5x$N@2r?Nk&1zFq&7+`f?cxYmoSj`Vy?naaKMrn7a+%if z!e6e8tv@dqu)I^P>!sUf^(?JjCZv`a`9~A=_%-7ta7#)o;&b2RfczYrRo82^8@0V{ z!u89YP=*CxO4*cx*5sr~(|92~B}q^POlK5^A5<+4M0o&B^jSNbc5Sro9d2Op`=1C* zEV=#J+5-i2B0a$oEt<#y2ZT4GY1 zGPj@8`FY}YJ=%~#C`B!~xTvx0?EQ-p)X;vz3R6WOiGkjPTm9pabDMAI2TPSuvZ@b6 z-fXS3?XEinpqN1tXao+Eb|?w1m`p9^P!lW|J@DeQqlJVs?M6AS=;+%-sVY4yOE5^} z9;`WudHC^A#P!>mB;qcsQp;agn2M7T-6uYHr9)KfwIO97RWh4)ciK7*nbJ=lS>nor z5|>*D5F59a+o$diR19{AW)U&<^!IbZgO8levo$TNZUZ(e**M+3knm@IWF5i+p`G6o zhM1DxC&lX3E%ww=#Tkk)tRJrb4je}4!1DC^)gOsE7WzYdG&A?Qlxg>#vc74Wsto_c z2WyrAANrMCZNqUoY=?k<#;Ke@oLskZnEk?svEzBH49U*vJ?pbzpi_CcS*3bKHY-~@ z*Tzd`t$GtX(H{D0rnDC?;YT6BX{I;$l5g23NX&bp^Bo_#cc{VsM$WyBPVk7`&T9Sf*)siMW_^xmcO8vvmw^{C zbFb|R_wZfCC2q1$C1GzIR)>=dN3}Qw;k|vO-eV7~#{jjXxmGd)G;1U%QR_=KZPlr# zXd3#Bkq>s6haLzMxUKyAVPd{0`*_2?*H?e**SLUcxBGxE{ z!>Q`fL~KQZ*i}i!*;AXAZc9|VUD)BdF zgZ5kE3^Nfeibbh5Bb*WGO0EZIm%b@LciEcQV!?hH2;;EK5lal|t4H=qGwYAwzYba^%W}*6kfk^KZ;9qxTcI z5#y%FLK+!o;aBzhEhc*v85obM&h%iFp{JTngx5L~TmX*%L33Zuc0csGjT}f8!tUv@ 
zheZ*qlkIV>@fMchySC584U*ZP&2a3;Y6#Yn-mWP0@z++xj`2gON1gJ15t57I957_X zXB0JSU&PAn#t_HF5cUyH?dT zisFi6^10l>@Y~i z?sS{*^%6qyGsi8fM*ZQN7&sQkK^{}+&7*F2J7nJM_TKipycqe}p6YIA+a5$C3#V1( zal{-H4OjV9Ti8vrZj=tQA^iL9Pu~sJFUj1go|+jJNOOJ2RUyVqrXejT0-gsHk%d8A>Q`x1cNcI->(n1=4sKyOrtR(h&W^w-?mqf0}H1zAjF2rWn&f)R^F|@AlbxyuPdqq&R1+VhpMs@CD@l^jh*gnI^ zzfWn(G9;Jm$HW>W zt%ZIl@+Hi=4kp4*l%Skj<(wPiClX$euw7LwI}4pOc&03MSkGp+6b$$gmGIu;1zxK6 ze^1Wa)y2R)EIc-2()nF`w4r?Vgl%(r^TzFR7_}$zy$JFtxSl(MD z6Bf})fBF^gLl%Bplj`B0Icf)Q1`^?uTR5IQ+I7w43u%hHU^enTF#d~cCvsdxkpB(c zQai)>^Y0$|)mxp9X~=gDQ{h9~$K;^mi8{CsS=ErGAIiUYwS)7GS32@|7e^YJ^WzrV zwjru{F{CS#VlCxXsfI7y;0|=F*R+MP4mx-b6r3=xextu}ULvS&zM2WKUko?5A9?qU zs1b8^32SvF|9p#i^Q5^wx*!fiEqp_O-fU84kf?eS*sGznnsYi~gB zL33e^2JRP2_85CYG_Ooa2#`E8Na8zG)4bvK0@BZqKrbk-+0N3;A9yY{Br+NCgY?Mm z=K~?NV(!>5v5)9iC_)9=P7)1}DyM?_?nI|qHM1JFc`=nQaSG#1bFL9@0**QB+}cInx`#FaCgzt+Sl;Sdl)p9gz{Tz;bS zTvxY1ArW*4>k#%9@VV;0gNE{La&V!I$eYOB<^{g8xyA7k)B**Cr2lSzk^BJd^-mOj z(PSnVLTI_gq4?^hdC=0VvxyZwvsr|+Pq;ymwSi*aM{V-*vocWXtZi_j&S6h2NjGf! 
z)(KW?MtBL@2Z7+%Hczgu>tby&yfTrArL$V*)N-4%Y8@+Daw3}$xqRS|)Z`!X9FITc zT$}I;wW|4@@<|lrB9%HNd8RfnZNL5+!-Ym7kY-miPoUFX71we~({n85JAR}_pllan z8!6Qk&)q~PBH!*H?C|sBjl@?=y$wpNOMJwEVvRS3Ap7-fq}ZOAukuBO!w-z#v6Jm; z<&mLGS^NU4)Ez6oSa{8@nDz0#yT8pwI(j6OKP3YX6l280-_ivc-CK7PX2K!8XgG?A zDVS_c^p||@Klvf5U=Y^!AMJv63lPuvvAxBg(-(=mTZg(83)N=mzgk6ZAq*!>Yt{t= zmv)4i09J&43Hn(h@`&{B5~Cgs_fz)6v#jVMWyhQ6c#u%`uahQwUV9ofOi@MTQ|@fY z^v%LT{#vU61{Vw*f2hrPX|o-k1?OyanC+<7odWB@){A)|^Ow_5@dPn@Vd-!Q(VB)E zb9u|(-Gu+;j?mlHc>O&Xf(|k4^a#FO+SRc}%(0bb@PtM-lu-owg$4I+F?A1lj_2ob zT*jMtaEzb2eg^7aH_tnlS~tHx)%d5i6Te*Jqa2k6S-g-T!s}x$C6KPvFba$r>UXjw zC-<6!>cI}4ocf?7{#(TyH=Gg)HNZi!1?ma-&lfEJSC)={qeUK<1$ZvL z4OD6W1r+}a_rSm1_;*ADXnGX1`IG;frT!%k2G$BtCTAxx4E?nR`qy^(e>~{_!>=J+ zPXgsM#SuxY%3SZ^qbKC)m(g^!en&1eU7(HiclnsJg)JcAkPIuBQX?>j5<8Zh$-tX$ z$*v59QcKOU4V<}sNgvRJPA}SMURx|K#P7iQ&eX^7&&qs?vWeJ3b4Ua;|K_+BjGs7u z{sB1P?Jc;~REqt@Vq`Jve^iAA4wv?15DaNTzf=D;D*iV~`nQjClG$q{!Ai5ptlsgY zGdVtGK2oED*-t5V+r>YQDHJSHvG~3`4YwThK^g$D>;Lr%o64HO^{SX6fFVX3hvunl zsMSRrgIbcINide~`p4}mbt&%Sivc?xL`*ONA_$P@=f-~%4#GV!7zChkYn@=|vSzXZ zF}2l8mZlbgi!r{`jCsn?ylM}CtF*Eth><14h*3ZK(9e9LB^{c2H9VgD#f$JY7jImI6(Iqd)b zv{I=QeNRX2jGk!3NVA`?KJHlu(Ej|1S0R=SbmB5rkao zkr@;BwI+JQ49E7nrgVe#=?|M{a| zI0_9w9#o@7mMn6A0U#_1i9J*V`^(=}D>RM1wju}x2e1J+A1Oz^{TqD$w;vw>x+W1l zy+noo-R}MSVtpk6D`pNQ?viS<}k87Py)Q>(U$BdzE&`0hCsIpn78e&=iclAP6eaoSBAe&K6U}K zhX)#WS;oAJbxB!b7XZf*Zv<4(SWvent+3w#CO}sVt?O~j*%;vB;&M0FC-|i`!({AD z1~HU74zF|D+x3_n&Nq6Jd7Mm9WzCe|ko5bL?``HZPuUSBBu#evyHkPd52lDf5O589 zb$z{_VwTx?zS*}u>UEVz+>^`-To2AWLIptXM+P6tNq&CY>@J_di)mWj*w2}dRiuRy z(BE;kSKm%h>@c_enj>olfE=FwZNx-yMaRi<^Z6$6D^8A*^q0Hoa&OK+&N-JiX;^?H z^14!X=O?-klx1p!z}EAuyovkz)|%o+O4s2rM#_73#05#CQ~@jxp2`@|w;d=L+>To? 
z-Z#}*1^{cO<7xZ-h@Iif)4iCIzs{RYib(@_{P&KIKmZB+_Sa9tS>M{7;SJAt%lqyl zc6t}aNT6CnVz=LLP7~en^89!nm-PhE?0OsvZ;T@5psfK1Jnk9%^{!8-;@h=lV;+Lx z&zEykWMG>&V9r*mxuY3^z%g*Xfw$Zed@~v)0)8k6KD4J^@AY9;z1}uM8z%q--3Kuq9_#H80oKCH&S$F^-bmy}EAc7VA~*Le#l zV%mM@WItJVSG%7ZYCBIz++%~--=ZG`R$y^Rm0)IWz^3KCZ5mA^13(Ia;}8CLbKITb zwh~rc)&v)U#faw*e#G{6*iR5d9!IR!i*<;MjEp#fp6=d3TMmhU$s1Ud`B{5hnfXD# z{j&Zm2cI__u)Q0b18)Ls40evOwE0~qI)PqokXRIuhP;0goSLJ!KkOH=e!Vbe(5MP@ zDuQAr5`D9Px0x+aZ1)Poek*R%yy%2!gpcnBBudo7MC28hDQ*4j(}T%I5T4Pn=flXnY9sFGq)B#gOX< z{|Ck@95y9++(nKSZCP;6M(n)fw4@Oxto)V%Bsrp^0Aofn_#A*C=q2iv{#w#oy?uGW zk^WC))@U!^{YNjre?}?h-NI}emCq>;3(LF8clGw`U8HoKwr{W-XF98Ie@3*LDG`yE zN5o=KSGr)Nh-YN9L=kIx7YxK7(12GM@$7}>=|^ZUxZ&sa%(u|PMle7UoXb*$0wf7w z;KbXdv2GjQ{AS-fGL7M!JjtjoKw^jARV=}Ng#yk60@D4I2Ld|d z?OWkwz~27PA9^DPOl3EVemeU?d+R{#zw{=KN|fMaq3h*7&&5mlsPF2W_b02aOUy+O z_Q7$=+I9_`zj`!eKI;0u@Yzryz&ZKiS!& zEc5!WqRiOusVoNmEw-P_)Rg^k1~EHG#sOcvOg7~D@6ApJ-ku%^A;fsz<3KNqoSS%1}|e`yEXJW%L>HQF&4-22My@FW`f^B1$L zlg3*n&o3N(uF>bcV9Y5%wlY5P5_o?({^QJtm`Bjps4x0goz8F$Is!Y3$(6Poo&fx( zzLD|yC6WKi_MREoij1W&4Npzt&`0#ge$@CrCj$GRJto* zlerC%@T5k2VDqr_2Y=ot^O}+>5Y)q5Uu)-2VP*vZ=!Jwo+FvEej z5nCMhxN7wu8vQKnB~RXqoaGlrZe|c`z*HEe8(w%`WHgw}lg{UoV73mRg%uJ>y1CNi zRCdng%;xB1G1BY37AkKI;p2DfzD}cu;k-O6g^s)RDOOw1XSttge!UM=azvca)X`f0 z==gFyM?^#a^=u#J?^|&QLD@w1E%T-{VA#f|467e zg#mBN?XYAxoOy>joMLYZMtSl14FmV^)`vPFHm!oz^Roe^&@-fSuT)5crz7pcgrgXK z264g6pqht*WX==k;S_hMLPhn^_3n^ECH#nd0L0lk!p24OHAVP-gCwf+YKbb}JD@DwA(z9m>JhGfsobdgBr{|0u(=sSlfV_SHXW z^^u(G$Old;`W9I;4;3dM<=Si`ABrAJ{sCe~UJxCyd-yfa2Hk*W9>hd(DmwN0pu5nB zXGg3aLEcv|Xk#6m7zN^%!)=6_I#BE^aUkwol7u%^(C%tF+zZNqwX&@pJGq0GR zeu5O-TMYKGd3~?Dc!}Mz`0Dursd|^<(%oxh`mCYOHW18i#?7)~FB(*zJOaR0bGqm+>>op;tpQ^-M-|K@`3H%rHIc*Q+B^iw*@q@*82TR}cG~7Mp^PmT2p; zS)$r-iZaeL(z!Mbp*Xf&@6XKP5G=qPPVa}C+k3Sh1z?D75M?4#f~yTOopDD~t|@H= zSSiZixu*VCiZT$0i96{1z~TH}#Guc8w1~vV9+3?mb8HuAAjBV>QO8NxIOK?%cJQ>EZxj`wh4bQ+k-}2Mj+D z5Y=*Xyy=*U;gquFz`?SxUr^rt0>etfMKrPO(=X@RI}K(=0mqZ8&`5>yaO0@ggM%7h 
zUPkm`2@HmExW>`9X6v-(%IQR5rouSOYhDZyrg2Qq0h7OQkXIroY}6%^_Uoh}f%H7P z6JwD^lly|7%DukxAyNfpS(jK8EjT$Z(6=0adD%N~{2l8y9$q9%$}kHpGZigFdpW+K z-n*P&sC%c@&N+y<`ADj5PYfqDPWQTkk!ROn9-!1VhsGBM$gww!*k1{Ehs}FKQy0wW?m-Hf4{V4^H%f8Dswa?j>37ivbR=TF?}@yLkJeY3 z4?;F(^ykqkO@pKPi=gVD=;n`GEq9(ec5P$VCXa78cc@Pnesf`hNvcLSkc3W0iVF_k z*eqVxPY}b?=SXzB7aBhnO_Dls862882$a#yPFQoQ?JoV63|p$e=TG!Od)XU@5s70_ z4#Bej)E~#uOeQCrUkXZ$R5}(y8jXS{v==6?5>~R6Y6LuA%p04x3!UkxR3RA`6q97y zzbh(btTJJ{kbSS-lHJ*2+V84GS->lP$r7ONLNMo7CS=24_on?)r>PtZ%k%cl*~ z1tC>TSP18twZ$XNUpfq)qmQ!grp|M!$hNG7tIvX?Z_e_0&r1@9$qZ09vD-LTos*-E za}}eWfQZJF6O7?sfiK>+L7q0ZcUk2K<=)Oki>zijI%k)e5-4OjQ(9lP1<71H4NgGJ z$biActFN_=^PO2Yy)P%SH(0y#Lz@-6D=rQKi;&U_RvdZ3+R3zESUW}W0K9T@thLr6 z)894FnJgE^+APmd=|YdGUGPS*7&u4Zq{Qij>p?Jit&ohSUS06G}2Zm0fwHJzbDN@s(aFBfAw(7z`5qNPNCBe8dr82L->0WH$79;@RVMV`8if9 z6Ij>HPZ-Cno!)fVSqD$8pwt_Y$g>6)9t@#qC@wJ}`_F%~tjg)J6-hDjLes>(Xr5Sy zv!gBidM=Y#Pki_+7%rIu50%=_*Wz13>E7p9r(dk z8Z`V77I}U)ai*;hfsFzOqG)C3{ znfdF>h9m~rG-z4AA^+}=mv0kdGwu0p&frQ`?-7VrFWy@xX5zJE{Om|f>t*UIxXegi zwwHvgi=gsFPgA>D($4Zy3?cL@a#}^rg?CG zG;pDj+iJ45LI0!{=ab$JM|?teSE7>sIQ-elr&m&pd7H%OSAxVbtsq=P>O(zJt88IP zSis$ll_Zzdx_A^-ixtOv0_7q?k?dW9>MSZa>pQGD@(G{=zz{dqs#++V`4&+}yJNgX z7|$bY`O=ZDhf#BUkp+EV5UJRQDb=l+;Bo00m4y9Qr-|kts8r%7{7su7+{3LR>AVd zRMMHr2Et;v^*S-&%jVx}Sf^^!*Cv4>)3K1W5Lsg(D0uo@X)cSue>atJ-%vFRd*6!8 z4~?9|Y`0dI;=1;v2`@PXfrGg(g{64XQ70EY1%ug9H??#!bWUyCnMJEXA`?Tr`DYLT zASx`Xv&otEwJ^y%_*_Iqk*(la=}zQ@A4ZuCMoNG(GEJdx!>#AVGGE2@xKj^9qKOG=vQ5QC zF3$&}fj{3T!okJF0KX)_JU!wusLYXcaN2Nx0CQ=_Ss1@NkcSj20v(u)$VMpKyR1++<#{1Jl*#%=4%p? 
zEz}=w(TeR0+vbWi8yh5;Q$BIs5gGbKrwc3;Q%KxezYToZZ~AVvRH(}%WOiE%VvOFu zV+$4Dp{GmFaD59tTnR4%@B^-}++8ol)T^(tjs%)yPJgR=L-|ehd1Gd2J&{KeFH2Jc zv2x5?`h^W@kmCT&)B9Y9B|1$D7txTOCOb)Z2DoYbRPnRZ7bwRBDzOAAUD2upfb~M< zaZ?=2y70l$2I{jw;D|&0Lh*&dLCsD+^J2FSd#lo1?zH*H77p!q>+7^_!)m8k^ww_h| z-2^<1f)odV?!iQO=El-_*C2roWz3O8Pqq$=n?VvWN`A?^%iKyNV(_bGdFz!^T%d40 zU#37o0b*|IUH8-Zq2_ZdVQV4c1s0g$%pW#2({FmAw<-Y>$r|9c zp-bEbf+-2Wl$-q!iBQsJJkU>ZXB4cytY5>`-h@Q07vqgi7Tl0to zcghE!@f0=v#50bt)Ro-xIAfi;d;6Tm+GkrEd(RL{k}sXnH1KJ8&pv1>uTR$$I{n7H znF8Y3+r8EHE)SWkP?y8JQY*(8)#9PKxphy$BbEjP9?}idK8vW=RE6HFR>>)m|NI-f zQrhq2x+7x;4}15s=}b6Wx)zj1T>P)AoEz`4KUsm#6Y}O3P88ZxgCu2GMei-d$R~&8 zMcT15%G`rtrVDAx4nYj`HZ0+#2(hchKSYOJf4~WRs)KdVhY?f^z6}}(#%iX_89V2q z^Dk#>y%lE^#O5W7*t?0hf%CWL=@yZv`Z16#ao$I)kI>C}m?;suN6V=~*1v@Q&JMIT}ATJ{{>iYWj1L}1D1 z^##yLk_>gZ{x}_)bma@Vb@F^sYxF@m6>3M;t^aWR$UN2RQsZUVT(Wf>g|=Yp&|wj= zl4gR8qy!Zb?pQKnQ$baL6ASWkm%{#R29bw5g2Wfk=VsE<7sdJIYk5X%#`-{&Z#(qX zS9V`pMeNV76k#<(fSYG2{}ef7iA2u8MPIW2g7qu;_RqK_OaM;sjJukPoe%-cx{t12 zQ08-c*?~9G&1lB_ovL=*mTM%Qph1OO&~cHlDvb5wBNdVE>*-sRK=<$|DkE8)k2ovs zl0BXGvdi*_=uzBHgdRvC4iYyhbH<(hLbvM*y0rWG)LRvV(XUD}gk3qvtjCFIQoWczyC$(U3|!=S6HfGVSZs`Qs1 z!XWh&N5bb|lHfUg$@;XQ%FULO%q2JTabl-&8HCB(2IVu&*c z%Oc^w=KkK{D)L^0G{^HK$`A3qpuKXQ$C#X@&uOkE%A@BIST+jT!JuT6uh!VbvMo6ggaP1aUV((AD`i7 zK|w<-H0vFJkFaeK_*AXb@oC&PCNy0c5z_PQW(M}MR>)}cGhL!AqkY-$W7~tJw1198 z&s<$Q(r6t;ui6?Bxt4FtCfF|c3#%ZiAX)E>oPN%@hEzvy#heIZq<4Gek8O)naM4r3 zsNgmvRJKy_rIX<&3=W+h2hu;{!zyTTs54gQz;KzX4S)C|MPDMbxN6>NR?Au6iT3q1 z*fV1;2 zjcnU&9#Y~f9#-v8ntJzm#OL5WrRFG*&sT&hLs>?~s~qU9f(MW98L%$OK2& z-*;shK7b&5RMQ zJ=7L;F{WN@$R~K{b=%W$8|n#5?1+-e^z)14!H^(~MVYx&gCwUTDQ=_1Y-26yD4}ga z!6^ujYRtky`!?_MKqrzlF}IGuL~wR}d(q!=VB6OjWB#>{%H;Rom^ea3LcMU918WTLp0TGwQ78Sv zaPd{gp1R_8Dn*vgiO!(d8MB`}lr-zH%GzuE$y;H`mWDDe z4)7qCA(I*G)rT(fMB3NXk=#GZDMwyJe6DTXLdWiiGPkvnk!Hsyj0|KpR;@y$!4?E1Wg$g; z#B-Km@OJA}St`u$oPOG_cEpc7O2LVoF|ARbo~)wB2LJSF1iG1T0@o{W(OAugOcSna znn%HFvo{Fh5N)Z-tnEX0YS)*euts)oT09zX77Zcr6X&AFHg4qp-{@e+UF0^lvK+$Vv9GrgI-WC7Il8zy4=Ap(g 
zKC&_iRXzA=ZXhCH8`)5LRd0Jc#d}a*TTb=x`^=&2&~J}4k#g*T<%|3+q2cIFHaS+PzC_woYV5fr1U?A+1l>xZp}wxZ3w6Yqk~k3;#+``IO86~;w81_$1*=AZ!cagEB>O^kY^PTT>b9~D2%T{|oku|pH)UN4}4 zA7~hNR;40{w}}W*0Z4xMpVQ-msBd-8BXcNYWKqQ0ZcXsStC!qDOIUyuER!O`6~+MW zH;zBCtmE7UOhfybNbFkPn-2QUAYBh8 zYk@ZD&q0n}FKB;~X`ie@vy5~sf8Is8Ge zp+2L5`i?)}{0gT%%S9 z4_k;c$}G4lUW2JBN<{a0OD2IiTf2fQw`V@rhE;5ywZ|p-$@zC8_3UZDA4qj=p z4xTCwCOF*MYUh@|jw1pi@zk(>qm7w|M3zTrK6P>HIH;yI7BT8P5_&_&!b&niGm-s= z8}-k*HhM~S@h<4x++okt&Z+M%l`lln!z`x$c|BMwWz?JWwDd7^;G?Dra|=?7+-E-> zVK5j&a}46aUE1S`tW3&8RGWtIo)kqUKpr8;Z*dNY4BjdL>fkgCh@~HZne@A>h3s%_ncg z;hu@`%WGYK75w%tB$^P^Q5nD;_+E9BlsCAu1?oR~0jdmVz8j?7j{H7A=M(dDg!^oC z11To|zIR$7B*&E?7?~ZktJt&j^-f&~iSW34-N@^r9hva3dwuhHPpApmOX@cF^=@tT zqtU}zwE_MmJCAS9uV1j6eNG->j%~B*Zr8A%H(QI6h5G*BDC_ZwY_ClD{;16(-5K*E zhu-!WJrnZ6;dXtO)4fPSxT>c5UchlqU7Ph(P~DXG_iw$UVHDJH;5MsGrHBWLSTFUr zIIODp2)RM$W6ib-RVIQuZo+ek0RpTzHYP#3!GXH|c-M2*5VopSajp$WQ05vgqe`t3Wrj z2vJnY_)ljN=#s{;b<%U+WS5!-I`Qe4+lAVmabxR@rueZ7i4Sw11!8Jil^Uq2<_NHo zQ&Y!dsF=iYQLqkM2M|Jf{0pg!1`|nDFK>$dqcH&12MCrD7hPnhsj#!QMwyqsuZ@g; zefOczGd-7EK0s?nL&yD4E(9Bp6@@DkMbw#VoBjT%*ACuEei6+ZaKKq;N*5VSnauTI zEce^4D<6oN2{_;C+Vr4z3E&7OPXq(}Gm^sYB;VYhL67gfJ?+h>vX@W2 zU(E5_ZhnNYT8h`vG>N#-R#alpG(v z81CAdsNQaLk`!~Osts*)@_Drld|2uBwn*alIob2T3u*_rzoIhvELkNwRxD0=J#; zaaIhX|9Br>-|m&`C}BlnZ`}0=&)sPpiYJ}-g^nW&;Dw!;!R`qSQp%^d}%tUNH0Nefv(-Yu9iC|asP`&qHE@IL36YRG1X@*34eyVN>xN(j3R5BJrRJ9O z6r3u^D3MA;$*#7w!FTjp@S0U}4TCS#rj`@Hya6pLJb4j>d7%i$403i|Djv_1P{()| zGeWUOLm36V)$K$#_pt{$V7_Rf*GV;3Iy8a<*fH>Z!7=!6KJ)=N;v~MxjZ8+qmA_ym z^HAkAG7pe}nxQig>%8oTeDFdMyJ=*o{1cip$4EvnmG7=GaR3bFnN^&dk-JP#f09Fx zc=Qm?>--;Vy;W3Q(XuTXB)Ge~y9M_EA$TCT1%d~6cXti$?(S~E z-Q8Ul?(!!4-1|Px-5+U$)<~FhtTC#3_3G7!Wi5%GGx_UZUr%RVZ3Rs|junC`br}Ss zN%x5O^DaOYPSY4UxqPEJWJwulK9!@AZT78~BbnDbR3fo{tCeR5Yu<}LM&yilic9Gz;(?NkG- znAoP%NyPxX8weMJi0qf%zan;)->1b%0(!V|DfU>$L5a+zU4Rtva{gJze0?FJ%ZI3q zx;=7oY7EoRl<*Z|6yN5DR4M`##Qu0X{H0aLf5dR}mM@H}E1EWk&Q_kE<1ZLu5{!%t z-qP4F5k@WeYs;<+Vayi+wL$8gV9=R|;A#9kVv2CfWqs|%TpZBd|Hm%H?F&%jpJ7ap 
z^d((m>GGw@fsZu-f+n*{3cD}M(CaD|iq$}-G<7RPC*Nzny}Okx3GrhasRY{+6I!Im0u75+#R%&wQT7|guuD77G8dLJ3|Hc}Ut2WQTLtoyfOWC?9EL^t z`~)Q9f*mWH-Qk0y@sytmNf1e(J7}bCan~MHpz~`GBpM`*yJza(Z{#y%BKE*J^a=9y z&_1Bin-yULO|@`L!b6$BiUV$t8sv7lqFT|753QY_L*6$=E4ngO@cELJb?lw*7retB7f1Qs4zAqVfrsE zIri_NzA&4ox(TGv=IhNaL7u9u+qI~ju}R%YCwHeMcVh%0Z0yLRLACdATy_#R_6u>K zQ;LmppMl(VrQGIu;Z>LUGmu;!rx}u(ONVYEvldT|{wus~sjV?c)7fppZn5bew@m0l zRdPVI8B<|9SID#tHdEdGPskrb2aLh5S-T<#!VQH|=vYD;X)Ixd{e3M>69Gt05AeE- zNA)vCNRuz0&5)9Du3l^06)dS^7*WJU8*2%-D%Zer`+ba3m(fj^eA#MV1r>b&Xsz(q z7Ik47p|G4biVIC1_Y@o!UP}E=QU2@?3X`$%sp;}AkK9O(m2<3;!RH^zN_9+Z)CK{A zSOf_Q#_$A}u-M~BPEDnFcXslbJi-9%qVSH>K^h<$X1qqj0+x#9PZ=&t(6vh zA-(|ovI~KN5Nv8)g$QL=BkkJWl^+w2hhv6-{b%iI{1Qm70zYiUwiWVuz{etY=&4Ln%U`4~m0v$0$ z*$YW7xlI&F%cLw*ImTjknx^{T@}xDRi=J=Ix%Iv{bZolH`X>J&aF3Nydz%#lXBr&e z@tyeGZHFDRHDR>u$qv)*U{pjvW&8V1qT?It$-PU}^I$6F$p}n%_ukIC|C3&X`U#-l zB{Q1HNWbMK0x8&==%b(|7=aa4t`nzkh^&IPMU(-i-_)*Jq<}f-$*>{N}N$Zm~zl_^IN;F6Piu&`-NM}<}s2Ld-h#&nQIG%e`6{7 z`rtXnlJ8_q1eTYs)`#}6PX&!j%RYmk2*qP52HkR)vwDtw$1%U zrVn#fZ59zLFmKlp%Kv!e#9PgKaU1$)EO~%I!Tu z%eHzDthvyOC~GK#2JXKYqdKPRUu|3dISE6)Gzzld3A|2n1cKNja!pbhd;<%zpeGHP?u&!+AsaBcT9$z?gmptzbw=^~D=gi z5cZqFvFdm&Oz*f=nP?yy_BquslxL&ME&H)F}vXn$v^Y|nJN zer7dzF_&!OtgWXWfLFin(QaDR@*SNv?pA1Ey{s(&P`3A#hfxiEjn}T^aBonK@a<>T zBsRzyst#3+EtY|MD#^5wQxiK1sEPbe-f4WOw)Df$ijJ?8Fv@UUOY4}lyb~l8W12Pw zcqe24gg#@$xanCsN{AY!RG>I?AamEqkXTyo-#B3W81K_S>Gt0Tkst~uL~eTd&no8sPI_U|tZE}$`IDq8e*s`I*${>;=Tab2EZIlFjaKShCP#S_#|aFp0Fxzg?^3Zit=Zqh)%VG7(pjGWWC!7QbER#mV&y#*o_yCQ>V8Eq~_rQW=MN|8qj_Y<8l($Qj*| zY1pj6Q{f0@$$jR2|B;e??l_C7uF3X#! 
zl4@C~W1QK|bCCs5xBP3_!d$#9IrxRax1qq@@F5_=E`vWly|F2r{JS8DZw4T{=6!~h z?|Jm!(o&rT!gy1+s`88~V4qeG?St+ygQTjyZpSqrtz(lq1Kkk$^a3U+YAA@jkv{Z` zmdU*c5OSp|3Pg0%ZP45lT&dLZjc_Bpc81K^&}GdBeK0a==&53)FX^Oha6d=HoxN8} z^7|QG&`-(F*fxG|>#J0jhA)o$<(cdB>IjurN1i7Y#d!JA{^RTjd7R$1<1e#&qmXV- zth&0TX{i10v5RljU{HJCimqNW_u1K3_eXzghXehvJ6ybJBVp;pVoA8~EP2h$(L&b( z>D35Gz^sWnItIYu{oxO^|8suwNH$OCTttSjAMwULo-!X^YpkP;dPZwZ{`CBO8714< zckOmAa=7@{mQ%b!Gf(mTI96zT7rkd?;X>Ren+e!CY?Yr_odlbY4xByZsqe7$&Ix>` zn%q}&iz<_oRD-^S6i(m9bCf5qn8s%?k$~KK!wniVe5u+$|`dQ#MViyBB|Xi@=d?f&xd-wYej-A`HiX ztF5D(a7aA$tGRktXFvH-kYd1zoW`6UL20B%a>&=)Sr$Y2?8YzW$V=2Bs@S39^?gBr z1q5}1mG~WM(Q)qmdD^4jB|R7ujf2+klArTPUUZQ8LjsBmE95j@Fc(a?ab$e`p&kXO zbjLiocyrvY#Gw0u9?u+spafj^##x{y>sG-^pl~vwD2AaONAIjbJhq3Zh}U$-)-kTF z?^^m{_&5J{uhMxi^znnaL~l=yHa=h98&DU^cRn z(S7dt2wi7Ka(2WDi0p{Z(V4;tkgOCIx{z^*jGULrC>ee)Ys-S@iuo?XDi%OK8_0{AX)M%zXO!z!xQvdA zj4=}suq?y(*BbjTJ?}&p4!nDeJENR@qp}hl9R3h^{@Puj08P}v`PKb!Nd9jS4zg8C zV=QSy z>!URsn?NXZw!9|3nAlwV(A^rE`qfNNaK0jBCOv};t)TIR0kX^boT0Fzp{0NIvFGo% zi-~*BK*FH+{4vXQ3%5(Imi}QAe=kopQU#Dz4hHO&^FwW zTXXcP`I7oNqDl>KGTpFe>;=*aM#mVs2ezKQeH3Vg7rKyfxm15|Cy0Z+%1M0UPkv;l zS~K>465Q9Xyml0Gs{Ot|U%LdE$^6=uE=$qKN%^;6v?7brn~Z0XqTWKnrCXN4By=%V z--0^ky!HbFykuB6lK+LFKr}iAH<3H$Z#sso8HEsUV;+%A{3>uX{G(%FW?Y1mZxbGR zw0OdB+fh3C2ld!$O7s%-vliXwHWN_j#1pMZ|Iku5+ppsGAau59%Cyq9f#G#I!!C_~ zmr~dF-nJuoG6&Q~IMa77R9=xbZZ)B)KEQ}f@Er}0WOn^X#DJ?#qStHwbz(Qbe9gPm zlLWaNHl>So*e2MlcTFK*&Ya8ZmEO3k;~NlpeHLsz3_{SEmp9oNxL=>_&rErgugB^zsz zal54bj3*;tXePQ1d%~39jY(d1cM*41%{&|ikoBGfb%Onjq?_nV{IiMXvRKfkxY(sU zjX$Hj{k=DkGXZ&d0*~m;j7d$8QN37AfdQy_5MxJf=!$HDyNai*Dk;1=ocf53Jh*ut z0jI7Upr~w8PedUo$>IOGqksyjNG5+g~H+~ zF{xI-nl{5cg78mGmtK93K|G*F9`q3_wu>d}m2P;Hzs$2P@EDzm44Miz3R;w)5VSH$ zCTDjN${-|rUHm7lU<5g((wNlR7LpuH)<3jR{L)O7gq?^b=B-2c zk2-10R>4TQt9G}6NSJ^}$&>j4gO_du_<#C!pqJTm{7?_wzmY5>?X@b8bqk$SkgbgF z#P}EXIi-BThp)97OWU5MD>DJRQ2`g#REwIYEF(+pebTInMliv$i;CYIR)R+FrGZdV zpG4~0Ju9f^>&eWkJ#?=@CEh@9afYGpdiCli{NUEQ7Ti~oKZz&HxoEy0&zRq*wQ_b> 
zGNHMhv1S(3uP@g+7C3+6H-M>|1q{sT9NcnyO=-z80^$!?>{Z*S|DR1scz%YMwp@Lz zyskQs{QHf^{?T4Y9D*>k)^Z#TD@ugjdxw>N9P zP%b^xbf#cW8%rM0Dx+_%0_`V;`u0?(_E5m^4~q|}GpU|Ez>++s0(?AO{m4Za6VCdL z;Ki@S@w)Qjq4gb^n8>ZuJe{ZYlGlCeWu#_qB9vBv7Ce?BAeHRRkcHwrwX`~>nvHBA z3}d;uokA>?bbRFXWz}rNwGP8HYVe6EleqU zpgkIt%+kJFbDBesWNzae6F0aD+}TE%pDE0Emn*o8J}%;s=;Rx5{h&D9jm<9(aIr^t_#teWcjIEww)EJ z7xJ!?<@N?L<|UWE#C^7_8ZZzzDmznk9%;2_;Cx&{+>5=KJi}uK4YZ!r_m~2~p z-2P^>dDu`hE3{?}RiX3rsUSl8=ijH&;%Q(&bteQ-s282j%E#V4^IV(H=0ROeaQ^`I zHqE*RHc8N<<=mkb94=nd+s?T8TbA=}ShL;P%Kgse*~Zt6%QaK@hR7DoYYD7|2(gwP z9w#g-es#q?c6s!X{h>l*|;vrY+?A(xRpOJ zpOC4^GXZz18I<`f7|`+CO=>+H5NX*gt@2r)kM74VXrE!8gEkNsPPlp&o;O+?9Bj|@ zwfOHAiuwoRd4cOr)uMO8z~|@ye9QaoE~^f?f~zAW@m?sJw-QkZzkyX~rhW&QWZN^` z!X)c@tQCdI8611avclK0S`FrMegC-|TaS4^^}YO|ht|oIFX`KVcevQ4P>3gi`jHD` z0NCNM{?*PtX`#QMJYj2QMRs+Ybf4(GddF7B2M2)|r9S!5L;)A+L^v%WdsaF@EW7>P zn!H?(ZQL6T(e1~S_6luTW~Hojqfu_!dOf(7cReDRdy=q5U*1-up)AeiQ~XkI;N zFWO}&^M&MgQknd9I2$k9`W~>+e!I80TD-uCW;S-PT0E0gvlxo9`J#^6oArl$eSHlv z@!j>5|0cBJwg~g>=t!uqAHGBL%2l28zkO0gjy^d+xBII)_E^8h!R=KPv-R5ttUA;m zB7xFYbD+KPz7e$a=nnTASf9y%u@8_d98fx`fv#s@tjiCLH))#(78vFJiSjyo6VLT=Gd z`|~Sp8s8U^%V-hmu1C8`M0F8Ftow{8(8ENm6>GKaoxsClS|#?ZW5$2?SBj>|(nR@M zoQ2z`KzG!0%;PT8Q$CRqxE8cQSC&OE@pg0b-UF;a;*L6hn;JOr&3PBGPAAyO^R@i7 zCYL$CO1KBgj#1>q2I5Db+weVugg_6xNW`F# z5L51Bo1w*xtZGLQxr4d+c~ORca|;Ux_C&}9!uhZOu&6_&wQy^&SP8t}@ai;3usvtM z{X$RY^XXs$jYQQN6S@2uDr4pOI=12BPuM$L?d5jt{Lt`!IlEcH^?>zEw#K&x->2J= zjEU_C2rnk}FhRBsTwR`5pV+y9&^p+*+GoR;;|S>~H}k><^iNtG`#LiC9WvLK!w`VH z04Z+Bzon(6ZT#Rn22JCqgK^s^VZ+&tm6b3?&4$g3tzJq~l!NhDmRhuQpu9Xr;Fk>b zdTsaGbb9lmUs7?b?>)BerIp{w`&SDcf|3f%A_2PO|Fwv8s(|1=fsa#psz#{eQGg%w z<;V9YMIm#t3jQN7cY}ZVl*LgAyG)aORnVQzrk@+6CX59hf9I~S8uwAx5G5XY$B=&; z_CX+*2&X9`$dK_-1h5%Hy|dwh)6L-zo@l-Iw^vG2n*Z~VkZ%wBPM1HcvVO1>tk&7R7X-_bC61dWe#PqZ>oA;F-gcG218O_0^ z+zvl+a#bvq@4M#J`Tj5lMa9LmQZ9fygDbpq;|tzL zRO5zcE5(X55c6%Uot@P`OYwMJt=E=)O?TQmS$9LY@4R&(5D<)Z!qt#Z6LRITtb5Tu z+2W7<-w*kpeNFNmc+xhCP$p~ZU&NjlFK9PJE9y5jaqurUvyNJAhkPvyy>K_E&d+`a zHlWhPtoH|7`aOfxd`Av 
zNQ6EABJf#Rvff1r4#wFKSV~9Lv*NF*K>~I}8KJy-GtkVNiItvs)0ZACjVC$i@9>F9 z9ffWJW&h7^{&?J|Q?dX+KxZsS^&>&n$RtcZ1VnvMVd) z?<;K2XVa4~F@PU?jJwbHjPx@gt>d|O?7?(m0F@VSvR!=tD{UHw8GX}SwF+(>rWRaLeWZilF<#>EFU%ZeTt;57zK}PJZ7DiB8$WOO_X(Hp zMzJ#MZugY;h64B3m$~Du_p5fD_Z`=k=a1`lQqVrY!C$$#I0Oa)?e|+#zOb%1P9tt_ z%nO9IJMk5z=vAat*PfN76z}_hv#fXmA))2(5+bu~-;-L`tjN3LjqU8)poJMRLmKKY zNE|Q;@BjCUkCce_cZ3ACIB|l3Qeyt_)(yda4#X#Y5++;02|4Z=6efZ0_=EH`n+^Bt z2-9J82CQ(rFT)&<3`wYyU%T8_)cwNJn5)iaQ-k4L#~W&Wsp5iiLcAaEfYUVB06FA2 z?&88PxcXFL`nB<{`gf#TyXloW3wc&R*Zx>)LY;>P;Ggs3tQFMJYuS1R_2lvMu*PDA z(|omwwN&Tv@apw`BUe6C@ZmDbi-98W_#Nc+uC#1G?>~jaclt?6)}-!mNNzY+Fc1OP zcfH-M(BX0~QI`(#-Q2FQ0DdUvX~+u-0Y@SJQFhJ>@DvdE_m}rB`)g2+YNd|E*4|UN z_Yq9=83lfckpD2Qvqc#9qE!QO4&%K#3(AM(Z)MCRc{miUTr6cV>1c7m2Wt%uqv&J4Y zt=axtUUf1K*wnv2;qlS4*aw-PM3N?M_@^M3Y@)C zYdx^Vt20#-9UC0M$2-KCPuyk~ltskX#xuLMza&WT!2y$+Zq@+;Kftm_3^NOpUWEoa zGk_^u0S1_LDzJC!L;d#a@oKN6&wo}fH6_J*?8}15@#TTgJ8q(uZHS(>xIx@x`~5n; zRof+$nVDJ3Q*ggN4wogty8E?k@2k-t79cecIB)udj9+-GE@F;;h968=23grY(z>3Rf{ys~@PwKmcthShW>>=0IidAR7KP>vi#`~LU zt^5y{V$lZ6wb1WzR9pFpI@A4ks+~`mmYuJ69AvZauN&`rz+Y!9=oJAfQK>-Ys3skn z!1~kOs-1jHfy+Yk``fe4KV0LYVN!uZG_~VKa*&+*C-N?scu4Sg(d!RSu=)iZdIR`4 zsrS3a&i>EXTHdJS67hZ9YOoR{x{yhI(agTe>u>)OsrA$#Ybjhpb5 z#s||Um_ZhOy3|*}6>#Nvx(8YPb^bd7V<6sTzT$GF)3}v{%8vU=C+=-woFM0(fUsiz zJmfY(r!Gm?`@(ido3f(4c=Os?0A|xK@~7&62|9@?^D{emG0Y*)W~{>yn8Tz&(2}zfi%Ym(1SBKPSzf<6y zPHYxsC<4DC3t*J0R?a8HNPj-Qm-l)?m*YF*Kp^7h#zqyjNJ&k#Su#v4o~P^?sxcga z6D>kfOrlp70Kahy4VJy}G)b@}XKi~rE)A8PqR-iY49##IBn>)5D;L|#KXw3Iyte=0 zTg@tcp$7}c8=_z}Q1XS*^Lpqd#<2BMHx9+1Jsl*Enzh%_aawa|dbt{Lu-S$S|3t2! 
z1ET;*A2krSKxDn%=0YO+)hNF5O4PUB5b_fh>jm8)uFvMcd(T-q_3o-p66-T0KH}W^#wYFi1$ZrNPU=8Vk zo7=;NzTQh8vBI|694Q6|5Y3R1bb=T4YB8l$^7|K2{*JOJ`)R}#-)HnQ^ ztf_s`B`YtF*9n?#X0%_#{>79>2FG0!zdt~a^Iwl@wQf3wd;f%_@#s4$%#5Uz{(Csg zNR0-OUw|v**~YZx4aN8*i&Fn1=PK5F!)e1ql+$PYTBTegUo2sW!6*(V_B94cEGd=O zq2%0^Rl_HD5l1}ygdIG=r;88NmMhjg6`DiEJ6$^=i0`y&6Lj;MZt|`bg&OViDGtXV zOD&(x=yTxK2uO&-@FqwDe-poP5@U&>?gb@_SR!7-7injd2BW1mt>-=22W*6a0NiMK z{M9KbRANCX03YH0=QK>!8N<<$-kz;+m(0iRC7{alO?Ai74#U?Gg50p&FdwEVJiEnq zme2y`U$BN@+ySRD?ze{>hhDcrGQ-(!3i!PsVow|Z^@cLonA!rjQD3Jsxa1wkns#peLn8r|thh{_d#*11UBQ z$~*ocM*&sC4w!ji`u?~{B{9nt+l#UNnV7>D9Dk7EhV+ft!+yRbfQ*%bk4wrP9hdl9 zHL6I+2@7~aKo@{b6ELjE+$5)Blnn4|sM}p{(JXpyaeQJ$fka68g>Wx-G!F2#J&LMi z5#Q3o!e+{>>iJkOchraD(#m*#DGZ%=y zW$AC;7KQeb>c3)8SY|$wvSggb_FBhPx1Wj2^Fe{hQssiM7Wa+2cvsXdH3)4hgtX-`ytk{sO-N#p-6&2{AXzL+KP`yR7bcRzM1 zx+uJ?J_$m-BxWEM)~87Q-x#bF6EN{Y;Px(YWbvQD!H)d0gIRBHZ>RTage9_2U|2%3 zQD{`vh;=Pq5mei5(A`^K@sG$$kJ|Aoc*@ZE5LuXsbM5ohe|4igJnTe?@MMqD#6#Fu zw%@URLoqU?7Vl) zCv#-5;WMxudpVIrmKvZ!4gUUeAY><)hT*_6B+-zc|JgX*;jejhXq&#c{$wjpD#2-n z+j&T2B+_Ze^Lfb*wgbvA6blYQPDKTiRW%vX_hh-wHcTTh<&aN25fvRzW?Ejaw}At? 
zNEA@yF?z9|f<4j2EaHRtrGmI^w#C|Rrlni1g@61ea^3_R3zO_8VU5<-ZFjAYm#lQ{ zLyy$YZIx*PCs%NUiPp}wmoUPR@~Cw@(*Sg`qX?G_ai}bqU{tJ0a8`zJov)q7BoBM9 z1qkO{xtYC##D>V9jiiDY>P}Iz>d6bEHP2OUq$)Zr35Lrw!-< zTrfFKLU~~VcsUe8a;OitNXgE#gNVR+@aN$29VmJr3CryCAVYnGnU0(kZyBJ`{DM73 z`gHzhU+snzw34(|+wMte1DYC11b=dI95%cua&)gqeIJy240_Tdk-?bBDpr) z(XaQ%X8K9$eGzQI^5>E`Ok<5CcZFWIkel{X{vaIvOTYzFhf$!2hd}0MVYbPa({~24 z3+BqNy8qdB8T14M4#=2!`UlPCRq0Zmn9+ZEh-`@PQB ziy_IF-XG=&BI60TKB2;!0M`8n;3WG2QB>Uw=WW<!NYlihcXlLVD>v;Y7|&HNj+96>Mr|heG8xFx(M!w5mFg8sg4j+r zRk=$E!@p;%?UfJLRzE< zhY8Zm?HE8HpDQik2TpDWVD*Xf#Vo#L6x8`n1b|hr+gAYeYZh4vB)f`=0%2%6TLm>l zB6}`FvW25T(Bp|_?&F}h-#g>r^l0O7f_EhxMQ#EukDJ6gVRJa8q%&fy zaCy!TTS*kfBoTHI@`3|2P}RAt*26!7%R@i2C#iov0$LJLvENMrDB_2&E}f;At90zk zA%1FIF4>|jAprBEqr4?K@X9&ZavElX2@`~*{tm+I1_D{uwzr&4v%Tq!xXEh`;RukP z{h`)!IK(^c=#|eKG4e?W^H%3shep8hhCt%Zvh~@C!6X2yH8&mKMM z{L2g+_z|b`k{@=p|H1M$U-pFdz3fN(LMO0ynQ6X)fBPMcWU35<;m|duN6k}3v&*n| zq(YyAM4!AF%H0{B=Rf$Z(OnY3-t8VxIVlcexdvD+GU|3{g~S4H%|gbLbKU50qOwUtnJe2guR2A>zI!2+EqvoSWvr)73u;PbSFHMOMiYxh>zSnt(}mNmX?;Q zrF(ii_>&uKBC<8PP_9{6S~xYxNCt%6Yiy(-R`&;MZGnivQL52!8cs1apuJ|V`P_Vv z(cAfUTS=rnlOl9ANY3hdV=_B8NBchM%!n0sp41EuVE5giF5u+(eMRCCOGJ2%@_K@f4zqnryH^Qxtf9+9Rz$ryL#%Eu}s<>&>c@Ao=r2lr!%3K zcbTgEp8Ud(Fq2eiYEw1v7PA0ORbA3o*GVAz_4kbbks8479>yxPCH$xEC|R2LnhoYd z-^At{%=z-aYTSa4)nvBamp$btuz#ur@4eW&C*EJxDc`zj-`{CM#gjuQxMEybfmL+u|GV?&cU{(D^MS zY;ii-)eo4Vg+A zpi^<|B9L<#KmwKOp{f|kG#!RdfTGB0+x2+KoYxsg9&=riZ@2^A-Jkfe3;pB6nq;pv;2&fdq$6R=)zYw>%U?tu@G zvtt54p`d4^hm!Qy-`Cyt!aUd#MbXBl>mI06f!ELVda?8YW@WS z6kwm&jgNI9A67Qr3Zl)Ccn?X&XgKo^5kketh8dsS*YT(Bg^2ORV=yb)?=;q$sl$i5 zxtuS4t+fbcvY?D4(d9X zq+JcQp;WChL1ux#dK)J*1)?drO%1!2J#A-B*Yh4xH*PL^c#;24+IV}r@1*A%nHzRk z(1so^mwv1m()$+4S59_Z6&teufwisQH6j~;5><9^E2&baIT}Z7=u;j(k68V_wCuY( zfxj6WEhR+0+9bUg8xD_co=$z)#O(zJtRaKcJZlNb7(~qPq`qGm&BH~^u|}jvMVKL2 zah1IqoFyEBpH)+xOjR2SJro)^tgnIyzGsm~3m8vB%Wel#_f3_2Hpqrv{8AEi+O!I}{^ zYPcdSrmp8B<-aK6%GB1R8>+%bLZ{W3nLR|*Ago(GgSQW0Ad|`|i$3j6P#eFKk%MOz 
zqeLU%Kafi_x1Sp&2p%BInOoP`NUt~5{F50x{(QHp7wH65&u3mBpR=gET)7L?<^9S< zbu?3$^c>BIxN2tB3f@A~?2M!oBIhQ#mb$d4vkE%AQYa zk;_!*$tPfT{k?G;>=FgtvX@?UU52vZXeU z-mB&ni=Yt@6W25Mz;w#Syc#rB2AfZ{DpU_jPBY#D>mR5fWn|fqrXoIN_Kh zrCtS=+KlGiT`_BYizf#CgDz8$f~~(A5PJLZ{gI^g6d-z~@WMJgo`_K-%+Sh?E3tHq#6eIeO zI6jbikvU_N>yqV@8O6D|5W9tw^kiby?t?0>uh(`GT_5oA7gPx*#r3OfDeJ*4?-BXa zSdk%)X)4V}7|?+PqOOHI@Cy~eHcb!|x60`BjF!gj?(ToDW-N0RmcW@1nXdyp!YIBd z76~rcf8Y(JJVw~p>#%Q|?d8l;;yud?kv!kZ6Y1gtlsUnNRu7zv*akSaA6X`dyH_Str1takttruXsAmN58R3*9KXaxa$ z(OyzAAx`Mu{R_px;rM`ampgBz8At^g3UvPfKXW{QE@Um^5`W6U?;82bsAN%k0K>k$ z%Te-6u(2iLuK!k=7%cQg6iJtCRLfyb`EaICK4qE=l!;2+lpK7xwo7?633#1j;;YL5 zWl=e0+F%AV0JccW_cQ>A=|A#8;QBy7mpIny^+NGKZ2Fm)o6jl-oC@-w+%NxOUTaCl zG!Uyswb8*-VVEMx#Q55LH*|*MVey&8uk|q5KO4y_x?nI+ zfbtRp<<$1nth-cbAf=KhzU0XhqHr_kQeHY?s0RnECH*UKEh6?XcFPD;>mb(16&(Q> zyZM227=EIhn$FhX>0Odu=$6t>~e|?1bLZagrer!m=w;J??H?BtaOO4lb)mDt( zfkcU6QmX}0s3g!M0Hq!2`TAriF5GAO69IT%^0CACSoW*!FlH>?UD*Ui-yhP_VcS_7 zzoP{FXI;;m53FydzQNBamr`ttghWCeifhatMTaSJQ_~|^j~|jQ^<>+9?wdZ))&Prj((^SB zAtlUUSDhC<>(bHD(O1$Oqnf;a@_w&+fapZzX6h`Mo&`MIn+crknTUJ?FSN;ZQUuy` znTh<$9=Zz?#|Qi)ZGd}gRcMCDL@F(hH1ywGbX@mz*P7gPF zAEUYWbQBXseWTK12m_i{XfVNxbmTGUVyCvW?yb&XEZ`C-ztH?p>q^SbU%TNiw~ZSm z3G4qXK#k(GDwN1z{ez)E&04|6s8MpnWjB(MDuYR0m?zPQ<4+?}@}JwQpvq;zdQVnGEACGkEX6 z>HWW20J0*d6ON6J4EL+=AF47@eK8g^G)S5lutUdtZ!ie4)S`KGp5XD;IR8()B=3N6 zK1AzUMw}$7HmL1d4gjP)DOci1*Fb4tr62}v8ySiLHzRjVs-Y`JwNUI1DK>9kO(+uI zV>q4nUFs&robpQqqyV+?W2NUU{VD*sQqXAt-ne^kP%2vzGD`5ND2A%ULEJnfKJpVK z9Rkmb)1qEbnpo&z33h)VFBU1QmUZ{%roF$K@xkb10ZjY|guEC4-GNm+?f~=#yGX#v zKtlPfx$$abpzL66tdLWEYaFfg|DVx%gxh#p<4U^iAzEyCg*Wv(jCf0O>w`L7^inki z=A_7@L%M*VO%i`F17nN9HfvOiYue*biUBOJGVdiOi+MvjCQFE+AY?De-KQ+|X>zyuEKL+~%h$YV(CdB9X$8s2O z*@zxM(YYLrMc{%-ka$6gnJ1W|L72)W3Li~VVM}BY06Xz3&!{4*z59Oo%Ee+(XUy_7 zso!|FI`lfNG8O!9NH)}myA`Wy;PRE?uF3KUfCLZ*_NYoSkP*v9UCIN0RG*avsxzIj z*1R&DJ?fp!qCS{kLpRy>>nM^g*H6G`9e8Sf{DXFwL3_0!(H}RQ)*Y`QdCXaYVk~Sq z()(w|VGhEOeN} z@b>(hV%C2rF5WQvyNnB8Y658h99nSk@wjAm<6(?s<$3ZbeqVrK|6WUs8XiuUk{q;d 
z;#R_Ji;^CuRnIBbk>!2^n89#SIL;KvW^IgQx?hEu@l73K#P5%uIqm>0NVYtPHM$Je z-%!9nA!7Z`aJV-faCCI50q`rF$!(K!?3RnM1N4u&fImqK+ZZ+o`*R`^ zzsYnJ3=nc@DRn$jjS5dP}5L7F1d_dL8 z%L@O_-Jv`^F50JetFw;9g$sJ6I77vjkfl>;_*1Qvl zU(P@ccJZ+DZyb}RA8apdp{1S5_XpE&YzN4aAuNI5adEDC&Rv#2R#pQ5iyP1%+iSC2 zXIgR_AyF_1A5)o+vld#Qa5O;ZM6khxl_64*ga{UMU#Ug`)qVq^kw*%gShH3!mSIDO zp)Tb<)}$~?4U0PtYAx($(feTr~?aUL=@@R)mB+S$9DFeYE1{a&fl zZj0J&@qa>G!*DPmO7#dqNcSd%&20`ju!K4CB1g27SSe8hLM@Ud`iYU+AzQ7-2RZS} zwD6^7kn3LW9)KX>2OdzN$e?W0LL$KT0%$ zi<1+s^cuiezG>2C;*jK9 z4JwLy5L?=r#1HqK2rd?YT$?j8Go^?{6g$Si6;s6i^^)GW`eiV;R?9@9qxTPNK%)mD1S1X}Z#g0qM4!?(C#ejkT^DF(+R zvk_>Ed@w>#^?S$R!ZsgK(#D$kNavu zWAaI?Yg(#4t6oN&z|S9hZpL=k18CT*wb;{+3qG4~HTv!gQ=~-bV5Dj-EPT{4EzRjx z*}(|+Yfi*KIL~w!w{Zg~Xay1BS(N}$QUp8>N$hVi?Y}D;#2f8^!XU{X2&OXN4O;yv zsN?r#uS7khy`Cx+(N*h);awl4NM+}n#xl%d5aJrrb`OjJSyw~cf*9oo*%ND2do$2; zS9^01`~|q)XZYZLz<8sbah)W0pQ-(9(W%Sebj^y*@u)q~wrJdKB5i9o5cVUeN+He~ zXL?`(?TWGr4OcO6)bQB!NyY;};JgJ$HyUH_MDrB#LbTQmWBg2xb!WFE9X?7oV31EW zl6xD5L9;=I9T9p+t;w2nTyTcN@l;zv~T#TNHT{Ms@~-xx=b}F?ENn4|XHo4*@oOE{+CiGqVI< z*?mB7@Y`(64#*%9RhfvjYp^Yy7to+z96JO&=7_-+vH~2NmWPuHEOEnoPEO8tH+F^* zcNF`rPJF;O{<62Q%;0i3(R;qy$oVM>Tt7-fFvvbF5HgxVb5=$FD_4~lxFJrXlKG$G z%>-ejMI%WXOx9v8kwo{absUdeKL`Cd3V08m8l_~{uE!rdZ%Vdh#LY5l8Q=?&; zh)3Jp2cRMyM7-o^m8FW3eQzq_#TP^^O<$z1fRcD;%jarwAQr7{)Qbm@BNx5NA5M&G zTk}Vvynz+>eYyLk*-&Hi$YaZkW{UTSXwzFi2%QutNIl4iMFGqyoFaQ9chnaBBcPrV z)4KBVF51}GV5iZ>^@+k0mzH+SG61>*CUg6U=a|WAd~fL%7L;^?HkBAOW)#F^pv9s; z$hj*8o zdRipFcPk48=m)8NjH!`m1r9F=TAx?cs<|d39D0~xY*o$1FmYhQR-y*msdQ_&v}-ma z%4RKLMILsm1|bsDKNs+dlW0XQG^TV-W@(Gx*lK=y06|m+2DRC}FYGbmz;BRG=-x%i zri0<-3jFS}n#eAJUAAuh;oWC}ZDV35FHzMbjfh@*LmhE|#Hu8Tmay&I)4o zj<2M2Cr?6UbHWi^;o=K;wY*;8s!glK6uI5GX0g5_f*>(DR-_X}EAX*-%Lvn@ybhM^ z-z7bVMPh#73j}WoqgymHQbr-TjnP$%U|49!+hT;wT5`SiU-sTP3!+&Pkn6|iSN)mV z-}_9=)b7Nu6-9|OFpiLWFG-4|*Xt-RL(XMiY-qfS!hQfj9Uq$AVroI*=TATu2`uhB z#zya3{}Av;Zo_GqSROJ1lTwg@^6HakRndMU|BJL4SRs^6rH~}Z1phr6u~s&PMoAfE zSA-DSxERZnj*Huu#938pc4-fO7S9_8zVr5reV^D(;o?Eqa?*1l=edI@sddQmQP7%- 
zEyo6204a3Fa>O|VgHLDk+G{n5xqk#r@oTj(mQ;O{)=#Az$!h76#(9nQ#$ndC)t=+kAt4xQ6YY-|gsj%b*IV;F z?Yq@FKqq)}#`{SQUpMK;32(?v64_p??4A^wE7IBKC#?@;(h_EbdBW&NBy^QjT9iZr zn@!Z@AvyqmY1pfwWe^qsXexaMjtFMPmDS&hM;%98L92vx+e7t8ee0l=j% zF?!{z{-Kg7$*+AJwrB;eSDiP!rG=~Cl*QRsRhMMeA@kbQNkX!4485>xHw@RXGAek> zkZYBvK+rBt3FcjQC^}HrASx*qX>{zCMQOjEpQ5q?S71g=4*qz=A4jwS`+sp0f5B;D zm=a*nx92`@`JLCQ%^2;-f)F#GLJ9(-TmGOpb@h0kKU9p+0uMS8=25sm!Xvjx!W-?w@<-Au% z==kK{ok3lj7>vbF?AG_as@Rmmfz0YoWc>rubgYcAbR)it_)<$8)4A!>SGG%q^> z1<=_Zc#n4Q?c#e@NNAz!7tI=k*E&G|sQ9Wz=O-0EhPbK{#jGu@VB91%&c!k#M##v$ zn1cZpMYKYT+Yg`+GX_Mk-zQ1|^i8%rWuYK>{U~&n*q)!$!tYwwYgQF0--eEO#PG2; z;BpG!*#qTN;A=VcrkO}$F5&Ms^E&#raU;j=k^FBw&2f;`jVXdGUqxi#&h1xM`{u!S zu1N=Q+H+(p2m6>jmYg{QB9yVF*0JYwA5zsoV9Yc|&D&ILs|Jo!C{}RE4__kP8`B8` zAvRjO5x}-hO^9r2@j0)LxPC`tmDf<13@+5SwV;oJGMF`=Ba4#=wp0i=ev|dh)|8&& zs?&SZk^>!a7^0!jn_~TuHX=cT`-69baE#&@%0*e~yC~6W;&@eP&|v#%#T(X9w8jfY znMO5M*|eBvMy#Ep7Mvyud{p_mz8BWrmf$q{11TW!TK*!_1xOpYC&Z&!=2l=rl#%O{I81TI zg+}z|#1)V;N}8KBTx`Siui8mn-bxk*gMR;-S7NnZp!EebiRzN#d!>Yt#o5^);HXu; z7c57X3xR+4g%s9{HZ2}_(e!@dZ--l7=Fv9lWY8`~WJgkno(V-?z?^rmYn zm%7#y4xPfc*E_zcsY1sDG?Pe4&~+=B(p5(}glUK~*$ zJwh@1EUulKzKjtUbi}taOZi)$HV=Z<$%dktdqO?jL{;#PVSpMXX#VB#>Vq87IGqXX z*q}Q-C0yH%7{bLat-!62DVzyHYcnaxsple^Y-Wp{Ja&Y?Kz?w?l^10Du59vi|3w&# z@o$(YU+ky~!E+FAK*I{IHu1Ih{HTTOZ?_m^5-Air1Lqo^8Jxkhr1KUbf}8$rlCXZY zcUtL@SiDJilxw@%l(8)>`FDJX=GNKol6XgtZXxSg@4PoO-vReZ6?lJ7{3!q|x!s`Y zvaW>aioCl1lUOo5c?ECtu=O*zz6*rXX9EUkB~>3MjF3t{oGqVV^*f5hmOo9sCvSp_ zq*s&iR{Y1j*tMgHV8KMc{_wah*M3X@3QKt5r)!vzBmuyuQT_$0ah!J@k@d?5NcpkJ z-}*>h7Ae#Ub8bWPMGh=L43_K^ml4b|N5L9NBtkRHYcWMMqoChKe!78~CrtkSmFN?T z_wTbi7)#S3b_Y7PEQ=cQ>J$<<$^3Z&0iY-2T!xi`umoGWEn@?ArrYT^plc>2l&vbM ze0ARH)*Gb^y8eTTW7(-{e%6M{7*AX3Mvz<(nI`E3*kwSpX1rK(nHG!yoIG7z_*KgA z58Y3yG8Upq$iI-{s6YsX4%^=ZtF!S34*_OIszAu^*TVQiE<&5`wv6>a5}tE#Iw31` zJ3^!+PRC{Ynd6^>42v`xF_yCM)Wb8tP8eU+JVpx#>;!7SGl0VsVUkL+E6VxtTPki& z{qISBz)D#=3gNWmQDm2%O?@Zsz4m4M zIIQ44ve4aQYFgTdx4W+V#ubSJsW>G}g`oGUh{U7oYiO^6EVcpopYgY!8 
zoXRV^;aS$*!ASNSrif#m^kK?Fssrj=kvrF&0ZU2~$*I@cqgP?SN*n9K4k{6uc@d53 zg25UTanuT?#TV-ecFec|qXD5|wVIPFL5f}+TG7DI zXr3Er+8}YBm2jhA8olaA*(A5#J2hCUFKPgLO!Uhet=!hzdUNB|(E9;sq(<9*_mg~J zZ+GC}Vwh&`IA?nTfHE!VJ)F%EJtwEUyu4_3nGciDi&Pb)T?sNY##~|ltm8!e?(GCX zu|ZZiTWhvqb>5erYzJBhaw~v#sv09dB9t&J)SCd#cg(q~NQ(F#0PAbu+XZ3|?i?H( zm1CpBv)D*sjteSMMP+3Yh&B3ZY80go4ap<=)e@O33+P&3Jb_ZRTVDpnwEy*H@gQlG ztb>g1C#n~K8a4t%9T}e{;G*OwfUO&UP>fcD<8AwU9U*+Y)z%ICGMoTqf?uKE-5|{Vg4yqrh>2E{e(`7yI#f91;HxcNO#<;=&mprV2qvt zjYe{q?Bpr&EwPs{fW@JH(>cd%q89KUn9EQ`rneYn6I6u9Y2a+@`&^Rus*~Ee@{1|*1c(o_II*W-GR&xf#D#hqGV&b1sc5}~E(_R~ zbS`k?if{7|EOVj#UwwCKXz`3xfLB2zPL5Wtt}s$Bfo5Kl3cG(!D)oHXaW8E#TYDOseU zrZOZ^nxZNRy~TEQ?%*i^ARjl%ca@jj}pUi!xe4i1O2d z1B0J%ZQCA_rvOPq?SqByc^EG?+#@vB-Oc4Cbmc8#M+f810bB zIkAJ;KGENmNtGg$IrpumiG@b4YcO;QefW$&PAQWs-MmOX)mgl@%bXmBD`asWd6Sjm zyG_!P_lJDsViEMZ2rKbRD;ZR@jTAP-6yqQ%1aTsE!uYKYfx|};DS`a?+0C$y9yx0tz*3j1a@G zkCz?0KmT~EGpO5p%tpQ;$BP04(!%0+_G+JL!TTND?%!ebvE+*CUA!X)Uo`;%(RUnZ z)W10E@nsZ;Z3ED{5#&LH%nb;e^S?3Uu^=sXOGAr zq`vR4uHU$|LW+QvBdS-DyE>&ci;gq&{pLx+h2z&e$5Ik8DT=X+7-b|x3f}XD{@ujx zw-+i58zik5L%C?p;!wiJ(9Ipdg?u+I7*ZM=w$~2=f<)0_S*90;hCUaZR@O5?QM#V$ zR(W-W$&!V+ubl;17GE&~z1W`l=YE5C8F_ul!}D0KWu7e8Qy$F=g z3mlL^0X0pVcDUZ>>pofpb-Ae=N!Gcv6aG)$1_pDkmp3+&pI_W!r{j?L~f4&A1Xtbt5wqbp#(}41; z0r|!~GU+aGh)LB)8mr$m@#=rZCgaiO_55q9w;w-UI0V3yr6(GI&+}+cL|`fAKB|*Q zG-d&8KL(U&?J;`tL<^Pm!z|Mg`b55^!@n#5h2$?!TX!tN)0uMz8zB|)Uxz6L?9j1q zM65z0E9o%e$Z$Is&efP3+E6K!rC)h`=_a|RTCFV~1g5K8dWDXk))|nAneU~*9yemy z9&&y{*>FnXI79F*=2M=v=zv#wD4~1Xu1i^{sTMf{7#$HFU78wQk#7a#>!plC#5iii zWOX7dWR~>F%6Mau*u*^p-d<|Y@Z)k&JF=nHsX@2BX~ThII(NcXId9lw?_1bcLOa0G2{>{^JDW=N1ET#-U=l0W( zMv={qb@j>A=NWayBq?~;LSj78_@NfEzH9n7YwfGRts|{Ukg9F7LV%)aCz#ES=D^sE zPp$ZQL^;tcl^A%6a15%w`F@zZPyRx!G9?_@BV+shXK0L&fAVFJ?zn^XZos#}2>Xw} zy!cjPvdFHbBn+#h^QyRY6>z=9AccCG3aG8g$t;w&KWU$2yXnW%A&~J z(Jbul=h~n3Do6&^V&0GyhXZF&4FV>4yHnn&n8^M!yDWqh_BK*PCN*w_h=QF0as`%o zRbK6jZz}C+vBd1`YGx9fidQqOO?r!G zDV@oYp+-(*@9wj8Y6R^QlRtRg{?h!!V0yItULQRxb^_!fOYZcEkLfu~l}QdMc3{%% z(>!X%9%EwF)gb5^ 
zRNnJp@hfv+gg`y!KE)qj3U=6L;clg3@rBA!m8KLr)jcnKJkam=eKn4f*P{7kqa`41 zK-S9X`F1&EB!wJsJxkCAGd}v`yQ*oIR`PxW6Ni%fMJ{{=5-|YlUP)k{`AYyu6>3N% ziD!tV0LQ^4`KDQoN%?mb4mPQ&F_-@6*Vj58Ho)?qU@R^}373?XQE_l&7bX>Pq!D;C zdQ2`}lp`DUz=I}--FBspq@Q~}-L&8PWUh?olIIrL&)azKXB4GIUp z>?hhay(a`Z?}h%PAx9RorBcLAz#x7lOs#H!3h({k*O4+lbXuDA)%lY&QbVe8W==7& zX=&KKE8i_jxB-x*mBzWg`9ipWPdG?JKr_B?>UN>>SjwBc+-k&zt~mZ=66ZX z3M_>bl{wq%1)4~`F%-F9%HXyYot{}m}cB))j_aoIudq4+>i}=v15CX}E)biHKkeL~y zM)mR+D@D4oVBMl0z}#mTfK8~i&f9)EZpLx?;k|A=1Uu6z3ic1SBJNLC|vnR6ZE zgcV$j9@?LTHJrtYA+8(mEb)anT^qK@2tlQco#xbUiUfWkt6v6{%D$O@r*0h-6N-*P zsD2=#C6Rg9A~EXFC&S<)5YCN$a;x zUO6#nn}uP|qe+D@jo611U$^N?XYK~C8v|&MUHq8hSLcR;us7WQqgYK|25y>%3}OI{ zIZ3Ne9ewG7Df9<+85Cn}W4ZDg8598=s9Zy(Tx|yH0@QQCj*FTep=MBuvDkZCVTCto z5(L2JuvDvqMlD+hK*B=!;g#whQF^cxBB6_?)$KPjKueI)q)5iqzv zpRwRhv?<(@il99>eIK&on{y#!jVzU0@ww^(AR3240FdI_Im&fG15_Ypg|9%YzEK*b zG&d>nbQL&mfM9Mifw2siVeN65QL!8NXWsZdL$d=pArYVvd!Hf*(;OXPYv~8QlEH1L zTBZPJ<%Pib@f#6%q4?PUYpQ-^*VkYD0PWHU7!x6@2pMfp3Ez$f3N+(W%MV64E!IW^M z&;fFU#WOMXiQf=nj3cV1xdKGUzO54fnE9a&nN{BNNn;I%UISK^nR%(K_NH@V!P_9V zvksIMBKtOd_tGI>Hd%;t`Ma@L`xK!srr^-?5(PV8DTUqTM_m^0l0F4tVbnAzHIp4X zz--()V&>GuBCk)g<#!^f80;?r3MH2FK&co&haduOf_L58(o#9kX!975e-X99Jx=dj zLJi==2c#6Pa`~*{<0K^{7<7z&z@ASFF)cX&43Rz{=u^EOo2v~3RDvg${Os$1pq?^` zvor0Xo+b0$c0fQZ5idq6juSBJ;&oCAHKXPrb?CU1y6X95AItY@r#5FtIOso@QHsaT7I4?~a z7ML0`)|x!x#edmWBJEO!mUKs(7phxy#UbI6sKVv2_1TyG6^=dVuwMA%1z^?m#^*{r zyRb74fXu@J#Dk62TkN9!^qMS_8ffMinmz~t^Ka6Aak1T*dO!bg`G2$L8IJFJ6AFed z^3=+#JXeE0)h!pYzS_!tWT5V}JgT_2Rf%mX6$NM|jt_@x^ML;Pj*l@#1(?S%O}1$I zMkkyN$lT19x*h1>_pDe#VQeK&g?wJA(SC#87=D3B76LBQ`_c(cm=9kQbc6;&wWxmN`xy5H;-6#V=5;j9)r z>(@3697+!$0~U`^(Y$}=Uo_Sj<E3}wau{g&$YP9mCw%NFk{ zXkd3g+w7GT8nbMeP`+LL`^Z4z^%t71_|X`CgN@FAq^Il&6nSI}^k^U79qF*8b^b!2CZWX$>(aX*8B#J6 zW@k}^Uc2$K;;(tRaWm3D(Q}ug1qXyT0bc%f{>uOVKSQtEmD2=$^S@V)-J2M!q8l)YkXUh6TYdu4g0j7zW0epr@b_=$YCT4pt-ogQAEWnvy!Lees>&+?5mlD1f>f`c01lcp6xt3^O2_-JW)3EE24>4b>BOM2 zidX^GVN;1X$!fTBfNHz|^WtmJdM^J;Sq{0K{fG~+7{@{av13SQmf*r_6IIU9xO16( 
zW`}xP8k?4Vd97NnyKl9h4}{AqCw!FXSQsq;RKL@Z5Rnz*!8&LpQs+!h7skcO7jgg3=S96!B?`5URh7B{JO=DI5ra8vXSn{+_ zBg~r1peNbQSn?a8?wRq0s17bnD)2r(Y&h5F_5AuTe1{o%WREE<5C;c*974LTSCU;k93_c7CM@;cYl_<9i?*5x(hX9cJJiS@cf%eep=G~|G0GtDDvj);=o8dLh9=|&E}^^X{$SSjy01aO z6Oq2I<#(?c#$kc_^c(axo*J2IIfpwV(Bo3qO%YNefahp8bD3sQ|%vqoxoJg)BVrm z4gc&ESbB9BMmGRi?4A)Zq|iY5_0?|Rm?RNw7s+BeQ;mNpxh#V=BUjtm+3u~UQEPUoA7g0xAAc~T2#2}& zciZ>s8n7T#_}N1T2^&2YAub6OLIJ}M0wnKJ5DkC-qNbDO zbLWA=ZO>07|CAaE7P~-zU7Ot^k*-g}(H_m`SiW!iI7_PgOeWILF*uAHvbY;GTxAB; zNP&*p()&I-+7&9If<&jI68aIC9%#C*2ymjZ483LEpvuFpid>y|GAvuEy1a86pA0{$ z?RFy%?k)vO>KZiL&IEPtN>yO33N~>>NbydSZJgRvu5SCz+>h5G z#>8VK#s9pFn@o?TxNU1O=_?l?gkW)e2{^8gV=dzi!d_A=t%ru^b$hu2>zf>_xEWG=9L5 zlncSN*etmyEZ}lL)Fl)Ye3wW8#S4< zheslN-uwTC0?<>*Y|AC${~5OS0U&DW?O-q88Ajp?cSuAhmv}tjPYLgn(KX15N>i>N zZLiF8oR>yFBQ+OmU08{UXLio|;#CWWHn`pbv zYd(SZ3t*5f728zJNR`uoLsbn|e5M=W+X=4OYKfUEiyaxC9$}&x!>4K)#)aVQwMOR| zS2n(urm_o}ke5Gr{LkdXI`egyG~XH1csqviijLoXzv|gUbs2xo{tB)A7iQK)Od;u|vRAMD0p! zPJFZ$D|YiYv$TB)!ujrn0wzv0x~FmcD+@!!h#V#(1LLYBO5#U20qOlGc)DGj(m!Vv zIzT`5xds?T9wjo!7X7riYhika)cYj7A9)kpdg8cZ3-XVB)*!Y&mMzGHe$U!S6D_y% zj-%&ZaM>W0jrjpoR_Q1qr!^L1`W&^rG$A8$UsrFI=by&6s)=}wKc}6xdTUfovGt@! zgbADHF>T93+1%!t!6D0ta*WZ+w1Ho_DHsqL=C}yO%S&4|2$eSb&|nE;QwG-v@-m$p zwPDl4h=JEKg!PFT_z|S9xZ^x3FkHQSvb&p?<_cPOxJPJzcr7 z%rfLrXKucK?EgF%qW&4zn3E`0{XO6(0psQjW!d<%`}Gd_G6r3PJURwy54$B~4C)Gn z@g($wv3Nvq8pH{;s#oIc=TMw@FR*d0ZUclSA^|%S-11s z&Nz!PeOV0IB)ntI+*mdM99URb7y%8kjlBsmUZ;Vs$;e*H(ofSMH196oUHVmKu=iO-3=_>>`RY#I?1$;|y0`_gzpt zq3)W}{RTB@|6_r_-cp@A4;Gz^A_xwpAlXR06kXrMGUuW%^{Z2HU+y5o%#ItG#-uh+ zVE8WP?BH;lBVx<+y)?MGN#e&=W7APYvk9yzY2t<+Tdx6JHe(2|O;sZT<;^0;x`5`t zC6x#fP|HS|XgG1c_xdg?@YsD;8arO!AJsN<8;Yf4jv&*~%XMLId;Qq3e>J(~lI`-v z9*qmu!orTw_6Owi-g!kNECVR_V$6kBrO6X+_wztpOFN%Ynlp25-T=t@w&TAuETg#EI|OxVbIDk$NuyY+m~ogFt(})F1*cl^^F}LVbwBV{epCP^@$Jmo zVj#9qSbK=Z1Q1&PD7yRn+tBf5GtctpXiNEtiWS>^mmy@%tHAL9l7DT$pAL(4`)NeOOD{B1y6L)5n(9~HIA7^rZ#X?RR%hrQ-^dwZNwXS35OdunOBE^WqjH}`Dfh$rpEd`(>V@fdKQ1sf5$E$F! 
zu8@O`G(7@`65|Lb!I(*Z_V~;xKsVe)oW~;KYF*d(WvhJHy8etrV7Zw0NvZK?ggG4d zoncF?&D|U47WZFaSA{?Q(8IS9kC!y5v)0EuX(+&vo3?Bh>^W;m5ekq9I=6x+5{f+ggfV9v~APkF9&l|6?`qE^{og!}L;fBAH zNyQ~55mmqj3E2hhT>X2`eiOnZb5^ ze)&9?{I3(as3@W$SY+Y4(918E0HmzVTgaKfU7Vojg~|Dl;cZgK5Y-~;x9;X z5HC3z(+Cnl*}daxYATx(>wv$!dDwBnv6+;ZUE>fw^ItM|={fk(W5r$2S^al2v0M4q z{lm@Uga(8ItEYH1u8ol?%}jr7UngdEPQR8T^I;BY#`%V{?d%_Q2^J_Ty05G$4Rl%6zp;4rO6xHMn-1E8nq zDCXOsgSjgJteC0&*sY)KoWlm*`N91+v;|d5X4dyAJL>nd@p$P7eS9LGt{P2V@0E3{kyNlEeTZ+;TENXwtzz*d_9E3rye zuqoHwgXSrjg0+eBt}hk5lDBd1U&Yn!EsfIfItDW4HXXZsTbnX8T>^@BS-B(-n=BL~ z7mkmzd9DC6AYtuvHjyGqloz&{yKs~$-7clToe6Lq?|lw6w+_3 zF;tQ&jdeK`p4=6b%#WlSDez!H7R@2gldiRGLU8c70oYAuG(`Fi6eO zzCZ+1mBB#EY5s5@oC}BWFAGrn=qyc4t<)llcm_f?IhhL;D_w{kt}7eV!*S7iT2xyj z2wlS|;zU^)d8;T#jdj|->)^s;6i0849T{pgPN5sk_*iunTW$N8MG3niAjHuYeUQn~ zQXaQ5UAk{%LowuDMmiNY077i(OCc3a)Nk(cx5knorHFGpRGw#kHaksgu&B+6wg34Q z%j(bts0GJp>1*p(57*vGkm3Y&d#QM+GvvUKRKVa2fRI|;F2bz37gtDwd^1Z1Vko>UWY&t@w`yaH zd*VLynb(oumh{nUbrMlhGd|f0=|;G;Q`LmpGc8&bWq58@vvk~XAajM$eZti_B^>zan3Gb* zH#7Eta4j(liI>23u&{nr{C70ZiMgwtqPXR`2I0H+wLX?)9+GC#kN-*B;}>J$n+(TG zTy1rgjhcv-#q}h&z68?|QMs6ybn#@a(*&bI`35kLi-+O1i6?q~e{!>DgkHvJj zp&8PYk>wKpD*~vNEPr-%wQ2IAC378}BD5LOU0Zrm*tF^$2|N2MXuDy4O$i+n71zJb z+*B`6RE}!t=eO(><4{ymNmYc*v@7IZ)~V63{+eOMktl3N$HcVCBw4Q`-g^2i&`=(6 z09XO}HD{V~`4hReK5ti*8c=^elX()DS4f#8wZrWru|tH@)NQ_zNoQs;OZ>7mZy#c9 z`e5Dj`zOXg{eUGpxZ2h1569+J7em+)@-L_B4QNev2=OiBL(!3YsU{BVmG zN20O|wI-uOjS(NVB}@w`+T3oCr*^@|y)O$L^%x-;->9rb5JiF08k@ zA=gu_yaDq_YI?1~{c zN+43%MT}0RmG%~`;#28Ql-bT&0|tk#ctY-}5iFNYHYuakj+krZOfI26xOxFJUxbP& z0z@T}6TQzoZaUGLIQh_H!e_U(;*~RRmXlQK`Yv62zf;4xwP5u69wmNR;K(C1he<+6 zUPdv&K|Xhf=TH?oO%S>b?*(?6qSYv1T+*k>U`tA*m_fLX{&Mff>g@9poJ?E(+YEx` z8OcKWyZk|ISXY~}(TEe5lplr%QaqLp?hs${WG!aXI!Z<>x=3@z-a8y6RuF?{fvqqy zn%AIPra;}oWDZFTDHak#_qgS@S^b((>-zk?it7r2t+VD*N;_|s(We6RUUA;-8~Ewc|g8U-{1kvoGlELmZ4I;GDxr#bNcz_R& zB!$Ia(&@#;e|{Ic9hrP#p*Tfr@Q5!SdQNrXP`2GccF_8jjk*Ifz7)N}cQ*-ve6;f? 
z4l?apg5dnfk)?1+5=)Z$5IszmrhRAUA%zKE@RroPw8tEioiYH9yP^k&P^G`gYqABW$r1A8(s&npx_sS~T815hZ zEKQ}zBdO1kbqE?_>|%7&7C@VKH1_w4(8tB zF6=t)^R2g0AHwPU@%gsp8^1rer@ErFFhM_aNN-LD`%BGuQ0@;uEg2=$54y#Z$*Ux^ z2l&!<3%1{lS*0XZA;%^BYNiWnXlE_-^BFVTglOE|bLDU*RO*Zhek4wJK)7rBttVRx zb2f+hYH<9h_I&QAaXQiyP7Cf)?26b6k9seYM5QG?mavWQVItv&^1Y&x|Gfp%rHD%x zyF!?H#B);z|IU4x@YNS0(MA^pjH3=gX=w8A(QoyX*||g+vpPXJYXt2#Jpim4dC)P! zPMKuEGfNTnEJnVeMJ&SVcF6cKVHMwNT-AZ4bW=>)>4oWhB^VC=prSO6KFmNrm?_5A zvJ!tC`;?V;szb{*uomo4YzrjMfs6pTTCrXPIm?V4gn2QfM{d{0X}hC4k!@%5;W9y( zm@1o0TQ=%KMxIx+Akuw@(Y1v4g}ll^*7y{W4TJR+hk;6yV_I z?#YU?D`&5sAk?*9w3zTgnMB5W${sUN zxZe^1FXVy3R1;)xuqnhb>#%A{5b>GfuCShtYQgcwapN$MX^z-XsM+eU$g9l`U3U%B zOMvY`nOu6M&j9{1i{6tUyYLBX3MDRAb@sbWC_@+rMt2g*!ecIw5pfUefd@)GEG0G3 zD#>hIs+-{ox6{DddXkf>%n}5SNhu^}!9)xhnxdCzSE)B+d2eQjdD#Wcz20v!li7dU=(RlCoJW4WN`{T49iWvl4t*L;HA&x>8&=@`G(!<^H z?M$=A_K^;jcYY>9#m5vJ&UQ|#V~5k~Fx#b#v-9E-70zt5k{EkY;Y#{kUzD0LLb3Ta?LYKE~fnnW(vz}F4YT@Rcyjh6SuJo&28y-ldNc4 z?&NhZv<}K=ba~3yZP#J)KiesFA9d0D9rvteO=r#|8}&ZCX)WHe(yFE$eQqt>I*B~T zml6Fykdt=&ZA|6;WNzA$00FqMQ3un*Iz*%FT)$Xb*hwFl?T3T*sa#%pu1#>QAh8x( zVXf^WKTgRgDQ;GyYU=9f?smWYC7%RJmH?m0`TCU7$Nq;_W|q=4X!*hL+FJt1xH1L$ z;+gWNacj*!Rk)_DzuKjm@ohG%56e4Mwb25gjz1bv3Kuov+`Hgt79ToItGmnayeQF| zq83{Hdne12m|tKN=h6hA2%=23{%mt4CjLZS{G{y(^+vm;o;aV+3~GEGGEDx}B+avC z99gXqJI1t3lB(s8!SyP`f-|v*nF6Z20B%@f6&?ONBA&oJeh-41>L~Ba;xGKQ8)VlR zg3~)md0O~$yH>-#Q1{GBe{bxiVN7f(kF7*bZm!+cZA~~CmJ3mYHvVe=Hm$q)Gn3u2 zwy;-4Z1`vkPY|K^s6){ry(vbOe_+(!%fS6}CBTN(B*%`ZNvTj7?u0z@78a17}&Y3fb~ z+Dx)T`TbsMp0y-F>VyWWh1hXSWA4p^hk=vT`G*cJ{WbOjQd}ogPLQ!UoTSEOh&JGO#Up~ZsK&|hY#P!tq7A*;9iBc4U zX2Mih{Cb4Y&0W2U=G(w1pGSy38Ql%}8-Egdzb6f47U=b_k% zn$iBK=kt^uS*a+JjJYS9_DTQA!HY_eQf*P&EVQleKWL4)4e<=p*B-cLBvQlS~ew6iD@PO}|+oa&ty< zVdZZ6s#hpqkj*>2^M`$L;|ntH!4rPX`j;0K5xeH!Ii#Z%sc9$k@D?e^Tpi+5zNG#* zznY6BHU(nP-B4X#VkgYftrs-)4(8j$JPA=eXHVJ3U5YZ_OQaWEKT)+su!AFGQ6UB{ zY*PgkIINb2p-mDfIeasLlIov5QPR#@de@bSfAWPju6*{XL5?>P9QzQ!cp;C%dO)cu z6!Q(|@&94(Eu->knsi|xxCD212=4Cg7J|FG2X}XOhad^=?iL8{1h?Ss{%xL_cV^9b zbH26a|5^ 
z(dG~6$#Y@9U3lfDnIV=uFFxuoH6BG9wqNNjJ5ibgs>lYyUSAu7z(Nd03k_pFmTLU2 zzn~R`1Xl@A*Fy!WJyDiBW)WOB7`@%~BC9PHXap9#NV<1O z0AJh1OcyQV=!G6VKbXTOzC?PPA6M0SRs^e%B_gzbLB1sU6-A(XRjmSB9>;&$z+G*S z=@*g+%QT*-4)MQmp%+!n1)_5xuJ+5QdXVHKw(%pTmeH55PKS$Yl{+%>AqNJ{|AC~{ z#XpH$b1Pr}BjK%00qKxi!jAZB&Zly<9)aDh+Aa8ZQ-<8WC3~T0MW}X5Cw>Jxp>%Ia zHHS;yfPsH$w1#S@HgZV$YDmxEq97OQS}eeI(GHwn4QW-ai*wF>#?xoO(aJ1B`BMSWEOyp9A1b?UxeI2N0Aef z1F@y1&TXq@jky?S+IR=5Rutcihn$-V3fM45Ye6O-6YkxQ4nZpxP0hfXlI7k^VhqTRbC8DPWGrp;WO4l^QlKg%$?YWg~@c3l0dKa)WfkvDIhh< zKkxd@6ep$0?ZM{a#7Kqmk3O*QrY>3HDkc{&dbz349MTU;pE}R1 z%#w-%R&X$r8|%J*!{=3C%FQMor_2|8He(wPY-$ar#zux4?QQP%OF&tdM)G~i&&+qF z%Nsl#CX7Z>H#fgQ!Q~Rg5o$lsLTVk0{FbCMgziz*3i$b0%~^JC&2wmNa!EK7GEkO; zf^=A2*IekAjmDb!IJj86JRx`uj*YY_`ZyO1{27Cfeh3UT>c z>C@em#9)#@I=fAV_Dqu6DH61E!*&kG1bca(z{|+G{quDqLLEm=h~Xdl&s!S4xW}z< z=u@97db@5;bV>=wl?!V@5hk52viHkC)nXg zbgH=NuUtkGvV{4gcMJ#Osc1oEO5cW~$KsFN*V^Ql@n>gkbn^qxEZ>YCi8nP2tCWLhfD62x6s@=W zb-v$7G5f`;OQnn?#3Yk(-+_oEYn~thx;0+SqvhVzzp}>ztt@?EOQl@GTkhJ^w*H>s zYAxOO;k!=VRNe(;1& zhn-|UuHJ}I)ev?m6+Th9H}BQA78B(c^u?@D`}N0HdQX?i_C@WFTLS&}?QCBG* zq-e|vRT2?@sd1!@8!;L1qww(1jM?xK(i$&IaUSyk9&(Q=&j2Y zf_I_Qh_Rf3vop=xUK!zez$AY0AkX zlT`+jtv2u2g%wPZ6_aaf1HM+9Nd6GX{S^~|zPWpZV}0a2luZHMGxIremqQ}8IkeaX z)7Q+)+#$llZ$vzK*f8~IQVWdkXPG+r8*Mw|M(wUaFbGCdDV;kI!Iwm<|2dlY71-iI z43w&}`f0`Od25}Nnu`0+GUmr>kHqn|jvd0~x!o(U5yjv&#^||iA=yU7`S}_BNUF2~ zhJ0_G_RW5&5dVDkqslX?3IWwAnZHnW40UWiWztXo2PSN3;Jp3I(;cpG+qZAvK*hN1 zEqoD>o$B~u0#Es!$wszihfbVOFslth>*;9fnL8#du9r_a*x~m?i@(FB2bv@@X6f^a z&m?ZwhZk9%hU^PGFDEYAqR@P<+DH+ zcm*|$MSih!2Ica~%n1`ZbJk#Wv9ay~v!TEFoNYK|*pUBYgxh$EZK~J3K1(E_NkXDu zzsku_lFLjK(j4?@h$1nSCXTVPrGbo{O}p4z#I^8k@P{ z`C;cFn!S?}jR|XlwTyPH_Js2qf7L8(q6~vKm?76#Hrq`E4@DeIT3X0KwbB=1?a`Rc zi|xQs!g+)vW8B_cZm6Hnap8}Jv}*Z43Y{vjGfm=n2P$}J4X zC!2U#EJf%kzh7#xSGZ{cG2_G|?pJ-Ra~j>$yTFc!~vW9fGBCGk7)Fhy2lW95cT&6oU9>yTlzfMvSz;pnQc{I!G0bkE+B z#aWJCYoTP-Sq~0S{-$>KVj9EA)zVqL6^xW3MUb_5cDH&Gm`EKuy6^Sbn*I9X$#b;6 zuCXm-Faz_JpUb}cCPoUel0eppH4#)JL8+IWIO;s?P@+iC8%~ZNSs`T1cvpIS4m(3- 
zf|A-2g%7Lb13-7MxRxZJ0p_Z<%x6mexncvWLi9+xb^nou<&Cj!<+K*=J?w=uz+r#H zR%F$%sz0bj$PyU((!b$1laJ~uCja~?X$*s=oJ1>N7(92G&W`aQ0xN{e7dBs6D-+HJ zhbeI23tVV1p1dV;-%h#!#L?#~CGIotf)@JcXgFhP3(&b4;I17@W^f>qE3V(chFEN3~)ML$@6 z|4nS5I~gfX+^AUf?ZWw!L)Kt(4rhLABf*?W%@Rbx9fBPJeok0V6t`KntrWJmLByv# zCwEpu$ZlON#Iku`jpr%IR0%YhNF-64jt>s2c!O0b;A%GLUw9jhjG>M~rcmtIa)5?WGVbw6!Le{#T2Tu(mKsTL*FveSTFKwd6e2Q z4o7Wa%{7pqE9~m>Wu+jQ@VSW8>j%o+nT65e3=@F4KI_5VBD9-@^~sFAMbV7ktBF`g zw;{9Hl<{U-ANpz8#f!RFUXwtcc%|=0UYo<1zkd8ieVJi>WyBm{*Kvcv5AYXF38&=l z{o{eKGCvqigyUnJN!A7&wBpf(sW(-?AmI z@wjwE0cGWABr1iF3x-NVBWeWJihOhX<1XR#+R|qd$k;j<8^*%QeA}NE zf80Eka<7j*mGF93ZtF++8AK9B$CtwtJ|QG|(NUpb6B>O?=#Ru=?QI4;L3`;^_4-c~ zq&t#g@cHxNNnue!FtrXbm9AbMTQJ|KDD!jf>lY6$I-mN|-4qE5Ly%sQYLnQ;K9x+3^mIy}(|o8tVkB#)d<~^M@miXF0fzjF z7UZ0~(lk}XP)!V?x6Cn3P$#+=fuUc9bbj5T-^Ef!0Iq!16slc0%R}FLq$l2 z3>|4}9KCsBZEo2rc#T?4Rz74AH$2)>EBpPyBIM3i>_HG}EWxri2ph-2rhaVv08oY% zI$NqHa-_YYhuQ~C>r(X_L$W@%jM$4tcp^b$5lHx6(bmcPlE`!a>mS7QSxhgmEBDD} z@HHk`$YUXB^94@TN^1BNO(jYtF*|VOO~WB#9KR%jY8(>@={|N8AYJe!Zq%YvlVgj! zh1a5g44Vy?{vPTk--TV zMua-m`kmo{lKCi^QE&Qgwu1pJo)}@+=i)tz8QDQxUDCH z4$Hch+?lvmkZalzWwMx!kQ6zv(O66q+nr+lIqevKYlZ8y%OJ6~XBe>4$JOqKSJm2d zuW4T`SnyK|i+cJ)sSWp=_qHM6j{y7%lr(a7dd*r~j~t%#xQwpcr}pk>tydNO=l8-af8xi@*+Ec>CKZ^gaCN>CD?8F#P(T(P7j=|^O>L$5 zHH!8F;<_ovsYFs&HIUQ%yl#Ce zdzm|5tgZ8vfSHS`wMW#gfTTFC;GW$tCgB7zW9>h%!v?l`Yfx*v)%3gyAR)l3#0#{b~&5#^r2TmISL zLTx$ep+yx`L1SW)F$WyJ%m0{0^~i>4V9z(c7#oo=a#sFPF%@!U zr}o+8Ad4amFu1j;rBzjk@5NaR&an67`xH&H^R>hHC~Xz%w^ny{2NIsJXlmzjW~Jvi zV6j3_43EnBIkR%(X(9LbcWy&}UKL@u$YF&$drUFq*RQ6>zRbuvP#ZoPG{mr_I zBW&&hWZn>m=t)91T-b)OahUV7g3!#x3f24BmnRi5zMbOhP(Z@;_yuj% zZl%ec#7zWJIBdz)<)@!t=c4)5DItG~L_56wv6#`7uMeW^pkZ9D9F9feoibERpvv^% z9NZ;@mKwYao%&Pp_k6J(;v;Xoisu0|NkD}hm8#MCxkp6Wf+0hqHkgWbMKn8Y=Zn~^ zwHLxEx6-(ZaON)rm1H`0)#~yh3o)AkLyfd*Ya5f&z@#^hY*FaHELkbp%nizskfuP<*;b*b zEg7-Mi5Zd69O4{LajL`it}epgP_N3utHyXNZgFhhQ0g^j%bgb|Bk12>IDd{p!u%x? 
zKqj_bp6|<1z?9qA4;jJ}>!D+g;`^a~H}UgF4<^ebcdsw?NWZn^94$C1;?!Uvkw4Lg zaN#kIG>Sl*;gs2wCJua*=Cz7JPZkFc1>$5|PyP}CeM-@_Tk5+(RShucmb|!xsHW#t z5IQO_iv4lhRlSjCFL5!l zaWL0ljs}w~_L=cvbmcio-ZZ+5D%+?sQiW~^!fiW9jxZkqR*XWP+ix0CQe(a4$G#2NKp1TEbfjb2 z6kGDQuG@uL;s|@K6igV-;2%SxeXBr)aTB=3BOHCzt_eyR13WGWN&%CQ0ZWVrr%e@v zB{u4>Gn-gC8!2#0zxXAEst(nxb+*Dbgl&HpB&~$4lyy>4voJ}T*Pt7yj*P}{s&r&r z+8IpM>;yNME0M+MeW^o9sWk-GJR5S_-0=Ci3FVC(czZ7S+$!@4S!7zR){&39<0icB zYq3Y}gF7UuqCykJvU7xW3{_W&>Rd|N1DQ|V`cEK2J2A(Ff6(Piy*F_!ZB8|lfIf$T z8c<3jF~s}GsXUe3$a-lSgS4hdxT zgUTKU&6GA~CtG$4xDy{A@W1bQqnd!&}fZY<4$O<+?#ciTTb78iTXt`Me*d^p^TsauBopSh= zp_Byk!#8XNxGDcKC1iqMbwy&(JacJN)}bos9*3{1lh61w5zHYhvEsG$!_itwCJ9J> z=q_Jnde!xCQ#0sPtJBEq8$+NN+1mn|mSA=j0wGi}>J&xt=`Q)mwNV(tOwH<^?|Q9k zdJXAQ#8h?(eycxxFe#VP9x}3F~m#W?4AWP*d3L{RH zAnfMJuDBm)i$o|qPjp)A2_GoIHJzXmv5{kEi}W|FFOMXOR4&Dbvi<5 zE1bKGoGQ*3^u?7Xf(|2XOc;TJc>k)P$bsv0>JLk~JDQGdcDQ1uqxVnhz-y0mAXI_C z-8cV9trFO%j*p?yQ9OHY{X@@xhy)Izo5Gh6FWl*|Kg-#z(Fy6RQ&try$K?n^sxKAT zLSu-f`&8Mrm)NXQ%PE^1ZvR2#Xv^*KQlNss%Pdl84BxGKmiwRdki~-dW0Lb9T@VWG zRY~?tTdh~WcnorCx}jB2^+_9TTkZ8%i|ML0l3Gd{2Eym=B-Hq=*j>6$!eBAH=)Qjb z30q~NUN;_d_=#p@bmTh+^?qQ6_A=tQI8OH8Zc3ZxNQLhP5yIwzg z6^PP6n5rhzV0_ccDl_~uXmYf?`CUPGM#&S!x^^^nST_f#WP#*)cgnW&vh|Pe#Fju) zQ{wR9+i-+p3%r#TercnoqA7b}^CGxI!ou>OURWDi8ncN*;p{I;?0|*H584rL4&DDrmd z;_qg7zE!o7nauzbh%<-P3+5IA)bZSaxsA2Bq!o{arvY+cF&#Cuf=r!eiQ0Dh5^QLP zrtW71y-kQMQObuMxA~I*&5!(-Sxd?YZG4)s{MMA{63A_>Is`5vjE9*;n%8_D5!zlP z%qq>jEO8w5xH!pIdH%AT&ui?Y z|DNWdtU${()xye=Eeu-k!E25{lWfdxx@d(j!W@Rhp+oW} zdi|qzA-|QDYyyGlYLanJfwSZnOUw3;nq?N4Wm=J$Z6vA!D)X#c)^7uytX^# z{`t`3YEKb&vxQ!%cvI9VpYz^;hKrElOQlFj6EVf@{2k5GvtD=xTSIA8nVg3r8D%ln z*J*pOd_P2jSQ-+%Xh?Y=3PW8W+d+foH#8G~wOX+hq3Ox?t&yTRpk}E}w7B%%O|2?P zxc>XBlU2D^Uu4OySrJk@0pg0Ls%@6NNIJ(h%Xb*1nhZMH%44n8t5S3R9V?MUnPEXP zy&oWq8c{gs4ZYiz(cv;pcXHu#B;qqXFsND3bJ|uOFp#nokt! 
z5UyT%^d1rDsoDk^JqNK9CV!i!&frjVd|JpatT5QOU>SzeQVJeVJuPh*VauHSy)&s- zf&gS9epuf|T9Gxl){}(Xf7Xpqg*grRq)jkh8wa-5YU9HiWc7HkT6WRmc*5?6dy~|F zveF>dtj$s8L*D4(u7sa?-P=rzpHH4U5xTavhRl!uv^bj1Qll@_Xv>QmKx7tuf7j*j zYb7vI{p$N96T4kzvd%QRc8?32H>DXP`E>#OBdt~w#3`hfZ1=uZO+LxZ1^s~GnE1Vp zbOh50x-&=K^`$vR@I5Lx-8@P8G<0*q#rLIVgi7uPUFQN^$^&4dhm3>-)JJ@7% zEi*__8dhYkh6;rtlD+nS7^e;&ZG2{jhTIMY3z)D+r(<_R=6}mIz16U}&v<{zJT*E_ zmn&p*_d+OnN|iw@Zcg$nw6JVwqI{xFUUhiVrkhBU*OS;$X?`voW^ENy=+U5upx!39 zAs-aK=E8T1zeFrN5z*8QomIwj`0h7Q7hv)&t5^zS`+~$@mNZTV$Zt+u^ckdI^KCq* zTXa!ehk_60_%%M?R&QYOK#ay?7oSsewU6%7Ty9f-PHd>ml>qqMYM z|M2|;kyKay%r1~S2Bx#{+hGHqUC6K8bXh9-Z62jhna^HZ(2D(x4#zCTyS^)5Nj~De z{6zA_And|;vo|dyZXE2D%$o~t9iVYm04ZOd4e$t+RQcxmpg&QjsGK~c!)C=%&^aG- zXl%)7^ZNpMUJJhYP^nYcI0`z~agvfO$wqD*a;1>3rM#uV^n`+yoipyoO5#7!1-K~* zgx_r|BGY{mav>W(ss>>jFfuN$aDX(izD&Zd0qr0Me&%wMox)yY{V6pa-2hO{aJn^> zLyjM;>@Ceqy`+LY*HPe-e*bn6IlUwC79$qhoR{U?lx_wamTw)2 zkr>;JaE&;IRU=hEZXQr^% z^r(aMsg5g-nIh)UPC}Z=?zL`1UC&IKuD7iK4c zXH|XPO6>EMbJyeMNJ^*g|6SFYFkYcy9~-2vI9k0qT+6B4N}POEtIUoTF-mR-Nkh** z^o>ZySmaw495{K)v4Tc|icSJr09yL5U5r6zTeMfxzUMS+YtdUAhlIt_NT(7dvbqI% z`oSFW=#*35bX!^OwVG0;>~TY$D84$k^L=iZIFNt4x`R;i!VH8j%*3~2o7Te?Zr`Sn z%wQFR5cF6mR_lpBPC>(%Lwf-QW`IJ|i10>^^BQIb0M~oSQei%T8_GC3BRSgMW{^q% z=pGO+J{Z=$*5P>p&>`WNW;>M_P}R*N8BLVqb93{{f<^I#!T@#K{=E;tH-6H7B#@o3 zi>*&Wyf;GG24r8<-0bJuO@QYRqcBGJt)C6OzC0l?sVOS@jf_Z(SWiiQMRBuOn7B9& zwSsqgl`yjr8CbFGJDx&u|4|V zMB^V}dDqKsHLx}TPyD-+Qs$`s;GwzgjFFpvbz z&ZEl^%Wpuh8R4z^d>y_{LWE2o&HwiHD;}T6ERs_e4?<7cjX0L4=?hZr2MZMa<8%tD zHE}R9!M|J%;8cbiG{knY45e{+X}$(en&N>mtU2 z7)@+mY_0ya4`g}dg2*4%q0+m%UM!fNmCFoRUr&6!L$HIL{uvyjCK#dbGZQxtkAxM) zH4zX?jk)DSxrLz>5{mNpVOW>%;ke9IF{$-YT7Y4 zr?31ivgzAjl++J=FyTFHCB+eG-M0Slc42s~2Y+?HtoNwk)o{H0&s<>9f#yy?IgpH( zS^?#fIsc>?MKMe8Xh`Q3y*#;jzlnsnzh$fV1j2Q?MgQmX^8h;O(2w{y73n{(zLcRq zJUsmKM#zCT;yDzPQzGG4W9E_NhWT&$@sG6bBj<(rp9Rb6->r3RbaweHG2%p;`rvY8 z-R1sAe-Qlr{XqfJP9s(d!<={45qZ9w&+o6~7RCJS9)fq)A>9CfW5ohX8i(1>Z^~)! 
z`e4T4w?zr|2DY3mB%m3TeN?rG;m}xozRb5fZGV-HI4eLnel{R0Os{J-jti}Cyec85 z>z#Mmiw~1?o(0(%tYsxim_#Bb`YC~Xcz9G>EzlQ^ZvLmVj1nN2aQM&pj^esN$!9nc z%QL)E?2RiWegh?iu|H)^ps+bW);}J;Gpt3~c;?cONO>UvMIrjP3ya}>Ck*BRt@+-b z%~$7ZehylN5`FGYbvI&+@lG_e)Za`^-<;Jau1ryYTP0%fgw)h9f%-VDZEX^B)?#81 z#q!zQpK!h0E|Kn+-e`NCyq81fh{v=0dIvHo<3RStVS;i$$g$jx`U{P3(mTG6ZuXch zNd3Dd_X8J~^CJmSBF*B3e62o8b^FtYtMav!%I>2)J6(^4lcoJF3>(rxzI(hNJ2Fz_ zi0~+pC_*1Pt86+mgju%B7j~D_&KM^D^$u4=_O}jV6Phd@6_PCkY-({_-zY zA$M`7(Hx+IIoonsCvs^1Q=_@SG+E9r(*I3Hx<%j3D9M4D`m#n90GVLeDZTW9ckVCMG7|ZMXNhMDwov5Z@m6 zV8^q$SpOV<>TXH2^G60$21h8Ky*3(TZ^9av=~3n{c7u!&84!*%=tJz4KPMHGq|W^e zo}85H0V*YQeFY5KF)Ce(!M(k`@V8l&@!k6{fMsG$$S01^%WrSTt23J*@HVPv{0{x> zmWkaVA+Wi^^<6wUTPhWp4`-{x*I=WHA(FMl)ACtu04~bO}f9-Z9YF-%e!aB%p?%$sFH^Bo;7V~>t9h(`+Iq-kc z$T1se)ba{h{q}dO`?uwQEROhH=i~hIaQ`=rj@}#HaQMAY{+j~-yGsA(H~#R%K+-A% z9(?uxddt86n7=k9(5SKt^jP3;Z}+b&JqV03G~fg=8x!qA{x2Hsa087TUl8=){%Q{X zx{yc`i2y5l9PtMsj=%r^uk%Z^@QxCX>_DCr{-$YvohLysY+=A2!DB=|Cla7)#yp($vHlO0ascOl+$Vj$sq#(s)dV(*lgp&UA^&3w1aZJMwX~)d7AV)< z2eHjIz9q^_Z-2knf~;=p3$3)+<-GZ3k%0&`xm1G-L8-y0_Oy*$&$xp;9O}toE&f1W z=3o*$HK@YlmbY#4?0EGN51jD@4Ht)AFYS?d4Ny!*3uwmMELM@>7(k$-SU`;o74puu zb_3hs>B+pGknN9d@sRrLiCp{kvZFu-LPy2a3)P<}5z^nP$#5g-(J zm@1-T&YO!*Q*6F2Bb z(C(PjU#5n+-b&B45gmGlyLgF=2@Tq2@?E=!qgHMm#s%!@U=-j*Fp0?Y0nbj%@?)x@ zJU>;r+X@F!^cqaQzZlqMnqBj@hbp2wf&8$jo@>CdB&eMbVa}i|NRX2^ z7bRGN#1VUA;q=xrZRe2)69$7@R@Ij)i-|VOl2a34sKtW93nfoXilq$_4*$md*+nqi{UGPn7j_A_8 z*|_J0?k_C&ZSsw@$anb1P%)Vt3@8gO9T&JOO*S9`?FX7k7-%36k2SwHZIL6#Bf{C9 zj6J6~WiXhIxgY>NQz72rAnb zWp9lY(*Osj1f+5CQtw=NquV&F#Na>dAK?qeQ$V7hQ1?bVKJPRxMj>4Ih;F&d;cgQ1 ztSmen0L|gm}CxE4JzDamcsVe(RdeK^aW2>1Fekjh^fD2k2Y8@D<;S zxrOb3#D2&(kTvg3WZuoA@aw(N$jZSvy>!G~<0YTZqbFiRx);Y@?A0t$CJk&;f(0{fD)yfp6q#+$+cET@4M(=IKZEX?)J-8T zGHA8@ff5)zP!6~y@pi{kxKDZ-P$g!`OsS6DzuDY`V(+WM9uq6L9+dLD_SI!V(6Q_C zdunXQbT4SOX7YKiaEhCp2T!`d>iIP+A=zyYxF-k_(t*HB;}Y&}UPN7dn1$r6@x_7l zxZRe0iZ0d2gXTqa%kAf5@QpCM7Wq`S`H>5?kDvE$qwrpaj5aIcSLF-A`0?$==~!Fg 
zHJn19f^AytQ%JvM+0;e1csu&=F_N7^_#Uk8Z@-~CG(!*HSZzmH?U_BjFfDw&crjE! zEJ3ohd;|4t&t~tHL)ZjbVWITgKoFmLYnT{U9bx8^&bn8%ZZ}4E%N%Zc)#Lk-F8r(= z5D8wF68Cv`QC1vU#K!vVBWQWMD^nd}J)t1$Yfj`i@>iUao5XG?p=` zU3C_d8t%(X4jw>w0%dq8Yh;YhMh6x)EQwK0Z}K1f$1>Elcd1hy>Hslx+HnnECHog< zmy{EP#$vZ#B#Oj*XF0cC@5JX=u@^anl5mG&VTwW_B7FB1{D(z1fQs(%!EhYwUM!{) zIeh7@gPrf-uR9GH3lA^p*Ljx1Aa*mrlqRthL-NJ%#e>%437NOE4QajO0E%-CjmB`1 zn*ENAvaeS-$gzb?6g0{DW1Yj;U1#LX-u2c%sBf^^-G|5&-9Va(tBv(XXo9u1NGsb` zm=Y0WCcG?nocZ#0G$***%>g}u2(`OU2i9<+`0HbB4*9^7v>4$$8~H<^n(j8*I97um ze0Etzc@YGjZ`qd`@W(7E(x}A-9}%iI#=G)E^o0R|MS(;VL`;VJD{k{ zzQM&@XD54t-*3p3Fyg*r;R)>2_kr&-Z3n@E=IzEB0znWX?t-=_ImReP$?#)hBgc!4 zQlc9N23;qLS`H7P4&hg@p@~qblTckknb$q!m97pXE88{nnd7XzW=|_}QyIxqS9~ zq?#uCR?$nz=C~GpFj*wQrNfbpTE4M92-f*Qzomq6kL{4xz*^gcZ8vHgoWs(b+V-z2 z*lJe=j)-4-Jq%4VgyEoV+`5A=nXdZ&I3FSwRT<`69eY^uUKc}kI#?VY1Khhi7aSHy ztHei&JB~DC-+B!>@xSEHK=6Cxk4>Boimi8Ilnkk=&R{Z?Vx!(>1@QPfQ$J@M!<-*oX6?&lqg5e({2^X_EIX@xB%ODm+T{c9>aeb z+HIK)fQF+lhtE?{O)V5Ge#|n9J_2hHhBcG;U9x2(y3tr@irk-e5R{44yv2;JN0nn?4WUQhjfinvYuH&POMFkf|w|jFnXB zV2GKSppgUHIkhXZkW?_l287SOR@^gnq#oMrXinXXp(-DG#yI)jY*re20wGdY!pdl7 z=SFlGHa_0jJ~%z=8jGX_|DtaJnR$Zp^C8S}BPYsLZ=-!PS?O4+TAV5)nR;SB_2>?S zeTr^Y=9>#$JF(}lMv$qj91-}+cQs(x zsOrrw<~h{S391k#wx>lO{e7<7*lY4^8$DR-LgmhraiXf9BULx-k_)!5uT6LIr6nPo z#P14YxmwUznf@Ma!pw;om{ zh-xj8eX-Qog~o2tQOksexr@WFMs^)7@GZZ5IMEO0xV|y$Zh&*8jA}S-);5kr;{F|5 z<22y|pNCmx?T*eeYi%kL)Gf6ZCrT3Hn%j!0aLk1u(6Xz14B)W<0Cx0s`h5QEgO90a zET;bLM^fVcK*98j`B_%Tk!>sJE;pDzuxa)c+=glut6TTY_V@(i3;e6w^Co-MaDbX7nfYJBuqPz`Jq& zC(~{V;9KZ@r_nI^l@dL=7*}G*LVxYj?$^fA6)N_tD#+r91)2`I2+eXJbAJZI|6*~d&Z=>*H>Q{clXNHF!DeiIIpIY)tTdj`|~1b z=sP!uIC-A;#87&J$JB|WnUkK-LB(K!jlJyWxmu?KXL9VECyKdq-`?b=*3#_+f+!y` z`yOnp;N8V`^4Ev#=+i>v&wja?9(@Fl1%Y5u=y9Prxjf+N$R#W>b)ot>A)%g0FM8;t z&;q`o(@vC67pO~=LF^y(9$YsH4T%8;Zp`Ul6V0cJ+!w!V&uv=pV5XoyvZdPW_Lg|R zyS&?clrm83cTK12oM-$b%t}v-sdG+-Bevhm=QZT-#AGtlBZt88aDRI&Iej2TVJzshyXz@xz8l^y?*zW)f zKSi(EzfxrW(*L*=>8kfTYW;MPG*yTt*O9og?U}|e<3!NHh~CF-Svu*E6$=C3YFn2p 
zCU&^Hczw`Mb3~Rbl`4k|wb-8k{7Iol!M5hZ;T_D?vkIfYo60l!WMBlawp6&pd~%k@ z`(Soo1-VN4uay_;1DN52Igm2DG+3~Q2?yMW&~18sB%Q)A19-?ZiuY(15ia!cN{b2x zLs;txMIubong@-Hq;X&OlmuY7U?_?HjK>PRVnHDih|0-DgOZcg>qMY4g(eOiF59o%k$-dnmePfY4$wuB zY6iP46xpLNY|Y!35Zn%%ld|w4+q~Jb@FuAnF?Q5TeZ8r=6d`7xnFfBt>TRk2dSgCy z^ML9kX7=F~s}NgI5nWjPo^W)};LzxvJO`T78#N?;F1yUAEL00rs8 z;#CMPqAlFUbD3>FiUrH*+DhP2rz>$I|0Uit3*b!Bo~%Qoj5Umf-!+CAln@8o%L z?5DlC6oHHHOgB34!TP+>v|FMqEhkyS>1Yx5dM_u-!i$}6ujTRu9+YH-JOooDX)$yk zTqUImtYW!Mza`YXW7Pk+kijxJ>;_ZlwCqQjhBoSFy{NXB7KRc)6F=4viAE8hI321#arNr z`4QzsYR*IRO=Fo7iVCDiRaXB8H?KQl+R}FL1zPI9bv<`TM7y)koLM`mGOGQi4w7p* zQhec!8+f>t_ak0-&u)kxWqBZWJC;#yr>-xS&EK4HK4B#F2FdeYbhGT&&u+{+J-Ya= zRioVxgzTL!9naXWs>;~ok==W@DH(G?QQkgY=e9WSi+7)|Nw3L)r7Hj_yg#wXd;sSC zDf=#5gTOd1zN}nia)6HZyKt=gU4m8Y>k~hB`9dRh%>-Vh=!TQ;))Bj$`M=Fr++Vir z?t4B-t#lN<13qpWk9~S{*d$lm3~*PuNcTl7)+*osU0^)? zsj3}(UB?kNV0qQ;JlPNBLyB(}GNPvi)=5>U^^t(+3?=KJ5c_P6bekK-gCdbgi2w?fsjL9eg7&%E)w);ln%cp;iz zf5s$)DZ25$hdMrbG!4?REe%~ z6a=V0j2+z+T=)xY0I}RuJ-=<(r>UB`=)Di2_MP5rNyqvgHeQIusRTV`5XsFhyM}1a zwnIh=T@m`73E}yY_%kdM58UItx}USD1f?FRsj^LaH_04;vK`MZd20V9&PK9=VOY9u zn-DGN@&23Tb>leO7^s;gVFtaEbq4Qot2A}6T(3)*clxxJlz7FtRr@{!T5_fuk=}X0 z0@em~+xb3eg=N@pq4>9#!kMki(JVj`gh{o*;hncSO#Esig{zKxz8@2r$Sc&dXwf&N zjyXE$f0p@DSPXW*Iw9u0iSvAKXyW8GA%nQtgFi%?ki$-a8i;sjyBL))oqq0mTdI>D zZDo5;FP~dP`{!#XJw}YH$hT6}%BAMh;^o-qj)($nm(!=`*J7b`7z0ifmA|3L**;4eadd;Fd zL(Rj%nG=C{$|xSDhZqn~c>o_|zx_Od{*0Nj^^uE5h(UBXtSRP=`!r7BbtnQ01jg6r z(1Di_dMHY;=UDoAr?n_;`lPQ9(I!NX2pxA{pn4-!#IQk^OWxb+mE0TvRC@b^G+jR0 z7~7xJh$~wTD9}2dK?t7gabkGtIZzbD3|Ww_Bg0df+b=cT z++Vf_1UYoFw~s%sqj*UEE8Yie!QfbP`{4V$O=#joPELN=IVGxt#w3g8-uOQgsD)(q z%}tme9)hWu2XgRmYnDJ^yk8^~S>>dda6P5=k04+#;TTQGPNX{ac@km^EQ;$_6Imqh ze>v>YeU*(T!wZ2?nfB(@@ce-CF>>w*h_?0T$xIIUgI?dGm4Pf zc8)Nc4(Y@F?*x{90kkB_qbL;{SqhGzo}BQTN*o!)wl@d4;a8FS(rvX~c2PWB%pn=OzLuWA zD?`z)r}M=L0*Djo)GG}>kO~e+{C6&l2pveODI;&~{g)#D#|KnleM#&nn2UgD zV5R==+>amzN}QMZN;S6A1OWB46(O(hdf!^16pr`%gVk2UOk|tlf&-;f|8smquJ6e= z9;30G|M??dkk8*)EdJ-vHf~7@VVd_QL{UHBD 
zu_og2uhkRie+{pajB-_a1-gD$X!wm9J|BvDR|NjZ(webNMMsohpdBE#MP9Jy8r8wtVF~;u=pFF< z_iOx*&)qwulS_4|xi>x_78@Y^0@I=Xg(x4(-uMX>Uw!qf2_HByAcoQuj^zYhI-f}Du$eLh*X@W~iSz$8AN1fzLi<54rtlyWo;sv+kVdaOLp5a zq&vTl_;~G!oBw1rdgAeUkrD#w(F;*H^loEA$*8L-^HQ2|I}MeQ@6GN1BkU`ns$9En zVY7ivcXy-Y7U}LTQMy4u>F%ygm(mR?BGTQRQX<`r(%o=h&-squx&MF1xMMgRAP%?h z^FC{?nrkk6DnTlS&{OEV3+|Q@Ti3#y%~Zj4`bcu8tzk3S{~Ezxy`mQY!-j@{#!m(G z6Pxcyq;O=~@hXWopp=4{?+Ejw52e!ffMb&-bsKTcC?8s|^N4r{QL&mwXDD;3p@7|f z70rJeDF11`0WOCbl=l#KROjm-*0#%Wbt}#xaJwWin$V{DPEc}An8zNeRn37>CEbrw zCEFEVCBvIW;iEr%AGxzq@0HxYjO6cLmT@z1n>h^&XGaQY9b69Ge2-#N&`ys;H{0sUW`e_9`F?+QZeR}jEu`J)FmOxrsT4x$d04TBl>-Ga*cL6M|uHS@-OnQex zd(pznoW2C%w!Vs-n*5ccCHW!obVp3J3pRY6)|k7WOiFWpm1h6rUjV*M3U41TkR4yT z2D$m1fZQmq=p+yV2PXJym^4ne);2oJ@=of9)cNg!btI|KpEv!OzmwR1{|W#`T@jWM zaOK2S##%4O9}gs%A+50d;HAtB`e8n@U?zju&!5Wjb7`2C;oSb$Njytw4{T*`CiMW@ z?|Z|0-^@FJ@6&cmIH!Jg8RRLxi_x816V^fJsl31IU%srPf}dG-24^|J2k*IH)3Dyn)5bZY+>GKK*Jr4F^s=gG=oOy9Y{ z2X`u|Raw>bnNiU}#%Zoztv8JXo|X$iZ$9}mnfc_?{ch+;0D?LTtwk&rf|;&UCiRSY zld~|*VLS_OieDvLCNnEv|GrRZ%3?vIL|>;3S;6*Orsx`{$+HH9?)15mD+O^Pouvj% z4m)Zug|c&U;_y_3a0mzpeiQckW5BdvOoe=XDYS=^pJn5oSIUVbjDYsHah5ALJO4Qo z=cqpCw@;q`i*2Mt4qzN(tgv1-H3%70wgS5}g0}3&;cawmSYMoW;yGR^et|A};hmsa zDz#!(%F=TxfoO8bl-cdSX~ZHivHmMo7r70C&Ze-TT=PUxZ*3o^c*(Q zQAeiH!M|m&NG7*j9*xay4tI!Ac5r|5Uynuv54(MM%zDwu`5eR^W&y2$aOY9s6bYnO z(VbryYYnkErrww9#Bfy%q{j-Zsg3AELysr~TT#)Rvj2<0!}$?#N5mS<&$H#hUQ7NY z!At%<)d!Cw^mUByIb>tgklsAhFbiDfIPQJJV|ukbLxM|;8R&r%+@GUn^Ch_8X^Rpn zd>kH|?b=fALdl(wG98xCApXpgPGM`}y^|oo%t1Y%9rIx%?b7cgZ|z`cz}~Sb`Y_ zZ$>nvQ1)1wz~8eu_HFlWN@&0)NrAz^L35K}Y(AJGgakMop^eSWm^|L+S)aid=YI52 zL~~94G4N-vi!*fgwSK;n*7jK&u0Jxjc=_#DVBzWig-4tN0PTiz06BFL!OKkqtNGlY zvu4|MjhG1}8}~$F6lGa*b@nlYq-r}xQB*DPkohjI3ISZ4U5_LEviy* zm`pM5xmU;HvD=k0sG&{7+l*Eq{0j5YZm2+55*UilnHIVsU8s3gDb_im7P@)42NSBY z(Lff8tptnK!DQ5oDj_&TZz-ieH4$!w)S5>im60ocWkyYU(kd6M48e-|2H$0&d@EYwcSs5 za37ycaLvBDkpXql9$n1#VeR@Y{mUDyiyNE&zQz891L735_)w+ed_4O!(S<&bf8kemK!u_;h9S0+abmO8JLI)*O98rr`4f#XBU0 
zle}$@rhz4GVYi#hPnLT2cim5ZxooLk&qCllSJX=QYqIWmRWnCoPw@8NsQSoe6Nsvs z%Ozr?M{3L_q}b0KO4@zH++zTkgx!{=klfG3y3$~)<|5b+C$MP_#oMFSc36w zq}6|#+MHl@sxL$W(sdqRt+8MA(9%g_)1;cn1mzGZI?P6vcQzvW#_*(Ki+qbTMeh|+LI)aI#wWEqFHF#Ojld0e?9F}_mybu=bv^f%8oZT}d|x`MGbAczIm zn%h67gRYpSxxz7JED7}^+Wk5ZE&&Of-sg7Dh#Y>4G=lB31gB(yHu(IOz|=tQS?D2& zmQZ7idN=2>nHUy2qeD>@1;V4R@JGsM_C%5e@GwSF`?iL{xci(gevU8Q$?0kM^>cfs zz&$!_0_e-U+NtPd!n*G$Q3xusm3W_V=hDem6S%P^i@tCbG|YYwN-qKC;w3WX5#ydF z!x${WTBhKw(?-}|^rKlOtz{G}MO4OXUA#)r?>0<+3rxrnrc%?aoagrJPf`#AT5fLE zI^V_75Sx#x>%+}6Afo2ZKk^3i{cm1mKC^R*5+We{AxOcDdA;)1sb{uw%`}RrO>07D zW;g4^!e~t~6nzfgM8-h4YS!9j?Zcz{6%!rkYp4I0mxpb0eD4 zDG@QP#`GzUvtwR6kf1|(=Tuw$leP6pEVXyC2t1%478{Fs9f*iV*#FqgP{{#fML(V{ z(WyF`Ec4^ONAj?o!oi;9=h?3(D08(f^q`THIYiSK>Euqf$n?6qCRxK-qz;sOj$j{! zMw5Xs`2-UY#`HUt0tmH#2bl2@;O_)b@Vu_t^bS&qW;@H2Erpfi7wgIn&6(YF(?+f3 zy|DCLu9H(>1IVxRcfpBJEd#uTTGRUd8mq6hbYs6{e3Qr~Po8POott9i_pnj941`3{ zhA9yv-WWpy;h%&cJl@BpR%~m9%@p9QqsU34ah8uotc6Y!+uuD_xHBFpzxzq`c%F-4 z`vhJnh#D+~L5mH~Flf^Ks=y=K!^UlK(&Ij+uW{UFH0LQ z2?kV{xB4Lw@lB+ya(+mB#hILp-dtI?HIw4!y zxcWN`a{Va>Sy?n~a)uo6ADv~sTOH_$NbtsB!g#0*KIm4#W_$)44Mdmed3WG{J)n> zx&C^IkB@JBd$A9Y2sqj?tIf*tB*QyRP3Tm2eno*r3{IadX?s(+)!OYvZEpH1%W7tZ z8>#pZOAdx@`?9?hqoSckJvsvMg}>_ckimtXB^Z2q27|+)21x}#&iFwmQs^cxomEn; zo6Ds!ap@L^u{}PN ziwyw@!yi(r6(*HU0&_v`Y$D`E(zewY2z#&WQVZGh!|aeZX+7LA1hNZwXIH9$w9>Z9>RR@R-_Ds5q48pclbleJQx|zJE;EaaFIAi=WeO(?pSB5x8(MWN_7HB(PyIM6WvRm}nj)2wu?ukYsDhaUHHIIy6iq1`GOyp;39g&+$bbs)(` z9=KP$S7!>lTd*8VhhW3gih*HbMoiR--PED&vn@rNi&Q%R=g0Atza2`z&$SMj)z>gn0b*a zbRZ@wj|>mp*xi#GJAd=QP8-&(x`#lsgkk@!8@_50vD8+?n{{qRa{qvi+*Fnajz^Y& z6-D=j+$wglU?YnQk)#U|RD0El$&Xg{Xu5M^>bzsE=&eSXTLa13#YgK;f%v?!q_kmt zR1u8~g>8V8&I2}s7RJ1+^q*4r=i_+K?w3zMapE7nu zg6Iw&o^|NFj>AzXEQ?`@(L;>WXIKUBx{5<%iAAnT}-Y%)3Dymp?#4L z&#gn1z3+^B-4x8Zn@>mGiNzK${U%feT`~ZkQIfbc2zs=9hU;U8c?0WbgB!34odvu< zk?~u+57%Fi*FxIKX8QD!e6kP@ncHVamqK1=6u0}~!z3Uy1CTE|DK5&(%ZkNnn7mr&G~MHX-{PAVTC%bO(EF8H(1Qtn#Iu2lS^do2BJ%S9+Q6~Pw+mpz+ohn 
zl-x|HDd(lq>n%!n96u~9x^1z1l!%BE1{}$QecIPj;D1mAu2Kr!mX0EmQsg8JtqJVU zt=~-G6T@)Q5MQMk&|@mYhpx>pXp?|5_L&{Wa0Gr}KalPuz7TslB2UIC0Ig{y3{NEl z8~+U06*JDBrPC_c9lwc@dn8PUO+n#^fb`Y7(h}3^)d=>>fQi1kiKNFI_qheshW?zobDlB*xIY!I`99rDub=^9o+mYw&uiSxAN z*34m#1O$1tbaTEn@h;a06}#HN9}0g^)J6Pi08veA?FfN^3=JURwh^~27UYP| zYFN@{P8%C?84O$wZTQdyC?Tqy3iKm_Tr-U3B3q8J7#^HMmJN%{Yl7vSdIwCZBU&et zJgIQYtU}!)zuMG-mw3hiBEp~j5V-%Bwt>Q9bnW$qIf1d-(n~FWZlD) zg-yTi;tC3_20XM;76Zg8ZRK_gq-^GQUMlUvfwThmqQ znVbR4@VieK^4()v_DIE1|6qe3UOba29Eh8|_`bIv!Q@3dTAUFa>#LP7tb6jfU_=zJ zDGV+Am9NDz?Yf9d?|sM%@YhVrOxGLqZ3`NtjxrJaV$GbN7`r*GSi`4C1{hg}PcXOZ zAbNP}P4yup!D!kJul>^QFYJlLF0Xr-XKyvyO4`Z@4Mf*opl54Dt*x!K>e5b5#zE+D zq1}=A#;)zQF^63gXN~jO>2V~!@xO92Ykrm5k)@0+HPE1}7lIHH;Biu*ZV@s< zE+NVZ_9dKo^V(6Ro{FG_$?P4irXPeX0-V|u4sNT&hYAw8wWPLq0>CfK zLDTMW+@_ZC>n_n-74`e(MDb9%RZihJx-hEcQF*oNGt2jd;kCd6@W7dyiiJI#r{gi74MED(+^oh);eBM~-gb;Q$t+Oynx^jlO{W@5EiO?-G|S7xiF z2w!h^khgoT@uAAzyav|uLkV?jgvj(=sM-x?=+~@$othy-!O<5#iH&=!iim|3o2WO^ zAm#yLv^WTBm?dT*sH{0NlDFD{lEuMJP>8#-w>#Kv#y&D5a0%EMn^&6v+Ou{HpLJXV zGi5rq^>+tE4tE^{33o6@z+5AJ1Vi!PG%`t11iDXCKkLYks;9kBTQGI+NM=o`J^K)k zHMz8-1`htJ7~@EbiTTQ{%E$HdQ$Q>NlboVk*=XZl9P*H3;~?Ou?N*J zS8NxyMzIo({E@%3@~fdC@WXnqB9i2pnlP`0kwzP_5D^j6&=o6S0dK*$QN-H3ha*sw z3bv~*agMjwMc=8@`g7;u9Tu1&*Pofrmn9t~^v!i>!`MNwA)ou)m|=(b*es?yOFA?O zRh-QSwXp;+s!*JvMbomN;X>n)6a`wO&%zE1j-6eJk`tOMLw;~b5=0UVv zzk{XUk+rAN%JBQk_PXoj<}bO;M`FYZaow;;d19V1*!^JiOxXfV{YJj{$H~OVVTI>3 z*31;M@%#amI@3L@@#FbS>!ml0E$Auq*-vxx0T+F{i?smph@8tob9VeMhq%~?qF3=a zvGr}z-=`I6!_K1ngZ=}>a5()!@SC(qIPh@@lg)@VKCh$-slmYkvI>T*&*+ztj|glqD^5R|3}6gnSqkWV7QZgRhd43HN|N z$-5JNZ@w12M^8lTdSujz!i>JHSA0Uv>m-Bus}M8C$p`ufG1fqH+OQcF#4IyhsjCHU z7^SrPoBfToN8*#2oyV9scUYTxV&fuza zIFifkSXY~!`fGDeM!bLCvlO*G1QwG4_5aCH@$u(<=BSPqAGo)YgwJD4owz`hbUlnB zO8mp^YqrDv7_#H@t)O`88NK-OaS`HpO&IwTxLW)nr%r_4?RbKEw~<-?{=4oS%^!c-C8drc}0G z7T;||WS+aDR7jsfb|`F65LFqX5ZEqsL>Hd_`Jzli4eB>gw;6 z_#x9Lk=p1c8UMsotd42(^;BLE9}RnAi3+;d4JPVIuY5lNv^z?6&tYEKv4F#?Ta{f9 z&Pf_QixtmRr#yeqHU@%EPZRJqu55S#u4y7cjU0Qvh8FsTbKzjFkXP}99lK(kUf?v* 
zb2@?KH`xB=2FLm!B@0)S*%5kJ>ztveXCtgw}*;6iL}){ab|6N?6_?k`o zph5YrFIIkMRlIT`*n?m%G3L8mKh*7ISVZu=-2tbfKW9$Anay;d6%z#fR(&_BSf1~b z-tmO6qj%CO-=xS_qpE2qiyJWr@s<(;WYm06h-{U$V6b{}o*P1#^0L6qaAw> z7eTxOw59%uTAUJqKX`YD3jD@ZKtPH&QT)N@5rBU6A!kK1}(J(ORBw>(Z zqa(7HLT~KsJc;@G0Oj3*PKpM}bWAg@2F_wkkLgtgD z*9yl#4FcT$t0<_(cjo=VS9S4BY@(;{+Z-(WP>A_n@(;^n4Il!s{EiQXi*Vs#8Vo*O zLgc0Qe3%;_dBA9JQCQw32s?Nf#j^53w;~9g86PUu7|@`;Yw770iD*hffA|(h@FSQ4 z1RJ^kwfE7ulHWvYhEnOMX*FV_2U}pJ_PdaI1BYNG-9HzU2qHJ!bY#3@USfUo{L|n# zuw&452eCZ10Yt~bwDr>NEqzr}17%K$FTA3k7ozB%-Q#N|jM0`$bua}x)D!x;Tc^cc zh7u;m0f~p@5gl1Q`E&PkNq}q1EUQS1wE4{{Gz{$K<3%xVmAAAXW6)o~Y>&oQ5G|t$ zl~6Lpa(M!V4wT}4#U^cRm?6?a=}~CmTG$z77=PQngI0krBxqnOVDbC?iXQs4`ns+E za)g^Qj3RJO14r`NF)YHlv(%;k>H4g6=1NgzpZhpWjOedYoMQRoA-ie36pDcFNj5T# z5gXuaV{zDdzj^UwmsH_NK7$Whx$Inzt5$&NFA74tqeD37S1Z%vX=4sJbmRk?<|d9^ zqZUyzp3Ii(qU1w%2oQI64{={o{pVN$?-A&b%obgW% zWQRwM6MS+{gA?pzQ7u6SIzN0M-6YGN?r(Zl_uY>ve@6`&Dc$dbjR{qCa;;zR;?RNQ zY;TJCk4BbV0-m3}xjTh*dGlpMc)L2Iz+e$53;aET7<>Lbb>%lu%6yoeB>eYCbkjb1 zsr3w29_??vvFynC#9`RzG}x#e?fk3J!sV*FZC@E{_PVJTxP6$IlQ1y9pdh)`vqeA< zJ&tUVFA{Y5i1zk=h;038fWc$m)f`oiT3DU_EOKJPrs{9VXsYB5sB-2c(P_o)lz@no zVI5O3xf4LE(NL7i9W98_!(V;EsE`5#Q;*$k87ODz35l4>2 zRP2r!R=5af9)T1 zyzy0KosI{GOy5qCH!lYJsB_|TwVdl|0xWRp*&i3gA4s*Uxw5(vVP&(JKB*w{Gq$JU z28B-KUW7Z= zvYYl2wB2--o!MM2G?1Fi5DEYrTrv=Q>g*1|sC+*z}vN}4k^n#AW>rfGbdFNl|Z&5fio zDpn^+>UZFVs9|@cHY&*7gwg)skuTa4xL{l>8`_K@=oCJ!W_BHRUEQnpBhvF{Ng7BJKi(gh__XemJm0&0V%?xplp1dRu`Rjg z3P1Hvq{1mFos{+-OoAJotZ%b`DRwcGbw^nTy?2_MT{w3+f1|J2E4Q z%0%mo2w~ob4~Tcgg5@4V2s(JV(c?PDw`R+-CMG6S1&W*hjVAs+&|C(izQm`PFi0_oGnw zJ=0^cWz-u20PXL?#B7L=e>aV8)_16J4BeHh(Sli#OzIbF#=Ysk!t$0E6kam_;}-lR zS0q<;ny-A_q}De>k&TyVF4ybT+YWe}Yo5BymtuIl`GEF?)M)alltLRaG}XQ9A1=Uq zrH;cmgOI?U_c{@(;{RCZKabTf3IY=CHsPV$=t~>Juqk&{nd7BzqvJM|<)WPDB0Ig7 z+mflx%gy+Rd$tR)S@671r-UOqrxr;#T(_YdCjDUV-t`w^z%ieM284*&a{Jh70F`&L ztqlyw$%i7!4U&nN&aIGnQ@MRQiw#Hwu~$Gw@}JK(1KmyAHCG*9l)U8h-PyeADMVJ+ zeVOq7$`=T5Gem+e=f9LUc)spceEv?UlZ{KHD?s7{#n7|tr-=0b6CjX*=z<2BCr|Xl 
znEoY(?t|;|NL@FJ=Do!Nj=tPkEKtuG4J`SHtj;gIg-So@FO`jBiKU_7)xSujbtFOz1+{XG@Z>Ro7`5L1;VJ@;ybEc@CYT$(3-;Q5}ltH#Z_a zjkcG5XXxBt|0!$5_kkZymAM~U9=4*j+A$kB($2^+DTSV_SKMl}Kl+{W`H(GGEz~g- zypDS!NXbjNJ8Gqbnk)=TWCnTpirzP|crQG8_MdnD`}WSEz)awSu){`-Lk5U%IWu5@ zR^Etl5Ok}{L>^u8J4x;+&LR|uPz^_j1Cx7)fdLp2gbSNNZ6(5@&rYZcasEg>x8vc| zX<(zay)tG4N3=*ick^egg*x_mrVAt_G4dS%!uAV;UhsveX-jBB5MICq?tJ#$_|;}W zoPQqf!Q0%SLTN#UT$OO|RE$86lFuvwL0rY^6${3AWryYqm*!n3@Tbl$<_a<@@yAg0 zcP{}WrGeelV@+?e(*4)#0-Zp2kVGzN=`T3eOak~NEC;(IOfEPaq3wX> zLGhzghsmRInUCyf4vy?I!a}V4C*))i#5cDFnV)a;==Z!_QC(t;ET5Xvt4wq^sfp|- zNB0&QXMqbFYvS*S3MBO3L0P{dGFWBb3k>#-3~MW)0=)yV102XyV@I7UHf%Vy5rvbK z7PLfqWy+2Eq;|}B3y2h)Wdbw2-O2tuf9@gnm7N|Ow>XRL*t?2+z~gnj(lF{WHb{qR zkqj02BYH8NF+a5Ap$=Pp(_XE*Y-4}M9#Yz>D2DH|BFV^Slc3t|?Gr(R1kBX!ubpY83G}qH_NBYGifsV9H(xh=eyKBMW)5 zTVOCOAl#nJ6S>_gG)owh`D*pty(D0Ku;cBwggy}0U{VmypW~7eqX{gh%G3x+*%lDk zMJnd^V5=#DqOC08UXik3UvyAB@3O_~aI_(>B5RtGb*RUTHO7iHD@8-tz1>Sil^-*O^(yGxi3s{Lh`gB& zv>~~<;gcreJ-I_(S%4R~Aw1g$yZL&dx#W32dtvT;toB?lTf8R^SlmsCsIC&=%lzVT z=|j=NRmn+@uy%!aE{ebb7y8(%3uA6Jn*RaFfVpCU>imsmJPuEy@vTdn;fPez;u7-% zNg`y$-{ENAtj~KKHz|&lA2Pj0^S1IGPB=8_3}m`+;AR_=2Ce2Ii@3xFz+6lr=_@M& zvWg)>lmX7|g+!~TM`L>Y)w}rJ)L3oiG12+P*7vv(#7>SmPniDk^-|RCC?N=Td|%j( zPHJOS(6eZfC_F~sMf>1|u&R;}jL_=IL3aXznKJMrPrJVkYkmM8o$%TZyUt{DS^Z{{ zfaG(vx+ofgsuu~uQ>V}4@-hmeL)3zrLMV&ht<~yPZ~4D8g=NA9xt67Y5W%oAzwnPw z4SZ0{{ru$oPyyg~GqbZ#k*i5cB21MT#no6(uk}&+cgIo)j?K-HM(FA4Mgn|bGk}22 zcQz(z!U;@sr`tmisXBjq(X0s?SVya{j$4#53vP)AM5s~ zi-4GY(4-BJ7y8)ZUKLeTjM_?tfM|B2kwS_M;xlVF zk5piolsuBecBO=vOED@aZ{1MoaU|X9FRzQ5czq(_4=Ga;1l&o=!X85Up5aCX70KrQ z{Pe-<`tT?7Y?Hk3CwZYsG6Q0_PRaDXJh(q$DIAVkFdQEGw=6*-7R^G+E^em{xe~(` z(qJTv7j!n6agB`vK1UtM9$RUazsITvFZ|o#kyo(%uMkE=Zf(ecpH)sL&;YJ-mgeYW zFr&iCxn`>anJA{yRfA})T|C^1G73~AyAt|(dbMDm`xn2`+UH6u@Pp7U**n7b*1!*~ zl&Hx=`jGj^w_?S9N}-qF1rHnqK*jskF(1eqr0;C z=A$w|uP0p%;~vWUhB6#vC22fbIy`fKAoOn9zeG8JxC~<=yJsZ=V4a48{y`FIkW?-& zSmfc#>{}+kMlu>BF(gz15ZZ&Wdh^S~#Kd^q9rrnQVes}tRo^%dFr-L|U!zcE|Yf{2LOY%MK?BX|uL5Sd{J_qvFuRcRvA*b>1 
z@D7K|ubVw{5q34*dBU%o@=oktkEy^X&?m`4ZZGio7rbGHas><%{p$FPUyfI zp#vB*EnWe~#)c#ha0%g>(toWym08Oye5hW#II6_4tgZxn!OX^Cwn_rD{CU{6X2>Ymm3Re)9 zYkrTj>KZp6F8earx6e3+NY?5V;x)s6@lh;?nmSBvzepnYE3st_GLMEO5fW4lA$%Fs zI*40?9qhorfDPyHs>VUPl0$+CM>3}#&-oLKLXk>(_QaZ7xu`}gyrs%W_IgHxJ4SMZ zOEzHmCE;=l42_G3E7m=YPE!W}5a!s(O9)Z#kky1J8<{n67w= zJOfF588WRf?g&C0+x<*Ytr)ur3du1Fw5=j=T2MY=UF?>$2jm3pP z%GRzA{X+?#zezTsQE(WleoYL$f()C+oBivv{<^#;!9bz(#4P88cIYFUQQnHEY=J{g zp-wAM*&Fv-1EG^UmRLah9WNj@kB6H@`j3SlQRHsS)EzIF(tD}5{{<8AipGnLt_cUo zU$n}Sn+m&B*l@Z4f_^v}#}B_fLNb=)%@m_zfd>ibb6w!h!!2EJ;T-Mye|ZvtLU8IZ zd^Y_&Mtp=zb>&M88dS8~WVAIa9g#{`2=hRP1)5u4F#6S^q8|#t$iF_38q}Z|Acfx0 z#OwKf7Fc96b~W0i)_5y8e6j=(JR)rl^ISw?~LwVcrXfm_i7 z23iTPv+RV$PO>8LGyeA&#GZlxg#y0P)<$>dHg7-!sKN|6R^S&iz)EE-$Z!QPX9cjS zAs~H`0Yc?>?No$Rk^94Q!ake^{tV2& z#fW<3WX$^sbx##BuE&j3$XS?}fdR#g&l$kBu(M0g$Z#AJNB%6Jm)c`$`%U!m&bdUt z0oQuEbRVV%ND~6AGhB-*5?~6atKMHhyu+-?v0`R_9sx;8d)Gw(=p|q9A?wNkC&UDQk-h8G!0G>RXK42GD{M6{oU-$L+Gu%K$ZL%n z8)AHO_ET6#!5WC*c4z`ElMQ1>cdN;k-L+>w*B{K(d8bma4e^2w{k5XBrVT&q%t?=} zY7S}f<=$cczpT$G1+YFRcl#6Cs$>f5@o%b9>QQc|*cl~nxkGad*h{MPx+LKi}t5e#{ejn5|Bv$f79s{CAz{kvstu}s+>`F-^tmC``r zU4g$Rh1UDxQrJvQOe4B51xxxI&4@5bpF=)ndp!k2q)BHH80|>-oeH0}4xr%daDc($ z?F$Xgbe&M{(xqm5D9&UE3SPPAsYTD{auw79**GM;?8bA#I}F&=xDB`vLFe)p&so}FsUwiQ?m*N5@cYkl)98h9vAg`P6$=K_B}a~?dC)P8QC6VoyO z@KrwFrbMbEjfK-#?jnbEx=_q1T?;&O?{~Xjw+;-^D5bgEW0sgwJg!qcwo4Nk{4kT* zJ4zo`A9b-rl24>nJt)<#$nR@l(kmj=+sbhjHU7Hx9wN0t*nM($n)8U>w3uBh8JtcV zCUp&U{4H}xio^Tv-MfCaz&)5)8-4o{*Y>xxg17rEp35g5Lcg`V2sWMPZR?~3cwcI2 z_I@>^2${KE1TKDl|MKl&TbTf!G)g=aXNL)VQO&cq)g$w~)^5CTEl+wKP%=r*EunvC z5l=GSc)kt!_IN_e`t>o~!t>r~K_itry;s2sDV6-c0QcL51Id3^1<4mvedMe!(;to7 z*Cx0XU8ix}B}MNohVPQr@2Jb&4-NPH)`{P7gSq9kNuMJUY_pGd^YSx*oKVWUa?sf8 z;m`64jXsb?~ddAmB+b}r;A-n0h z=jX$`%Z2-uxizr77MZCJs~=JfBZW*N3I#m`XtDT`gV#Il%&*(wIbVuJKmsf+?1_eL%M`&u6 zi`u2N;&%;x7EB^H^qt&#Q1uHtbZ;w@_iXH>skgk)-HAkcvzC+j-*o*y&<4x^cE@Mj zCKBmzw|Z~_-DvB?-4S&abpDEM+d6Lf$V`hEv565*-KF%fL}9Y$19@-0w=m}@m@zyL zR8*P3)oyTN@VltW8L-=4oIv<;AvGfx{H3(JX^BDN 
z^-Fg&GFVw95≪M&N@h2T~qj*%dteP&tc3LIY1*fLiVU5rA^MleV&-h}^$N2-)9aJXqN1XBvn3WXHmptWu8VLgKNw7X zszhhv%gqM+12F2>o^7n+{$_wh$L1|oj-A%d?R_Ymw-Mj{*+hlc`P*TIgP*rk-iIyW zNh$*Jnuaz$*k1x8rZ)6ThPqIgG6Mi_s2$7ySCHxT^FyW001WWhn_$Z8Jtd!(U86yw zLG5GzkN&GgICHL+?-D?18`yza%JUAlOn75sH%W{-_p3YaiFG^+frtHX6IASP)M=3Y z9dOh!@#m-y9oSlVdOk9u(g+;EIc&^vU&jLeP( z=7x`d(7$m?uLA>KuVX86+4piW(t77-;42{YjOE`V9>$!oYdP0k0DvfRSG{rNOId4Y zcLd&h_N3R#8nwDx@0gDPC`M=93V=uWKJ^|02SM;izrqv|(7jIN5q(At@_i2{*q_5= ztGiK?yV1CjsCcwf5GMn+bdnK1JM;b0*htE|%xZ5lkANi<06@N>Jc$}@A|J3OnQqTB9-+XpzTG9g2}r^rC5I>+M8 z#82_0klRQN`4EUO_C+vJw1akx?}ul_!GB_X;6IfeKukytG1)YKY{89y2ap)(NSjZnBRI95uLD_vE;oqP&l`%@J0--gytee|hky`qMnzUxKWfL{;e zg5%xvAYp=Q8{o&E@-AUm)7jO=`QrA)00-T#G^anP_fUSW&Ipj+6TG zv`E}3>q3$`D-Maxin~~elneXkz>d6pCpN6XN2fnGAX~QV4 zQ6W444*1Tzd<(xwC@LyS@pYzF@toP1cP~F&)bRy^=luaeM}L1$il~i9;+drwVkl_O z&_qjKUVdXagU7ZLc!gox+1@JZF(ur0ch{%tYHGPw6eM_otuia`wG83CRTbQYFJ{c@ ze-(eBEhA|t)7z?I62+SlxS;G75b1B2@y5ine$rysd@OUf$>E<+!%B>9da^O_9~kij zFWnxLdD!lApF|UA6Nrb4DjP*0u=GCBmi~Aj)4oVW5$>w|D-MN1yPWDE^PFN33H`uc zu1cfqKczykqd=^*mGX1L?)HbR@t>xYhe>eso^u>Mb(LKq`Tz1t)Ep2gM3h=m4jUN? 
z>i>TgS%U_MA}v@>=n@RdR6^~xUrZ+17N^2aPT$qczY<1qO63KU^7ur2caNK*Uk=kj z##`Q~_Q$*07JWo%T3oV*2=kZYg2ksaS_X8(s=B!$0o=DX&(8PNva|p(Ii~>?+3a;B}1VL>S#(c*r=hjv_Swi6SZ9r+nb{( z%q1l{6AxwwJpiR4HBHUrYC^`NtD`O~Itprlx|&&Q;l@!eDL<7L%uYMDj8g6>2$+rR z3-rV0Q%n_+>y6mMAJK>y!apJa(%YDC@w4C8R-2F@dy4%HGubIdl=tgop%6|C`n7IE{ zznod&B%?<4JMs&}NDi2>DCX7cNSl|&pbes=?7-xenc35nYQl>;^7Pn=4wDmH?|)t1 z{x)&t(!I3Y36pp}`vwn0c_m0XKujkQN$yD%p zaBDAWh_3_ku*1BRLncv8Gg*ZsQ>6iO1aV~xf+xQJbg@4`QkO2aTzK&uBE6u1uNAAg z$jiUi1nyRSjE)?$EhegOvJpbM_o?~)Add{~jo}L}6UxTn)1TShW|{ysO&E%`XsgQ` z(++J_%#w|0V>$PoW|JlquDTkKUDaOg`Ty-|gI%n04&URvjPrQ4Q&ioS1U0 zF{xxS4~ZnG^O488*Z{({sWwzjn3C@~lUQKtYZ`7)b2;$IJGfhZhwt)CuDfAfhD>|H z<_q;#pVBs)?dH|b&T4vPQUj!JzC3v9=J{ucKJW{!BcpmImWImPq z&`GG$-!1HqjYdv0yeK6%KYfKRCP!a#lvd~BUQ)E7Fh~y|))yo1r(jB72@6Hrb_TiO z1i!E9>JOt=H1TK_sYb&B=OFvF5MV04{DF;me1sV7P+h}n(b|nUF4?rw0Uj}lfZ@>w zMU-=Y|49QV_KcVuT(tN#5WIZ;uUY~=ZoGuhUJcR_cXI4|lQy!+L_BVuC#86jF&l71 zZXFm*nGhQ09TV3XlZayVDldRp@#X52#bX_fPOZ|i;FtVitq0WVZuHfqBId0~U{;w* zS9_M?OAeRIaY}T77rq^_zakR5GMU;jOG`Ar>;>DoiH$Z=6ncF(_!;;6_OM?xmS9I7Asa|gL8^EB7&$7MNBA94x z4>b%Fd@a(^dgwrDjODJono2n$6xLHE5g{Ug2_1do8qIBPZq|G1WLUQ!<#nT*B&ZT} zZB+A?;9}lhw5R_ajJOCd*tEGi07B1D{yHT<@Bi@i)?rn)P4_U}(!y4{I|Za$x?7qJ z(%sz+(kb0YcXtUWsdRUXfOP$??UVO&f8YC;ha7Bezh=5wyOoImw4+RB~=rol|(W z@L`bI;gE3izi4y_Mq+}6gt%<4p|ieYLzD#q+C+K(^mxF!6PwZ?cH!Ccz}>jGa({%$ zR1eo-U?@e9paf4sSsFOE8sB;+F+B>+$S!f7gZC9ZwOzWmYy2?hJE?;6n@e(QT$;<^ zPnn1U0=jjp%M=}F{g8)!7Ly~8w920>z84z}Ms9DpBoS+Ia&WAt8OQV<&V1&Ju5o|~ zBXZRm{g~in?+4kA@bT@cu(EPIbw>8j^^YHq-8Vw;m9(@v+{IKIs z@Nrn9UllwV1!ltR5QfrsmTVKs(O=S);MI}A+$tC@)P0Co;JaRS!bqDa{;u{fEr2=G z!hKTaoDE-8cGv85XX;Sh6VR|pE|ig^FPG$YHi-XKd&s>IXJo`t9HJlTss9l%arjis z8*xPK8`zJ|tpRyrI~>FAw`+Cogaaw1;fj^AnyhdbV+&O&eCLV&P&n8Fk!S!T1Gfr0 zvd9en)xWt8mJl3pb&LbrZPz!_&HIpgPXi1l`zN1%=O`c&{btoE$a=N^FZ%pXHY_DZ zdJL;s8GAH9dZSw^^3u}U+Aug=i4^zM^~=9Ef4INp-6>xnQy>pLwx4J(ZSM#ZYrfY} zzgX4j5Rzd*vhtiPwCvkvq(Qd6KZZurfApGhvifufH%i0v$E`@9d9pB{9#8#@e=fJi zQ6j6BD9F=sD|s4H?Xk-J{N}_%L6x*yvK?bcLAX1X5eAu|eZXG%4wtcp5d8$X4)z(? 
zxh*N3UbZ;8;8)}|biog>6URv&bupl?sVtK3-~}o_ABHB>chL0kvKJm%lJ2=Ip^F|I zHT$dpg=Z*$e8}J_QqO}=J7t)!>SH?<3q8AIE>k0}ZK-Y(nXra6VWwC0S~h}Ur=lg) zWoyt{QSjw&%gY2u-anIJF4sW$p=K3(_Bu(bZ2@5#l21hogNS1>xWWpIsU1DBU@=tX zO5m@0TfX!+-zotu;Q~nMCp9ijF1a>;VeFJdg#jh@&BjJKuXrvrK4SMu5WQ?PquP3J ztMj@C0SqBxZD`n-6gdJ_sp{fSFP_V2hZ&elW6AceXAEbO%qrf1A-cxWOz)6C*9LhH zI;UGFFZ_oWU)7m9q~GH0bl>Q!=WJIzV;inu#_;`Yu_eNr-$(=&0N$K!QP`)22Q(6B z*5mZ=<@gbwr5`4Exl;mTt~YCDwENh*RWJ~ z&3@ITudBC3 zregH!zW2%9aNJbgC!wAeTKQKH#;c7Q7eTL7?E$D@SmGOTRPGF9 zPbo|o{TnenZo=Z>MBjJ^9J(*k&aU9NV5p8K){4v*5}oLA;^7JCo>yzm|HWHFa(Pk- zNeS+9W#c!1*m=X*OX+0CDDu_w&ITc?crYr|(U1S?e-Jp*s{vwdbmh-eYQ7sBC5=7J zmqBV=#K2gMl||hd|LqDzoOwFNp`Lf=rr#N$YrPO+MZ!j&q4Xo{>Q4Lsh%KCet_Qt0 z$M4Bw|1xV-l1UuRQTzF;%@z}I=1U9NO~i_Bn!_6xv3?J*-A|X*Q^2|npjC6Y`|Ic^ z`LmviO1_L46p))Q*(nMIyK4sY3gcFsg@FPPn-|0$+gLzH`LLd-D-eb#Nq^nH zL(I=pUlCjRj?sqi^kq$|BSN?u$=XUcY)Mc6jVaD^r{rkUqkyriJUd7b7~mG$m-64>m9OH@6PCMO1Jw#Y$b($R)O4|1ZLTCwG z0{@X`k#>C$8*Fk@gP&w|$3vL77lwF?AC6XsJ6nYYgKhf>*TaFLpQy63G9e~U*l!t( z3S!TFGF`vNOS;~P93hg5#+J;Z!}98(tyrP#>E8=xIfEhi`m|rN$O(9|KxzFK<9ry9 zYD#4-Ro4+&f%kwCpq^oYw^Nf(m_{2|`GJT-MNj5hS{WN98n{pD9LU$aFXY9K4G#s3 z*U?iL%oFR3h!l-aOk})d`Oj3sD+3rIfIXe=*MnHLI3ffJOUueUIw;8*DoQPW^4EkpwW=xx7N*WgSrh8P>iT+;*4ktCZ|W(ACcs0xZYcaUPkf_R}r`g%TWK z5nF`LP_UBU?N@_e0FX}SFlY32HOj#Afaz z8%^NJj@IDH9txD#&I`&geFaSgD~xxL>(pP!jsL|Wf&WY<0SFt%V8+^bhMNtX{;NDs ztV%PVsD!+*GTRXHp!dN0%iD_1<*%bNFTG&2!$DP@SK9n{`vr6h z^aq)wX8iAfma)ZNejtgs0j7{7UlHqe`*v3Re4))Im0^evO9gnj4^5p}SpI3}wZ1r% z2n2H#pvc{JSyIJ<{rYX|Y#qogekvybke$MIr~Sq5So|FSy_+5L;lLz;XG01S6a!aR z5KULg+w*tKEdBl?EjF%7RXht=(C^^{v7Z9)ySk-PDs?HuB3?C*X;aT-9{=y-4&y+m zuEdX{5}z)k{G!e|V@qGR88zSp?eXUU377<+p5p*^NF9|+;5Pl#z#nZrQs$TP5s7V+ zPH65DCeGFAgyav6s%}k(*v|dQVxKb=jKX$~x7rI#o z*5q(9Sa|agey8d-8Nmj&PEr-6FMEFxZUZrDb7BHCEt)1S~ShDG*@w&sOTN z8TAG0qhkJ;AJ)b4{j7|73kViS?Vo9AHtttWKfk_nOB5Pxd0aFtC_7BgymW(6_oX=0 z`9Y-Wcr-CFRa{A&0c( zmEBTGisv!}v|-o|ozfSu`zv^aU0C^pyAQZZU(bP*=fC)8n9-(AcnW> zt*to|@ZN3Uk~(a?D8PmrKif|QAtmE`GerP=vxBAr6p^ztJ|XR?3Tlmk{iBM5E_kn@ 
zKhvu@&WiMO?@B*hgnd<~V)yDkI*S_l{kFYKY2-iMQ9y_R)QRkX;?~3i){)cuar%o= z*TdVg;yLa^cC~D7gFj)ynX1OkO+ed#I3j;mudMg;(zEWdAMeK`r5Ch3GBS|YJQ#&< ze097~=PEJ2aSvqJ;fIHZNklJ9;E%w+0VCZEL}lI|QCYA;c=0-T=W8lNmxDYvETAh# z!y4DmrZ;^6uDNu)kjH0OxqdGh&Ue~@10-&iysCGCz_VK*(R!?0X$;f=!i#Vyi?L6f z?^p1FZ~RgSe!>Z6g1HkVfY+s+sEyhuy#G2Ueb0pUQI|T`^=;^AetgSZ8*{2`@$&y# zwvrS82craB;$Pgojgf4<3258NuE!fpF8FaNy&5hI1G9Orp!RUntY2$E&jVTtbC?(0 zM&rQ82pKWS$2;gGmx{le4X8!ZcvSB(e)wHvtgXjO zV#lf`c(tS{7?J{S*o#^Ztx4au>i|6R2n52MSbzcjw92vrL%|2RxfAAW?B1a8E=r%AH?(fP`6LV4;!F{lp#h!VH zry!3D@3~(Shyf_fO8U(5m>U*q^yhRSo&BG84mb$~VC2WO6AQy$u8+ZenrLOabMEWu zrTi!IK-Tq!JT6+;sS~Or`-bjN4REf+yIvZJ0o3-?s)=4FY3Ocl zEBlK>LF0*c5u{qNLtfq|3CLn1Q2)B7>j7QGedqD#`2IKqKyUuDg}x3VQ&`x^Nt`-L z{gLZE=u);j>v)(-%Q--TQvTXM6Dxoj&h=prEy?DonUT5OB@BG8gzh4?n_pB)zVQhl zyydd_-zSQ_e=nV&+)X;EDUNorH}M51Oo|V(L;8&%Q+~FFKK9ob^{Wg4Rao%EUOxbK zMvP^={W^LCu#kPP%rd9OG=6S?SwYbqW|ZxY@&i5S81KKN@9yr#BmvtEqVMkRhM@~} zZBL?3T=^i=!~t4rbWlv05WyC5pLR;N8+@W;!}#TdZ5P%0=e?$fz| z(L#VIjJHTgqrXhOyk^b!{*s=Vi5liH-rsB_`9`inz4A9Ob-;cN`AGdjGA0~QEu4Dm z!1`u+<_IL?scni_5j{RhHxmKp{jWmf5eIHU2> zeIeOO4q!rDiM#L}d1 z=48QIEU+dEyLtd|~h zlm-q9b0N4KMejaFaM1BR>v%=lLjueXDNd zplnH|BMM;VzJwmz@$oWgw3`6CrO;ko;q?_@DnbHa5sMqCV1X=k6S-7CX7hLaOq$n? 
zd@wMmAiC!g_4>#uAR;Mw`@?x1qKaKgV-AehkPxjc|QhZyc|7;`q6e2XCl zTA}0R2N;osD`c2<{dBaIs+$sIg0IvP?acd%B35|{%2~($isKta?9BraE!4?=dT?Byt~m0f3h{S*Nptwr8pNLuI)vw+Li zU^YEHjs2>;pSKpWB|ZMSzY3qAv%jsXCLRmW2JBO7xkC!aETU<>AFWhGWI*JWl3PFe zh3IZFb5^$TN=Yf^K6WiSA)kH5I{^q&F+D<>%W%&r_tWVkPfslYG#hSTIvJL-(f)cD z1GkeNBnMgP9FZ}-G!XPZPwv)aa#cMrPkL5S8YAH$hmk=#*1F{w?drfC3rQ{|aD3f# z>PB2RJtd>-T+f*?wt~*-wG)Sj699tbVDmVQKn?6GGcGeE1PM*pB)ttt1|t=FXq*rg&uCd_HU<+HnqA9;i(;(i^p3V0@&?e z?l4D4ChF*HT$el>Gsj4~be3+pQABYnIylu_x*H2v8x=&*Q|o$WP}6yCCX-Us@PR2d z4DD6^ANKT+o_hvsy=rAqoyGrxVTx7&VL*Z_XgGu@_01?* zdU(JN%bsD3KwgLU?fEe1Q?{-n*hF@q=P>?zyqI)YST<`ur+98P_OLou5ccZjVorN+QR` zq;|niF_-c=<)Pz(yB35(SK$B82rUMQ&>Pu_${B99Q2IolEp6Wktpx|N2bBqWZOWmA zkwua(K3mQmT(a(83OKy8I*;}zMVfE2$*_EnLBNG3LE+O<@>gh;L(bf?9@ubsxqGmw zi_bP}Bn9joZAN;984wJ&-C@_v@@-}=ov;=Ju-sw`6VX7_m|g)c7=IX;yd1%SeuFWM z8uG@204kgfU`S`EBIlkZUxIir-*W@vq^ofCoJh`gl0HhXJV%Susd=Sp1rz%_+(Lq%VDpu0w~GGZz*-QL4>cJwQ^%P1c{&1A^4HqVa2Fg91ChOjKNn*%-MN`Cdjd=`IV*P;Z>XYN# z_TA|2>{lLLS>W(G#@`+cq)S%k1J&M!un&HA?P&lHoy#qs8k})o;!_?88wDrV_ml!_ z-7wKT*HK~c#-S7CUIsw~{m|n^VD44BgfCrUtW+9`)eF4t7xb!1;C4) ztrK1nn6tYNcakB85RkSGOT^f)8vVxUkC={Q)iBslG+fXb?Y+W6D<8nL+`J@P7U9beu z4gmPycdGdK#9WfqoH>PCZ#vcoC=|cDx(x3&2?06@Lka*VaBU}I>G%Z$3}$Ojul4yP z;Keo19p*d-OtuaM)CIg*@0(Be+QLN?e1R|8aRP7v;z--|;YMp+J}vwCQNNa*CPo(J zsW}9WSzXNXzM=rFilh_&E_^N3mpwB5jbJ6qcNJwNl^p_bu^5~mI9VbvMMdD?*{~PQ zcMLy1>KLF=;HDUIydrbshKm3-ED!$dB0rP{tBdv@YRxArp+bZ(S@h@PwmEv&!7yEXr%iZ~%wtMgsB z7Wr+_fQB-*!w}FK{3#xtx087zj5C2!)KXR_2izf1!QxZ4Nr`m=Qn@|yP#4g7g&tOG z)E}D7q)=ly5RSzPsuQAq*BCggJdQajI?xm81E>&3eNn?PbO+8Q}B2q7WpM=v`IkxTU3~$upWE zk=?5M)(hO1FE10bir6FkdEo{^nOb=4{dvcsKr+-@P47i!9xP61lUszb;oaZg!$E1Z z!wxw|!b=CvUm?~il)&DXJdT!zlf5IZ<)@%vUr6446Nb*W-~04!;!**vq7axI8B@|N zAlbOIw+*|(eLuXU2FcO>H7(?y-Vcm~0ji~J4+RP9%!3B ztqxC`akf@`AB?x4U$9tyc|B1{aNJsyKc?M>+65!_!uxHh`=wwPBf}NYk2ZRGdVAm{ zmhZ$oUD!i+G&LJ4l=$q}$uYt`su7w&?;neyJDPRO9l z`5L2mHm1*}`Sn-Ze$V%74gm8)Gsb4)2xSWl;ci*^*-(5Cj0lk(h#(Rr%__DB0EstU 
zNhbM{pyoR?Ik>(yHAWyyvS9);n{a0+I%Z}CD_Mj;8TGIxRzH9NR+V0$d6CpEST|e( zKc=PpmHz8B|5{GDy}F~*l1TGb#n~;JOrUzaf-dG`SI;6_kCDyued@>DxE`LCrk^j! zMFoii;8f`rpPv+QOD;~$agNbt`w-z5w`gALO+B98{r0H&RAi5|TIIJzz*M6nf5sCI z<1YAg>ee|0mxU?Xvh@aS#+GP?s1*-ggq?m)31QkT>>iSHjmw8ptZhH{>&Mw&c zMcn5nzg1Pz7P0c{lNi?Z8X5Hkl`6rQGRR2?ILDE~`5>YA_m1|?QX}o(kcJ2x^hxN{ zRLhdXJWs54_Iy#Fz1?~)WEv}+LuO*P5TQ0afTK+hoH=mJ$d4O|G!fP*nO{-(@R&}& zm@C>3^C{U<)!AaS?8Os40q%*GW_qMmn4XQ~J6>(l?~Wr-G6?fc6b&Yx(vB+AyU(8E z%j1+z^4W4U2YVg*9S!MDT@y~LZ(1{ff3J_uM3>)A{meiie;kc4&zE>WkgvE4#?r{( zQNa>Tn*DtbUH@X&TvX&ZGa&<`4~)rNUS|Ak{!qA zUQ4$DuaDH3Of{d-l={eSI=ZB=!&f4}`-^1lMZpW!yQ96zw^ai5K`|QGV$2R94|N~D z{=h>CBH?v&ap|>e1Oq|&)mknpO9v*ff;>d(w{+v>^|e^VbSEJH3+>?dxpRIvPwgI% z6uO&A`hoxh9j?I)cH+%C^wZRJfFE#ZwI+7}19~NQz!mC$GK0H*Ps_e9f5E}U1?~@h z@qTO2wdMY2`%EP00Q+4-07}*XDep4Tqt;2VQ3U3f0%w;L+pOmjiDtY zJwCyZgFKsQh4O(jbn29`6g<26fFw+Q=GafPx%y2RjI8O=tmZo8;&vz?M%Q_{_^MAL z1_YZSC}?=xHt{m(GLwj@Z=vePuoRJ`9G1vch>V8i6G?xY5*#miB2*J77^FqP#N`%7*DpHeft*4qId(&~nxPDiJ0r3-x)$IxTHhW?bO+|%I{-@Ko!^g%l~jXoyUt#CKOUujZM*XpoH6{B@-t80#-_3@ z!3}6Kv78Q&62>g@e@8Ci=GMH(B}ysj4cunqw_?-@Jid3|b4)uA(yeqtdSTaqRbn>- zG=c%LES(%rPK6~Ui1~{H1a=((fQ}Bjva<61UWV*UlrBkVBt6z*jzym>usrXOP@FSl z2CH4XqF|J9c8>fEMA4 z?{n)PyGn|}LDU&%msX2K1N3TfnTa67z!i%rN+!w#5c%BPXL=&)adL}HB`6z9s^H@Y zs9Q?5ZT8sVKxhGLbg%6@zP3R;>;VQzaeOmSrK?tBITCnohv!?T(y39KgYW&~^{=S6 zr*T{#JrfaUoSdqIscj4q^8alx5Zft4VvP_%*_y|2^genwNmnh)6Q7;_?Ek9yNm_=H zM?~BOj-(@>U)1_dnh}07$`3zD9OzAH#3{dw%9=x%Uw63knXchqF5)xL?ryphcS~rM z2JmsGzpvcgrX!A(6$sgUF|b-LL2Jx>R1K3tnSEvXgGhi#|# z@=R9zLp*QbB;G_AJwH8i12Pebm*)Ul6riP-VTl?d%HuN;t^uF_dH^U@68g3;lf%Atm{&pq!ogaAP^xE&^-q47fOjhwI3qekSSakm{-cn?H={f z7}ynp7X>!R5K|K!_AUnAwn>g;{&fCI{Bjrhw%cb^7VtG_nnrwpzmCQb_fSCYt%BwR z^uy85*6Ctp;~RwI)KwNHVpwJW|BeeGFAcH9j5?zn8?HT9-;GR|N@wUa9~`B%a(i_< zSitULNiks^oQcYtP3o*SNYXP>>iv?`q%WPpbIx}zz@RRN#iLlaaw5y+QJ@rt^Y*=g z`2-g+@9iiD9(GQoz@xvW43+u-7t1$YEV>eHsx?;ZeuQ{dWKRo~^Cfj&(l|}30ZEcx zW?#PMJ(JSuQLvb0paiA_cczAX`WWsWNz~`&J`0wZ^Fr`oZiRe>7Tye~MOnDG$DEoi 
z+{1Rc1hM#I(tKtgG6?N)2XqY#zXp^=|PE$^`gLTY>ds)0;2Jm98j5_k;Y#T)fJR#R;UU zgkXFl7{xpb-U%S_@NXC4RBVN*jq_QUAvoXH-V8rz zldaZ!54D_LQxpF5qskGR{;9*+h;C5VQZxX@ghcRv2lL!tFmhnp4v(pi?u@^jl1}ug zZS;L+OIRDvB`nUi5hE+brPS2IEB$L0i6#*R?C-HEn{qAY45#wOc0}?|#6ewLZ(*R& zs8PRB!~W*Y(vIlex+3*%O915?ZrEdrbd&f_F{my(MWiIlEl0EUfI0hf=fp}70Xmxh z$zG)~ob0V_ek~IhqTCb}ZLJR)o{l3`=nX+hkf06^(yg82X!xH6#lT_`x&rx3ZYBk!<`|?-?Z5g^XX-XRA1BqVYaIf6N$D9F>d`ZP2IvZ6 zT-Ko{n1(@M>h8xAyBSy9TkAe`O7@4FFGAycHCU%Q71C&oI6|AvDbVBg0p7l=BU0dD zvyS)v2~x z5w6&07wUaTks;{%Liw6wzzzKg4|inbjyi*4jMGk(b&V3?a=76_N)24IFm?uqdU9Wc zGk5VyM=7R~GL)pzkGOqpg>i@CbBS)O+A_`)j!W@KQH67*;!D)Sx8-6$XT4O=DfAS!eit+dbEDFr zGnrvilhMe)&JlqzD-}KOUaOA1=!D|FxQ_aP`6R80qYyiADLIpsZGb@|ovaO;N>6c2 z?X6By90s!@lxaEBW+4tTa(o75Et6~J!mc=Wzj=oPMKqmfTleLx4n=eVH?S_6Me{48 zQ-MEYz?1?Q^Mc=bA5-vQ17quQZfAKiL(qpe+wbYNB3ateN6Hm27DhbOf&Oc`2vGW} znR5JwmBIaMfLo+F+KS^;V54T^zx<)vayA53F!?q*NNjVMIn*tAl;4G;Wt9s!eY{O{Kf7TG^>98nI-Prj{n=WUwkW*os-2z)!o68xzUlYp z+90*sgcV1Xsn$*>a~&h*p(cF4oE!WD{sp+6H!tQX>3X&d&%3gGb1 zgVh%Wm8>|QTB9>Ee8{fONp9@;ryUX-^17T{K&rB4GErZI|Ls~3FB9H?OB+z)KFTLL zm}kK+I3E6Wzi6o_m+pyN%;fdid|X}m$KKD84D8Uk9St4w0gd-iwW#;QRq=UH1AP z*ainb*fx3wx>l&&K)Vrmhc`@wQ;JiTDTym$6Q@eru*93wK#SW3n;c}ll83?)5IsR> zh%DR}9i1?=vtxm1AuMtxqL|yv=P~$;w41>D}%S} zM#S;~wG8&L&Da}>ue5J>94s}*?#MOLc9=|ujrXxmJ~5MtAcw81>X1Y--RAjSQ6kiy zljb%hL{sfy2vR#3kjjdRe7c8|nZ!udT-F?R^bs&8jz4niF|X~Xzmq6j0AHgau+&L? 
z39FBIet{M|*Ne%J6E$B)7u;)S-45z(=H zw!nf8Ubnp{HNbyK80|^a2hFl+!>QVk7(Vc(kDi``R>a+BN{5jP@mmCRShmVYTh%lil63D9)s}$dBK&<^F|Z)_3uUzSz<}^qiZWF^YdWsg^A56 zNs_S}h38HD?jC?Y<24~+TMHxhM3R@6pBAL!s5!VOm~1y?W-XHl9B5-fER^*{Q3RjTj{TYtS%) z2ZDyyX+FWpzy`Y9%?#D_?o9iy_B7k4zy@~;RNT-B3gX|AZ93Fku#6f}cX2`%sJBzp z^vve;v;+FFmA;c2=9txV8>Ah!)!MzJb*~H?b^QGa^aoMQRQQnLH8Ow+G;iB@#gD7Q z22F$LRAIz89J%+ybo5&DUVSwU#s1Y3Hm|jrxe~D*x?d$x&zVq@`=lc>xfk-*7YCj- zt)eCkki-!vf-(1Y9lR){UsKCphTB7lTm~m%araw$}83254N01VQ&FBsXv`1<#6;Ra>* z^AVaepbZt2FE1ykV`IZ~?8;}`vVj0J6YV;guii(t-aY!d^Aq!*4^wzdsH4#?&W7{& z?TeB01;V5L;Mr4UBcDS7Ehs2-T+iuyRq`S#dx%jogUEM$Rf%Ri4Qv!rDs9x*4<*FEI?yusRP1-n(!5z@ ztSFUUY%%(!*7U5p@NY?94J3Y5xJ`YWy|}Yuy}c$$qa6wgX_3>(Uy24^+ldV611TYH5xhc)#qbiA6^W4x_slGwu>~KH z2tiP33stI9%oh-Eg zpC};zWx%o;wf6X^qXIVIFT!(Ue)^cCg(eEU0N9>q&Fzjhoe_;O0+-Kr_@5vD_sxZ? z;V+FAa>?8_6(iV*r>gIzG}@75VJfGy$V@fsj>>+O00JiiyCBUGjaY>l^)L#cI3Vz{#$XVI9e!R6W=9HkB;k#{LH!gbRv-$)}H&%EVL$i$`TsNXC>VJBq6l z)Lvd)m8rip9nbtsO&5O11MJZ}^pn#DMV)f*@oT{Q{yG-QdmP?UDfV08F$mZ?KmBvg zaZL6P1MMwGvGs)^k5}q?X~o6~SsY4#K@)@nAZZopKA32CSoJI0rN8Xx@3x6skm>4g zE4tbtojCi+7tQ!Jd?%KtU)gHu$lL{p(Jb3PE3BB;^;xsUWI0XwM-iN#oSY}vh~IkE zqQw8_S^l700aMuSztXApk1u7A{l4C2*l!IQBw$C0(6YXUF<5Xx_f#NCz`kQheFhfs zn8pA7m=z$$T+cijA0yzvIoju!z~1~5^^oo2ZcGLIv6~d7&q%nM#JCfGfFKXRG5j{4 zkDMoShJ4TK1o442Q~f|E7!B1j;5GgW^=5y&9)Rl)dHMSOmV5cR3^#LPd@Y7yy!}1I zbbHK^9+pVPkh10(sD29>Z1;h;O8)Nr|4d$#V}3k-mr1&UFZx!wS9h6KTdMqzzkw3I zI z(jAX|XZ&)kW*uidG0Y4(YY1c@{XWE}938tb)JGru~Q=s)<9 z%+B?DP?d+u^qTyo*2Pr<-U|Exb5oweWyeQVAwJE;hC4fNgtpeGB1nc8oznC4c#nk= zQWy+01iyy#ivRu5L5!HkmR~~ms^ef(weuyvUOHm870HE*(8h_bcN;AD8$9P^%H&*> zc%!|D@{>3FZ|74oj7DaSFpBOpVlVO9%*DXr$4*2~31PJ;>nKD@-y7A!okZyXq|ELY zV{eOc_nmnmiPGQBPdK0#X5wj$p{rKZzbb|Hv6%T$$iHr=}!e`tS9!F8gy9LVahs$ce}v@D%k zaM0HIw`cg54eU$scAaAFXP2k4R}1P<6*K$k{lf%NfB*iSTTmc2$_jAT0MMTT@x6Zr zn?DW;4FJgY-4Ax|hlYu`X&8r^8&?c|wEsMW)e|4oYrzX&x{Zl!Zj7~tF8aT{#}FK# zjNYh-vMnr_5DcedsYqsL`EZw--mEE6Q=RY6*uey-n zVE^Ym8&!?MXou%$bw66W=08s$liL9X;GqK>jM4^3KPCkH7WCIO$R17^oDaarE_xFZ80t!tJWoX}f{1qw5r(ZAS 
z9+$*ac4vIX<T<3af5pjVyzJxpyx4;_h*A1#bC5}PYU#(kz zG4at0Xl{h>szFC$sNvw~v6K=>wC@Qj9>RkgkPd@#@}YQrR5@t|5<_<1xC(=MhgjYp z!;x1%UZ>@{e|q|5we#E)9O;UkUkUg2FD~K_Q}>^Hp>Os4NxsElHMMZy^$h6-DZeeg zt}Tn`6sl`hFF;{KXN+Y6V_TecGs486Z#wkdeFWiP@`eQvvH$`b`QzAFO=0H~M*rzq z&yHg+37;|)LgEY8uoqlWbXx+UXWl;DcWzWFg5X3}_>2_7egL;E95DV%z);F%h2%-m zPRcQk+t*gCmzQBctX%pf{jK7$6#!V#^5GVhG#V{IVzarObFlT)ilpmx1(vs0nP8ir z`|mpGtlGpBY6ld^6e;K}-ws@_O;4ekMc$Cvq0*-;^KjUXnG*i~K|}R{(iJ7IwGigI z)IcjJCIBzZG5fv4Pxr$gbPdhTvKh<30H_#9ACETwU+zHQm15$UuhbKI#kLjtGrkcF zq{4p`qN|l)km~s!Shk2eS9u0)RnxcvAI9TC?<-P0Cg#h*ix2KsJ>ZM4A5!9CJq*u%ytC%^o z-^^HpMj~*p<{_Qxi~gzlo^;N<9@2Ev)I)y-U3${+Z&nQiBk*G%MMpij>7Q}t^xWH% zvePoojeYZXRzDHj&-*xe;-cpEAi%g=>EJyPYM6+L3DhSW{7o=cy81%W$+7^&N| zM%~KXh6c62dmRPD>$vfEXeHfz(N$M(0+L!?COTidv3rOBj0rtIxc~iIlCZHXoWHC{(wYNl5YuSaY)RF}mg-zw#boeUCx zhww^AUHxUTT>STH)gfOxT#yjV^Vy!xuXBgyBphwu4Ln_)gCuNO&$t@=-E;9k z-<4fG`xzaaxp5h!DhYy=FL)SgcH*hsMw6VD0aauD`tzfyr12WH*nGU&hHrLKexF*< zirAP`Le-cupf_HtV~5)YFHJ$$4l846zO4*lJOhh8@%uhaI8ajF5A12CZTI!P|th0L3?Ap~E zZ1{A%Hz6}Z&3;Jadxw=z*~qg&plD19io6SbdYxk19L72;*x`@dOV&s=))*c!n- z^qOyGqe~dag&&aDVsYD?4J4r4rg7o-qCtFMhwzss$remwKYSwjd&Sd zx)c~>Yxe0X`g0PDeTq0fs^JS>L~TR4#*C&z@EG22&&;##`|;qTdp@^hF`kzx=WI(g zH>{>|JUaiEk><4GtLopTB(+{QO*nL#Ucr;PDgj;t+g5;? 
z7F15N@|q>7`PP}D@@hMmMm7yeB@e7yH5t{K6S2{bh!W5oaG%hpB`X@{jtTP8IKIwD zM?+f&RQRb}=Rn=f3M3j9XCQNH09CzRvLS9(YoHF{Qe4 zVb&$KK~74usyc}fZ#DLsVfr)^7!T5MB?+4^Y(vn|UgG$| zV81Y0!!Hl)cm2d^Zf)(~|LL5|XJZX2M(Pj$jSHfHi4}C?%YN~!G-`b`?uFEJ8;{~M z*l6(_Q#w=?`;l?X!F(oHHLeEj;BZKvqI z5J=vSsnV32Rb?u`X!%T+Ev|DS92i|0`6rUCricjI)&<_LML3ew$TcL5zw|=SCyD0| zPKFtc*if_~a8SK{DRle+bq3K`htF$+RU&1_lR&n{Brn?xGLzSCHK z>*U%9dJr%LEdeW%Z75f`=R1lfCTqClL%ydqslS#&kVu6y2JGQoo)T235e-}LhOK1) z*v_BgGm6}kAyC|gvl*|^HQh;Qp&g{0F#Kxd>cS5)tI54scE~3V= zrP0y_`^g%37;5M>e7W1K+9(kQ*Fx(;%71juTH8oQ^=Dqc4gc~!P@7GE1<$!P>n!s1 zDjq>fc*59B#?(%Ate+kqb=e%axx~U8CJMlx3H(P)XOa|RR+Os6zWDQ5yvxT%@0nTe zq33h}Gw~vRQcaZ~zdv^WXNGF{fNJe!#N^ufn45(2INbUisi=P?Pgh%rFhx0sQANz{ zObB4vM7*9WQrpfkSB)N^%3a3_4IGa0+VZa$BURlmu5M@OdXrp zUF?0AQlg1;udUR@t^K5`s>1Gs4U2io@~JTk4!G8hT4~4p_k(Du;Br_n51gvr^jNcf zpc6B&J_Vn9+Rm0$^w1;|8 zfd05{=)-|R!{f8A<$B=>8+|AKA=sWaScyB>o*P@f8tsd88XysjPuqQd~50P~@ucj{_s@WO{^`ZkT%nXwcM&(1*_$2v|H+ zMB*Q!=6T9p^H_iL5{Vj79W;{VkW&Qr>$0?q)?SbyBWVk{6A`M=Z7553Vs5K`67)oy)ge(sxvJ8i zyfeRCu#SoiPS;iKb2{<}gJJ)wX%b5-jiWCtaoR&Atxk(Jk>40jmO1;alHm5T2G~tg z$NShQd(48b0?-=~5fP~j;lBilQz6*mN+E400PlX?Hk9FmCJs*K#~AZEVWdj=%Cjq6 z>Cq-nj`ssAi>&z!?VAuZA~i%uNDf z6F4^~s}9Z(*D@|MSjM4&^TwLB5WME$c~+=AE#sI0EYo(_;u?HryU00}Z!Fu_xieYX zUw&E#^UyI+sJx@FcIrW4(XD*~K?%B#QMq5mvcT39)Q<2|@=y}m=M7Tro(QY@>}nvB zb>kZqsCP;e+4CqjKGgn@MmzJJ==a+vd0t^HT@;n$XhLC~#Unp!H{oVLrO`*i zqhmnN1kw+Dt-zQ&gA6Nek&5NO6?FJ0D~h>^&rOXwOH-M}2^#Zrk>`WugLF_+vpSqE zobHxh{9e$d3*icG{c+-(XTCnq3KK^+i$9|Zy$4JcSo1xkOa6bs!?yS~gL^8OoTuO< zk50GQR$3jl-vJ3p>m_VbxnnV9>Xy`tmxDLMLbX`_0gYS9kkU1rW)0p`876p>$~#o?BLnGAVVOKm^&og{aQ&*0wQa zjC$p24WeJIOY5qBNuQ=BO*9#@X=Okn-H6Pwv@56nW4L;z#oxa$Aj2)o+tYDzGfIHa zJoo#^+_jg;rD1~>g|~AC04I8BZtDPDlUF;E@Eghi*>h@nH>6i1*3$_jKNbXG?LU3m zz;Xh1hdZausGIZ(Z)XndT3bi1rM*C0Hjnt=mS$broSrvFhvcbe|IVH~VY z4!-$LyHEZYJ0s)fxh!j;v?>YpW_junT2f5aWH6)c-CFy+kUST6)cBxwNixwY#Y`FGR%4X4(1)QCnO|6cQeG20RCmo&r$ zrVO3}F}TS*gwJM-=x zU4AG3kG;2yiYwdNg#!c&?(UZ0?k+)s2A7}#5}aU#Yk;O7Fq-s^S~37M?&c69r#RYDJzPdFl@qiF?zf&69Nh7 
z2D<_aRi8epY9=b%A6c;I(;|1;d?eup$7nx|>u$2giptG!-rt`HdGvTh^(9y?h}dR+ z{4prC+Dq#7hmbcPMywq2BrCo>vau0E($5yvYlWGb89@mFnzI*SeW7q?Smi$P}Ld z@sgad;}9x7dbT_*kOZ)fb;AzyXu(=2v;e91PeZK&o~CDKqEMSz&B{NeqDa*j@%s|o zef1L{3Kb!s4T`jsmmR}QAo9S{(-dvbgydk%H^WxfY>Wf=Ah5U+fB%t%Idw;;Yv6M-`dGd zMp5(n%qOBZjME0oy_EWPCa=IhGb80`A-K6JBEj9~IzC>EHO@V@7^q@m@9aXg{dp;S zHbnznfPi6N>UU3sKOX*WcsjVEswz&>!Dq|#W@mgz4ooK|cf`}+G0^Cw=mkvc7m9=A~vENr(vuwRBEuycb}i$?(_KuP_%xQ1dQ9kpG=PTJVOfqNRIu9c_Ar*Lids{ z(wKe@>`b(q{OCtn>k=A>jf+Fj67~1zy$-dY)ry#6N~F{xruTA-0tv9Et`w0b(r6wQD zt~an2TNOPrUVD8Gm3=Cca<$y@1;`=3?@MTOzHwMNO0Hp!0U)7ws=li4Bz7ZK$KklE zdg2Lp(Hu|>qY|SOkiXC|BFf2|vQsUrf7zCfA15TzL@xe7u!2XN3&xqD4USoSuNAw7 zY401GT#bE{*Eo*$CJx(lBbD)xGR}`mlIJVu<`?f>9?u8WVz_%VN{9bcf}5uvOpI1+ z|4y2sw1<%c)wVNdP%x2@^QlGehGZGTqrd^M$BQxgo@j?cS_E4j%4}sN(NC$7ehyB| zU+7PR-LCLFV(Xv&*e|wl5)wXLr}`8Y$u@&nHx+rnovPMs!e%OuHUkG+!K+a*k-!&q z-{$bVjFDCwRY6|$6Mpk-YH*9Mz&po3VyqoR&z8gvNQ8eJay;9p%z6Xyus%$jpzxYc z-_9@7u6#e;PIYzAj!srGqhmfyJYCm_xE?kGDtKR~;+#93c?A{o4M#(PM%?Uae5xVK z42CS4O3fIKmCJhSi$oxOou3QUOsn;Es*v{7o{cHRUA?@z>+9e-UaugFxcV(uSOW3 zeVi}5aUnRn(4{*u3Wi?^X6i-h*oStede_{6*anW(-@-n7;;BbJXu~a?jfS_X9*lk2pW|J>L!Su4V zEK<9zBnDelyq@rP6BZ5eGtYyT-&*-^qQ_YoPPdV9(s2Z}42*2^KeIDng5m#OdO+yM zLe}b#D!rGLqc04mQX*RQVg#??*o1(3`V+U9azC&oMdFpp74i)O^e~8{aYZLakTHNaM|zc zu)f!D8~DytJ_Yk{iAMn-e@4Ync-XAI7=4lqItop|(Gb1JO8&g$`m9FTEd~;p*EVT~@I12u@V5@fnrxv#A08&qOWthF5zj zv$f;u72?R7f#JNjEjRp2?tdhHX_3qCUV-!FI)cj4r^0GP6H%vn>D2TIdTXM-U{ zcU_}LW@;DQIEh>5qH&+YRq7dGDr6{o7W_>=ck&|TZvEwrLn4btyjEA@Ge@3F57S+v zMf;QK1FQ4wC&ryO+0&>P+50aAG|7Sm;K`r=ezg6OFGH0A9PmzY5|t3rdtE$d5vy}3 zmc2;fHHXo>0<(r%v()w_b326(G;|ZCZb1 zF&$6=INUB_km zY3llHMn1n{A=~ji%&F3;Ulm?OCg#h!_TDv|jAvjfEtwpTTcG@By!HloYQcglaV{P> z${h2&MS#%t^H~dsMdF)#%omJE*ZOL04lWZ`$cNay?sOcq>*=far(54BR<}{K{|S`&(-t7z+B}Ok{np$b z4?rP~wM^I1a@#Ma7I1x;zKtRBo9c%L!VLtHUqvk4NRlULj6H|_Ii*ZJY#}vXx?Ck5 zT2ZMaw3AIj_o2R+P5Z&=F|(nQUkU!cghw%>fO;60Ok@1)BnPN2onA||0n{-h;CAW|G?JBm4sRMV1N!a8jqA4;40txX>d>Pss z9Q4{fT;_6KRzIX|K27p{El)I&dj+QAJwLG}i|a{Bg!n-W)a%?s 
zuRFrJ>8-i@sJ?p=WLWKre4HZl8-h3LePn4S65*c6fxiqWZ%RWt22G%5dg=>C2bBp; zckr2h(usLY?PaR1j+Y88 z71gHBpK@AA&aw}~vVX|WJsIzHSu1%F|1|9)6kRp!GZg9+Y&rkoj`k4>8 zfL44j@3myx!t88#l97+@OblS}6DhoS0RT0!4=H2zBpP7t)wx=7F9W+^iUx42urblE zhJUQ9Vbx+RbovnJ&H4WM@9NXa)g9t?$y)d!R94OFMZmjy$Zc=Jmj>GJoFXWjfW~nr+3ti+)E5{|oqCP`0+Yba?$|^DKrbhe;T}PGZS;y;7ktm0gasT0 z749#K0mZ{2SKd=E=>Gu_L%8T}pD<1P?EC6IgfiFnC)rXrmCulvDa!tQrrFJ+#w$ENK(N>OsbbSbC>Mhqhv{u>g{8-5 z-EKbfjpUg|L;5VOIKJb9EtZo?q*m=7SONFci}MLPo)>vzril9 zy-w?|-o$-u^1O8($w-}x`YncEpXqx;y{M(V-3$q_O>h5^s1g;yW8d#I=@Z!APNny!o@T*dt%Sj1zC z(S^cUIe>Nc#Sn;IOPJ6IilE8q&16@sP?k#6x_#kzL#{9k=V@+x17)#w>CFBP{B$Cy24Aj^L-P)3nmF``8Ez3Ee>m~sPe@T@bfgR zHZ381S?$R3#rXm)FTxkIK*b+0P}D&7TLOT6jetkNe>neE6T|7AE-Jr|?ts-(#x^+*rDO zDVeC!g1PwdPDz1zOX4d`Ln~FXBK;n-&DDB`Lx7rrJBCEisS{KUykpG$P{ZtO|PW|T&JDxAu zqY_w?$ou$!WglDZ|69U2)8F&PU@?5h#c@7!XF}+pGIbbJ#f~3O-fmO$l-EKjHQHtJ zEnC97$Zxm5qO3+)fN}$fv@Q2@W*=Q}x-JHng7aOh4_{{lM}Oy$;~=jzbIw=eGTBzT&bS5}|0B>V zwXY**l7gFg;CF!-7$K6X&Q~Dn`K8GZ4mt${X@*(W*r@>y{H_Vgw-M&M8VNlDj@o}B zvfklL9Z#?wc4~{o&JGIfo(|W^s<}>_ke)H`vMOYwnQNADqBmJs3+a)T;FIVpXEO3f)#$f}4Sf^bi8?-B%R@I;~XR@`Fu0X(MBsK>|vBjvqXcK{vke&+-kM<6|=YDm?mns6>CCFFQM7%&PT&VO4(#;C~7r{o>&qFmZD z5$z6J_KqpbG(T4Qp5!YHszm7q){$g52=20*zgeYQoiRA9&$ThhAJ3Zt4s`Kv>Aq^M z!#k3!mJ7Xtyd93Aa^3jR5A> z$=R90rQBiat0y$Sc+N|;0QY*iwwhovyT{iqcpnsH4wQ~=t-m2wtiR7`P_FLyq^A8X z_`{}xcFj9Yj8=)P&Hyv`FXE3(WDxV7X6P>AeVa~}%+Wyuk)Z|~XhSW+^`<5PItLa~ zFB6^nhz!A6OmnsyB8q}w9) z%$z1y>DBWhRDYO-ep6e1Q^1L3P&6qe7QqSBxZy?o`sGmo6}(40ayKdKpbSsBL(8zv z-DLl=!&5y+rmrQVTccVFaWIDEljm@7a3G+Xqj`ERap2_ckEcYTe+4kX696#JFMZ+m z9eMZ7*y?vs*_ZULR+2>YRSD{)M!)5HiT%Aitt~p60n(x)P>#!dHnIvhCRfG9kwL?| zM|2tBPc?59wepD&?GaV}D1zYd{E62_O7x0-YkT~={ld3=CIcZ^2@eoe$`?yO$!`!q znR@*mu4=kKjT7^)hu9NVU=atz6D<1m+}^{yx=zYh+Wm>vtm8UF~Aae(ddV9f0{_*ZDaPvlbVp1}Ezs&I;< zdW&P0&7~*qs{2jAX+1kPcO`;%t?yUl?Ry;lxnuhMS#SSZ82jP|ih9E%wBK%(28-YQ zi1xDeI%FDNKDJUYttgZ*%Iz=De&=r8iGH!yM@4XX2${XGB9=hpLuvME4@5`YeoJ!98{ zeW*c*P9{jpBK*(As2mPpiIh=157B0h>lrvMG5B7j>HNlGT#f!+20+h|b_$?y3YmOp 
zzFCn{TJYuZ#*4o*Tpz)|!@9_tB=5$tuk16QOh3EqZ!t0+xwap8YqSqQ`f)KQcUNX! zb$4645`{%b{3W#GKg#ql2|Gp_dFS@ehz`A?l-r3JHs*qUU@&(@oWJ5<0ilY+5W&hu zlXqEHwbIih5I=M=U?)WVt$N3=N43G@g{^(aq!&%|1S`u(-bZI3d7~N9)vY2?G`hyg zeV)@%jQmhK5d;(?`fWLz9sG-$eDa_sj|e80dVEf?637-(Ci4MWPw?uMwS(1ukD5mg z8P{NC?+$2R(O(idUDzEP;4or(^G1^jaORqnm6o!be@npXTKe*f2lNO&n8pDL-B_N# zYhQQS9E)>uRGXGH5#7Mo7%EviRW$UNYs7>F6xsG^Q-dAB?8)@TG-oRx5ZpMYACPprJSF6BM>i)Jmq^%JeePdFONmWf%O`u3at*XX zqw=tR2UMQ3Y8kwABx7QIjkk*4Ma>=;gkboI;CplLpOL}e&$`!u79mVoY!GZ}-@)s! zRd84KjvtaepQh+~yjqcLb%XTn+qdrV#^cw62L3vdfpS)u_vW(}1F7(NBgwXWZOZ>y z6`W5_;K_S(%`xbqpO)-)FP5M5YjTl1@SbqxScZL;d1V>G-ieB zeVx@EHZx>)ckX67KmKWCacf)qxvW}Zm z$cmYwWL(_7?cw|@JHUUsBY+}UA|6OUiN5ZWEiP%b(2KHqBrz^Vc~ZkwO?U^D<1*0^`&p42d=AiaW6NGaQ*q6pu4!4;~Mci`dG zo9^$1vjgSFIlOq&1>uhfKRnMUJxtWJC2|kN{$Tj)Azj^rj%I4i|$8O_Ok!rN? z?Fp04vm!Np0k~^7QNNksN1vgW$c4~Gj7eV~Ue|r=4x2|Ifh+TSZPm)iQtc{TXl!#y)YtGr_8U1S+d{cVQBbj4}8L#@w%uCuEEafoTX zRof^VTNr801#aJ4fGp7xG? z?Y~3eOI&Y6UNJgM(D6g&d$op!LZ~L+=4>EcxLwb!(3#0#Wr5CTZ}_vD7S@t3>7~O0 zowFq`;ig;H1oEBEpKX>kyJv`w=buG%^tQj`HeH+Oe}XAXGK~KArdz^j<7~_bLpVz2 zJ2?a{+OG5FWw!GXm2kuEF~9R7uW;MuhlHNqBU92pU65auJkSkX9@TQtbAYShKN{_~ zNtUL32{xhN6>h>Ez4mMTaI7Z4Ct#9eH%ng5E;GwfERR~|cs|-({dB@Nw+biAP$Q&i z&$D_{h3Ozg>fB7bb4}iIs&Q|$SpOUrV0}^CUcFZAMlAVcIf0H@@O3%lJtF~MWn~NhH4k2@6`#Li?WPF`h zrl#wGGz+cjy3OPPc`WWdjr{C)q4=HGYrRx}-*xGcvSJk^-At&a*p9`{XGv|YRa(Q0 zKUn*Wtox>nO?E5i(HU8C)a9{d9&SjryBf=xa5b4&ODWshq^~L5J}@^Td}4k*(9b5k zSHqXzn4V^|BRMJON1etuDQ=@P=$U_4Z*A&;7& z(^`zq2b~Jk8=0m0e7e`OidF|YP#IzCHwv?jUWnGI2_DQ~DYm{a@jAc$4E@46!f86h zTi)PJhTdb;NHlw1-kA;SHn0~IbZCsiH|IeT31)SnQFZJhtMk@a8 zHh!5XW5Ndu0)ZIgR~q5}AY$=0U={vMf5doFpo7vAZfCFixsYFj?4av}GFHJ-U1>}kR1?{t1O zR>8&znjR}jzHNJ=m_;m5w7>@k+IbDnTA7~0Ep)n5+|dP9xf8rg}_Livi3Y(Bb;_AmGd`k82owUKqC1uPbHRay%0b zLgaGnYdH=f@I6oqF@l_lwM1Hr`G|ZQHE23_6$abiU9rraT@J0rmAnfk)52Y2H(Y2Y z2x)?uk2qhxaio%wJjE$M*Zx#@t zCG1MmD}(m%hiW$#pWMfWV&qYE!Oe%C?CrZz9^v~Qp?j6T^vv;nEOvc%U(}|hd9CYp z^-%(20kKERu#+v*3x$uZ)kls~+Dm&)hWj=I@tCuFr<;v@CW2tFKId)89BpvDYtxAC 
z+s-=qjTD5EdzPEs*sSIEnY}xb&uKXoIm6sFyXR|VwO?H#dtF^AwCrA?`&=brSwpXA z3$0y2mxs`$qKl^!6@(|t(6hX)>vpp3AA3FCi}x&cw>R33U0W^B5>A~UWPjg<#?>7_ z2bVyo*M<;MNayy8XrR!^K}?g8^ys zgUWDEp*xht8yC!a@4K?MtEa9FhXY1#>)aMT4D*qeK6mZK7Y$^(Z1WiRL<3?sG*RK! zXJDM1bYbKrukzL%b@|Da#;B}trOF!4y~*npm4gAY_+XKtxpj7rbFFtIS)PBN0uoqi za86wv-b3AxE&`*7Dz7!BJW)q_j@NYi-De@ZW<&DgZg<#o8x5R}khJ^oYoE{Bx94AH zhE{M6X%XOGAuh;>6|STUfFZ$^mc9YLi{sI3UWcQ_$=t}vW6|eL*Nzh!WD7#?2$$`O zuPKD)BDX%(B4gcd3LfxYy(p3tbD|$i#cdq+u{9(kw%*9z2@Q~MN;zaiJVa)cJs6yo z^-tMYO8-*EoM7kdLIFdc5qWfBjd(Cs?;EzjB=-Kwn&}Zo&weLA=ruMY_XZZYY6&CS zhv5ErU)sQF)KXO)FT?)a#My-YThUpGJnC&-+2PjrLRetGB;8+8`J7Hn>o`p+IE&O^ ziCtOK?YDl9;vDciI2z(Jo$VtT{z;gSp3@S#et(et@$Az@0uDj$8vnY|bAq=0_VTBCT6yb)ukXE($;8a!t3BBg=2xA6`csQ;;?^v1!4oNItWnAKOE>PRI&$~NQld%pk=Q`F`<%i z%%;P!Ge>gcGHdkpxLG+&52IlN5hE)ey=5?^wLcsWe(z9_7Sg;PESC}F2v$yii_m?R zZtXV2G|JAaiW8o>Q{A18fjd|+?YSS!#nwswoZA|hHUmv#0P7=QJJ{C0D@zbOe6!pVyd!vq? ztsGy8p!T!BNsX309cg#5o#LU2;mE|qbMTi*h$~Pqqm37>I^zXlvHT1Fyan(z#ht`? z8oJSkdxV`R2I{ucay_twcf*2e2n&B70oksTp9hwHF{Z}qR$Wo?EyP1uyrU>LZjif}SF~fe7_Xmp? z4W4>p#PwAdqLmrtaOriROTL|&cEm`g^|`>cq$~}1Un=W{sF8;A>q)cu7qgG*7)_xB zuxGd4Jca_4hV(i)gT5lNo&)&8r`zQHMrxsH49)f48eRT+bL!QY6bZJ^m7>qISsF18 z^^NxHEvlVMIhS}slW-@dv2!|g>#XwlKPrwc*X|2Ux_vXhn1-uAEqlU|3~?y+z{#Aw z;z`fE@Zcm1on@}E%Q3dRq&T#&jed_&L(eG_RUru1eCUpk9P{XxS5T54CZSf9VZ}F; zPe6F9@>O&7yR~lz=uiAU5C%){&M3nk+sTYh*!pecv^t6ToTg32@@&xW`nn-S0-?W_b*F63-{PGjoP)ieub_xaLNBQe9XvK4ND|}7{hP=D@Q_%i=-v0X} zg!20}-%bIjQ8l%`hE}NTZ3uq(Vp_!Yll4zsm)i0^@y-y?RRP)d1nzgG zo^fI2bSI4cG#;W#kr%cN8_OXaN*k45ImAUnT3n`nUBD0P*;pLb^K4hG>%A9F5>*VVaF^3TW7pj8yd1|H57-b`&DKnSdhUr zDall-0#sr`6h~ZkcoGgZ9r+eAKg&3=Tvw-`-Rv%a?^#Og@y1mDext?%6(+GFg1I_f)qUb|^Da|QCuhS5{4 z?vy;9VxehNODD96R^JX54p2!Z`y&b?+Tcl_Ygkd+$j)Tx?2>U!G6`>|*AuTB6!fm@ zGaxb8Qt8cJZxj&rQ+$~U%`=%OO3@cUxYt%)yc7c<-|y%Vc$(Cl)~Ywxw#lt43_96u z$!d`+9dW)+$zb(r?|SMXk`UPSwi0yvwYvZHr< zQ=sg;oTrQ#0b>1(AnYVEh? 
z!u4fv7{X`XuN&%DF?Vq86K+H^KYF1_b)zz8y5Vs4cuvq=x z&>okD&RI#DhZ?%Sdo^TeMxL1s!MuS|dQ!q*|Mf+v^;jA{7!DELc=_x5&F$?c19S5j zk_m*tL2H#ys}DkSVn3^UkKR{)z{tH@BRF`w{t|b7BCN=_ahi@yvBV|GB_fb@aJ)t* z2CTxdoD<+~NQW>P=zczdwGxzx-I<`L`9`Pqh#~pe6B=gs7BaFLo&gzeR9-y!uhgj3H zK|<_}Z$E>fxmu;a(6ulsnJV{X@4NQW3`z#bY>(p5zj&93k2rV?l+N!y(+V#qya2j` z_j2Hc*H%)Iz0It0Bz&%2hg$#o$7ASaK7{=z8wSbWj;k0yh3vLAa-c!90FaM*4y?>p!n1cCfmX@jLI zFUuzdj&u7eO9Mp6%RS={JONa)r0JWCz!l%YeY{G(%lm{YN$K1srJu9=EMx!>2?Z%s z_Q}4UJH-!-hR>n6`t+OXFSDI8gXeDpg4(e=8w-N;S`O>A4<)=?%C0C4*kE5XUsCN` zd7};4*mlE3mrFkvR@H9BtFpaEJwvAyH3$0T4Mm{7TI2~_-?x3%`U>vziI01ZShT-U zKB20qsuB8D#}K*x0!utZL{EA zKqKZ08RQ^Q*>-u5ipdumG*Ag7rtW8m&VB{9R5!M;<9VY3s>*%0Ce~L?a1Q>t=ou30 z9*)%BEZYi37Trot&%RXCg>I*-@Zk^3`45B!;XEsPo=NX^-8jOgo|ti^!zI3Q)~?

smGx$6STFBu(s!6qdDLl_jl)IB_-k{@m{Qgz+|-E7kfyZyL4U zBK%J*fb|6~*TGNfr4nti&YQLO4VRL!NqHCZY?CIrP4IGz+Y1Jf8|SoUXD7~(=po3! zWQu|5`)0+pF_@$O;?^+wdtaZG9DPmZFv}j@I@rvMMreO8t@2p}-c2L#=lLvV7B*tf zRv+l3W{ogUbo0#SekoPfBaJH@an^gIOG+NqiVi`aUKkHi*u+Jw7FsF%Xzb>ePsfw8 zQxh!F?^`tI&#>RW?UeKsv~#&=5@JW6+2&h$^+|o!2=b}q-v;McW67XuVY{A z_6dm|TPM$8)#2Mx>$LDp*%t#Lpu2Ihj+26mzFc|lsRkw@P%FYoS;wZ5=_XS|x*5Z3 z_y$Im6Qp8KwCtX`tjnK67h+IBK(^lxFDd5?J`i#q{)~S0feJE#Q+0dgHZ{8gkCi3= zk?QZqA*v8;8lQc4B8xsI2}$^O)@H?H7FrM30$>B~jbAGTHtn&kUcNdN|As1j*&$4O zf{lfJ*nQmIiD)_MF!@m^<^w*4>>kV*gYuXDa*bNAM)Dz>w-6DgL>ev@B6%_`muuv@ zus~T;2Qhv(Z?=U~tw1ia^Pg-I&sW}#O)&O;%Z!NJuOPP5d&h?Vx@$GB{ho-#c0cTi z?|&U~iqh*%QweQxTL_M|!RP3>Y%KIg;m{sCf>2BXs{S0OBQnB zOvs~HG5>DI|6HYK6@x`O?)a(bj0A+w^QtLaA8T_~T5Q82@Rpm5zCSHIyAn@&1W z^t}FrS*QPKgQR)-?##J*N`R+b3M_wy_zLK?(tzqYB^h&;)Pmr@9KPAu2Xd$@?GHQ& z^Y4l86BVl%y_F}0p|r-yZMb3v31CBvVZ;uu?iWd{MV?!So#9hbA3dZ=O5AWbFq)uDPIr8YVlOc?-fP5Xzs%I z7(_)fBT96)hI7z&eC~<272UEod8s%~EVvGMUN-?o)SLmE>xmb#$&yt}<>!G0%jp5a z9p_TKXP8;R{SomO^Y(@zG~V>&dahi~Jz||Rr_dGYrs5zDZ&f=7?Sz)?^@4`mZD&%S zd!F)n%@7W_wsfo+{e;%oUwxn$zum_{km|Ri^gN1c{>$H(sv>lHfshVcjg8>tx zrOOqAu8fKD3~UgaF>`w_1OHf4TGi@c=DQ>+|KuS&*M3Lor7l2FxKAU>q2xj2Bs z$uw#uQct?Y4Ck7^W^Q024YkEd470^atpK_2S?s#mzSd zUUC{vt5@CahP}sF32S9D&0sNP`Mx>bd2EoRygPeGJh4~m!t%5sx@>G}#GYcLtyure zzDMu-J~>DCa;m_0hn{k$5BMHgqoEnT`q6y08%x{thQZgz_EJq98x|XzqHnqJS(-5> zEyMO`4Zk8Xbm8OV;#vrz4!98V8QH+R!)B}ULA&lcBX)FjaCI)8#Ln`;3A?{+`T_)# zTK_GW6wpy))^h;#94Nbf6UHZ~RcS!fR6z@QR0=s@-M{+Mxjpw;Ur*-}sj$G~t{vpJ ze|72Sv|j$x=Xk~1+OT^@N*8pL;)O8x^iB(NMxi+S`@{6JLc+G@DtIiS*EEevnY}*UbyH*F^q2uEFimM@^deW-fwbJ z10&owigKuLAo|uuU(sEnNJ2dKvqI3UnJ}S=G=uYwPZsp9g?2IZna+|KhKxSK@~NEK ztd4{NCb_KFc6#oah*mj6@#L9Hw0Z<+>CU`&_|%9?$H#rnZ_)uY3iWifu9^-gGOTN2 zk_g*JoK^l>wO5FqPkIx_U-@3dVJ&Z})N|9(3I2(cOJZ>9CnRR znqwgkmRUR^%7ly3ibs50s|!E>Ypgs>MCmoeEcBv)#0hjtRxJ6ZHb;Sxg}En1NjhVW zSLvUi_U&JpdMr=$BHn$-jexfHtovP_JTv8`{?#4^Y~z@i4soY-!(&sURaeG0+7+Nz z_m^$SmTsu*mRh*Ap`%wBMcD<7W*vA@W=_42k4LRrQYD{9DxO;VmWSn2K 
zPD@VW;|c%E$BdJ)-YhmFtJvb}KZh)*zCT|P^?mjw#vWk zr6X)WGfUe6F@RUit|j)4b3jwM2LN;wsX&14CySC+yM-1a6ny3m0wXW~lN0CD7izdR zi)~~NQQ7)MpKyR9D;|oOWbh8m$ir;d!XFw6V*EEbh#SG?Qg?o~ovnV|hYbX3Ffsq_ zDnH1Bw35@KqR@4i@m*kk0&P0Gc_t0=6p&3xkX7j3pD+3vRX`4a4k61k)>WEJT%pI( zb;0^}jWV{rK=bn@fJ-G|ZC&PJXJ9}&D0c4^K`zoH^l`LEC9kH2qeIS}_}5VZ3yYJJ zQ<6Lvv(i0AoFCc1`*eJHS2W)nI@hS4Q5K$raz&o*6oShmMDy2U!r$bDpVPTX+Kh>} z$q2U_GzCck6=oq((%_+YFVL`t7D;y*0O0ok-EPJ|CIH2!H9WmHGTdS^G9pDh&nOuf z5c8f#zN8CABjH^-o3)pfk%5nkj~|DI1CV``hl;eW(1rOj>Oe~g89B^YAG4pk)1UYq zSArPzkd^~Ngdayyh*c)a<9Pzbo(sO=%=bp-fBJ+20Gu_CsoOxkQrV4-L@O_D$ncGX ze^OCGL=K^mQy%h2KEgjKDMdR&hiGkWZ6A8i{X_~=D}F%cs~H(pJ^8c}9zyyUV(ED( z@Q`oco^XUC%bkB{q;R>G^c{;okJ8^nPF%wTlMN@dg0^L#q{|ZHkWREp)?<)GG%IZH z8C$~=Y~3~uh5+)|*jRB^2;?j~w$1V0YnZ`04o=4r&_odLpQiOEo+@U+#z8EBRWRV$cIf)2!a=UbbAjz`A05bk*$ZS_` z)J_gG1kMoDz1=RWa#(&(P>P`sku0!`eb*BO1i!IYA~C4AA}GWRKM+DbW4XJ#Z~KPJ zSgMssFzY?xko0PAYSOcX3J7BdVj@zD2;gIUfONidY`r-k?ij%7R*xbRDpc-QS66?Q z92EPh{go%VVrYx1=|PeqXf_;vrLd4bf`}^^r}ZHBtl2FZLYXhFpzE`WGK-uEt}iAx zXD9s1i!OAQgCNrni;=k4Hu`I#ZLI1_xP|EYuGKBTH(^stlGGyp|UB z!t?d*f?|nveoLXLarxLAf8j~6#q(AGSw@sGmVzoRbVwk9kU9&)9xHT1Mv@!L`q=_w zKp)X*Z+Mu~d2EuCp`$Y_?(ei&jmsugof50VAp z(EOkv6hUD$bqx7H2;1QP6%;mar_HeL(VE$aOk?TWjPJ`}Wot29_56Oelh1A#XU*2{8P(`zNIgEr=XE(~QagEk(%f;Q5R^(jYh%4-GGck43JGGK{?IpA5j_!0#zSz5OLZkS4iCre=I2rSYewwuIIE0kHKNc-evTmFWaSB)wV0p=z`g4-x9jY z1CN~l61WLAYDNXrqxE1wB8@o^N=rj&4dAv0&d(SxD49zWKJ>$4| zp?H0kKv-)@-W!_Uj3^no5hH%_U`LCsX3GL{=l+T{0z-!&FscYVYfES`Fnk)x!|)H! z>W-xb%r+n2vLO-{-jb=A*&2LDuNTd@k7w929`}iT-nKZ5e=IAEQ9z*Dysz+F-7gHBG&K$RwxoQfMpc>}pfkkRroA zvEe1b-8A7Q&UOmPp0ceLz}-ZnCp_6$c?Z1ly!3HH2_XZTkPEiLbnoMkRqK(lr$)@* zhWjR+UXhc@uKef}rU#}Rjy!l?9k}_D|MEO)4IBGHZu^i}8rg>5dtSj7`d^&HBZHa?y>+CbY?#>z>T^3 zKjgh-Se0AXHcT#R(VYU)-QC?KC0!DVNQWTZB`w_u0urKxbfZ!tCEXz14SsX&z3=

qE^qX(tkd z?J9R9SpPL~u=&20y5AYA(5gbp-;zH%+SRfGY-xXi8SQ#n#>4^ds&4qmA+$sYrA7~& zr`n;DE?&tCiW0+8K{jH=C>l0H*%=Us2`f-lI}nJ${KYvsR;bLwHSP+3|3_oH<;>=o z#qZ$q=A!rSF<1NIPE>8CUy)s^QjSinmdjK25he$bTBAr62x&cb3c?g-V&V#mBNm;E z3@jqs2<9Om*pNLalXJ+xeUj#P>et(0rX8!Nr$At{v!r#(wYhnA-K3Bh{+vVwYAH+p zIi8t2G=ANAABJW>Oa2zSz|enK_%El=a%K;WWYs4?1`2Dqp~<TslLc`rUy#glJjOtrV7gL&nvhbB z0l%k#Ac8Vl16!NB10GRr#e_;4w~UP~y!InWUvBF(tCrytnRh=U(cNg&(sa%?&(V2R zPM>MbbX(Qv5fpyajrKD@OjkXvNg>m6tS_8SiYPy3SzEK~w&IYlFDbhal9uP#`~o~? zFlG=Iq{5}*4s{Yc_4SZ*zMwu!4W1LbaQto=K`G)P;bd?+Ff1Tb``C2iHkRQ+OhV+C zZ>;FF9?PPdDTu!rwMpE}hy?7N13@kD50On<2%g}D6D+d-0F=KlJ=Bdx&g4@&Z8v;B zmRR%727Hh@d0s?BUBl^3)2B*=aD>-G2U7AGls?E1-4s3AS+=$VEn?YN2&H2hkC5vi z*DnHH!}0`U3;o572Hly&B8ShR zA!k@URHvX1x7hDb^x**Db^>U|-@xrZco$}Dg>!eq%H#MPZb5{bt63gDsL28GZZ1eA zhO)`lfF2Sd@?eT)BpWfOh%8NoRjtX^W@lvR=T&CV;Ke(H2-%=+qo^))%CFJB21aEp z0!2KfI87pyrwsUNa~d*LHn2e?S7d^4dnWEs_-(G;B;d%(|EnXbLRY?q4b)h6L-_dl z-w~3gf%^n&ty`zk{2I<1E_d18`NP z0Jl#$-?X;Aew>LL)~S}oCtax*9D$wM@G(gt2>5Rlg4>M=bqO}Q+sZ46HK)#T;`hgr zqTl0Pg_R6^fs~hHXxVaKa4^4{)=Dx*rDr6c(3@alu9GS*Ew98O^h{*bc0lC%MM!cy zSVR0cfj5?w2V|rBVG0LvknSZ{{|oje65)lA$U34lxvVNgZX$ze48wZIpMlO_gxRVIfu_*7mFh2`7sfX54d8Z#LwCwN0P?UkExOZmr- z33pS8bk~UrTDVZe%{iT?9dRmzM5eXP3=yoANslAG&tR}}EBU>6DO1#ggRGoHEvEv- zqw7>f{UhT3WFs&l@P~U7;{w$7aVrYzvG`;JOIjW@biBOy4GS+>t*oqCWQ3BGb;YTEB`~+_tuHf1d^0F1U>sr8cFzP8KjdYF-Gj)cfMQ4C|_0gHJ}1=(#Kr* z9^eN-z&I2};&ox%^1pB`^+sZuYjo)1)vy;1IjiTuslU6Y$5K>)N$jKd5iJ6ZFN{cC z#}0Nbc#WTsrZ`S@gJM)xm<{+T%|U zjk$5FlJXdRZi1}GlTbg!=vYh71VPpXmwI88`{HL3?X+srmLG5#`iCkqz)u1S|5t3j zM~Bi<`LZ68laDSVo0~un%W%{Ao>JG}H6#lOJ~+7JRe^q3%tI&G`pn9yOPIOL^nrS0 zX)AY@6+PeWjjdKg`Z!^MP{U?l@(1(Pr6X;t$lzPpA9Tt%wDb_Pq$PT!|AkPZZOTNp zBZNfgy!s}1c~)g2WQ2Wz&>(c8%+}O6EvgoQ`6Nwc>+I#$sR$ESXLg0+lMG~mRw`$q zgyc8a$9bNvf}8aAQn{*G2q6gL6X*%8<>%gC|uzqC=8=bAtYAi=840`{WtU~2m z!e$lCQ+Cd9_EM6rROjc9Y9Ry6az5Hl)gMwjP2wHFvAzlH50Co+SNcbA{)3Ftb~z8t zBjS>X^#HDBCNXAggM-lBo{gQJgt9u*JQFjlqI+d&VSw}!jsjr*izk6^A&FsJA$0&y~K9-9K+>t>t~V#W~uRy@oa7A 
zaL5o+NMyQQ=*|FDzITN2(?7`dfAY^Cueh8-0*7pPUTql#g?2)Jk#F)k^LfWnyPzj=`g z6o@02Fkt~4zku~QEVRX)gcOWs1>%K>HASW=!Cag9|DYWs%cg1nng#fig24WnDH|_j z>jvC8Syo-$U-HI`jFO9l9!*IOe2&}~5+(u_sCEJ!nhbarX}p$DDcB=`j3CGfkZB0> zFFw357YZzJQBF#VCieim$@e#PN{T=_7$YTl3F1wbH`*OT1)4bAF}nK5iX>CJ*cg;5 z?vQY*JiPAFSR4D!re^443n<-a9vpo*QzI*ky!?-fgtl)i1zOi8<8~8?Lw;Thyo8)5;()M9mOd~(7_5qv?4&uu*-yn<6p`7@3qt)r91`= zSmVS*DNXQY-jbK9zzhGmSa%ChEdEc4?L+<0b)O2AKUWrEnNcc=<~BBjDhN+@6jf0U z1vsi2@83M;e^Ot$mozq0Ri?*XmNwnN9TNuT;%rr5oUul!=q<4{xMpMy9upKw)Q*|C zppO1;Kjrl_HE#?E=l3BMdhCOwxk^r-unhc3=J{F<>?O1R?N0?G>ef5jyOqW<)9KoV z&fiB6sDRecvDNjGmOi{@1+&~u1uDIavGXO-3>9ssx7H1hL;*N8w8-YEJ97#N9|C0$ z7qDhv>32{N|F@r(-(@#HL(P&+4153!2zXWdeQ2#Fo zAB8IH^*UaR`)eXh&mmaL27k~g2jehvD{Mm7*fWAzTUxf&%e5eiII!XAeanl8g-aJSDF9G7T8QIsG39_a9VK zk{f99bzh6pju!)-R7kxE`$HKoR4Gb2n9dt52*4|lQEGwGeC02iYpQPgDwzNIPnU+5Vy zpNMM@lOh9%0qq2@zvC#(1w-KhfZ<%bztS=YpE{R}9m~tg26#^`bYCNq8 ze!;T`9vgg{g}bF>BDmBX*9{I26%BkMO{Y+y2#mvg2I2IN^(BDe#D@yPJU~{83~qV! zH|7BYI65t>Q991<bRX2gn>HF6lmxhW-47Z0P60-N&GI>I-1o|KX1{Kv6O+u_0n!$|7?NPK_(RruBbZV^SsA2QRz--}Tg4&X6y z+b0n#?pQiXo>DA`-uk+`f3lpp6k{8{73NTB>N_|BR5VU486W&!uyDRKh^A2W-?=xCf73c^24Q?*#cgYd^hannpq1ka1A5wHGH@p1(sCxfdq|mvd&}HJz>`jZhyF#Gj8vfPlv2iw37OQA#2K_813waI>4)(R ziYU}4In4pCg_v1bIlWc*&(rxW37p#P`E27K@N?<*!bhy!*J@z5+PRWYI*=S`dyXu} z_4zls3GHf$H4zrOi;&EnxHk{I-FQ{g6!5XD1ehh`e^gZ9q?fYy@8zF9Ex(58-a|t} z_D`S6xVrN6#gabMw9qE|k{gchD0Yd2m9tP{7R2Gi*5!%F@^7(PjIsUW;3=-<|jT;9Qr64s0lOS=2ehqrlOJw?zCrli5)Xn|PNR!d7x}u@Y`G^z~ zOm$l|eL9g(-6YD74QNJ|q?8>9RlcfPk|`Xc!$?oq-{a#i85YKIaAxNG3@-v|mpiP5 z<~`N+glGiNrb+^^Re53(Gt>8{EI?N7DtT-TLbKr9m->&e-9`FIB=b3YuZAN%DE<*+ z3s3s(gWq8vpCI1_yp3!)d9IZoV%CDYRD-w@FwagYkahjr1B<*;fV*O{+nx{M{HY;J zMPg2JMcYr#8Bs@l!##8;1AgqvC!F2_eT-3N&$FApUB@j#14)rqT%gBP!Qo_PeGkX0 zL;iV%p71DCtcbE?!H|qIM*SgFPFe^Cu6X|jR|gtyiWi6r4sf115G!jKeSRTkp^}#O8j1^w4H}G)ei#tI zA|tCgU}iM@nOXG?J(sr@b;*7h+p>M+Fo? 
z0577_^C5ZIK)j`+M~sl}qbKOh}+Z4`)@ z_JL(BQ@zHJApImRkjbq~uq%Js;+;FS;1p_(8FsHxkP1Dy4+CZ8I?>i3GFN9fk1DoI#^VLo*jMF z53;I2>jiAt>-Bjwp6*2o3Hoy;jv@Kf5_Cv1<&z1B$FiK=K=`{C%qTDGBCn=6bW z65;*51N~7I>CczQglQ~mMCmAV{#;`|qzI)_8_O;ytAS~4wX}uFH>R6I`Os}=%-`k>U5+KC0!>O(`^fo1R~`a)I7gTK!xJh+^~a8CGC&Z&Y)uHcnk`@uKoC!IZj8j-vt z%K?!6a8z3Y3TQq)NT7dK$sim(z#ikt2KvjMHY!Tfy?M&l(d2Q$q`%`uIef^tBTsxl zI7<|beWU@I%H`&-<(x5ug=1boYzT4;iVZBSH*Pga`rb87LuA;3BLxLqV_!~Jd|l#N zmo+fOTJvU@LU){G(bfN%@Qet9220n7Vn7cWc`9@+ofQdL-qi5>FX(7RDoJ24fMi4_0>NhypAbA{ zsi5(>Cr=fti7`Wa@@uXO+y&oFJ)XNAtUNO0d zVH`8n>44X^LM6%ZWYn=5jrZVt4XUf*-Tzc3-{Q{JM5o;kH-)AzgDUQeZj>S?EYp^o z4U?|u#@vao#Hi^ZdD;#$33wrI8}G}ZuDBsx^NA7Yl@AZ(ucIo9fuzW%`6SyHh8>~!G|(GNWlYf915 zGogc&*yA7JL^Tl9DWzN~oYxJP`dm7SwU2p!h{&iwjqoo5#DIFi8`DGjVQ9WxY$Cpb zUGY0ZY?Xwf72DxY)6LZn=q5dS#}xal#(=0u z?s3?d7~-ygC{*E1Wc4&lg8AEs5~0%mV^uW$)Xn@B_e(VB3N5H8++JgmpaE=DN6IGIOa{i;|LCyGyvcg~`VKij@{l)M=c%s;899Cg^L18@(8*?_`y53c3MkBZS=7nF zx)L;)hiF?JV!U}9_rw?#mv~X%I3(n^ZTN||DJM~~{ykE%{@pmn18t`r(z_w(Jy6q5ennjCK$(0=b0Cb+>0?hst`3juRyV312B(#-p*5UicgI6r#I zF2{RxVQ@$?d8xRO2J!XG3aM z(nk5kFz9>}G2`09x3A<@E|k`o`S}UIeEBki(t#U6H~RDEJO5$F=g;*dMGq5_13BHi zaIXx^Uxj_+Y&S`cnRYKj{Kv2H*k z<0D+*irMRiYyKu7tg(o|opr>R@2EvX5aVH%O6IR2@KxI}SNmTv^m=WXD%gY?9u-s4 zZ|Ic;YnvL^N~_IJAWtL<&#|DnK#&1V#RQMY@8FB*RfA0Vj}IvM}gKj-Z) zj-J~X|7c?l?}1HtQ02v{{0IkPM(^HVY}UcroJgj}4*4iSuObWwK7Vx_EqkGsaHv_L zqwExe%hr=aVWe?VQvjXi8%u(z#s1M`d!A{HFj{Cv2W-?2w0JPUIpvHitE&^g%|5#` zAX^1_FaL=R0OC+RSS)Uy>QYkOo=XgViYC9Wc`nGJNtm<-z8M zcLGQ~vf?h05v#8PHa|rL7D45uz%WzrV;!BO&-2*WSE$}pE$F1qHPH&4a`(@t?00vw z;S>!J)VS@q821~E7PWsNwRvnGK2amvwoam^nv07$=%VLVPhZe}-AJWJ9YQKOGjcW{ zweo_pS46mu8910<>HGKUgwK2il%>{`mC7GKejEZ}lBjql?6o+x)kFTtuJ%Tb+*Vz! zr!bbzro=gbQuu&Yfe;HOUrO`$yaL@5?orDb&@K|jhsivDNX4NHg6eyiWtFCJ?<4%f z>f<;3bK*e~G#(B>Z7@B?h}@(169x*AjPi{DY#wEQ2S}!V^d+xEAA=^Vve2%8VFin& zV8;9lH>BBzBaA_ZI5^muS(%w!uddxa0;8kRP27g~NhJOKs^P@!e*U~MClof`qg}a(5w*Ni-QM@n;Ri&_^rNWvVg6enBTjXl({atghGc?cb^fM? 
z{H+f|!`CG2@A+Wi{=8jF?;_y)_le2sM>HIRVh2uaJogmI3Ytd_T7WWGj$<%ZarH3+7>sCXI+A0cYI|9q41?abj|n6a zPDuBjP!fEUIXruY9F7C zm?R~Mu=4!f^V#}$i|t2!f;yS{uJ1&vRCJ1ePf4(tw zWUoD7JG@u!m_&$F*%sUiG9C-`w&agp3IS>KODQak%7tb(D=OxatPg-8d>V9D4e&=2 zoiy-ZI;G$@I53qBrZb0+uGwB385~_8$_srz9txy<%b?NMg7Ki+i-Ya-pVu=1gC_Ig zW+2^CY9JFfYy9-IVYOswPX~GbKa1e68tKC~uq^tSEsPNpa#07#u}y?0Z#?Qf5X||S zW&}RMhs#;)dsF)cp3nS<9t6)v+dZGB4J;_j>iQh$q!hmKY6u~?urlNVu(yBCy2)9; zg|8J`J|Ad*^vou$>DG4n()jB(wQ+C7oSNHdFaZ&?R`9gt$bf^Rdgeh&dY16tM)Ix5 zD9P2hY2h7afx)!)#JEc!rws&Pz-lx_SdFF)9{q>L(%mB%xtF1=u|RNseB5CYdP>bA z==cJzM*#nEQIHS5$!7dG%3@nyy^U4IdNWbX@YqxWqEF!8svGfr~KpI?k~t4_4b7gJ!^A)kqiU z(;J(n5|)p^y^gwSxv-W-tm~jO$4TLta?N{14fa9?TDRgkiB=1ES|xS z;RTZS!`Gcj`NiI<$x?y}TMHlaRRCyMj(|gYL8An#d^Z^>7}h9(3tuT%d#j$s<#TMK zC*=M6?xNQ3%Jr+|nEB{{2%+B~ygA?NUVmfG zp}7GEJiiXfOnlSP-wU?>=V?l4Y+Ftd>W+M&f*74rX|9YQjsktwwP? z17*RGRgC~*Ry<<=OyILeK>@CWtmnV%x8XcR0{1Yb9HCsVpj-iBTrQC+SP~vo@^P@1 z4I7LBD9MpHfc^**w+h~9E@=8vr^ldN7k&*c>#4E-PKz2O?f7u{T`_eVCkwaV>37A( z^OAwFJ6*_iW!&!)VI z70!cLxl}Z5X968d9&90^2awvcvwK1rC0l%pMk1WIIp-L;ddf?Og!wf_q&DzP&C zr{udhZs?#ZK18Va;3oj0*xg$c*E7)VDj>>q>yiETH94?|Qb`kOUksaz;p`v_V3&79 z9WiLA7L#YTb+dE(`9o?bP~@J3?VNScO1{l7h1)g?@**?QBTZU`sWZZ>LB+TqZPcS^ z_%2=w`GT&V#^-_^@HtzCA3g?IIsR)FfDsRs9xOck7#R4G^U<$O=Unh>UX2&kGB%EJ zS?%-S+-*M@79AKK?gN!kLUMA5c9Ft6yl${5#2LhY5jas0)Fs;&y);ywW-ou0Ot<=a zRYyZtEaRtHqy{i^x3S^FDNh|%g7OUMi1lbL^Tq75Y4*VJNHWp9HaSs?&ot>FH0g&4 z5rJhr)NMVBmPftak_hi9)h{FNILg6oGjXf)%cp-|-?M>!Z&-Fo!YC61f5Vc?h+}b{bQF!NS4TZ$=>gVK?2ohaGt=b24Can932b&C%5x~T#j8bi z8t5cGBX){fUR79{uFg}%y6Mji1*1h*j}XHZfPoa8 z3dZFJ62dyI0sH-*TrV&?CL*aY#nsBH@MV2^OSGUuoWeti%O%9YJW2C;Dl0I(YzXQ; za2G`Jz2EieuWf|7vOzAe8|2KSmOo_3wtFyx_h{1ig=J?j^5tPS_QY4rTp<3yDU$`2 z!dlb6U~Cw+y+PKwN!Z<1uzp-DZbY*s9yDq5M92vR$?AS!)U2(PaxqwT1#SW$K`Y$= z;AS5`_h&uJk{@nrnjIho-oL%U4g;$-K@rBVx?OxvD+Ky)M~$J`|P^ zm~cXeH<}IT*-)b59bnS5Z@RE4I+_`SlEFDNG<|0sIxW5LHHCB9%s2c{AMZ&YD% z-RolJ=JNuI5q#n2=xH+B1@EP=wLzv8m%h~Z9J<1R=_J&$D1#5MO#~34oj_^0oBRD3 
zK(EmlmLJ>jJfdAcuQGKujQ>a(+)B@WbVz<`hbBxTE=~z_jJnV4JqxYA6X?(t9Aj{Q zJ;Wm`5?m&s$xhFD&fEsTATcGS*gs%r^8FuROw;AI4>o>*$wLEoMKCK7NEg@f2*$qM z|21?)(>Uknv!dQ|KeQ?|r@QB-=)#Q#$_VTjj(cGaGSO!pCm>>Cb^i|)VBLC^gYQ$0 zR>cs7!!?3k4x>w92_){hr@MQ70X`*;tE`$D+uM?%e(bsi@4Yt|G!iSeym*mZAjEJr zqzJGyK~O8tZZBvQenIQ$hs!bL@L8^p>KNy)I*0;Gz2>^MGXN`f37b5@l$M5Q(1j*^ zDq|3aM@KMPkSa=Hd3UK@AZCAHy~flz!PKuHl(ZnK#+P!y0;Wkufnl6ETd;RO4Go~i4ptgN6-fon z=PzJ~&!2)?@Hch6`ES$COQk|TJm)s!t#A-!k9FA^%TPh1ulk}r$COfN-nPH954)zp zU$pOaX0S2u?^go>g0HBuF+&&tjk6E6+yNAN>$|6?hsEMMm0O2{_QKltSW?6yBH;Az zp?)9EVjTWlUrG$x z>IkiIM&SCX$CnE1rL%SdvzG#4Z8)&k_H5uDBYds=U`bIBee&?#J;b%sE*n9VH-sGM=GbL?v3YcP>^2j6;&_ z<*;vO4b}g6Q1JFhHrxIR68GL?+u%I(iDB9qn|o1L&B~HN&-X<`u~@>AgB{~G>CE9s zH02C(lD)9;v+a_&n1S?$fB`n@TSiRSMhx2rYajenTY#^afG_$I zxql!;F}f4sl?L$4zwRsX16Ul}m{K18B&BBWJli-oQ15u79_Ssnwc*m?D4u`^b6wKo zS2my}Ru`@N%~=JiXbh_SM*o0PQ0!;C!1~<1yBU^W@~q56$W{>U3}}| zc{x=mkCO!SuikFa z_IGnPfI7R)QoP{547Ji6&Y^y>@ZEERiBBLO`+KC|RCJfDZdgR$D^N)K!j&3fFYE4D z0$7wc?tgs7zG+BjG1+s_CAKbEps8|E5g;I;DCLsd*I?&qx%kdYPg{8k>n*?{N)s)v0`js5&A|jUL^~QjE6GX2i0$hc1SGIs(~i> zle%P<%){`Ggj~kZ8UkBIHeGfInASjEU*?Cvmhq(hHJooIoGfk4so0b!Ue-4Jk?lus zEuT#vDSaO2;~q5r0kCD8jxO{N&329B)pQ)#&~={@{>ZB46I|hkuYz_#yR{vrn@#mW zs2ezWGx8p3dze*w^nE?>Q#(OTG;{h^=Dddu)*bIWsRjD z|Eq-WCV7VEr}QZMT7NG(MY6kzDf&4=C*QY_d71zCO^^O5Zbj-z6SBZsetyTA$dILc zMsN78BVs;Wxa08hLytU6u`0y%4TNcQeHw%6{Nj($-X}yh7dV6j706fe`jsq$3VOfD z*2>(xYe`n6o+!hsRKzlUO6g)+>_sNT1)Jjz9o%^6Ab>c8V8x z6@@+TMmbhFJu+)J04|2ppNCrGZys<}`6I~Ok87wk zwP)#$v4>%Kxbk;bHirLnb%7%W4JBnqfH;IN@5o=h;Ww}I9{XLuM$PQR6c9Jb33AL{ zshSU#OdOEUrIHXFLE16V-MMVD#`9RQvaa>phb=J(Vc(gOEKt3FVr%He&J{z5 z)f?SKi=v{6$s}N`?Fd>xK7_8vb(Y+3XlHf!c8O%J$3XLK;pVx}Inbnd9*h5gzb(PS z!N%>)nvG#Vz*lHmXu0oao~p+)h)3Q~hg;DA<5_BHe&7bPkb_Fv37%}c?x`UTcx5G& zsbT~#^1x{vld`&RXM!txkflh3>^G=`>OkN?TJ&KI92tSz*$MQ#kd@aa++gq`Out+Z zRYj4^#|9fW4&ik|vw$AtjNnIMR^N0}8bRhV#JK>Qi{Oxtgys=#t{k8ApErvb>k+y$ zJgn41cMU7yz=|MD#d_#EfwHiPH6`|-%BO81(y@q2pn?z!+>iHVtraiuwb)NKA%s8Y 
zBur1vz(LF>aIec%7B59JQk3&f(Ug^_ab);U3uSP6Q6sgbYF9t+ZyO01n|z<(Pn+)@ zzJFf1^SRbK1ho*A2_B;$f{Gdqjm~n6@k!FJlYll~e7fR!QMZFZy6h7%F@r#8o za|d1v)vasQ0|@)3Q4Vw8(qwEn*yWv^AnsQciPgD~%3=AZo|Az$`@__b%_{mgA8m0$ zRBiSzLbxJ3c^eX>p}9?*e5?>|p*F#=v#i>xOSJ5#GrzPL(f22id^p?#KL1o*j>Fv+ zHsqosm+gKl%-7dDsq~^s(Pj0u(9ar7LiPyl7fh=Z90Pdm-ROBbK5DN`!|9n>DU%|k zp;%uwk`$m;3Hr9p^Wh&h#JxR!^V@$KzxXNK`S=lE!}74Uu<7>8nV5vJ(WW~|K201X@X zg2=<0WWh8S>8B^c^N4g{bQ5{K5Z&kTV=cRCN6DWBz0reWb6KL8taU1htvr-hO;@AE zPZJ;IFPmkT@i{29E|t8AdAprtNz$`~mw_@)4YhI}@zl=>9QoMsPT+p+d`^ja=1l~# zYsJ+#o&-9Tl@iZ{Yw70<{1D%Bm4Py-6;5H2@6G@kcR~^Rd;>d?GknHQVTp0Y0{X54 zLj5E>g#2LG)dLCVpxD=tx1?eeesSWc16i1R)Hn`_&{+?Os|)id7ikamyvIWWO<*h4 z#|}4V9}o6NDkX#3*NM&>2MA*nRuX->eJ`7^e431k?T$5|pLMRWsue^i+45!4_Iywq z53aTy2D0AJ&?&<#8JLeW&!#9&%{-foL4f37iI~#pKUuf@wY{z+e&EI` zDT*=hG=fAcdiVTbpK^ZvNwt*Dd536V2X(l=^Ea-@f(MRCC~Aq)P^ucVd9|Rw`$_Z1 z2UgF&KO7}xr8p>_N<*iEX!hOGXj(ari)HkY2+a#*l-HC#<@d}Uk`7tsgQnR|TkfnR zE$^*IL~#pR{VcnnFcJ$Pp-38{k0a@!em{tGe`|7uB_Vmmm|l4;AJrjviDb?;fIAi!BB%x(%3nJiAs_$hKFMtmSw$x)hyLjfC zeXpL3VtLk@{PI%xmE9Cg>ncgRG|KyUUW3qjYT~PHD4Xh!{2v#7rZldq`~z#p#9KAo zj1PXKJ#og0scck%9}_1In=x5ix3gN`ej@anBB;ulKTTUC%J)Y?I|~Z3!?!DfguO6n zXw?j3;_9^ItH(Am_XauA(7P8SbKKSt?nc?OwtgEN*+sIZ3J6%aN4deiv#k2d-wOLJ zKAI(H&DU}?KPOz3L@;0!5C0XipHMRuG)4G$fmpY?H|+@=IEG;8szR>s|q$aXQkTrQE&ze$Fa=Nl-fx=}Ay0_h2?f36-Si?-Y zsmR;CSM6_qZLd-J`@{E)zDvU*cl$Ijptep85lQKIHBuUaVuZUCFg=9Y-#+xvTRDUvJ{pK9e@VRZj2=3_DMNxvf)dyXlzGz~U zy*kn>=&*ZyLRHCmMXtf;NcfRhB@8;$7#eLqMaTnt^QE6#}KfxhJWFeq0#B|2|moHBGJ4& zoJ^$b2k#X{cBOYDf{5dwS-2kZT)gG_cBLB!Mp#9iwg@|UPcey#pq0ZUi-i%9KBwkp zHW|dq5~o{gPS0lwn84?3@12*((XA}vs13YR9C9BrqDn94r!UE|8gehHkjvGiiW>;0 zP z#JoKT&Lv-4lflBV`idrgK=EBkgHyW03N!C*m&Gb28LCZwJ3f>29phEZulb|Tz%@)n z4L*TDu1N88$_B3S=%6Z;#J=SW*@(^G+KVwE2rhgM9CSNC(UWOMwHthhmxdu^S7`uSrKRmSDHC-jA%h=emPXa$+kluJsO zay&Wp*+&8)MmA3tVoHRY(!>31*o}j9t|0*jDmFP@k)e>U-^`+lcPrt&4yA(V1Gb`% zBNHa)^?>)xP=cU%c1FYtptq-N{WI*@b0)16L5eo)y}V{5J3gFv=SaZs7(sb_hYn*G zk6qfk3sZ=tuQne4s)Q?vpVqymIG?Hv>Kvm}q6+K6K$CVbOuuDQP&9d1HgpBf7NR!d 
zdBYFB#a$=4=u6x7$dTpp3*<#(zRzRdhz+pr5qXkDH=l0p$)k$Pe#^o*+`fm-;oj${ zvN4OMj0qz4VrkCARp}xYRQYijJTOP*#Eh$kmZOBGI`YY!i%4T2#zfh zVdV)e{d3R!E>u4Q6bdJJnbsiH?!XMozy_(ts9e^oxQ;$D>gg=aSBX^j-|i=}e3(LV zH8-WAP^I>Q)dXOlcoPYDTe~8ktY#=l<3-I3k)x1d*sCXT=_$p1EiT+7RQS`9a!=}P z(3SGxLP+RvwD&nOGc%<)^}vKsffnlRp2}Ng5aSG%^jm4tP`pScSz>KS-r6NL)5p>HPRY zRQ;_%WGA?E)NZlUj`2RyT=9NaCsJCZ*HBX}D5wBDIiyeGvnwHRkdm49SozZY3x4>Z zg$^A|sm_u8uL}$os+3yKAbx}$9^a*mxR$<6+g~`EU>EU3b{5qa&3+j`=GG; zjD;c*DV)3`S!1ykl_Ziz#k8g3Xso2P!Qo+$##tPP3wya>8I;S6wkb`#c5ddhlqZU$ zC5)hgnxW|B0qTb`*Q#gWjiwy-29#9|tmnuSFCn z$YO>SU>9Mwz0{B+U+ae1n%0%Y0d{{Rh-%#>mfXj~a~(^aQ+435&@NpxS|hC8awPWM zs%uoA^=cPtw31YuN5QYGxmfSL(k0hkSY^5Z#Ql#yXH|mJU=P$%_zwst-XWle-Y~9Y zkkaS3d!;Oxg^u3c+}AeOs@~x4$1H&7)sC+Fss`@>OF|!Cnn7D(e%pNOg!~{f_6U)v z|I~3xqx5Y+8IOfsj9}*O0tqRS3I3NklDWEP;;%u5*PKnPI!VL;*M~3t;G~#Be1n82 z*mL-fbd7C@NaB6Zq)4E@=>uFilLv@$r^{(liV!S8#5_HCB-U8$4VrL_0;Xh4q4G`X zsFxTxJ1B!_n?DQ&9)s8{{XBL$L=ACpPiZEGa1Xra+R0;HN(X`BtS0!T9-x5g`hG(Q zcvjv9&;$Fcij7>%(vQIcCR&*tBg~h|%LZN=nvB%qS`k$hTNqx>14_@H@r{ftQkv`?bE|B~GBkHq99jJ>OJWWS z&UR_%!(>kyHNt?Z=La|;$RoQHF;DN5=ZGHxv`&n!+g5{Th8Z&DsTsv9@Nj20j{#GlDZIy{3#>{3qr`E_swDhqKz_or$4g^5cM5bEk&ub4*K>^wKGlAq|i<3}E7 z-jR>s-;@U((H!sbhmfrO&@aygevz7Vd=BV<&)Jh!UStZrKxt?^%Vw7+uw}vYoi`JN z+k0b!pNvIY-v!+Tw;QJ*{%BCythf#s`7*BBfwgbr198pj?r)3Qj21fvW?(h{_13%x?ZT*Y7!TRwr4oo;28HvQq9NXTZys z-ubtkI#U%tBozTxZ60Kq;2?G??UVqP~)C?h|K@<{3>GH~A3w@DWR)Q~UqlnIm|-s|c=4QoZOo-HmH@1tyGK66n& zey9{>6J)44Ll0hYF)pbuueM-~nPWhaF>RgWsMEn@Cgfw;&N|iCqML^9@E_{FM|#Qv zrL7ZAp5ARLVVr&PrZKY$_bBiSmW9`VyE8SJ7-dL9#|G4$C*OV`yu2Q-!K^3&V zC3iq?{L-z;VzwG!towv*foa!WI=4U zp4w}6ERU@cEi0YDq3j>Ziobrzqc%xYa{3@-eKQN4cLF7xY;>K18vHNVTe%yVv5CV# zL)5fvb8mBm%tzD<-7ow!i7c2J!ou)d%dg_3(?vY5+uw{1n^#LJiSPnO5-+wnZQPrv z!*k*~?2PWIa!Db@5f~Y9d>&gukdoSI-Tu-ys3-8YpGs33okLmvAI82iD$1~37X}z= zfRUDvp`--q6c`#o=>|z@kQAhZp_MK{C59Nfl2`T9grSrUe`|Q2;pR?BaFKapP 
z6ZdsraX%#GD8iYg&b(0MW>0u)^XAxF^pE4{zvm{DV(lU5TB||V?>MS~F29p~+ZR?MbEvNL}Kl&rRpU!%4W*4WxkvjdhFBLla3?2e8jsf@^i~D`8$a9`gS^~V3JB1kg!?JYm@L?Hc1NWg(c7mXeFOd&~Lb)*Sq z5WkapOL(1UK?@1caW}X&-52$BKA9dh+(|Qz0~v?oQ$^T^NkqA*Sl~o_74r6aI?e3Cc@GX z0Si1FP1BXmPwnj9A2@+(bpiHTJ^{Y?)$7?zjOt$)r&gx6&tl2v8w7l?JE2rmctzvb z)b?J6A1b0eU67JH#sCp&U?#;!*ID`7>xe-hwhr!YGXMh@l=5C)#bKBuC%Gi~(UzwF zZ--S$ZS1x^c=O`pBziO6lN@B7d#gIXY9MEG5k_Di4@0V_1Jt1RIP+I$jMNC)b1eUR z6I%3Gz921tLepSlGm!*pfvO>!kB3laYjcBg-S^_M1JbRsrG>|xqeP|F0GO$GSroGr z(^0i#x){sC&9foTrS~fXA2>=CJ{cJ|B)x2zL*qCgLe`%5p3J>0#1R_C-JM%qSsF?J zy~gA_|@h7(+BoFRuCm7-juRH(L(V4`hEAetd>@DKH-^6Q07OfdH+5z6K2fj)z*O=&TXmMTrEi% zogP|Kor+F)TU$uE)hk5A!_hKwH#|5A1RA=^;4HBjqaJKhw(<|UMoUs7|LDPVbaaW- zh_XUNybf$KtR{qx1ai^47g?T*H#3E)=LiqP>kY>Y#i}31lCB)(asVzLiqHGYYOZhy zCc~pxS<~@R4{S_VMVI$KW)Yf>jUCD^9MJ6nG3Hl)^xvlP9KCxaS90^BEaFclK2Mh& z_W9nd0nkYOc|(KqrItO*ljSjw1+cjz4Gs!`&2YZO<)P&%12Nwm08SVeIdG&$i9Egm zRn=+y`0DV-Rp)KKEvLNEsPH`ZjTcjxF}R;>(F9mEqZYTP_SB1#9ztij{)9?wV}_Y% zd&L*mE^_UMa;U_af?Krj{pm7Ecf#GW!ySS2v*AQ4Znx&Y6^i*1+ow68ZO!WMz6WVx z@P$jI#y>530>IY?F3j|2J=px{Si{V2ZyzY*bTH_a`7`$sM>Zc^Nv%dKyq`+yiUR|y z{t+QE8DvwmL6ow6UE04MbCj2^;Z9a1tq_qkQ!F7`$pJjes`Y$ouv&19rjF#gP|}m# z5nqIR{>2Kxt6%f&QNK7lO>11#W+>!{Ivn_b`{Z)pLYy1RTRQ*^tDd6Z;`-XnpX(XK z+>|0t@8Pc2;o00RD?|6#ZuNSyC=o6>Hg8x5HAe<8OF@5A1%Ua8q@Ze04qjF^E9Tea z0kBZUP6mz-&WPf*&0q{%u2P&m!1vZI+@H|{R?<2OP3k4~_si>xIab>=+|J@j zQ;c3tOHEE>4TufBwUHIpPa!-ym=}-aWh2#tPBmOBtFCJ7-~}@EdIbjMH+r$840O=! 
z9=5vx|2eCk1-yxRDf;@cpG2XP$R9DR_yZ3BhAFZRWhj`oX86m1L{{@J)BWMZewt zw6tov@2%(1ZA{UXmzWX={58FZmYxzWUj7=ncxc8*b4S|B6lQd16x)4!?@`e_!}9h< zQ?KOp6EIeE_r;dntpq_t5iImuHN!!acB21J!?V|gQig*9Gu|5lzMfZ>eKhD-->9V^ ztJzMiH^7D=q+HZJMZf&_Ggn+s^TayUX6EVaRj-%L&kddVZ&yz0e!LIZ!)P7c@z~en zFVVa|o#M4Y_2yHcUK|dEaQ1GmeZ6tX=Sy`hoUD{33!%tU>qDH2~T%@%GPsqJehUVjMYgIvWv15`cNLFM-<=PwKVTX{)Lz zOcD2$_P=erzwd8ax-LMva)0kPYNgs#~la-p)P(R2BuF8x(L5Qm54po&cMn zrhWWm==DgwQ65q)>SYjVF8zg0+G*Co^b!tAjdE*=rc8pI>^YD1%Hj4zd*1?~)Nao_leU;7r@FyUQrqi6>VMpL z{Cg9Cvc30tpnbJlSf>T|khTe5)B^R^P1F0*+;@^dPw+}ytyS9wXbRL&9}9FRbRs=t z=KD}I^^R-5DTzh3eOW*Tz@-G^yG_oo~R~kBR9hy-p$7wtI`Z$ za{yW6w}*;Sj?_f29#BS~zC|v)3~y9CB{?}v#BJlm04N)K(!~F>5AL;(qQS@P%U3qA zA4J!e2Qcuru0EYbhUWQJY!(W6j1Ei1L%7sHnLR>0>SnG7^SDi!N@(;uQMhs82It=M zU%=@cS@IHrg_7)_n*w~cupSL#6eA+rE?yZQ6?u{SrA1QUBRpPGZ4RvU7%>UE`znK$ z#E0s_+q1*0p2Ao|fyod3Z{6%QCmA4}gSH{itsmU;4qc^{za z$NLKSw3a)797s2BWu!}joXqf9Wq|iS#e^&KT`ZNpdh8w+OItPhc z20McYI68Sf*Cvr4F(3H$GX~&9X3e`MS}!`XSoen`_TY!kgRi|YCoB%7k*c*tx%8L9 zt}>944e*03`j_2U;k$lV&S*i(6CW0Ng}1FshMbq)YX@pY&(}1*1B{R&w34yQcWd?q zzq=?lPh?~Yhg|Y)A(5-atl{Zn36W#iW;cU2eYlxJr|N{QTR)`QN0{m znfx!zYIR)7GvZJdjt}O+ffgjQW8xi*m3H@poVVFbh)q8x4L?%toS0B`Z8e*wp!b-p zOj^DapAc@1!UN7)Vyb{O-bogkU-BLB_72bc9WB-*CCHN(loAqevY|lPNdBL)v6C<) zCc=|CiouBC)o|WC4nM)~>43)2z~y+g51of*0^^~vC*gigFb`$?Xsl6VQvve% z{vi)DfdEis?{_z`25~S-A=r(i!%=qFYS!S74*qwnWH9OZi?&li5tAntm6M@*DB3>Y|W|dM#!2&(7HIcG4qh zjV;n=R4Q!DRwsq%SkL-G%z!4ztX$CTeN)p-E!s>{(0#DteJ0mf?60b_9X?;fYS20- zwpop#2;Az!%(G{d@lkK9$|otgz83dNt%Xt&PQPoNMvY_@+Y0S@P}lhXKxA`so~aB+ zF-|(g_C9W?x!TTcx~M;SOjE2sA|+7D{sX}n7k8rjYHWU|kY3y>^=Sh6?}4Sx+@BP+ zuv)FI-vbnk?Hi_JM-+AT8vlK*C`5~w?WJKwEJWIV6LX#j*X{CTKt7iO7P4Pl zUP={BtpH&Ky~Ynbjg6vV?6~Gg@8jd+cNCSt1Mva^0!DKY_?z2jeLrwhHIX?v!OE({ z(B-v92Dt?=EIUr)i=T@Wmh#Ud3Chhq!XL*;H2Jd>6cq(6yi>5Tv7z`-&|TcBOE5{7 zp~BBR8oe!L)p@P=CmX4j?bd~dRV{RBsv98$(J}SN$4v-&h8$C=WGio)r7)<77n>Cq zp9%bNM~>-TcOdq~ttg?is?8Kl+<#jFkMMvl>{E`R-~CoWW+r;2>Pe#}Yii_5&GSp= zA|b&oU$cteJOaIe9MVHi=;cfF5sp!d!lP&S+N6i}T~nD)nF>?=xkeebxu&VMFPEdT 
z!E~7Hh&42^?hC`%oy`=&O36x9dU|>s2;>BZbCyYz1I{+IrEkqoRp;}GY(y)dxgkT? z1;nTjz4t!wL=2{kwf)tn*GhmJARz(LSr=$+D_**PzUXLQTGq0VupU}^li4~vI{Mhi zltp5TIN9(F|BY=z0Uog8%e0h{WaU*2Xrl$|`2l8n{Cjc$GQu*kq`Uhpjs5ntUVAz0 zv-XVE*^P*p4LvW`rL37tzp`I$BC_?oKAy$7@$TAfnq%Kd>B8ad(|e4U^ndl@O=?3| zx--fPPP|A39kvstVKYKhZY1~PWeb!*784*;Ob51;%gc8Dxk2%4cTs8#qA;uki!Tp! z34nRH)_xv`ivmhddGneR44YV&+_kR`(2W5;;R{FDY4{KJ)39UhK26qq{SE}T1{tcI zT1Gn0%(8x!TFZWHR)E^6mdw_Up*SC0HWlBD0MR#()mlt8P|~`*rwDJessZE){}m1Xv8B2Z zFsqBnD|DYnD~%V$*tzfwJYOIp2E6wO)+!us6>ZWx5Y}I^X5rOEk|enYrUu{@faG~q zFSGWVD=SHPczBM^t(WTFxS(qp`2CoIf=Z^aZ6&;4olP)yM%>fv7mVV%vXjpIJ3B~? z9+Qtn(Bmi!p>xkPA+=^QkE_iqRjK2felN!?ULV*GoqEu%RbgdMu7ue{pZlKgULkv>1FkY;9r<@WZ!SghoF&98-#FXDK{Kj1@1&&F6Tze zjSE{3O3au++V#KFHIlXBWC$9SjEm%8EGSf}VuE4iWMgA%@_@%O0d|s!lqz#P;Vb}7(x?x0IbKnB!t=Us6Qz&=MJ!2Gaxu$! z{rA#NxzB%!lT^C*`~Fuubck~d7s3$zs?5gZ5swjcJXlAuOlv?A&Le1!j%_Y`L3EtM zN$Ko1>%3#@z~N83_L;siwnM@D<~Akm2->a{jF6feZ={|o9V!0be(FvdK0MOWK&u9PaHoZmWi&yA_&e{y! z^23|3*x==3!oxTY>LS)@e zV@FR&ONaig`papRjFGig_%=Z=ne2aEuNQ#Z`cVkM(x0@Bnsyt(>7>NZOz#!cOv2iwY2!5#oDWRgMf0a_-Ol?yAp*G)l>&|bmc3~p zk09sVab^Dw3k6;l;$;a%_*5x3^KNv)>T;SqJ`}(Hbol*7&Ei z*5iC==ja=%uLcc7g(VWgh3C>P9HUkklX&>@7hk#QXF^#`dM1=_=5u757b#u~GIJ6A zFttPCN^Od8R?Z~}o1b(IKV`NXg6AYZ=93vzBq(p2t}sUR)sKLoTzW1e;j)(>8&Eqg+yLR7ElZRzVtcIlV@gK=n(eDFU7xRrv0I{`gJ)Z z$WdZO?XaUMQ{}8;8F*}Aa}ZWN>Nknb!_5Nz0bolBw}+N;IGSPd69TRSkcmZt_9LXw zQeYPc+pkxDOUL2qgnSNYD_wQH+!=Zgu#s{J`UAI;O=wRCt^p1@b-$5?R228J?S~IM z&p=G2=~VE!QWxNe$#B_5nsh9QY5ii34LRQ4@WVMFl*ze=emIZs&Kh$k|J}c|j0UFN zY#qJb4uCFE61Jy6n=siAq57NtJf3$zZ|asOCpIpQGZv_!1i?+~mwLK(HTH&n^l6Qa z2w<*)WLNRUsZ6iNCnlxPxbY>Y!%N5GN`rs(bnw1WMPOgbukL)@>xN->!b@4N3tL)q ze{KSTt&?dCqaAUBjTFJ;XQ_Gr1@B*eCD8Dw4hsa;T4x*nxfhJdyczioUDUcx^}k%9!G zR@le4?*ez8AN73-s~!2267Z;&ZT&u$>LaQ)8gudqD-;8zadoqnQQoj4(+Q63{>#>a zd4<)xtVUKp9X;t6AZnH);6$sqUs?Ly89&mUk=IS2cSvbB`3jo)@LD2_mp9%`C`HK0xCRND%9aem zK8HMRP(o8;kt*OMCLz%m#nt_E&?-zjOpCETxjRO_T!~)GL>YeU_Ts}~Kw{vxJzLD` zNd*3dwLC_GG`jX?G54FROrLZm&uu1A_TPK0`Xp+jn0rnjcXFT^hTx;+79eE(TNRkJ 
zMoq!LrqFWOP!W32uFa;rfUQf^Ea)a5!$SzfNe)}2QzXFb#ty<@=Ai<08>F!oq=>(V-N&chre=y1ALLAd#Y)j%yA(M6RG7GK9F8ah&tJ+uNsZ;?F zwOxR;IPw^SmjS^;NEtusCtHpyz6*e7uXE^7_#(7Ik&6mqC=)%Z?h@j(5Nu7&p= zZ)AiKt36V?_v{f9oJIe9+IQ^Ewf^vh)!V8PT$&KCmoaWEi|a2?%IGW4Bku4b7Q#(4 zSPz1$pE@&T-Go)i5cneN$MpKpA(sYEOt*#%QkUb}=o8A_JMH&vd1&BX4UcMat8l`0 z1OxUK1kek@Pw3c-1f|cW-@M;i+qhQn??Qmx=X73W`sD`f1*b40(e^`7iZ!&m%IUIk z2R&{D(xN*TY(aJWgvmX(;KXsMXzATqfazOG`-nC7%R=1P{&pcsiZDF0*z0*S=Nm*v zl?ftUyon5CaMOqpNBII5px8T8!Y^_DMkQJ(GjIRf?Ds6s-TLDpME$a!bP~5sl+WBh zggR7mr0zyhTj{&UpIuE=fS&`10|$V6WY?aKKbf$zUDg1XaD2?dA7tu6LrDCg$@jc1 z-^BC;`1Upp7cxUmQJ{x3;Ud6CB_K&L5~?=6l zll00UH;cH6(OPO1@sQV+&)qKv-@6-uO2JrBU8|Zz?tl%+Gc1AN_tCFRxwLc?R|sXX zmDURqB17eKE)BDYMcL64pN3~|@}@vk1e0LeN-*4VG*b&Z2lW(v-u6xdp4KTtxHi*j zimmXRF1d`56f-FO7?Z!zkFrRQ zlT?~l@2lgLD>>{<}d@mb(VWT!)8#EB1!g3zGCZDIdK+5_u#{YqTHfP%XagaGja8bDSlB)!s z=+7(E!VRJVDbS0W3NvWQEEgr>s(*QlHU8eblHZLb=Ulf8F~v1}6|Ks446|Z+F;h}< z0Tc?UZ6^2bey##l9GaBky2rXKT$`p8B1&er5I=qy;}Q)?*V{^8GQN9?&684G!j;Cb z@I1l%%R|!*-Jp0rJ0n+5Cv1&-^(s3NZ%qk4!lTMo<;ZNLmQ>2}Gb6cv)EZNyeqLgy zC9uJRtP?J^E~uRCfc&zIC8i&jTCnAHce|}yJK_mq=uub*u*_ca{JB{=bS>5izlt^d z#nMC9SZ=vA&5C5#fHzCBv=+JO&e%W4o=$ zm@kEr8Q$^Dv9^Lcjxu;!JjqoT_nIZyuHIodV0+Gizq6O5xO%1(LH5+e|$0~`z z$5QmK+rP}0Qw(|V4g?|lYbuQdFjrbTEHvW6%Gr7Qmew2zH&^Fy)*wo?TcyR>n&erx zYGFwad;FpR&?47%(SitS-Jsk`XuqF<&5>19j*aAE)CdOg4C6qWN5opKGcbwKou!`3 zSRIb?=1@-$H8w9;@I0rtn_IphIzYCpdK(`fW?*_wLQQ+J=2w-0&?^FIM?)TiA<;G%IPGsP>^weEmm6pii4`L0IPQX+loAk(vf4r>TzBc{#V51BCzW1t5vDSnAcduORVn{Zmii z2flhvlYxfJq@SouSf|KMgni$xk{kF@v!j{fuz($rAf4;#XlsJv0-`eIfCpMwuR>+C zNyR6X_)GNV{L8b02@6GWg@UUDVsjWal~N7xZwB)1I7t($H*VgK-tziyB^asAlHk`V z0ewuB15{Sg9t?@PzVX;SJIGS0xqj+Lili_`Qt5$V!psHO_f(nU`VrK?eir6TKg> zx?o&}zvTkQ=V>U%#b98JFPzHjyEgdc>dC>89(I}T7KD%qV9VSHF!>XC&2q#hF8nD+ z%6V839t^#S9#4JdFiAX%1ViA3b7-&SpH>dI@swnU@t))YGWlA|26ztVmdxB{FMz@T zG2sYrdW@twr46CMA-4^vG;J-5aVIF9pBO0$@O#~;+4h>sjHRYa8dCWLB*Grm$Ol5; zV0y-`VqocS${nwsJ;k4GcPd`r-@>h|6(tTQfg;5x+p#@32wpUD3&neWKRQK<$6B-i 
z286J}@iR7oPWX9uuBgNUUR`SJKlp_l+TKYe2d%ATZxeGnb}a)ag`KyE2XHhsZLDua zNkLrm+5IvAs?k{U7o#Q|??Gh?`OJI%2Nx>iHGtmefATJ|hBO>+*o&=kxd^iIS8^n> zfuduo0&W^mgom}z*ZmdL;U2H&kZI~BJ&Jk2WSS%SHUIOgP*zho9;FkzPqcF1m?r&D zv0#L0KxQ@_i2kYlyEdRVJUHuY3D|yLD9uK=#qSYOw`-JS+-x)|g@UxFw)w9)^sg&< z!aNpTC!ae>1XOhmxHR7RjHy8Q>Bg;&kCM41yj}9p7|?~NmC`|2+}oX2o*{FKfE;B+ zoWwRezBS2#4oT!iBCR;7qO7q@ocQS$qyBKkxLD-di6a30MEC=npfhQ5dI+-c-^3$D zTprThk85Zd7N>?ZKN*Sserj!`S9Lw0N!L5s@Lo%52_3S0-WxxMtPz-S6P8Ph2FwK^ zZ%-|W`z(463a2i%W|{z3j<7YoQXC&3Uvmqb5fU=Ed5Rd+JUXPkCEILfRLC4j8hiB5 z`Cs_7h?3I5JP2j!;c-TV z2Q*1RGp%Fs!*!A}5KK;*(rc=Wj0?sc2x`;)_?&RP6y5bne9`FUvpT{iFH`!>J9^8^ z%caD>>`&#ETnWvQBRP40HPxMjCu~`Dr6IXLY4g3SthdwzT+y=*jF;p-4?{7^9Uf;G z!FB5&d4<~cI)qVHV%3c@Tk^7i*`7cBdeuMBAN;u$lYju(^|=`Iwqy{^i*pMC-ukPP z1+#t3U!*IQkVf$SBbU4FSIT@~+^Ko&wlsC?0`R^{W-$TsW)~GYd?cMOM3+Kzyn%84 zHdBI)G==()KBCK$BcOv59!Xa&3|1sIMcW3@l1pDap@Km`hP$r;PDo%F9`Gb!kk&#F z z21uRL9#q@3UxYDhxX_NC9{;d6b3|t4{P?bBwa!13p3_0_n^N)fRmbKT4DCYy^`Ms9 z6o7ZkbKX%u6Lj&o-#lMEEa`S+ybt;j_s{a{`OfOOMc&!1ha+wCD{lwIv)yST|0k;q zW$&-nHnDpS+R_WBn!r4`Zy!7{h6>Fg7f9tCli0A64_Rg$&Cfp4BogMZ%phwDT-lh3 zpS12>go&a*1?-NY_~b(0>qoR-`xQ0@xpb6MaBI7XS*sq{{Fs3l!BBt~jqFMW#=YwP z&$x|ES+slK*#epHmqJuoSX4;i_n5I7%pJ%?0Q(6H2>*%Sn2nNpMM6gVW)$z=a!uFw zQ(+a2QA;7DaPWwi73Ml}Shv1-ZfFBG4hqf<(Xd>VYehtT-6#LJPJyn>mnY-l^SaHF zO~k)B7TtTNx@RxdmObxcTV8?>V%@r3W1Y9B<&#iC z;8P^gme)fEN>fYDhJKLeVvh)I3aCZ81ct_9n8N}Jht)!Z1Wa5Jdzw)VrqxxhBh`I8 zHOpTnwF5UcJ|z_z#H9+Uz6UqxTj#%lYuOCeiJ zLdBzngv2invs>p(Q#&`qTjw%YgSS5~)bl>-?!5~Ysm zy!oq*z_h2`ic&bbAP4(B52?<=_Ph54Cf|ZuUwV36>Z?LA+(UZV)Xelnr3k>JYsI0T zQ3INsqE^FEXDs0W9(8$BC(Eq(Ae`h*kJ+yAVye;%@CT^8`vM8bwmTMp25vdb*|xGW zu+m&W=AAD)ZXru$>@G$fPb>ze6bWC)1<5RC3S{y>GN^t5eW-=Egdbj;l)K;aKc@W= z4YAkw=xQgC+16kwh%}9ns1{%z+j$J?0J1^xq@-zTTAwFi=-*=?&E8Fpk~x zn1!fs)#fw%oe5$(TbA$KTe$(>-KUCh!gK1uw2w(evCNX|#M9q*Xel_r!2z5JTP&<8d-&O{IGLm+ z%+uUo=jK-Jx+}tfJ?&koJ;%C{HXsUQ<(6P-U#$Xug_XcMQnjCMoARAWFrd5dEEZd! 
z1bj@Szx=~|_pe#UZZVrs={{Ct0*9!hQ0YueTZ$d(0W4ySMh57i7*?`Pshn26Fs;}m zeR;%kNXhy=HYkq<-5~$D$#eg~$d(wl$|G6qgq>d`srVSS%6YkO-T?kj*VrCQmvcp4 zeko~5t>X5FwuTVRR~U+E8)tP_Yr7s&+R7>40+BW6X_>v#c^8QeM$)VbPu zt3r{00_>$OX=hsY-Dcc*aO`W5BFVty z^WlRvW71`kZWL!7*X5yfJ=7?#MH+JQwK9{5+Hk;R_pigBvN5)cft(DiU05}P-$9ex znhs5VAKCB9k*gDtjI8t!>hVSzSQKamcmNUmi{%Y*KiANRoH0F8rzkU&@a6Vb#ViNR;t#d|9d_a$ zaxXSYdp~TM>HJ<$DbF&fdRDFek#dC&`ozz2Z!gi!Np2|6+k#h0`x|oaFnNkaF-RxM z5#ZP30wYi+k#lxsC<))fpC${)t`&07Bx;L_&%Ig}E; z+jdwQ!Y?(xqD4)_n^=8spyJ#!=xp5cPYMiz;!xUFpaX_vzDeIJe4Y?kypx?*4TJzy z9*(II>AE<6e;E?JqFF{0`g`(m_*n(7z(0qunc%&wcky=$Gd z0gPqD;W-7E!y6JQgaBiD=XRGJ;H*Re=f?}pQtux({UirExN$hZeHk6$#6 z{rao>1GOhNNnJ15$NKgT=qp(B`?|WvTh6@}G~jpf`5`GnYfga+Tw80GK;zD8JCE>| zd0crV%}+VvjIJSyyRTTE^lv&}>jNY69^N3`mCylyLlJ(7CE)N&wRmMY5a)rDvq{QJ zN|TK|&5y-O5jw$z;ASk3CaMZL^Z){~^LYqgEQRNa@P_$reV{XDO~MofGJr&#m4%dBvt+C!0bc#KVKs`TeNl+|wp zG55awJXWW>0DbNadKQKTw^J`kN>-h=nx_V!KFumX$*`hhfLH*aPH!%UM1OM6F|IY6 z`KO5cozv!Hy4I(3>@|mfWw*LnL*wr6?A*&@KG#y6M_p@-Z=Wduu_-9){)jcpeZaS0 zSzO+uhmmXFDt!C70EUivswlfcr-E?gfGR8$e_TwFF9j4=DEoqEomC~BwXIjZ;9~6p z<05mVgsU705X1%_top{!&i*#4DUBS>12gC8BAl1SmUY(I(GB zX2YU7Yw1-^3mgKbKJpN8S~%FnGI~T9iMygHXJn&mY_`lf#1YvV4u1j+oW}2MvNd2l z@**R8G}`Cb|5&wd^_pD+4&eu*KEVPQ%AT;=u4~H0PP7;QgM&ew&BfrYM3FXZ{H%aP z_^}H4n&`16Mn-qmEZ!@ejcIC5w7D&1BGnrapqqBl6&)$aZARyGlxOPfZv8!QETc}_ zq)|^+pAnSU_&Yqsv}v;p!6x zkwo~1QUH_6)s}nki+m$Fz)<0i8gLo}xRw!B{scUXH)_p=w~NjW@7=E?#Q#WfmB{8F z!iqUQ(nxAGPjy+<3{U!-Uu9?(dO-d5+>A1`~m@o>>1#FdxVEZ5e zxS+U@FO0+|GV6M0w}8xs1FIKt4|R3F$g3E?YqlU^!?QuN`^2}tcw8h*&b1yg$#+{` zkJlw5-MSx=ZSPzXM8;ynV(<@xs;kuEPtPV_<}bmF;*NZ{qCUkkV0FUbWOZD=o>t6C z)Sj7B0n0PKZp|N zFLG0$j+j*FZnC5UUkb9;{ zmA+(k5}7%z!(cv$U~2`G>YR+w2%kx^wJd%%65GK~ZC(8pe^MW!LBs4Hj;juzLp$^t zkB;>N?tY^`Jt2h(%?1cewYFK^t=*UW@P!#~`_7LS;I9QgxhMp~2Hv|0*J=&rHEtCt zV)2X$WAY|G4oDMyq6M1?fP9lG1zJA$dFrWTyel~`(C z=(=(s5}At@qRI#Gv!EXM9>-x$*E)FEMov0kQXb3(-QB!M?ejAWi^l$lBg+5}Yh}{8 zIH6kG_*sKXxz>}HooQYD|FM_f0DF06Nzz+LWvBY|s|0+neJk;9pYb05r}mfZSPYrr 
zvEOwQ8_{zOCc6cSL3#+!c&|CNH8D1Htv`Cc(kR+EeE*N^@a*ob=c zN7wW&mW79Z@^T{8ujG>vQ?GvDUL9~{0$zFP6F<^}@4+E`{ymdYH75c_HIhrNSImUw zu?%SB)WV-9qG=w#D2a{esgLhbUmWyOX=ohXJ{?&77$MhTvYgI2{H6VhbN*Im(G~f- zbj#~2Deq%|eKmiz2C@z#nMxmLqsbrc3JYmj2i>@mE8WVBj;;K8j!z|z7oN$OguNi- zS9b-(Y*yp*cgr0n8;ra^-D&kUeV%{6RS~GM;7;mo+yjno<1BDWS7v7Fs(%5<(Tb({ z#|m2fbZe=B(%M0_q!M?FX-g{O)|)jbj`GVBeDS;JmjwZ=mc+IKPhFcydEf5@9aI4w zpm1zf4XMg7gl3N<%20DD)N@F!lR$HoPK*UPYqWq;_7nzkm!-zPsoc5qCou%q103pq zL@zwZvh&SYx9>o=Smwg>AYW~Q$#0kZ5I>YKQgi(K?uF^ip7Y|bR1LM-3P55LoH~}0 z_?e#Zl>2p1B2=d53KyK2NS(uhfRH-8!biucWVKsw3&9#|Wo20=`c5kha6$aGFO&>< zgg}(U+(+X|Kxs(x)H$~xX@s9kz8O(4_;CKn)je|)?k$E~-6}rSxx34>|9+5G#1Qb~ zFJ-BSs9a4IW4MDqAK-ikqEWfQf1|mi0e9X1o(N+7;ONv7&keAD2pHO*df4!LN`5i(TNlyylglap&v& zdvoWb4}GmfKmL8mmOy7ow6av4vdcryh)yIX9lX9fQPSEW!pG}Os5)z3%i|G0E9Gj- z#Gig8CF2@BQ*sNH#~p7!$+az4B`sAkh~5UG!e~yH(PqD@la_53YGzEDz?MTkrsaa4 zTurz1f|MQy4zBr|>$D%rny@D-`&rCNmZSD8N4H(A@!#P83%iL@wpg~cbeduTLbH&Z z1~I(4KR|{v?ROD811B#}O|1$1kgiJ8w)^31*-YGuEWyet^heL|bGum5sbP^RnxkYugqb2B( zc3VC&Lad~jP~1#Y6LmwBb%P6YcciB%!~oi3!dHM{8!8}-z?am$BLbwtt&@3Ft8cyu z%?6PdD7ouaUMr(X`;0Uk@zMI`r1MZ+ujTQ#R&^XrX6N%~x47pK3c>!w=M5&>yST-i z-k91YJw8(b5(+p6_2$lB-Wt4jmmN8}r!ffZcyFS-=&2CaY>eKk=u3m^h`)>~=mY|l z^PH*tNEmo_@+~bN*4o2u{&zI2;77+CoJ4rm6&t+YV_>QZke6jNIyPpuZ~5E?=d z4RoPyG?%|`(aC)E)x1LplY_qVzu;eHTs8tc*%+_C(au;;ga8m!zb zG~urCEvROjLk}Tza%yfyNUae;K32{c^jR^s767WT9i*>Ghr=j78(xy~pS*zO%V#df zxT>>%^NNG#1WgN}lx9@U-Na*&D{X~Zh<6z2*@?bCJxpcr0Q(rfl8K#9|tQUSf+1sOfWVieLXtClfu5Nxq;!QHByB!1M zXI$!^6#Qnrkd;L6CwDCbiQwvoAJL8PrqdK$g8_<&9Q9hvvMytUE;TUPJ>xBtcz0TR zQsL*Q zEQ_m9Et4xfKzU-ASS~rmy1+dDQh};~;YdAYOWN5?4+UQN8p{nWWG4`WU zszC&)IUYK6ZSp5-uZt_1gx!)m*XCWvP=QnU_Rr~hK;q=5;y7Me9H_JALk$DokyUOz z@7%FN-;-;TaudiokZfowpMf-$Mi}Yk+8(r)FfPTv;@IgWq~7ve&^;THkNBjK+o!oj zr4nHjylot_>Tb#XuC8CHHl1Z2%Xsz8X9TRCL> zoe>4WE4(=Q=Xea72A>$j>3VYl4k_pG(b2-7elIc~FmnsOcpLtS@{2c~kMJbYWTO}Y zf^2Yd>4iuY(s9>v|GuFG9xFkY#k$ARctaU;&UYHUXZ&xGx*difu^X^S5%Uc|vTp2e0VuU0jQi 
zNY)ZV8+ba1vA|5%-0W{f>b{?9h=wMBiK&1oP%rULPpUTn_ggQ`nQA0n%iLqz+KIyV zjwmAo%KkK!DM&axGBptu}haX1_SlrV(Z@6aZQsCdUg% zz{ik+NJ+#Ed$8DE@2@+pL}Z0odV;rX$4{PR?tTiK#UvBfgnW5=<9^nnXEJ{o?Ca?_ zUf_jFCTbMU?;PH*n6lblgTdXXA4??r42yum-w1P|9%oI8C$=jbtn9Bxs6ToPc#5>S z)RuJPK<3EzP48`Z0Bz!$D*9T)k8qIEUFaR$ZD3|ud%BCy|1jZJ=X(Eut*J7BAr8qFiYE{XVv zt*B%2SyH8!1m$m%v|VxiU30{oBzd^KZsd5eJIgx!sVNh0kfe0_r5R1p(!Aq)z#&s* zv9}4NoF8iZ4HZ%4qbrO~_%`7p8#cfiV)~oDgkY{$Jf8#%@0Sy;34lE0=}PUayB)yZ zNZRW71Fp2R$0?*OLJ!`_0R2qd2z++lhqt(dU#rfTCf+m%&?2dO=s0bS# zc_T)DTl*j3iAOws6%WN_%a5@xeQ!osOLjYXP<{RbC;^~Q9gT2O%fjoo7OLJ+Q*vCT{8ck$?4sbR6x6S41&4dj< zgP`EAe=NRn!$8QKV!OM-(x(yN_m3_(K}G~TYG~`g$Ihy+QXIv%Qea~8S(a3pkCsAY zOSS104D4dztId?p+7{j8Z_2Tt%9L*K0n0(}tg@KlqHsAB7#-Dj1-iWvDQuKE`p%O< z&+J>h)!KI-Js%zTO#pUn$s@N<(UT^KLSstH-z!oJIBu9IbJjT^v3Mt)pRsxCszAtG zCl~WawnL|FRLW^Lmt@qVA*z9J%RPToT5Sl(@NhphH;#E-SrTFd+jridjvv(SotM4^ zoAn*(3V-)jz{3*4r>~eJOyY)0+TN<2rH&8D<4M>YN9^} zGS1PLG8vsfkc?(~#faKfyie>ORqqc4JZyq*hCuWj=ry>xXx(cx-Lkvg%YbMbml_pi z9li(;M0aEjEwZi6uY(?7)-a!_Q>8q(2eEN&4~K6W6CvLr;wISN|ASH=WB{vqufDMM6UVu@hVZ~{z zO0QX@qsAPBxXs(OGzbW!Tvife4f(|bFnt#FiRcZ-QNZO)6aPA1{=^8Ti|J}d zzsXA*M*J?z9d~K+$dpV3G7rVT zWM$SL4%p6VM=LHuXGJLxw^>uca$`b7rY!w{c^kS9^ET|m>gz?LkrCnH0U303sa1N<@(T+CV`7K^WAw=B;@n)n z`f_Gw<~$uc@T4#>w|>-yfBycrgP>Xy5;@$$R!a+G0l^L%HT z2TWO$)!U@Yz8}vaskXD5Cv5xp)2h!WwkL1OdVC}E1O6aMJb<3F_ipK~4j>8XZPlu4 zF4fR%UiK@!3OB}7I)zon<`xkek6>j4i(@-HSjfnSo}RE8OlMXfXK z;w&iQ7XBb@^4jRmP4s0QFent5F0-+W0l;yE6S>&?9oEJRpCT8F{uXXFE4D4!_nzwj zA^4+iPj0vm{<#kCE3H22xr*0gAm#+Z+U+E-XK9u=pEzKC8MRqhf@E|I7Ub`bwZC74taJHH@5 zm}7yV@aJ1ji}}wDa-O03Nz}wCwetO^1#P;QXOE?}U3>pZxXs{Qu+iREJN>LOk2$mO zbzM2KU7dMz%JVDzM!Bru#c&2rTBj=B*Fb7b9flti z(_bZ64&fnxzknL+B{6sq1-19_r&$t0MFy&-Q*EzCPd&^smzd2#8nq)9*0lDbS7(^v zQck5kVIk+H{-;#flLyVXQqt<^eIH=^)OnhHsT2KHtu?6o&Kk>+Iy44tXIuW<3&~*G zD~imTNzVo~Aim+zS00@LB77LU5Qb{7p+3V7N2r{9d}v_34F3Wi9L447io-e1A-3`^ zlp@Z08hBoPv0z#C-2|?)Xi_R{^y4BK6k}Toq3>!*Nd=S0=a3y)^$yUmgR)As4bDDl zKNF{^Eso)H2X3E} 
zr$2L&JOgZg0-@d)jT@!bcksrifS*s&0|?{YT4c;TdoJ-nIxeR>&6K0Z#l_LY#%5&1 zFe`t7qcqHJuTCi?e1)-vF|n~NZZ3{#ijVI1(r`a$Or zuU`4C1oeH&?!N1to$h2|W!2|71H&S7L$VU(c`3OzGCA0u*=xn#=GR|lYwrK0e@8&$ z2h-kK5xX~U_Q~|7`W)14&ih!!AD%ZIx{Zj3Rg6ebTUuHQuSW89{y1#>NBFa%!i<|z zO+zDap}{jk0uMjtv?k_hXF2Ma`9;m9!j`K*8=bkdKw?1-L#x2*ldhNB5h0Fn;h?D^ zB1aLTs$aB^Ue3AhO()%8Xlguv9DgsuF_w5#jn~IG#ug^dAXb*GH!W|QBd$|PJf#- z*bIS%<+&W0ddR4f;4!aOKhG)6o8h_<7aZ@Mk+Lf{d(Y?k5ht2wlGWb#v6J>4`c#@F zeGqMCdc?jy?rX#73Er{2)i*}R z!9{Dwwr$(ClLnJCw$a$OoyN8~QDa+88k>#X*mvIVTldHPJG0iz8k~Lhez2eW_KF_^ zuS0=^no;EP8L_T+fx+G-pN?`Fih`k9sPCP#2rmO3wQ7~nP|cNI{4NI-D8C5jLV~Js z)l0}vaN^}S6L6fyr)#OjRd_+4je(I=T{P^enk4DNP-2{M1Q6tU7ZA+f!3#}nRtP@Z z+VkT6cUVQ-WDsd>44MF=u=->bjDf}if9&8jT7`UzO~ymieL2s|>5l)zjr-nPv73kZ z_~=7%bu5fBg3xr=YE*NKT&UfKMVBaY&{@71RRU=uLP%fhAKz#sT=oMuTs1Mb_7g&Q z{CEwU9OdqtanYmxg=hVhRuM%q+EBSt&fqVS#spK&xfP^bKNlzJ0!))5Q?#LIpaP|B z94*9fKf`(AIvCAJ{VWX4F!+xwcf3^pFC$^V0hEGb|H$b;O)zDnL>OHqP2((#VjSde z6=;r7M4^}>DMZt#VfUwtg}oFe>de&^pI{+KC-G`^_P}CUB-5x*1Q*fOb#T8Q-~{@~ z>ktLb)r^2cDlk?k8Jr+IHO?mBR5{uivb!>w7VDbAO-CxBy1I9(cxR#&H8?Kmmlaco zfxpGZADIZ?SS)hT79;q#Fkv@Hv2PDNs3JBkltZOM_vZHFXE->CrF4?O@SnwLslLhx zAG6*@Ywq}G;Ui=bMZb;R5&E@2JKRE1N_|FSTkf&GizZp;PW##RM7!$v!ndDhqi&?l^(vB^=DLt17Sx-bsP@I^X~dEAVHOjog> z&G+%B*T8pPI}zQ#pLPs61NVn6N_eWi8as->{j=wQhCr;2*IszjW>V9e>OUY((5v-; zTU%!c9$Vt5bK;aot1Ze9j#FXf|D9@pBkmx<)^NKM$5C?=U!xTjCFBv$>UcY(qa=Xo zn}5kue-@KfxLr<(z$#YQp?ipY2F@3_tBWHJJSYD^%)h0yr~S~g$f0aIHmh2<(8oLboq_ zI$H*0k7_f+icaWDn_liuc%8A^o-eUCTGPDQ$qsa@znf&|?fLO=KQDfG%W6wdo!>bf zuEMg93dw4UDyC|=I}AwX%z{6~^oCr=hTZoH-s0={!`O0xnk4WsfBW;>=SN19JM9o; z-mn#HHk)K8`CDOA=177TdtHMLB3qO#+}qjC;6?^42CABvx&70?*=VX^wnhF}V$z)8 zhN=JlRSi=Lk=Ft$P*K4XfeItGsr^qbRMe0id;h>$x#f6JupHZY^s0X&AI-3|1$JCo zM-P~j*b`;~N{Xd)(QF>Xc8sv2f>$If|Hji8_bDlG6wI92-9zc36@lNgp#_Uj zrq@vl3id#&poXBOmea)Wmj*N4-D#;4ffi|#LqOT2q#1)eE(bg1D41Xs49Ykw3wzI! 
z@8_rA>!`PW+W+^`*f$g!uf*c@5kO^~D!0V=vrvP=pg}5G89GJZv^H_Tbw_Ut37`}S zgu}M3O#LG$6fnVZlEPD1JCrCD58;{|yypM4);eoL0cdI@)?Q%%cSMSpP)jFgO2gdl z9I|FzisCmyGR0&6#=a}|UvX(vZd48UumtT*3p1J733#*5^;ox&@DJv}0H+Q|6@3TL zvHRVQ;O@JJpll*lEwfquCIV+y%ooCkMIl1_g(aj}rbbRn3oCP=S}LH623a%p0vo95 z7|CEOnrUOsakgLF)emLLXJ)%l<7INKGIvxNlbH?0*p{LAj*5V(LfS$+dNhiAJNdcs z$Fw1;Qa#|hgE)svYnAIh?f%M<`0LIEimmf#mnFWD_*5GJAy1j3dyR|;Ri1HHvsKn~N@`fZ62mG_*IBNpuXI|{@$2EV7xYDrKFM`n?0$HG z&t7$)^LTn@iD$Az*?Rgcw>jzD{uA$OxU}&lolW1t)9j~MJv`Nb&;0qotj~SbFpwQH z%l57~ILidiSX&7DU=3JmgjczK<$+U*z}WmgN|P5)jadLw6l*-tlcgzejv^Z3D)WJL z{CA7sBI&@;(@UVS>K3}Y<@#6+qvr&*sZOyw0Qa%gKPu3n52MBGl(BMK)h<6ir@WWN zcL)E3;=dc~jSpK-Q)?44W0vHfAF3Nz!N=O#&X~pl3BFoi*f%)V4>LjyJc%yYNH^2l zNHNIG&(CAfA~_^?P;ly)rSSPJvF-# z{G=Pi!^_61qaZLU`=W)F@U=t}ByuYxis_cBoq=gY4LXODs5ZAI;FZch%Tj_+H0Mys zwHT}jDA#FV*rnWj5>IpC&+PNm1_i;`avfllmBBDzyvltfkPyNpD%rYs7zWTS|(a^|AkL!rGo#35*`Q_vKegnc-KvDtD4BL+!cUS957$~|zo-XPXyq1@#7ciw;I-WJ_D zuLYl%!wlyM>I~zDvn94H#rC;E zOWm*C8yPc&WpMvp))){T6gAoYtdjGY(ApXpF@w1cr7`>6Hce)F#xN$UidU>bA(g%Q zAjfa z)01fQWy}oE*E>Z`9pBzKbY<(Kb&E#mt9AyVJ3JA)vId}1ru1~R_8zJQ2S4921n~3N zU=dvdBAJF#lOm5pVFj5R4$>ss9`$-iT`D+Gb_0a?Pu28wo}UU8s0^-XE^I!)5DH)x znpsl*_|DPce37)1@TgdWWvUfPq&s8a9KDm29L%D)7>W`Qb*bvQGZI|B4GX&l z{LUj!zy^A602{r_o`s4uvYlj(;xlt@IdwkT{XH%m0tx*ZPE?|US5oaW;}{XXB9Qz~ zfLhnVpqK(K9v%vEa&Tv7a_i2?&f?v8yKPM&BX7t@-DMa@B2&cEH37sO{13G#S(1(1 z*)Q6e#Qm+Isgm+RCpW0~_wBFa3cO*q(z1ABqMTshG#GirS-MB&d{Yp3z%h!{QjQZd#T-2DKd6AtVNKT5HR%jMQ}#V$i<%eLS*-V$5^Qu zN}ZivlsU=(92<2#S7fz2U{yGvh0o9FEis^+rxFVSW9~jVD*8KPQh7#)>bO2cf`wxj zEUV_~jcyvU;QFRh3egEImjX0KE5>GjgIB!7`&5CmolGl)j!YWBd7Ql(fY%@b!3$i0 zR74Sjnv$WTxh_W6f{%n&n@j;B7_*S5RJT;_aSQe zRyY_ZWs_KejILn>7l+Q1Ws}g0kT`9@Z;}maZ86QN{_iD=WHR&ejZp*ZXtscL7vi%Z zP>O|~9=#_36tX#}yT70!ip?gepb!&;XHD4Xv?p;Z%y?Y6$YwK7Ww+U``rchztJs1H zMGli6IdAYY1W!BfaX2^@V77xGI_Nksx58ybSiYYFJv&&5&=9an*xEO&ITh<9%Qui) zRS?A}^MP5_NwK$1^rPGG?wg%sAU=zcR%IkgRgZXDlS&U+R`*Bw{QqD^HvUhfL9b-`7RQ*obj0cR=UoFS&td 
zJ4(6vV-5GW#^w)qHgb;5qVJ<70Y}&DOMcXglO+O<7WT8T=1R@3M(SxI5O+U|nMdEJ zcTDsLLz2oXw+uqv;{(xWWm?E!XfVe{S^ITtM8Th^`3D}1cAjy$1f~wTGPY#u=FDPV zTylRtno-#zT9D#SM7)85>EDp2RBd+%CKjMB^{6&5S%=o}+bG2`y9xRlP%gJM{nlQM z{1#g%F3=#Esi(7rrWJe8E6V(6Paf_ajGum)xNf*=uXqIx@AUcP>s1mB&yJPxqlQ!? zK}y&86Kbw7Nhb54W*pYRoe~HK&_24=4%Bdq5)Z%SLpYyt_y{zE!a zwyCJl9(>6J$Bi)>YMpnz=ecPld`Od3KwqS#%a4rD*!cyj-}p&EEHo!a)f3HBj$(K& zmYK^Y70*HqUYks#LaJOfoGBE+CSqVs2rb{M?{{zpqrJA?xme0jtXmI)mDM>Ly*y&h zSRzc9*1Mk7UEvTjI4-e60bZbycvNresC??*?y6f}o{;eC*4hjDcLdb1cHc6-O9QaUffH-yH~*F!?WtUH}3I zjpzBIc@}C>tm<&Z&=)xtmsLhX1N%8LDjJhECI*3o*Ku3O*|M5XT~pH(l&q=UY>E6| z67sC*mp&aYRLDnDX95ohtf_)JB12>uf%&}93&@bNu4;78wz+a z_S*U3pj^-W{aCm+yNUl3D5*Ng#O7@0yu2HljZJ48fSz|XDw1*u(~6&g^Nzlt#tM75 z9w}IRh12bIL%aItpU>h-eS@u4_>ImQ??GHGDTQhdb2cFS?`3t@jl}_{lb2wm#bn%> zxxS{GsIq()P3ax!)p`i`(vzv@Ms_8GTwF{}Lb!L|NLXoj)99P(*3PZ+gNs`Sp+#%P zM%1iy^o!6msXOey1COLwl&vdqvck`KQ_d}V;kj<_nQVq zDK%8+8ml?7le{3dg<`A;NnTvlwdTdzhemM8b!vqn&(Fn z(sWZC^FZ#?FZohKm&nIiVUDEpeV~5*XgTe&zp!Cdx z)VHdRgsKRNO|Dyes?!9Cq@vvM1K0h~?8qDChaNHj=R5@rdt3{4bo}u-A7mKb)w=0G zOlUIIotSu%iGDH6_hfFof=Y4mZUSn{(>EtLT2OhwJU}5jMH^bjsXFUeK-ABn_Fh>y z7Ft}jfZn!FO+{1wmWq*9#2^sn^E>}C>&ARPWuoQ0x$Hd27vD%aD%f?1iso>q=29$1 zGen&R*~LGyiD!?G2Q+P(;k;dkzPM^G-r-a9_d`9Tdcpe@QAg*VAe!zvD~9y#K!7&+ zz{;TYoA|C%#qmJkmdmq2mMmNj*=l$QHPv8pYc@QKl1CIlfy3$wmYz_*MJPgE5~)Lo zjK`*c!S<%xBr%az=FSO1oFTGmtlzAY6aH%JfEMCnmk%9*meJ349ENI^=|_x5fj6ye zlRt2Df1NvhMBEJ~3w?HZotyuV288awE)qSjg@6s^DhmJpJ#VJggab>2P&6v`X%`1C zw*mpRSlQeEky{P_{UF${j5wyA$L(xp^@Ph*E5n>q5<0T^6<`i@gQQmXFp1+avFDx0Cyk! 
zOlCxZpEo;m zrVS^aJ&Ov={oZNBT7!d;k6f4qoJ5hsvvUG&UbHck4LwGHi&Fwzx-cx<1%h zEg$aB?~5ACEVqS{Ts?FEU*}x9eNR+E6-HqM2P&UaoJ{tv*|{(0jg=&QdW!ua*K?Qf z%tR1x*FpHNL!~c4!$lu5aXrl1m{f5QU|KFaHa6x;!g;?|Ja6C03V*w{9Z@ewfzl;V zb;($9o=9KKj~4+mVKB-CX6h*v_vr&mzrq@3Odm9KOOHGiu{D0NbFzQgTw;3N?QYR2 z?)DFM~46 zA*5rMcaqNsPcri`t9Y)KsP0W)5Ye|?(-LKmB6n&2W*szPr@2Jx0`@8nhD2l#hz5xs z>fe%P4PJc_q(ezPZSyjZ%jUjH-g=lhniKSGKDgyd6x-h3eea6-l8j00Ip`N+7{Wdm zMpS>HwAAifezWD1Lcf?wcmzuu>XN48(`+I&W|a#YgEF%?k^lq>#(4i%1)=)jI=Rzl zlV%3qf-kr15-!fsnX_~eyp`qIu&)o0tken0)ahmJENK@S0;LYL(GP@5{P{baj)PlE z()XS83napNoc?Mo(ho!SD)= zZ!O(iCE0|tXDF6ru31ca)2_O8h<%2xUMt5@**H}{n7|SaydfX<@Zc~e3M*Ct^1ljn zll%unXn;a2Xh#J`WL_R}fcpb^AU2Ox;pCG)?p0}=5?Jq_3 zlqQ*0d{JR<;U=Y&LIBj)F0ECSfc}G**OcF)uIJ!2DM2gau^;^_1XI>CDHcsWN%Amz z3jf!-Gd7C5AN~UsX9~^n;TMF}@h9Hx`Yr<=6z*r^rAumCFYn(;FPb75+L-~~(R#6* z5&}n(ZbXf|oRG(y;#m*`^%-$HaU2X7a*~mLJNA0$ZvgK6Q=M~`wax8t{_Z@o3d_b~ zliz;5Li9>0QW=2fM-ssZ$Idj~M+^eOL*yxUIF3@*15Mly{jGnI#+}W%S9|H}`&D?c zWCDrk1h$m44V+m;s$XE?sKN!OJBjoG&w{yGu9DhamLWf*|K<0`=3?Fm7;QhrntXpa z;UDdOK5Yk{JV}6Cu{Bm)`h%N0UB^q!QIM@ACA!LN#Wc%)6kL1EwtOD9mfLoMn?=rvOeuvZ?( zVZw?VyNWbyY3%jiXi*>G!FK@r`B6D=C25fXtJt2Zx49pSv4Yg2K#oN)4Pgo(etHU$ zir)JVqYt^FhWRZ2L}I^5_iK_#PEuI_Te19>yc-(- zq+43Osf-GwBj%%4Rfv+IG^`ZWJ@r>gS09)ugO7#Hee%ur&u24<1muKmHnu_uRQf zOWzB?4`YylvcV~pLjdbJNFvtWV!Hg+!qUzJNx`q&8hVVnelx|o4&^4sw_8n-0!F^i zrLL01las&mbdjTpi81VirFr7=Hu5?5muz*g#zYNhIDHS`fRO)x_U!FT+mQ*OX5oTUU#=q5Sy6yhAz4A4Ai!mxadFEf9a+U zSIlyY^6BtH*n+y-qlB;lvDLqs{nw3<#@gZF^*OH`GxI^)lX4@alYiBord3MF_cY|p zUpF^{oSJt5F<6pC7dAQu-mKeoouoXTZ4P-Cl#$DT8m|4#_kz9LZoPpXo5ISrtHF)5 zC*$u!vFMFdh4zy#;eDg;-9{0}H!d$1+IkPT>Meof$^Fpq|7sbm$$?ilJ2z*+g1i4B zNLS(9m*$a58Vh%MoE?#AD*JEV^GRcmsnm+TXE`YxakqCrtFZlm>CJ#JD-7w!MV{Rc z^vxJNY?c0D{qgvX%u#&ca{r^Y!5AaccgOXR7oIQ118{uwg>@&xoF=TvpeWRMKmZPn z#1r-*vE1f-xQadIKJfRxKAn5Nr*%t*(U8_J2{#aQy?5D9{7d(wfPGViWdgqPlF9bJ;9S!98Up$?FP6JDJVc}7i87MC0TcI zkXq7x<~LTpn$Z?InkApX)WFNW#C|@0WE7)L|4A?e&b~^lQEBgoKVyGx%=MR2*jt1{ 
zjTLDYi=T;Z1Bhag4x!&;P0*PZ0?r3;1m~EM4aCUD9QDD!N76o1HPk`%7l%hksEvg_ zJjB6D#Uj!Xj2(e!UK2W5$c2N&Fx}NMG|aEvyRxC}-yOK};6-sK2`A9D#~+TDxS#!7 zM&($CF^Q~*2j~d~lS-aPtSce5N|+E&pclfyZen3rrYptAn*fnkcLnv(+AoR?udxec z7=TdF^4=TM|9JIL{NUJyGIMRN5H^?;2caEoe6e8g%9H!uhAsi={ltzIrV$-|AlLr56%cM|NoTw&}a zM2i>M_?-C@{6?g14lZ*Tp`9U`GFF58hWPze0s=DlLwK`!H7k;(20W+V_TS;NA(Yy> zR5_W(Axdzw3B-QQABP4jv2FSi}jCC3Fw1omh*MWR$y6yylE zT(zlBo#2OYfv_c{ur!|IAN}_(Jmmb@PyOX@N!b|B1y{GdK>uRQ?WF zizGE-kAP6qP1w(E;d`r}nHEhxE@#p%=~9)fwKbnLK|Gn(q*rotmT+_C0iX8dsNu6i zqpwztKdzYz-~CHNqVN73aXLBw+1fYaA9$*DUrOBlIKy^&%XLA4x6R>GBKSSoqq_QW zj~xaf!uJlhtSL-)0nvV(o9@kA&-@Zu>+Ez@rEoKxP-AlEM(8*x@NZQ{eILI-h;%3a zhD$N~ubE-#AbP>Kbu;HUq+ZXth?Ay2fk+ei;WxiUreq}yf}UbZfvQ2@Vy>>Vpo@=< z&uRs4=hE-yu4)Ny7}i+Rv~Y0V5v&fkxuWp-ea4-{k-}sr35*7sLGH&&T||?WTlzca zyT!R$UN6?0ZU4)DM+#GS_EPC{XQvkO2$XXaza|?J{VTIHqZpYFsFb&$Fo_=JZ#wjo zoVcbkuQ>~t=Wt1Ug#Ei!R7l{ck_zWdaZ-E@=S&zx zR8}=ms`Ao|fklKj1r+g#$M1V_BRpeQjGjQj{~)_rOc^o`@o;Tp5~`_&_nKSjUG-X| z8N7t8zU(I<1Z+cdwNo9!IEY05uu;x(BdG_`oS`}1BC)mQ4V1%RK~E4X0%%yQQRe|7 zFBh{Mkl*)VwZuu0ObdI!m$0oJB??DtVJvCEIcLVI{Vq-*3>~51bZ)q-I|1Q)BM5|7 z&+`;PAtT{3Orj%k-R-?QWbyTRik2;cM)aD>s63%O-taOPfxZx}SJ-53C74{(V2 zaeU0mGxB1pP2x=ndsZ0X7$^;>zS(xq?@of7Bn_)p{|+iKDsj#LxhbJ}B;c8Vy@S+T zD8;D++&7uXnP|&cY>zfv%Q}gRR$)pob~J~~+)`{0y`P3E_}@e>lt8d9kTtj#93;-w zS-`Tz$_cKV1=Xpj*VM>>K{-jJ)K&lHedX0nMW*p8Lii7YR{@E-x&7pQ->^*~Y~(@o z+Fe5f=h>uWs-grCVjDrKxaRE?GDF6NbpYh- zMepADF?==i3`h)RGR6UL`hbh9UlmeW79nClo8Re(L^LH!9ke=2$qo#McDuNKwWgI= ziZLqag+>^EtChx%!0{~unCxc9{f(j--hJw7d@a#$-;DQHo>)xoD*@#q92mI*1^O^h zPE1(nPU_b^3!A$2D;cp;Q{@m46MSm*S_v|FAgQ6VDp{GObq2Vmnd!yEX#hs3=9bwe zd%TvyOowS=16){{!LO4p>dVayiZMJ<9*t3(NU06_VgEYHwAICa#6HqEGRg_=J=J^gPP$pl%LxF9?OT<)U5mc6_8&4G$uWBDk#I%0W+ zbrGO&!zf?mZvIXxsnGMLgM3(Q=S?U@myQ^OYU38PZnHtYRSZIgPE1SHK~(uv3lSk= zLj9JEepO;-@mu?gF^O1PP17yLXQGy@NhSWWsrHyZ%WtvaA0P?>RkVcz*eySE;Wc3r zOIkiwrQprU7Ly#+5XXz?#N+u|)u`|~wvAf8&3~r)R5%LTQ^WB96#}eq#ki4OuoUf@ z<+9&lO(I_C)g-c#?}pI->$I9bO$cvfQq1?nfZ_asgOE_)LGZ2qzi(ie_9QU2gcwMs zyVy=ftAF6@*?Tn^V&Y 
zsD247l@Bs4uPv2LK2UK3tPK+3i&B`$2UIUa+nkz_h|K9MCQ9Om8I92dSfe!~xa1K8 zIk>O_!mDP^2Y?J%oCb(;KFmd3WIG2|4_@8IhLH%I96}V8ogf_Yh^mSC-mzI0%$fN< z^`aL6ng5z9P2vB`RKWv}en#MF+l&uKuk5t>sZ&)%x_o~IRG&T?Rl-g?`99Br@6>KvL(;F878sRz2#wjA z@|_h+OgdnY-ld$yI>&(ddN)31r(|1~g$xD)!zF~{!nTIAzoJzo4o(ohRgIPj6(_Mn z)SQq)b0pB~S+%w=%BEFFcMq{qCDY%7+-R9Njw)0d`@YWh^=R zD_FtVZV3_dwPjCRBcK_mX?#P%tei`2NBozr&aIQ+7NoTkhl@*l3q@wYr8k!XK~fk>qk1m{&zkig2%QH>(`Y<>V3!hZC^d2eyw574R*){VNcq4u z@Rmsf)WvWlJFa24chOK|XolxZU*Jd`1!{KC%PW|Mr)?ace6~WC7*|Zzi^JK5LVP0e zp|gBI)dqfQQ#vypKDCY^-1`qkY9=$Co({saL0B>b=NWHmv4|^+0>=ZJAj3dLIupJ4 z;aQrtmQhegY&rRYU4+GuLhbVG$P)ED`#FF^4#&k{7wU~}oKqq(>^@FxfI=vXI{}ETJTrz>t1RU-#+Sy+;Q)@Hs$}L8!e=q(e zOVI{1JnCKC#Rwcpab+J+CNR~UZ0u~*I+V%aiZMsoi|lC;0NTK)OIeQL8?{jNqFMFl zCzl`!v$ooIwEB)(Os@)jYmaaK2I(w1xKbRX8V6ur%o-@WEmHE}`)mGr?SWmTgHDq2 zLcN@$P<0ByC>f|T%A^7YB8%>lNJ}_5ax%Kz3|##0)=pl~f9Gc4h_a9&5TJ;BB$2|1 z_baouk+FbEord91@oGZ8VffFSx>_wAeh`Mwg};L@?OEJ9K4f>H73K=^%EtbhBR>yg zsF4AO**SIO@!yo&px77Jg&?d2=1xZkP!g@jc#uMHYOO6T?oOcMD|3(fbmIxSE*OYh z==${;j~V1CHAYB*ka;9Fc`gsh#BduopS#`4F_6E%rD3r|P=flBUCR$l#2ZTx{eGNN zsHVo--`|RQ>`D)7x~p*`La8Vz4O0yk$1Yze(LZPkQqwhxhcF${EU4{kV@FIO#%Tvs z_^z8?_Qt6R_)?lxjw6m2V!>&m#ElGqID(sGtSAw`*bj(BKi@zqit{+d}0|1okP5fk<_{d@H)eW)N2i zuwq&k;eq^<^&hmI=S?!NLjljOy~W%fxPWgByn<$2E++o|ops~^Gao7iX)j9l7gImU z&wlst5^IdItJXI z*|LN3S_$50oXr_Q@Ri1m74FO+3W@M-Lp0ff6Qi~dU{s+2PM)Q+wsZajsDC?~^u4_* zdZVnwDH0POq;Ch_JY{0h1pb>n|Dyc6C}^N0LB0zTcTXr}s^J8>AG&}vrvXwy?27+> zk9U*A%ItXN=7|9x99k~_b5~HMiclcGuuZ7QUF;VNvh&zn1xcELDAV;cughIW3KXq- zUNi>ETf?`b=dr|4kbxmhg8w8Xn|Ak>)ONv1eD6A}P6|ktE1rhE?v12j6B0BoZ%GUiDuOt?5{Sr`xjO2<@!+k@7%y16r_k`zOF^gn}iW-P%l{c63+A$XZ|ZBS$pA!h3Uk0QH67%ZkN#GfkHTTj4- zIW1SP^K@p}fu^8A3E^~R-DtvZjI^HFX38G(@l33qsI zWy_*@?M6qMl4+DHwapjUxE3vZNpfN9Nh)v2F(FwP-1PFEIx|dz3GGt`VYBrMQ=m*j zJ-4|t?Q_vYbNcIt2p+lql3X}m=1o8~%&IM<8h5|@+MYasGx5_or}W0y*>gj%6nyQq z2omE%>5ZgD-ClXZZ`~B@w7dQC4yW6Hl|0$>i;of?H=g6(7FN}8BTgm~*P|6(iAA2G zXXF%n61Mi21BlVSx*xcNv@?{44wjeXM+Z0-Hc5tP(i=y|D0`xMiHCA>K4fN;jm5d; 
zU6>P#M-1_xK6;4Wsk>ECEY9uW{JW|J1=nkk!*OBJS{E)_8?)gXFWN{+i)i4~l0^0W zqxU!D%X28L>>i&}m_(gHAjZ;V#^6TKPhtS4-|CLYokG>i0SOS>tEh%=WJ;hIbMqjk zK{^{zmxN?Qb|7nYV683mFE=nO_M#AkH1RlwAhUoP5W}t@rbZ#8-P=m6a&d`q{k=^| ze)uU;HC+6+{=MD7!^@w;`~IVQia(XXs*EbkEQ@#JHamo-C;mtSp-RMPU=SJ{a6M2L zGJo%9dBW61et}&-J-4c?$G-z!siMU9o(8TDdKtu#Ha)ZJl)-IWuJ=hK$y`m7OIf6I zh^~rC_SFX!BHzxmui%1CjKkd z3xjLXmXfVd^F(UNsUKBjQDkr{e`54o%qJPc@nL1^+*G~?+rzJaPN>qFfwe8YmDZpD zl%cbeUeLKcn|upn1}`|2gMPxGiLyckQy&-ReHwa*{EAsY`9v`+AZ%{xi@ie(jF+<4 zoMT}S6v17_7tGlqNq>skhWtz7q_%DfV$yKckfp`PcACNK&nCf|up;u4w$!@9>t@H({$~ zK<(rdrrObg?02KcP0_|Xep)y2r93e-9=tq0y;WJ~h7;EI^35qjVW&u@b0mgSbG$Lr z+mp9QC}w2X;oX0rC7A#Ad-e8iq+U5gAa2*Wz(?~KAanQLb_K3{VFNh#3x|5I@~kD0 z>MjfRN?5HPd{M1R4a4yFz4=9$(hlhi+Q6w@aZMuDLek1mimJ&%f(BuXCkD;Hp}o-{ z(@1!XM==erK>U56xpELYJC4^BL>3L0CY4 zOX@gdH)qjEO3^0YbL@ z4|N|HM$nCecdYO+YYT@ua1+LIJj zm<^woUnh29zJ-tRdtw%OKjMc0#bzLz25NOmeys0`*v7JcO!aM<4Mw3v!}z7iE$ zue^nLn0SQ2;fk%eYY4Ev+BzF`{343x<76)?{DkFYy~Ly6y|_6Z7{J-gbJPcAA|HjJ z*k3xR3!^BX@`_KVY$w?rA>{!Hf@gz2ZH=pHM(VZL09}u-c zBtKfZe%#)qhZkdTu1Ay6)WDhj9aciob>2SX3k$q#Cx{g2CE|$^FIzM=yi##;_?%5D z#18DZ;LPmzu{)=@u+t&daE}eX3cqNV|4)A+oyM6W`X>%W3o?Jl6%pkAg7E<+mKqnc z0Mdx;qbmBm=c*Jld4JF!C3IT!zcD!p)%5IuXtUIO(gZT=f!q8PPusp~hRCj82)@{p z=d$x5vJDFTAg*k{`$aVJp0;uTwoYYPvkq5EaOT1A6AcY6Y-l5zl~8jp(AP11%2wEt1uj)lsS62&R;vRnav?7Z zb_+J@(fa=aLf`b$Z9>3GD@jzBI^bt7U(l-sf8AHnNk1FMd80UF>k5$h&AIBUCup}G zTVDLoas4|MMvH)Jc4lqT3B+*MLJLnDvXOsQp6dxsO;K*U* z>v4;rmbdt}cS!hkv%3I(qrh1F=AV&ZJpntICh%4U)AZ)8$LlGDVl~fyBTT6Ph*8qi zE8L%S-sn;W{Vm;m8+L*Cf3*OnTaz4$=b9=&_4-km>HfixZ3Uzn)vOLc6Vr)SG`K_- zIATT=R7XiKQVmb0nFq#zLoRu*VV?;H3)8x#C zh@nT%7p!S`AZw27PR0jaTl=ki31%0w!_S~Y+_8;6d4R*G)N)U+L}pbuZB?l5Dq2rS zWSIwms0~a`Rm0UeB{nF6QQW2^)!Y>NUPoT+z0tu$Qa3f!1KzyS18jm|cc05Rm!3o8 zT|L0KDcyLK-;(vSrwh4(xM`qLb3b??1=!wC$3*xV+Y6ckSbP6mNoR}&LIsd5iro~= zOa%H%ECu0Us|(;~6b{rPk3y`#sXWpH7%f6dG?w)QtEQ-iH_+VYpw?K*U%!1BwHX6`c09a1iW+3v48&;{Y>r zBN6Ir0QEON)$s!OsnK`F7fQP8zxRVf#YSL2A*d;i&Fks5LPWzLBlTcmK8xfpq6!(i 
zdXIR)F{|@z02_)BVRP*GR_%t0a0u6HuL2?`*v+YkY=_F!z~EuHlYQcp%GAjW8)Q6+ zNlxK)sd8Gz6&5L{YB3L#q8DOj5rdt4{H$9$hl%+04Y@ozcU}1ZY;S}2{0Z|)L5Hcs zu(=hW!$ufBRUZ?>6cNRy>bAag892Kyu9~9Xjq}KXz4YL%RYq<3QO3s_979=P4`#in zPU_`9g50D=Z8nUtZdxCqeC({4p=%Rh*Yv!P85Jwm&UuE^)Elcb-&}Pfc@^?JQ`CG9Hc;Zrc`l>dvz)EQ5 zbH?fA-jiQDBZe}_Uv=h2@w6A@AR5F3shPqs`ZG)UKTw*tbYLNh_4PUij{SeEQ$KH) zYPg{C*KawAA>kaG2(_Quajie0`fL^vjko6J`mhJ^9hQNk9$5A3o+}Hr9B!I~?n`vA z{EDX;?!VKyguS^f?{MNnCFNXn-fW0Te_;1RT&`o1F3b8v!ThXn|@99v#9-8@723sb>ud76E8| zrNwPPaz>0%^@vkz_zNmAt?{cvyYa^Q9e6Ru zoYLz;1;OYl0VcC1uwPBT&+}UfqrcOTR-p~OYF4dh$y3uL(u_G9!1j{R{FHLpJ{_vO z`l}lF1Xj}zkINQ3>8cnH3vz2=@9ibD<&>S-Gx~2D@Cfy-P>7LKv%Lf55~aKb!bl2` zY0ff{kivA!f>xGMdSu+=K=PuoasKm@2s|}+2E5K91R7Dn3zEe)!MVjljGeB|f~kBn z<6@u{bel|B(3)JoJUtmLjZhZgf>C=$Q6t?Ywsc-BNxWi3qD-^o&!lVT?$hf?CL9P_ zDtv&Z-stdbdF7tNM+W>4PjA5%N83c};tVjr;O_43Hn_VJ+}(rQ;10nFZoyrGdqN-t z37P=G-QD5L`<=b_ADF(TukPx4s_wNGBi^#!QrveRk}o+6f;8GO+S(t7YpB(5hzM!i z#h`T2jY!KM#5$MEurMw;b4g|m&L(B&1BOEnnJN%GX2tE`{^@Vip`%b{?h7@`tH8ur z%&!a4&tH|8f!TW`?%E|7A}mH1cXx86&TYedGO<*qjcLWh+@G#AH4M%406bo54UbV`YVh-@?eb-BxmXXgDsIXuqB zSuE}-bm#u9XdoY*86FsuiBS2kihq0Y@K{Ec69+*$jxC8}GpbK{_N*@M>DFEs3A*8v z*2yPXfX|!dBD(oMy6q>yz^QX6P<>Gl_b!>`U^y`N&w3^09eRd?&q|3A8^43?MRF-PB8!Qa?J)bUIn9V!D3K(U-q5t)E>A zQ45sA2JBJf=MoM;0Zc}<{53n}6!7T&u&F0_rPxLdED40IEe5O6&R2%O!x=YPbc<()1|4)@(S|gfK z{B!hAm&Etsa5FL@7Ce)OkXyskbZSNMRTyb=a~(Nhj`RH-kt3*+)9SXp(5>@hl6{9h zslZau^i)z_v~1b=w}+j_*9OE>JcDYpfQ`E*D6oLY@Fkz4PS{k)y~i)*2=n_+Ad;>~ zKi6GJ@w3JTbyerpQVZJPv?65VE!CNEkWSVY^WmgTkojBwt&Ru4r_7VRb(?-0>ZCiG zk6nezSBlPc@kS~7^dsv!DoK-9it4P3>0!Yk4_UNeWqd}dv&P0uFoG9Jor7zUsI)kA>@!5_Ce>jWPQobmYX|KEXY=4F?0{Vg7 zg;%(0i;6Cp*x6Lau&=7wUxwSkxO7heJMZ_u;343RZfGCM^4d3Ra(78)PBB=3@28X6 zB(2h{%#k9UHcRb3-BtB<1^D?a3>|(WS*et`ewjYv3G#@AnhZ|HwJk%g19S}^iD z0!8^@xDo`Gv|sc|8fJ$?D)=oDDbq1~>;#{MjqOjo<439ALpy)5_uGXxal}G0mm)LZ zhORkFCOkg3F<-9oeEP9Nk^ZR{sON}07&CYu$=_zgXJi~Q|Bxbs)l0p7T{CaUb;%?)IsuuJZRt#$*T|qY8811<>sfpkW#i(Jwk1~bZ&~xsD z31fSO?qmHxW2P21#W#nub0s}>}2H`SwCWL8OBEYnR5q;=nezs-|SBcEV 
zIW=MZ3*q|wODOFTpRiRP(ADRHTwEVk01JShF^@C_DU*7Xu|99js{&d=`AntY4?$$-?TnU-FG#y*E4K%$a`a z!Ycai66a0UE z75Oku*^%G(Kk4KKEv3`u9iXZGqbis`J(m}B(6PM0D~&vKxk6+>M^FM&!9P+mo` z2Vp5O5ZBgZDy(u}&=8NT-f`m%Ntz@sud+|5m{uhHmgDr92;-wGv8G~R^6QaDD4y2V zPzJ}aKgWz*xcFg=$X5)OFzhL(cyBWmK{NgUe~m_8y`TYI4+4IHe%?AohKYGIV{ZX9 zrGb~uYO0glvl5BT(}_UnjEUbt{%1B*b$0BIZ&e3MAM(`m-7Wk8JWgw(pG$XG!_@c( zV(&+ZhG0@?k4a~*$fZSHE%GPC$G62~suM6Cq;=h?;3zjI9``(VlgJWTfv{ho`_yLl zP%u6A4`%sE}(nFvEagD zxY1rs2`oL1SJ^Tb4)XO&^haO`y(#O!^ZHY}Lfa150Yzf{y*xj==Fs1%9Wh;9G2RIG@LwQYn;3a>A&0yigMtqvs=W*e;m(k*5 zlT3(oy?|)oED$5SnExKEI_{C`>YDRkg=#Q}m($Zq6jY<-YQHxSqjfBPEL}JyP_z>- z>ym4)3Lv*zjI|S(E*FR6iyYymfeQ29=zRz2#RA)WpvTcpPQKnOu0Hws`QP!-i9na3 z;g)zhiOP!pGUWaoEfx`IojpSH&n+-|WE+neq0rQuyvVSI9?O{0*&q!sW{VdmeopnrK}Qv5Jq$}Q4Ux(s9_`d%RMY?--o7--*>zB|hzWWr3BBC(&*$8x4D-x@(4mh8 zp%0pxk`l(xj%HRgFFtow?>LLdo@EP~bahI8VxLTV3azx5<{1?P(b3RCBJw*Gi(9@y z^=M^(LSX)3ec6+`P0{9Q7!nv$<_AFWjY!n7hDE+tDd#rfO|GS+ce?>)$pnUQ&Pa!0 zJk%&`kI%TYj;)$@E9i}G=7AK$_|V@>`k!@M_|iExzS8^OkOdFuNk1Eva-H*gnR^OOATapojW zvOn}3*}RK8b7b|IU0h(JJI$6Bz474da`13>KJ@ceg=y@CYqI-DISiZuBWMXq84p?l)0gwEE$((O|}KF%_l_6+&Yq@9yPy& zVR0%~Iz{mq{N@mbB;IRaF>k4+d?9^!2XMmfF+vxx7b_lw?hmHM z7tz!`^>(!_%2wE5b#~181T(Si@7?9FIR%I~V-$Duq<7j+I^gR03I6?AkN>R4!mE3G z!T+IHAC6&{4t3qHCWmwU`;IlHD~wMi8omgQTW>+iKVzRt0x}GxUd$^h)D~qBC#5mi zfSN`#rVb&5qnbf*O`P*^i6_VT#5-W)m|PSmzZak1$}@G`AZ3Z6rnHM9l1Fa0!t#!Y z?#H;QT%Z$!__}6<7@JS0x3J?FMJw_J5qoTUF;Y$EPOi?6-%On1iV-geY;9CEA1;I~ zLDC1cP+HcgeqIE^lOC4vyZh_OOwZ9Zpl2+FK1QE0V8&<1T$zBlUd@_;p_J2<=I+us z9aV8C$g%2W7v9Gk_PiZN^(9jk*17h0SmgObu}@Eli#??03rb|9+LXYyh~19GtYR*8 zv-rF@c3};pSOkn@&o7z`&4B1%r?OtzIP6cmHvlPR|8Y6oN|LAwsnA7sX)>qtZ8F!! 
zu#&1RDZ!cslWvTDRfYpT1ulngAK37Ww6=Jq`o_->q>O_^NoN4HC}(6Q7#sk5P>#2c z8HuiaT9Og%H-}W`c}hOhmb!zbj_=0=AcT9yv)p`m=b$eNv{}XMzNWIh>h6weS$#aff`I&0bl^-5W;9)m>_&HO?fpaUQ;`b zH>aRlK3Wap_mEnR`1>}pyIjn-sY$VO32I;v87N0H2lWw)o$UP{ko0R%!w#xh27W{; za}T10ns<2E(|L5(0&g(L8#I{OI=yei1X=d!52UIDPn>%HGpBt1yNLP0h9w;+k$=?^ z24_I`*G#ngmKwT7bTin*N>0*ETuKha)k!^Q{Cf?hMw|C$C{jMnlQ#rb-23M)KQ2Bn zSpSTOv081zf)*jSV$vYionJ8NAqiuvDNud_9;f>i(M8YRUt?}0!t@`}@Jc+24E>m) z%i4$E1!+%C%;zKfx9@RE)S}-sV$sk-V{#3Zk%B*w7b)uu4tTf|8JpG~$d~bM)UA>r zj&i2HqOUZHya+(m#rv`0gyom(v}Y_`g>!r+E0;dI6ir>5->TpZb$q;nW*$35!mh#OtUk4S~g+1@o=+<(6Jkn9g<=*YA zCPW`Z=?MwFjX>ITQ3 zzlLa@PP`{OD;xi`Eu|tbpg7yCECm~zXQ~=$SW)D z-L=w)t^!-W|xjLLMdT(uO(=i@xUf~b}vqJym;2SZ5Qn-pC z|GYm}V7qJJ*@XG?jjn|K`H5W52wIdJGM{9Dsg=2#`JOxN5*OVjk@qo4-F65<_JL82 zs0KQffNlz0E4ksgkz$DWh`X_@Mb&oGFIQX0y%Z3*cNt@4;Xbox%M_pbBYrPnaQl*& z9yoNIzr?$Q^tPuSiU_Cx05Ek@Q=iBp84xB745C|d5icHJ9@g`ao8D6qVNIXq#EQ?O zi2PKK{lsdM8&Q}X5tV?btW&=&Y+Fzd<0;cXGFg&o6?Pqh72Ez~+G4hh=~U4QQ@w91 zAkx3{?67bMF;hfu1AsDqwdAoqwBaq(;(z4eR&8cBZM*vfZXO*csvqXJNETWw8il1p zCpzJ*#G28u8p;!x^q^NKw7)pNBzhdtAn6XmyR3j z>8(`G9L~teRHDfkX^Da7H#~tEbYl?*g0uZZh{q~J0rny7u=K+MP?oj`Bub-vJi5&1YeL^&hv&obko5yH8_|{BE^X=<1YAtdCRJ z$dmMDCO&8_z_}Qgzh_P($G7)e3*GCg_9)S_-zUIVSG^n?zjJ-1YIzeox*pz|ZdIK{ zTQJ7Dzsj`*vkF)iuNAA|!20Gje*Ar=S(X$RQjq5%F8<+?;gjJs<;BnT0Wz%R&73c} z>LV3AXEGjFTaq!w;nO7zY<}j`c%`D>tcj?`(_1)3K6>#d{zd$E-oY;xX_vCbufP>I zK}QOutcxhHdx6m}=0sm4g8dYMN*|a;g+}ZWhRc;;c{Kcos}ylinS0MK1-@>oGggKD zI+D_SBHby^Ocb8FbOr$)5qO{W#j@2NUQ_Qgu9X(!Zk>uR{X2fHg$4Q+vP`tA&_N&V zYTgf?W|cL_|AMYnFFlKtfKXpP65d3aaKd~w1|uUQsBbgeE@urAJTiE&#BC#Ood+;6 z$R3fmIUPwz$Z11QC&6P6(hC559S1YDg3ELR%)yzban7E$?mX8fwX(=Ok|p3+NsW3v z)W|C@zq|{Gm}!-m=}wLG4^6~R>>*MLOSOa8#FJH%Drx3O1#)qTwDqZrb{jc^@bG_t zoGQ2{sj(pVh)5tlHVotSUGc*1h(wJ^RXZ|>x^u9&WDe0UC~Sr0_3rsunn|j06{ehC zIk#~#fNlq_c)57=H;@m%+{r=;=E)oe-IQ;&+LqCqSVbU`lji_jn9RK&q^B7xG>3_^ zO6nkHk@bkf22Mg-UOyV_up(=ss2SU`-k8f2>h$&ySK9)1ulc|RYjVV9AWZZ2xDXuTs)Luu@VQ2|?MKnFmFcum^s2hh(i#DV-oQiNt 
z3u}9kERm8NgbY-7%q{PR$5aHuc{#TKUlt%gMDP}=En3GOopE*#UKABiYV#RZIjBo4 zY>q92SDeBVUFkrI>Ocw>H}`f6D=HOF*Nd8q*+64~O0iMSHC}CypOtU;ws5xxXjJha zmOl=XrZp{maj}lIxY`GwK~5kg|9|=Fg_f_2f$tJl+n*=~nU3<+*+;>2VNQ1M!OP$P zT5aoF-VIEVY58=o^>QX<&f+H8edZv?r^eKppCm0SWM{-LAI~$ZPXBOGNzQx<8Y>=y z)*`$im{#`CAFA*D=Z+_ifvEq&SkfGFW?XJ+td04v+4J+g5WQ<2-tA(Bu(DYF*RL8C z^=ET5|d=sNI{OwD{Lvl6sSv@I#y~=U2v)9(f96)hYffz z2tTW6wS-V$Ep|fivoqd<&0AmHQ0!;ssC{rw6}K={?$pD(#^I!2$LyChezSD%|s4Ml@CkUANfBe8Xh z_N?<08rgz;=5sR#i`F+YyVudRe5iRfvbuFdTdhg#fI|QJPV+7j(v|)^lMo+BIY4hkZBDlDV%0Y3G*bT0rK2;f-H$IG?DafNMWX8J6WzE= z)6YxARG^0CwL2jBU*A&?dneKD{2#$Ku@=;QY!t`a2auy9$7N^!jLgi<9g2H<}-R#LTEF3@D}Fn3@a?gUQESiuM$6s8ADq((Hb;Cpc18~{FGiQo0es`1|&Zi zDu#Rf@Wxaw_(ELE@8O zk*&W`tEAA=hw(83xlp11oe$`|L5j@Dq+sWeq8#3iqS}ye&`d()xrU1Ws9%mTgU?$J)yNs!O03)GZoGmRRT6YE59H=q+oF|rJYka{v-N)AT4Mj?q12fANq;NT;4 zdz=mf^SOAW5#;4tlQB?AZQMoiK_m8Kc{S_4Phm>|-hvymgJG1Yq+|*oS7hXPOBj&w zS6s9}vyEv-^F7dkr4F&d3$usniWD<~-zL|As$ld|L)rb)$3P1pVrqj`lX}Dr6yQVB znh=+*3^OGP(`<}#jn$I4ysB2CE4YSNHm5z*-Rf3YWd0^JF)dwfFj{L?)_xoVcfQ>2 z*C&rwzn&oKi|P6Dy1pdTD|zE54(DPpTt2rO!&45TL@kM$3d6?dFu!Ek*n8IgL zqE{k~b&Ji2kml?k4`sG$yN@dhmF7d7t?t8CPNNqbWj#GThZ(utd4oFaZ<#MzbR)__ z3K#{vZ`9$X_gY)mR~_ELJN6Z3|;1fksNCV>qGqTNW|$ zfX;>nR|Uo=nVUFK`ake-8?Z!{3Xz6{6_}S{gygHwL?@2Hj=z;SZpgS>1>9;@5tLk0 z7NA|*7R7U;e8TYz6zMz(Y;eHn@38s4Gz>}3#@-SoI?zDko@RTLpkk5Wv40djIUu%cK`}bD~L#EWaQ*_l$z=PvwtYluspcq zRaYQD31gie=qKQ1CYhJ=gGUA#8~D6;6%|GD|&rjYe=A^o}JB3FUq8*^%>-L=j)d!i`;UmOgP z&}gX_r%gLN3IM{~iZz2b3-$)KAFYlVbbm!yj*h|KT|wbp`L=t*i5LK1m?_7g8zt@OH3?)Vj7?{<>g zRecvi4sv~YOY=nzK1EqZ1Yb!W4`AhwYB^YW!~?k!zd2orw;)qrhmC9wIyLr1qjB_t ze0s>*+uKK&xj0+KxyHb|J4**p& z_&Oyl?}uQ(kI%X51<-&b$&`VsLR-+yyWE z1Q`YetC%V8$3Ts_Ls|2`-c^&;2W^2DFC`dl!ml&TQU;$%N5>rruG*+}Xf-iDgdmvugtEXVK78? 
z$|iH`4a9A~EdWGD$WCq{rKYoH@|kbsT=QsTi73`a{-OL8$2Oi=mrKW4L3nBELSXAJ z>|ql}%)`?L2aX#R7OA)~L%M@@3)U&8SD!Bm#}EQFAn9!w`E_2@hC-b;tP#d0z}Ucu zgS%*rV}zq#B?CC-`EE#rn54n#9sV) z4UH_3%*?SQCt;*%r98MI+@u1_Jwv}MwWR-;9*=Z5p2M^eK_VyJ zLMO6mb>ka)1v4uLmu!$&$~QBL>|g*F==+XQHlw-8@;!o^<7+_giBdFA6*ze!hUZr7 zhyJsbu$Zyek@4VN17)%hp1pUBh70Cal~}CnVh4a^iA)M8D&TM0-KX*N!pRiA)$m0- zvRD%axOQyl7$?M3*A_*YUrMSE9yBpVLndB=YmPn$T*4|N{zKpHC;o%Cx&$@AViA_; z&=%IllZ<*&b|cN{7r1O#El-u1PlgW_jx-Y8(gJ~?YC`H8T8L}= zsypdjmd{48xSv15Ve>g=Y(2&~D#N|}t|_+eLND_++i%4k!+V=-R>Pwi9el@}{LJSx z%C3Frz-aTenp>@_s0I1UXJqJOfI4YVM}?F_jjh|#z5FrnFXyk{F# z=G^{KpiuC|#XImbJ>OjB5b1!l90j3PUJGJ!=_uLEGHMz9p?-xmJ ztNV`4#^;9N%?36=q~&!g?$4h|Lwj^x`f=vh8br;_qWCK<-6WR}C2r(%&M>!X4RnE?Jt_GDk z`e=_p1OxsygREimPJDp>D>dhy9lA@5esAR0 z9{AEd{+|wswv$J8dQ|YBKjWXbD?oC8Q?4^CxhbceL6V)geW(s{HMEKv2o=|lT1DSk zt-|4he^u!wxF8{c5oLzLz(wZ8(-gQv(YCcDNhYpse?_Z~y~}2gBvoV3p%Xw>u`Xb>VnAm% z)Nr_bP}IxYhS<_X&62f0kNLUnLC0^r<~vn3w*P0CDXwR(5l%u&LRZl#=q+=RJUIZG zH!h?^tc8$59V+*-8q8!HrKErC;+tz}4I;Nv1M1h28&?v*l-@4^ao_D=86)9jsxWnU ze!m@QTy*ZC;h_$<+|rztX~jC_8UApfZ-1DCA%j%$()|2mAIS}PpIXnTQn#oEwrd%0 zZ&I4`ZWDL1Ewx18i*$TgwV$tqJ3Op%IT>CNahzFQq{$30|IVw6$IBd65!?BuAtu|H zj*A=c6DL;(b%zL-Q8{Y@obw`1i)9c-QSFGxtwP-V#e=NOGkR_jJ!L83q>hyw^+8D( z5})&7FMY-JNjY+*GGUqT7$dfXq#FT}F{xn$D)FfY9OwCRvY^jkaK?nm=UxrjGFT+ zz(s4v9AXSZEPh^jld$PF7b|~t`LaRM63LEu{foxnrxv>@GKz@-2) zk4KLv&j1Z0z035Kd7R}Z=$}hcjwZymS=Xt_S1QE+F8?#c31q&aG ztb0zVl^-Vr%Kj)V!bMVK%vA$J=YxDF9C;oD`1{8H&UXVk)larr+6SW6mSQprM==;2 zxIL_PuNhShxqsZN-Ua*JY%GB@(Q3G9OEW82zh&axqZ=lOExx+6oeyct_oviM>0>Dr z*WDPT@Q|N!ZQL9Z4anInR>nB@ckBm?ngxs8`S#|3_KBCul_x@@)$v14{X)t5)u;;I zY)2>Wc0Nj2+IaQ-$x#^sw6O*n_BT|>@eU`9nD_m;(HvgeCz zvFxF(Dq_zbT2*{K{7~(T8A5w8(*%tIzt&5Rbgh~MFD|j$^oPBzY^sTz(V?oW)`4r; z7nkz|93<~sGAPokB2Coaec`Z^yGQ;W{~FNq==N}4az01`8-#wMdgGPOL=*r)0|=;;)B$3_z4}rO?8aEO!VC8;fBrfODt; zIkOJ{ke0>Xw!zZbBbeD7FcYvmt)GTqiHE{UxLL+L#TDq-4Thz{k>Y>fZbb!~Z7YXn z4HX}O&3-B^##7o8hHdx)J6am$S4ag{x4^-b%JZF=@WdH`h1#EDDvENFc66W|#=+1h 
zei3%o`E8NwbS^Pj8aP06n~yJe5-Vas9x4pDhf`!4pRr%qVzSQu7JZr|M!h^f*vw8C zw!RrXMrE_DZEISIpu!ApL`bW`kerF2jQ^Q(BV>~!&L)rGtyliw5fF`C{r7+pNMsos z^xdDR_cv^>O%y<M{{x8*rNR&f#s7#pLv=cY}p_b=k9b+Ysu07W4R401vD`+QBYM?RfvW7{-MXb z@MdwJMDb`8=YSU!;^W_@sK;v{iU|x7{JSk*ARSKYuZHco(O0)dCQ})M$~_{T(wlsh z=*aqWacf6~Z6bZ1Q<}Nx_v&uA07&X%k2Fk1B+=?Wn7^l{4q}^6n^#aZN6F7kk}E;r z-F5Du^E`kue78Ru4hRtRM7KDs%gKTJZDjL1_BihtcLC2YpEn(!+zc!#JmsI;#Br;8-1mNO;*3AMbh@pJ6Il|v{N6dY!5p1|=N<(~+kLOCHjoD9IfX!e@eSl> zWKT;!#=?%cu?3(%etDFxA&}Wx3O#ujt@7mj!_i>q`+O755odHQojK-Lex&TTeq}%W zVA`nkJsV$?3QhwUa?@TjwREvgvo2j0d|z%mlg#^G-5nHU@vlsZUi6>O@)J^_xF=do zU3m1eOK4Khg*cqYvRM4LVGB2oFqnof%AXRr$EuE%?!`liPIF$(N~-0=&v9M0a!{xiKBj5~pS z8wltm?%*Cx?c|w;S-!*I@cHQH(Xc4sXO6qiuon}r?gGc^wRRpUOs>Yw#MWo?0zic!YHG#X4=asev#|h*k zM~d=U&RpKt8O90&9Gti{m-NrY*~Vbr!FpxdX$)1tX)R#?Nd2NosaqB{OcD9*EQ(2l z?9q^kvkI@X9}M|Jfx;cJm`OF$617CWA=yy!v$2g zKg+^2|2vDRC7`qfilx&LBY~OaGU12<=zz?Ky^_TdN6c@ad~v1?!haIons7`;bQ5Xw zjH-HNtcFq8>BNt6e4dF)v`kVnG2!k#!KKE^$|)pdK1BvNMlJ}%009L_#o7^HQrC_3 zVW)A8SE@SjAY>3LA}Uvr!iI9c{6OX+%^YVFDXV_N4GH6(|L?`s8^5#IZzj0X-Q7Qe zr#P*t1$ohZY(Bk)R*2z}T=YoD>AXrFWV54o^*1~#bwi}Baxe6g#c^o2s73SY)_Knl)b<5C)bpWmcAD92J(0B9cPxstzbYviKN)xVktm+eA${ z-|)G6&D}p@%j;v0_Cvx9;*wJT0-gOhUm~@r1!tm@!vhi1-+nJ$nuk=kvrz4=b)Gap zvRuR7;M?rIPREg538;Hb{3YNceS^sTjztfnG;nsRu($67av2DQ4#Uq!I=_OPVmAv5 z>=K?1hGu^7(Qb=3{ey2p7`gR&k1{+2mdl6C9j*-Y_!cJ7n7FA;pxr`3N`+yRd4Y6> z!RrlZ8Vk2d!x=Q3RllI)zcoRo=iibOSary6tIf9u?qtf#VK7vQ)6>C(*WA;{JTBV~ zA|Hxy4G&e5gD*uVQU35d%{1oTDF>Bq{G4I@81enVcKg+@dJjV*KpZRaRjhC0r(n;6 zh`FusDRdVL3r~6yfL?-9*RJ;C_~kbRN-?#O73EWAx5%a5b`dhHDRHJGm@blU*ot)d z?Kvwn?njduzZ+-_IZIQ>^pyMeJB zy{b|_UrK%ITw=*PV_*x}u5S(IWNNJnQyL^*n)HXUsjmE9fhqP6|Ha|{Th*aI2m7h~ zZ^lfh%Ig(tiv1Dl*M^H)Jljm*duqU?@R2_44%>p{f0NnN=L?VfFd&yo5>FU-1S=0S zru((Z7eNM`0g1JhLO-MYYyzt(BJ5l-DXg|&9`YG!PMgqNqinEBs{g+<86|{QBx1AS z58Z2J{q_u?^n!vU*G4I8Q!Ts_H89riK>Vygb0n)}LKrdtpT;8ulGsEnmqpl>;q1=T)tWcS67js z!6|a{Y;^l;?hfMcm|gfFaxB2+3rO5zkp*6Ea+Q2)D(@2{o)u@3c;hGt(KeB4h7S55 
z{t}Bw%v*uDtcB^p)=ePbS4z#tq(o_!KqSF%ijl-QL?%wxD0HxH8dOS{GH~?e&|t}< zQ(OrK`Pm_IGX-n&l^{v1j501tMH?g}I=k{JE)LZQA|_&;96m-REi!$FjoS$rGM-e# zjTtsX#*tL`_czVOb~A)~XYv~1n-HI8*$rnwvEjMYUvY++hRQj+Tgm*6ol5EJw;JFfa{jS7k z1I?MiK+?2N*H9D(S;d1x1MER&#&I*(Jh`u7OS$)J5L zMecV1%ndUl{uifaPLl{kA|qCnx%l=-7#lOITsU#308w&ln|)M3*s-i?kM>|X0xUpW z<6~TtwgbJgE|X@KjZ_-o-|;uMaKuY)SY|;KQp6}JXpJa{4=cg;hvtN7jnCAksu5Md z${7r8W)7l<>~$;9k%*6hwl;*npLZg8)_Xt0HyMa+1=gs^I3fT((`bamw)I{3U;~GK zlPj%ym?DV>-d!kpLHnC}-`!K_DPkSk>u`opeD8}gkOD%nzB9j2CSemk6r7yBp9j;E zy#xtf4TStOezXicBM$;A*=SHv77P!eaZj@+PJ9~kP~DFvE=KR^DKCw+0>RuDpk6)m zD+F-V)FxwAW;6yxI|lb$;+}=X7vV2fA8&5VtQ4p0hNdsu*lt4ySw0S^=70l5$B2(R za=Rus_K2bcFse0Ls-Jv%weEW&0p6Y`z#aC9e%$@cHxQ!Yb(BcQS5c(9);}JUi)Td5 zVsLo-xS{ICl}A)Csh@mo<%AY!pbbqFxN6{r4!#+!g&iyHVX~BB;-71PMuvt3Q<4l1 zoC-_4>oDD12$$m$hIfDDJNX+qF*R!nr(*=e1=6JFelW}5z-l#{;c+4TEw5Gz!G?}4 zl;umwpP?7$BLWeISLrS~^bgiU*&df|MVKpi;UowgZ~f=Qok$txDCaV}aaZ$m?%KQb z?yJG|f0`-o&y1296yZW?GsA<7bwWh4_RT1?vtvM!YbzMc`=b62BJQeN`JQY$!S8>C zLJ6#Pt``#c28I*b2UG|Zc#Zadf~4EX)4yhmfdVmQP`Pd%AQ=xWbE!WSWyA-7@!Y9{ z=Jo|*loQ09GlPli^ztyO!No{O#DoSpxiv$RxQg{uE5&eluveiG5=pPhMH5mFWDS2f>rk|z`z!`J zBG|W9Aew9DpSsn|!|X9Cs5ZqymUND?G?B371L?v?zMt6~7TotHK5*KdcQVjOlW zG#V9~SZniK|K$J^BOMy-m9F80B`|Qb1}~tN%r~*h$I#^(HQP4PDtAcwliCwbQ1sf; zRY^XfNMi#3MM-#(F!OWzjZ>K7Y))rhNpo;j8Y<5TvU%|lss)zR2L$x)U`bdAHY=^Q0%OLsc1(|<&j?2tdirNjhE^TKIIx;u z(_D*2x)Onk`zm$qzdSxf_i1hc*=SlM7Z78mv&(@pO8#2-y|JDUu=FS)^|` zdp2lu3TA&W3`}ckm32YkYsSdE!@w;a(Alpk{9f}X6f14vuPIZ2tFq83vTXF;T@}2{ zrw0qx6;8rd(f4b?ffN4n!}uq@OXy1OvT%1Z5+IH)z(29U^Xx0TnMCc5qaJv-?BdtD z83IB`V-v=_AeP{BW1C`nWH%r$Y2>nhxS6HcN{W`iVD<;CXu zsub@>9Tg3oIi;LJE_g>o=yxVuB-b(mw9-JFQ;$c#7G$JAbKY3U zg;XZI{Uw}`k+~u>HHMG;u^aUCuxR!AwXylpqiQS$I_Et(F4bwHwIXi_CY$P~pC2SR zpX@Bmt-){KN>E|`)SU06L8Z%rsM0qC>W;MbeBUN*Z~;4*;w$}%V2ZAw2HC?i^7O9)>lCslLPkdj zgLa>k2^r~Z+%1&|y)E1mC3%K{&77vv8L4*ANT{v|;U0wLrW;sgefN6v+~_V_bhRnV zFYUA>>QOkuI99(%D<_l;hNys|Z6dw)hj+2gyG=L3V~XvWJa%?lZHGin(HVZ#Y>|!w za@IWh2d|xVVHKQDc0psq62U8}RM7^3ymzOn(AaI7b7)9+2YlcOOfDVLoS}(z7D`SL 
ztt9$owCtD&JOc59@r7E#ht&j3gKE$&jycs5E4w!9c8j2Ng8JT3RE=_+W?Wq={8K7{ z6@;*p9E*E-Wf$idKdFMF)AY6-%ovH`3*t9Zs6&tBdH!sKl0oMX8Gwsd2Nip*(D^~8 z6)kXV=;w{SAnc3p2Uf<<0B(>gBe&+Il2$h}Z_Vi696KFqX@NG&5x-!G`M0#I2!evC z9}{E5?aa7e&`nt4niQcaetS~|BF_3YbkTm3rK?{~AfLqk$Abdn=teI_H{BAz&eRCF z$?JqAAefPFb0J8J+sTW`J_AXiXYX)ECNVg0mNSg#)W`W(=fO@|6z%-e&KaLf>rW zRp;sf{S1vudN53YIWh_t>#rXCqR&3a2A)=eRu{Kxd!bvG((9>>YgJQ)2mH1|MOX9M z9)A)=Qp~np8fg6PmQ$M7uI!~4B{YMr)t>wxj)v``$w+nO|2YPLs~Y^^rOl3k#RRl$ zgS$Lu!-;J?$zQ*Dof_Qht$uwTR*ZVrQDU?GQa`xFBA~5L(;Y`@=@f1|*1bN|^DD(X z@VM*((Kuba2$d1a35;m_NY&48m@nb44m_u!m=%qku8O1o07AGZ*Rw8nKjkA=|m+j<_ z|9U(AKbo$BE$S}H0|P@1-3=1b-JK%cAsx~o-3y6qR{Lc?&4&QNPtP3$anq3WyXwUkdE^vQjiQ_+0oTl2Euw<5yBtopx^2<-iM-DfcH} z`K9EUfna~vx+ul5(ZhU0SHaB6&JCjP8F)eF#6&7u#=|2SE?dvlh-$pQ%Nqtt&EU61 zZJ^%vjQr#Hj3Ipv$ax~yt#CSJ0o-1EGGgOIm(`Z%eTbQavF!LnJJQ0~5=@)dn@73)&!6!TbjeVIS+ zO~>kuO_T@91C;6@qgQicuv%tFs5DVnrLES>Dqn{YlkIek_NoRD=}2MBYaKrl-bz;-6ZQn3#CGGyYN;w(7M)}aNZt@l|$1fbOsK)0EV+40_*gXtAMD^K*%Ag74g=B~rxM@#6Quv#tR3WJ07*wbG+}%0AwT z6PjDFmqleW3kWIZ-fc%U{AMr4J*#ictS;!CMh_vXrrTVUBO91BY2|c)THbwsHz4OD zIUyjZFtWb>2m{)iBUwv`rK&qlz0|Ug|Jz@e?TWj%NbQma;gH@f=5Ubyb3iSEJqt}= zfI#Y7;3Pk^r19j6z&5|Mqkgd3QpZD`=6R=)@hO&Bt=j}96c^%xp5zvLhJ=|gabE9p zA>Dw(#@#HfnkX@+@!MTjFCG&20prWZV3j?XXpKTn^h5_pNZ_QtUI-)Ij}VBv<7OFt z?m7#?q>d%bQTm}QH871oefK?SQaCn>K|TBjvaw~TZRXcfzmME2OQy%{6<6Vac?ifL zSXt><{9<7;&BmGCOZ(pIbWC9erPS0hy>MJSH&_Cy`_m(rc+^hGaaDgWNT*=1XO%|H z=&KV(XvZZla6p?P1~*T2!JMYB8n(zu|dyj|LiF<2EX$ znxMI&IZQ|-VW#xeB$}k#p13mfyo|s2SAxDC5$8>++N(z&d<_weV!TF!jWp+_@Tm8` zw2Vg7PhXSd37^ROL(E7M{T7&_8i4xpZHjiy(3(&E|XSA%u_o@F`-JWdUKblSB;&B2)--Krd8^#qX% z*5b>yu1izSM)$?ePty2LxbBC0$3>6McoESKP>4E#JQ_rkFJ2>mVhpUXf|N$5MFkFq z1C%(#Z~bmg--QbN*kl9?OfVU~hkIs5s4LsITAX{_kV|_rFh>|?>r$ExikmeEU^1#| zLuFfd@mT!svQ9D1`iefz_JpO2o?GLL=2i8|+P-vu5XSsIPurS9XvYBPmCch1GleVl zE3?7vMu9c=ax@6}9}k=v9R_{>*gP0RON!t0+%hE25pNAxhvjKPE=jG@QjhnA!`%EY z;|>2hEo^s1bfKnD68%AfQFE}-I>LziGVs)Qn=*K@n|Izrc9>RAg=03vGlow|dwy)r 
z(F1dOX8UU&%jD2W>pkw|kQH8CCyb7caFD?c^J?7{=>?G|V+H`M?JXrf1>}2CLO6B_ z@S+p2BJS1KSP?God&2&>%s|vJQ_3Nb@f5-!jWKA??qUc8Ks}tTv~(@DoNClT-QdpD zl0Hu3=eo?WH0)bYUrcHJX8p>h=HJP`T0xxG@H9Pg-{1*!QGK<`KYZrog#Lj_rYj@E zVc6)=CN!X6MMg@Kz3IkLWRMu#t2Af~Y1Ii`O>^sNSwjzsGn|HiJ=G#8&7sf(R7!dF zJ}G1~W-cz=A=Na?*|csRw=n1K zpeiHesJsO5f^Z1r7qG5YB_ z63@UyGwwSP#HHxYgAr?9{oB3yA-JRCoOwMo!ETV-ftAmZRO{sAflnG(W=L`Aus6yS zwG*r&o;==^XBGzLrSNt1TCEu0jm@2&17eF2M2$~QF3fZybe@Y{)EmYSqZJa|QJA=y zN8^WQYpvaTj3UP|b7*x4~jn7Z6s?Jm!y_{@z5i^J4W zBj@hv^2s`YL_p;(jagf(cous=r^Tv?u8U6h<2zassXo1j87lMsT@gjz3lOG^jgv(-`CzBhBEhfrmsh~~LgixXc6X(~UbtVsRl0xbtibsI zD^;Y5y15sXc88AIS%8`~IST15~j}=5IyUo1PVt9-N;X)S5W3gf5o$o`0{z=Z|$$BX)8Z zDacJ4C&F^f@^No39q?{dHEl?!sZnWH^Mekud~a)K4jT0~c@KI>caR(PD%lSPTIUEo z|4BQJ+e&D~AUsZ^B&GNMz+@^fucWV{@4xKQtzyqmIq|kV{JoVs2a?h&h9SJ?6oIhe z9@3bY%0(6SUC2iy6^(8(@6G90!Coc2oA5ipK{jT?xNH5d1-r|y;|G-|U?xh|u5I1Xdsgbyz9*0OG~>K)JO{0e>0M)hGN+soDcMYLSC- z*5L|MAl-f6v;Kz8aZRSd&y~JFUE>XgC4!<#DXyk4LM;B+{%|(gpEywsz;~I`$Kun|6W7`2hwZ34)b-k29IKpIA ze!-L*`CEfx1%oZ)G<%qg5i7?Krw3Klt)H`Flu+Tb*Bza=vcMVi2&QN@Ux{%+ukb~< z@Vxc%nERjacc0VGGW_-dwpd%cU(I8I<6x%py{-3^Z6#-qzC+zgp5 zV80G4nV8=Q&eW_u9+#SbJxa47h*Lh1#sbV54KDyrS1uxKAVtVSt4;$c1)(JA9`mSN z6a=~&zE2uB;DI%41~s!*fqrHR`|4s0VfGR#qk9u9fp)F|-sSsDFwQUELd@QY4I$(t zODo+=M*X~~i>HhN<0%RC+GMU)yO|edq z$=J2AiQL&7r7$)|MbjzntI67_IK8txd7pXZrEMZ3$7s43;2ffy#B7w-qR+d24jGO9 z)p~-@y#y?Eyis}2GNbd~#>eS%bFDvuwd?*g+G|(UhgYw$W4+Z6#6{!)HV-YI){i&O zT&h{}Sz&Egy>dNq^kt+vCpuw%noyS}NZJVZn`x(7bE$uF5ca>uCq46_#%}tv^1T-n zHl+J+w+=55S9R1kMfT$Q2SpGH0zhpTyTsJ>zc>OG04a}e3y(RX2B97czp&aykDWZ0 zmzsb5d)Qg|h1*~JH)ks*{E5!L*+=U)%m8bSx2LB6B{=iG_Js(RP1C(IoqdlwoESbY zO=jt5H;z-3yKVW3v=rnCLvt%%#V|ZJc08c^Y51ojluWG4|D&f~g-5rc-nZ3M@W5*6 zl2+*IFv_8+j8+UeUJ-`~R8x#+dnNFgxAK!OV&`v1GLJQ9M8@*~NQHdx*zq}xw&vz5 zOVMI;0Fi1Pksa^8+0Iz<<>>@XQ|GU#P%?BLKUHM@V4^R6&PI;#`{_ZPJF=6(a~SQ5 ztQHVKIQ8PqBb$WTN7YYzTY1i6!@DaW7~=`-So%qf@c%~Y1eI_kjKJL?tlfiyUhAY; zw%#Jf@>c)FwJjMmu@V0j@XT{uf(_*UXPABkgK3(Yyt|J(r>G>* zva(?aM^Q4pKOaiv<5A;kd|C^(4Igwbg 
zL!1bP^N#gGtB2E8NU6aSC}DYo*I%4IPM~s^;f6}mb7SiAH$j8&ynWQ7Oc{w}rQAb7 z+Bx(!5?Uy5AkF$bTTr(m@%cHIIxTzX1P`+v$E5DN0;j@=6QjLvy=yNDitQv8;zik79aw;4b5kud_$Q^#cdZ*oDE*BRy z4i8Q;X7AYhj;N4AgqPp-vKi#YlQG6$#PF1EF|Z&vKV^v>HoO8RO#W=2FgYE47c!mS z>m_j7$~HWRJQ)v;zK3#E@=}cHqP`A&`0a}zha!YH9BbH*7w|jlk2*#*iznq{{>|H z!iBod9Xr=vHT)rTkska!ATSrMJlqLkigqN2H>>>t;PX4*dN(91xPAdUHi$QIS0X0} zzy3*XE`9dErDN%gTMzlT5HWFyML*6mC*Y7LMMp2x579RXm z1y`B<&N+2ZQ;Q}X`Kq?=s?TovP3`<_?ttyrb%UrVb!6d&S=}G{wjahC(H7OUqAZvg zRn>?)I9I%$-<;Q)Y`9iZV+WSKG&<+Rn%OA9=KNyPWYFMH?o2TaX?OZ@QBcF?%`LRD&JFbGNyeS z;>3Fa>%A@2F`HB`wVft1fQoolAZm0j&L&`{k&YzNYg z-xEdGK96LIX}M^N;BozN!`PUzjOTkl@Zc~Tk+fqhaF)-sub|Dg!dNQ0Rx2yR7Lx?8 z!!L7?*_TT~{1Fv$gQ3&w$~j1iXHAdNyzIyQTu(p6AiKbTn`)?(8@zCnuLxXuQ?Mi& zksyQWgG3vF*v48+iCvc2itC8FT0&YFd6y)-J2Ho27!VF1?d9z^$p3>9>=Uv_bGsNs zAXIqpo^$-?0o*5KltUR#-!MYm*3q3yN;Wo?lWnx{+OBBWfU;fq&?n|z@lu znr?a(4s9vja`U*(5^U5vr!0W~X9%7gSgCS^IVCQlhaZ!5{we_G9`p&WVLir2U{HtD)6@tzo=6@HMh{(UA=WkXx}wikfmq3?qOcK8%fD0Q=Ik zKMXMI%lO51tzGA;Qr3Fw%etAWxfI2JKH!;MAbdU$oHSYCNz-8e`wLI?oy^Z@T7jH? 
zqOZnM#d+-$qEzi0{|L#2yr?ttzbDvV-ohy8WNG!`aGKec9?GsE(?%AeMMq&M>p>L(RoD9W#&q}>=lPX zROz==CG&p}YPH`pyHAYQP3`=W{ykFYC>8llUOnuSzr;e}EiFD`&d12Dtg7?v=jf-J z2me8*`C&Y-f0u!1#M)!wXihbsqEYJbNcilf_tKeuprVqm=zis~)9G&Y2Ca_VcaW^` z3Wt|RY3a5x6U>*#EEXAm#Vc~0oo)V+VHa*OVh*Il_y0C1tHQHefa6)I?N5lt!)sxu zV6($SJs);}90arQZ9uLb+te7muu;!+>ky2WnjxMW2B9~eHPFVGm3V#A?r_5vIJe0I z?d(Z;B8>S*)pNC;O0BIEh>13KE}0BvJe$`iy^!g_QzJP&k<6@7mp%xi264+2^<0vb z2Ni9oO&FmyU2@W#!4Db+F-%J*fh=nq8woi%Wnov2eM(mmkY;T+26GJ7Y$O1Xi&OLdnl_iD zYE|}4&=-cKQsEpq>hapNHn^*IK`hiNjHtAcbEFb$;gKoEQP^#fbymNcp3l@m4kgx$ zXIqb|QrgM!9q=&#fV?9#@D0o{NfJg-Iv{RA-hs`}gU8S3YF{qAbLD7%OO9f8xbjSJA`_5Q=U@vZpve?v+$v1kt8l=6E0Fv?B;NY~ z^ts{O+T}z^JQDU@!F4(?dt$`Dn!nxL=iZ22z@L2Eoi=^y zF&Ue~3zYcuce?rdZmzXWTHE<&2^H&UpaF4KvPUrzxiVLvBxGruKj@(1%V2e53ATD; zX2MAh{r$UDSfO=?*TKSIe8|UfdHrvIHq0#iA+aEvmD&5B-plzVpn$solTtgX+$3lf ziDANs8&fx50W>rU4AWE$C1`{$E8$6i!`PH?gyI@Sd|xc0(_Io?0LPzvQH-(rzw7|f zA8!`V=5Nbkpf26N--;4N`JTEZ&OTH6eHldc@_HlKB$aWeg&+g$FY73K4%M=)$H|~S z@U+Ro8E~CYoBy1PBU-Xl zyAqj(i&)33t&sJZQjQPavMyg!zig_y+t?;AODeqL;>K=GIY-OU)?jj#ZK9>q|DDf0iRX%G?W+#HccHb3M#0RyltN& z`9e4V)v?|w4UNBl*C*~2Ws#6w|8YV=v+7Z?x-f+Y&w)FVN^PLe3R$#kUFUrn)uneT z3gORvn4<7+!5{hWB3k`-JdnG$m__Cs-XVqvsAy?vr3!hT)eZu^zq3lrYS2k=>3a^tp-BUBKwwuAJK4 zByN$97u}PSJTr7XaSz2Uk{qVa<9G$+v42s+9F1zaJZCw{;CTS~hFB$QThT_tmGaC6 zV6MC~y=si{X_sCMl2}pn7f9JNjL^7R=&581>RpKCBYFG&pX~mf#FF&I?)_t~da2rv z0AA&hF4#Ctf1BCgkR2htYu}1wz0omUmNQS#*xosKE2|{dkK$Q4;m6Dbd(zhSzZ^5U zGcB_j@RQ?e!;T{VOJdDq_vKIk$nAjxguOwnJCFrO_+_LKS>HFlBUIWVaiFx6HCNK*)KL%&Jp*b0Lx@9ZzP`8W6Z`EqRaeDc)<0KxuF2j{w5C31Wn!2-bQQ$l` z=t`BZr$m$Q%U%A?c`Xla6f!dlOFPJ^23$1!nm31 zFd5}QS~*^U0R^w3_SGGr*IeJ(fcG}PrH{S?l?qoPkdgJpbiuY+mO+NYwwGf$C}`RS z!MM+Y>+E}Jzp`i6p%@GBS_E9=wsZP>mM_Niig;Rq6uU zJu+};A_KS@8!5+S-NmI)zQqbz^F{~$vCeLfVFQ+qBXj?NdvZr?Y4@02xzpW%)?(u; z`fjx`qWvmN#y>@jZn;t%+x-FzQ^C zk>+}RHwlMu^qng%I)GjmXeD&Rl*T`Tlz9~7xuzBeiOdd<-=A8w1&%A-kt*aG|~m{o&x0Z%x1W+srVqOat3DZ?&% ze+zx#YJ$rwHDJwh;ou~C0(lhngw0Dlp5U53GzLkN53iKv_SQH*WpW+w^iWxzp~Z9_1`T*~S9l 
z*k+&Mg!IT&7K13M!U63Wo-5aQ#N13!1co0LFeXrA5_kE{Sc^vW-$CYU6}zX~?M$Z& z2lM~zIIusx=Dp+$B38YT^H7q`fO3LjY_vZ7mmn0j+a;gZ&E)R64Fm$^3rQT;aJ6le zD$BC(l4u!;uFv!b9S`S!i3(yEIsg7yv(c;b@jaY0u~OcL3hv0`@Kg04U-6NAE`53_ zE&w2;BvVr;bQXXQ{!2_6;u!A(jz2E;gJ$XvmREAh_|)G4twoqGtb?wNgNt)NI;{r(85fWn&e%-Y8 zX7TV?0VD3EsLsq4`Po_n;}$gW+rNd+6jtx3z_AUjtzZHJ7l!ooj3>00r;R7xfQ!Hl zvS~6NeO{Pk>`Ife<&d!z+dhw?5p7eMubRv~dNRr37P?I8PgRS*O{wLHu6Z?nnUe52 zmSNMP$P*#383yAOK~vD$ROJryJfDa)O~#fjm_JkMuZo!T@88%tzp;{ABb)`C?C&t5 zYQni(J1+lAb3s5+5}(IKVXi8(V;mmCVnw52?Z3`aKXW z4@&V$Zg@>P5P^jPW*GBOysniI0MCskt=c9JCmN)Hm=(eKs!Gbt5w}NZcFqf}L1}ah zszUP|Kzx>8iC34Q-WB0yJ_?A6IHmtvab*~U1CmXhk_{LT0CRlqP@!a=99lG@R||+z zSdyY<82+DmP8ZiMG5~m7cEp-ZJ$^&snB+6%0ax?D3o~g1@hoYm#86F9f#Il`qi+?N zoS?9Tn$Y(%K?r}KD~8itjB^9JtPaj7wKVSbe}#VWZ|p3A4{W~7Q88x<`7ZVj?a^!t zfLvC7BZlApXNd^rqIQWi%O!bJl-0swTG+zZ&;{>fexP z?F=-rZGSE1zNgkQ#t)v9&g#01bAFRS*86+ z!Eg^?@87}X2uZ0~&glP{jQ7e$WJw1BlKS#wiXv~$-D~#p-!heWW9tc!eH_03PhW;1 z3J`uKPr7ogZt70wQrf_xBr*a)(NvqFOLXI)uwohFfhv z*m&9pc^Uwun%Eu(13Vd7B(E(!Xd`4LhuwsgeLiy#=Po(QJ zoM7F?`i0GRGwf0v&=g$?hOr&z)ZNRJA(PCSsEgR;u$_)MrAUNd`tW-^sqpq~qQYYE z$kP%gXab~lP!CQrC-F`_022|C5o|e*j#@ZHPw#{^Ax%l^YXgAsJ6DeeRIguT{M+#O zMKA|eaQn!^VJTGML;Kd8O@cqDz~F@p5on-3O>z)3i<1niDsTTRAvT$riFY}lV6cu5 zEoO{GChJIY?pOAY|0LoHBfHO$HL|kl7-+NTEhgHjOundK4if9LchO+fg)>+HZj;28 z*LpV8#gltB7ZivO6s(|}0 zoUiMIEtf#l-jr&T;M=Jqx9tW?zFWrW$t{h@~gR@Q3SQ)QXX@hJb@Wrh8+geF` zb^`}{m#0}nn4x0uC!R1WdN4XL_kp+TAjQ~9(Yt^O*UaopS%C;GJ-Lc8fjUBVRKj*J zWS`jl`-|VbnK|oiL&rVWfPuNW@iS4PtL|dv5-F~>O>*6bX=|6iq+JJ9Gb}NML`t42 z5r5O(maMXgPBpVGvdd?9Zr-x)HmniXSKvpbbpBX%w$iZ!^aLe> zUZB%~8p_t%636ltoDnXTBlMaHw8Ra*665#?|J1}O!~HawE(MmPAjgxRx|Jc2`?tLT zveFrrvG*J1J%)*Izpk%*y zFl1Tl33+Y1xL)$VK1ZYk;9U7-pe)bfQ0re*PzMG}g|a34^94vCYKIRKYU*pfDX;R} zT{-EMUmpJI8qi-8yxI!uG>sr1;;|47EHOT3dQ!cgL1Z3xlG%8xUuiXpX?0Q9;Z+R zWd~yeH!jg39|Y_Ea!a7~z;-n~uQ;VvTNKW>t0!0a(f8B8IZpH$6Dn z2+I4AGu(o196KQu>>>q$(6D<6lOmqkY0i(2V2Pc~z9{g?RQ2KMNeq0Jq*C-f#hXVs>=@sn&e>8DZG@p?qX 
z8q?k5N=$PW88XOYhwJOcaoaA1&@JC0-$iBKR<^ozf&xkXQP;1RIJX7driR-D4Wc0b z+di?Ky_t<6VsR6ZrioWl$DEf>9i20;hF<^ff7W&!9E2;)B}QAiRMN9+!xnpQi?~g+ zcZuG09hpd)oZ79N4=uNZVoJ4H6`eI|9;8O+P&{hbpFb4k^?B&FH#gp3Tx5TJ<2LO& zv~6fRSM&2cm&KI3N1J;~n`uKB_LFWe*~#8rECf%t%Gj- zbX|1OupH8fC}&48uvt{e8(Fcm5GV(K!w`afIe4GH&htBcOae}mq(8;6#@&-r1IlN5 zEv(2qP5Fb3aYY~k&iIP!Jdd0*8$QJ==qZD7Fs2(wv2Dt_-+|VF7mu^Ia-F7E9u#dnX%nvNe z(JD=ImbuWOm+K|{i$7X%n`w#0-Q(HD7Gy9yQD>0(=kbIuChom$;)vfRlldkBFybhl zgs$N+@XLpZ3{|SkdDlBGM%a5p2IJno06NpuDW6?IuR6>Alk%Hp^V@^k->>A8k2*jXrAldkP+l2|lNzr=FY!3RYb0QL5!8;5wytH2;2hx!+89 z6J9u#W()`3vQ071H{PDhAC=)!C80hC2JPnS8-HUV8|zOnvFKgdb1g-JkrV1}Umj-v zzK6cX>V*7)752IQal4R(sWhzGx zCY0whG(b#M$P$=o;WpF&8R(;Feq!B-kd%PH`@+cuy&R%|2791Cav%9n*X+5`axM7d z92!B#<(fvG)rOFDq6W-PFH;z=e3hHzpdqmFkq;B5)KUF-Q&AcWhbl?Ht;jO!39*(V z${&q0b~r9#MDo92bTBL&oq=Rpc|_2n z+1;*tlJ<*&{tls+$W+n65;qiTb;2YpH+m!%q&1SFyeJb)I4t5j{i>)5)E1P~8+)p7 zM7|n?(|9KLrsm%5-WSw2jB5J;3PR0{O5iUU-Rj`OFDkf{XYtY@Q+H&8^c}*kN(uH5 zb?%q)+TZ=@Y_j7i8=iUpiZ$W+iW=T;*+!Xw{nvY$1&Q>@Dr9q z6}CVULYFAFL3I0>?P8$TM{P9s#t;okI=CkR-jCm}KK!768HCs=7n{;4JeeD-II8O`eeuSo%p16OAw+77_=vyXIAb`3lU?X6Hq z;oxzSCB-3YYMYAihu`2L;Qm@wCtE62$u{ujilQ-I%LLb{;RWqDnu1s6HHlV|gJD*# zK*K#9bLgwuamb!X1m*(>X7u6ZU#nb;#UYT^^Q($_>|ZpsP=wVDVF6|>-G-}*F>6ea zDQhvz6z-c(92(I)mV0&y^S3Bn3!0T&J~1jx0}1OjqELqc z=cQIu1jlG0lZw<*jQnKFamq(98#*VCuagcgqo>5|)tqITYFUzm7%#V@XT6f)p>nX- zI-R$7b;q3Mgsh!pYp#9ie1SbVDKZ!Lnl>Nt4l1_UM9iFu9#N0+91q0ImCYP8BB+N;RG-TlP1NXNZ%b^jqT~&=``$#`eOThBP7tiu znE`pM+g38y2D@N}AgdZ-ln( zKhvhKDO_q#Ok5mO=g6vD#A8LU`C}s#7s8z9$nfxO#%YUyMLlcbcceBuu7-ZFQDzR2 zfB&qP>8^C%J4Ti>ptI3R6s-G}^r(H9n3i7A-vOb}do*s<@9U>cli%DO(taMfU2!4y z%zI+EnIc~NE@rdJfSp6x+ks}w$Ki>OL$~R; zHtI<}L1sA^0!Xki7?Wlt+cc`<4a7%?@?sDf_vCaQ1;J zB1yw=FO0C+&gD1~W!tYAP4|%T`FWovTml0>GOr$|m*=p73eUbo2z5q&Rj=fv|9$Iu z2^`1dfFDgU6nP!P?|1;3IRly14HC@IV?t)cG}|QpNODb9V0-%R8tNNqH2h`ELSq@?tZnK?Ak4`wFtktkuLC5-n|$g z`Kyz|3@DDZj`PL};qLvaM;mHc$B|8gIs%dhBBD7AiK?sB#!a7>=)b-aC(3im6P_ij$>uJHgpg(xEX=}}SFNvFH8)O|_(!xYp&olzt*a%3h>|Q<#nG*$n 
z8g$=8KnZM_k2=CG*MWQR5$vT3Bi@2(%%z>m82h4b_pXHBvhnt0f^AA*G>S)SI>8i1 zul}=zS&APDL|S*o>)v;TcyT7&q;ee*pQSy?_&Ge0Mef3ge_k8HMgNTQ%~lriEaR=I zx%?qm!8VHK+3RMM@ABfu1a$(EVjiu4dpQbHAG;R9o}Ze@Ulc+zvrQz#9cY0F9y_eG zxC0FgkeesOEeeUfLG8T{|3KG84WTVVr?R^pk8m_P;0Fh1gizFSH9>ZE|q zCsZH57RqqQp}a}-xY6_YL1ckMLpA2vyOWz&{9K=eYq6g=VW*g8l%!7E03OREjN(E& zsXg8!N{+@r4=f+KzsyKXy`*607VXi+h5&y9`kwICn zj?_s2!HwzevF)b)N;cexr#&%B%_@=i5^emU*vmV{IC#b;oT2 zMFIIU-OT5DtGvf`loual5ex7licl6B14z$5-K+d`i@6xUxb=r?dkn~$X^!C?IGW5c zlZ31^I%J?@{~?4_LR;OBA**dCZQ96~p|5Fph@FAJMnPD@KJ%8v>o{>(hv}o?cvuu( z%`!4)7KD#1&b;~m*1H4?gOEE@EiZzOsGps0c+yp!K(MH{!E8|vS+S6FM|HN*meAh` zhD5^%9HanAbW=*Ux61QzB%p^%omC5HJ^mTsDKcF$&&Y@2)w*dlz!43g#_xeRCNKXx zX_P&hkkPqMT0!5-sPL_h6nlKFpCVnFx6VvkS1+{n4nU68TH;|?PUD=`|E~o=33X5@ z33YV)ZX%eczJ3MALAb@(>_=ewj)Q&qqTR*$ASr<|V?17}90E5^7PbjP} zz9=d->rBqX^n_(EM>1SU1m^XlNkvFku^wkN#BJAf8Kb%a-uCDkde9lym^{G~wX>0< z?A`YZXPpx2q$9!}IJ$^nmikwV@*o%{a4^u}vEI_r;BdAN@T33hRC!tK@ z0Y*;bD&>hD{(08Gk z^ZNvYc6R&^9yuOmyh|BSi;@n?HcosM{C3oi>KesWDp&;sY#Xh-M%bE`HvtyTr;L88B{Qc-NZADf#`?nsOZ zWw^_DfQQ2bV5;AoUMU!k2@ZB`16Nk7-&OulC-|P#VI~DhyB2h_d6a1iY2%DF*fEsx zI~#6h_sgelJ7!)fXl8X?GeaQ_`RO;bLn<;^Jgt!Q8?%wtFC+N46i19M#RnID*lIia zKyF$t$tApyMU7Gj0T>dMOB7@W^~{g zzyI5I;0#DU44aNoB(L}W@>Ogar2Qx9RZxk|ax9!tpSs%G>wUF#GloYUi3+(d<`ZJJ zj4-VY28wGktdTwr_8N+|ga@85B#6mIu^iikeZP~x;Y&229lrhEU zK$!W$Ftln-OoBTt10>Jtu;#y%GPem{ykL5eJ@h^k{ z{E5C;lNM#SOq^B%Li)~Fbwr(I!* z2p0=Z1wn_Sw4=Ea6^48H`_U%L&2c*S*d6clJrubR5R7T!2Id|dJQ{Y=j%W$pO6zfP z_JRlr3GZ)hEWWCE?NL{W>!+QjUA6DYyQGUlXn%OGez-*lI(V9~!UQ~1wDM7F!q~68PVG~=GW)cv;Y%{$W zE-VD}NyG5B{njEO7G2!cVJqh1mv{Wb2V#GF&5`n1yPVh@&j^7L+=Zn+Q zLnk6Kmfr|H$6lB^+Wb5oo5(y(X_m7z?vA#1e$5?^qeny-aegMI6I9`D`?(cdw9&_0 z<0EQ8C4CD(tL_KM@(2X3>CB-N%$T9w??1NkQR9{Z%A%ige|AOa!o&%wbmD_s5?c~u z1;Qpiz!sIg0VUc*w94drNG2p3Tty8%stx)1*8vKqs9i<{FlTWF z{m9^PuKJIG?wI`8>aZ=Jl=tB37PDRi-CCxcVhVlxx+%p?LhNRg8W@#i1lG(B+yCj- zpiEaLDN<-pMWvE7ltj?tEeg0Slf{$zN&7NTR07n!Bd?(yJSJ>`> zs$Rx1+?+gH=D$lpwbVH?NU>O!l=s68KUJj|P;xF)jZO}%v=|Y2+h)<)E6ThWoEP_1 
z6(vyHKEMW`|8jbv@l)VqHzEl$9AE-U#P)DJuXOP0f5@BX7%Try(N7~mL=IA6FI5%l zAI|EV=ZAf@-dC3Pi?tG-mP5@vt4_UWf_=3vd-9|LF7Q8q&BzP(yaiQNXsinlhPz>e z@Jgb9y%Jjd+GjOMiHz?8+nBxw~NPTpd*0Mcz^$rV)C7mWQ#` zcW8+mg0JZ>s%njg%C3qcNq9^m8b*>X7D~Kw4~T;B`f5}H@Y^0K(%lxAL&f~+QfAjg zIf*P#nIFGbvR?Hur{kMFW~JB~tUMzxDjBs;-mqN^`nXol+q#%3t-a_P-mQ4~USQdu zzPuLR$&SYW$1g|%w>G0gSL4p;dA>4me&Kc;%KN+!ydg=GCe$niGh}5aV|-sK@xjxS z@4n@%u4!ldmd(U{?ByUp09z>Zocw`O`JsvA_Xby$1^~j;6aBm-Rtr7?Cgv|^nuXDD zGvc4c!$(@JcDsmFB|dh-TS7191se)jDK>*zPKccNiPc%rPB4s1 zk6TXG7)^!@T^?o)hwUmzF+uLWjm9l{?FAADVgEzfdqBhWwe7&F?x#-BqD0`PL$|IkKRl461{}zCGs7=_j%s;{nqz<|F!;W%{ptw;GDDf zU9S7SuDwtCdYdp?9%;Dq699Z_;d@khQ0&(c)n**M-tZcjB!+$slc#t4vmr5BTzpb) zY3(Q7WwsfJB|C;2E)n(7H>p~lo6bP^1+4P5CEDy0JkP>O5zoh2i3(znMWfk=`H6+q z=-;L>_6)+;-je|>LT0Ze{2~2FWbiR9eNdNQ=mig6$mF*f5Y2g!Sj|r<`t>wpU>DqB z6HhTwBJdJ|JuMys6Nmlihm!$W<#>+n+vKJr=hr@%m#;+J81S=*=;|BFD|cRBdVdOH zLI08dh&>sLo-mlp^JY!R-Tdq)Hw>`Do9KjdMda~4D-dne(+!i?(7>mnnj|>d%J3s7 zF{Vo(zo-66;2N>r7a#_Q(^QiMHAF(9ginYuxKMb ztg|nSA7Kgp`1sDR%l+@3@2jJM?dW|4U6Gpi3=sV~jG7wPujQeN)j1rEpkw`Oo^RCQ zHshr!Tg^l<3*Xiiwhi_PC7I)m39kFHlY#9&cs83{I+{#dkqYe5*6l_|Di?Mz)$v8P zZyhVuQ$GPyQ@Zt#Xkk>IS9dX6ef8MI`8IgTf zh!vOCBA1^zO(4+c1+Lze{EVijpz>nyVKK-I?0Xg1@cGLm3 ztU#J@;;M%tvK?MM;1!035u(;SbHI!+C#xL8_9dpjROSwY!&6RKCgV&F^B4Jwb+_G= z-NA@$R$cbwPT7?!bQ^hK_sU(WjldPI&Qt~8{RZ@vWZ9tgmKM#tBQ_g=R7iTUH8TxJ zvkT!fco>?^t~;|Gc2xPCSss1*dP6@&9(~L(z==ezKhMe-@$e`2_0vaYndyDfbb31X zBl_`!qNA%rHyqzW(*{LYWPndja92J?>C23(E4gpjFXUKg?gs6QrE`drtozG2N|JyV9S3 zfs_d0;YQA)-L)R!$M$b=H^cJyh?u=tf0vut`!12kR^-_!GlwOjYziCBpLc?f@d zu5N_;+)O|lJwJIR?#P!PW3zFj#Xez0`q=>$V}Q>sN8XOnldVh*f!CiqPMWy>Z_&u(9pH-)t01Qck|L2jil%H8-`SM zR{?<+TXrgKm{uwDBwU?>H5dZuRx6lCOusr?P}xDjB*lZM+FG=9iWG^Ia=bq};$ubc z`yQ&d21#tWa2ySb9ll?Ga`_Q#0BlI9WfYD*M{1VfTpaz<%q%Y)4qiun)8cRpd~tHf zT-&7Gf8Vq~q?Lpq^A`ha9a9?S8|q3=G4|3e>pMG-8q+HMiap(sNWXFe%rtx1VgCzG z%+K)CFCdVf9%%_LZx0$hjlFLhAI#evzcOx^h3ULtYZjMpbSU^j%ID)q%c+4wRqp5> zS!8zMZ}QyVp9uK06{HJBccRMmLKzz#Wo9NU9535qo9tsHi2qW9p!1D}?abQ^OK7@@ 
zt--fM$>4^&we%Ex_2vAvojENKl}DuK?S_clLA9hGZ0iH*#a(V@^|(sgG^_)#m534>vbA?zfljrRGiKT2g1EhxO|O&A=Cp9`gCm z3HeIp3*IOz%0m}a{eRu^to58f4qx0tu37;A8$ZXRoV4#s^;l@m%JErHf7RO)^7mTQ5imnHx@IrcSu z`WLxIKubk~?;*~D!;tx0uN?akisJY}xbWks5*DQzKA+P=^o(sii64~TpVQ6Y7>x;Ugno z^!)Z!f;}sWa(U0_SMD-D>O8otOrmTK$LA(Ie69on*ju_^@VFU)w2js#$pKR1=EdjN ze=zu1@f-4C-)}V@SN2w5Ec)kv(x6Cuoz+*K;rx;fQ+g*5_5_2VTFo+1iw(0&h9cyR zWc~u4C=>%teWZFe(G=Lc<&I*FTH0frYdsI0E>$1V7h#ed)1?rW`G8tvRT!i0b{|27 zKaBgBg}il9cXksPF`^A%lbYZ(2SGgk^u^=BBNb zMpq0^Yhgj?k*}ohOw$rp!9>yDzjhg~z#`*2+ryKfbhrp`{x|n4RQ3UE75_}FZzU~K(Is*vGXP;=LOB{V4xdv;IoZ-PihUYEg^iHvak87$x>8d zAiGoooMrK{ETqEgZw$|dJ?yAK&;6?gZ})D8Dem+%XcC5|x|=WFofo1&&pazs3d-%j zY7DuEey%$a%Lg(PjbQzQ&&Z@@M-VyXLJ`A54ZMIj8EBZH=k6IFUAOr-CM6CBjJ%RA zuT#z4Uc4TaN$Ja&yIzatt$_p?T?geI7G2QKQ*CQ^2J$C^eD3%W-%;?1de}a@qUDR2 zf}2Th>$ty%p5mFhHR%rW|Ed=;_{<6)fR;RUUpcFYN%EnF?5MDTQls|v7+hkueev_xstI2i1}AduH8f`Cn_?y zK5Zh4nChqP)HX%mP;bX!xDuc%%c*yk%aD<0JQ@AK7QQ{cE{v|KAr{;6O>E|e*qde< z=#?XjT{K4bJ>khv_*tDf+adK%sE&6kwEN|iR^xHpCt!TfOmyB5N;mIIxS8&8kGeWu zXdR6LBorcr8%h~6z@VO`|8xv8+P+@*BeUDfIa4ONY-hpPst*WiUC!+}DSh26MzX>vMpTyX}!^hbM{u(kjK4>;B0@B$hbmkza{< zfD){JsMpI<@&MDSu!ckJT0)N$2FS{7U+2q050<7bPj^{XX-I+ydXV%C#GLt~0r|{(+>sEkPdsra9*@3R9yGKM(3*;z zlnSEU?L!M>0E|#Z#|Ico-`?A{F&fI&Z@(_wpKnj~?*!6H*-+tj1o#YJJ&_E!eR#Cr zSHX}#Y*Zqd%h}HcL`_A*B7M?PvhCg74%fhw2WGD}lCJ?_TzTvD?vu$+QLqpl9wM;N z!(Sl#9L@OEX>o*JEkqEG`<#`j3-$4`ZQJlezmWmx+f=ehrQ@XI)>uZcG6M z;k-L%e_-j-(V8Q>5g@FKs0RG(;HQJ*$jZQtNl^0O8|N&#imLLAlNO@L_Cf)V)@KqC zYodJAU1U>+gU4d{^Q-c*E1v>ajJ3Voos)y3wk`D3t#eD{P$u2FE@OlB{n2`p-{WBOfOnC2 z@~Rch{m!M+V@N`tzqI6r%UOgBqz`*8&I6!LH?$vCoHjH|PMg0&>{D^choVV!UjiHa zI~D#QDD8)qa%(Ade$391CkA&DlvMdi%x&9_^YX_v%nDjIXyS|&h|QHY01LV(-ZYP zwIN}5CL(AC!#g&g^L6}6YdGVkDMKX{W9`qe9Obcv1!%#<(@95Wbo|GMJ}WA-m@LGX z2zku1y1|mWqGzrX4PYcZ_Hh%m^>=!~z((-Qo{&>S1K!PBA`%PATKdvYmNP-MOQgcD ztdAHBN#p5p@hf6Yju$G)YBw>KLiR%n$qQVG+{x^&b8)^2Vv zU}c_L(;~wpCWO~bQ~42iL@QhauJ#l*zKkrgk|jRWhf3>FKUsiSAYkcX4(Z-kLXwZ2 z6t$~&(a+{zBpSQC+uqVJ_-_l)UZafJ*6bDN|~`gOf5#4+Ww(zZC!VvNl6s!Z 
zCa+Jkijw-s5Zdp;+TCNqGH7*U^U*@qb8>RTq0diO_A2|3Atpiu-R9TjP7jEU8g#pc%P(7 zIx2{1+3r3RVVz20uA`wvGG+;Ec=!^gQA9Vm-eveDmGVX>lRCNj|C&$Jhupr9|4fop*8_@j;dX2C7mI~FYULFrRqDcKsFb4Dj>{UJl zrVk9#Z0&qcxMzG;ZMG6oRWi`8S`O7(PI^%Cgf$t4Xsy_cl@ZQyK}k5Y~MEdzR3Kax`C-KlVi|d-;x77y`WkJdLiXGVrzg@kZ8mij3#@z4{$!YuZK>w_dCi5!+LbSPg|e+=YkcRgmBayqQbud_hsFb-U03?-C0g)LnT z`@{kIuXrW5tc5TbNY8W-XfXE3L(^jHA(svml`LpoiR^FAYK8hYKV7~5^f`5hnUjf; z3Ii80b39R4RMsh(394hT`9s%rd{T{aX~Phfo+DVaYET(Uz8UB7y#X+j*?6$gcTZx< zNTlIqvNpV)(fFvJ4j9&9u$dlyX_@YxPImt>?8x(>8}C@vy6FDp(ojGz8$K0)#?J0Caf^r21adiUAiN3pOJvt>NC6S7GKCb!`!UszO zI=sH+&!qO;XlC`z8>@zEK8R|0+M2fdUxmuEkha*3&;k zgkg>i?vTPAu`S}e+4XUZ zLNYiB-AUOd_#a1sVf9y_(E}TT5HG%69V-7tFD{=U0Pk9VxTqVO2LPm=RKlI1Q{AlU zY7#BUW6a&Xy)#mLPfIwVJ_4pe2VNhR0);J0;-B^eJty9}D|YljJ4r*CQD{HOYX5?9 z>*+wZuN^B_xl&8N(v2kTz+Jhs#gCB+>eLst!`VEbjRF;PpwFZlbCvE$|DhWvrqe09j|eIG`|szw0R3T_2RMWb zG;bz@uJZ(h`YbOah&wqSbVIeXos}WW&3y%!Kl!C4g&SjGP?1&*NN9TeolkxZuz9Td zCkINqJT^L*Jl3G`KVqG0A47jYuG5Eqkl7X8=y#L|%9ML!YzAjv;TJNa*wT0IY9hY{ zSxB5L&n}&uP?BWvFDR%){4w>u3!!jk3JmSUw2;N<;>RWCD_6SP7Y)gQ9JtVtEpR@0(>n7j9Ng1%MTu z63Jde_AZ&)Xng*CI9A3s7T5~)wiYFYzwzl2AjHk_<1T}A#mAV0Nqh)uf7F7S&ykVD z@&yWp-Tb*HG>N~F@JoLWap>)hY7j1C%Gb3=&S86Plb-j|gzpCQ5V#%?4`Ri5C{AB6 z%RvYB4l(sGfF2fcf|HUicBgTNu9NquAI6)c$yL=?p!>wP zz_)_m28$j%*GH1nSX(YB0Msn6JV){j{ux}iUSj_37!1M-jGI3-Scbfhke!A%VRZ7+ zFnQ6Uv`pGx21SgArP$>k^ohehqugHr1$E(XwT&+_OF)M;{+nl>ggY>7Z_5>rl>N@A zr`Xa(k{BRA^U>&23@=`uM#NbPPJf>7153^&jmD4bs;FY0lDE;MIY`qA5Bh_i#etFb7Hy1FW)_KPFJ?yskd3aT zq;i1J!6r?Q=Rl_l2E%)e`e+(1*o{`UQi~v2%zXd)a6;pG3sK}#PdnKllcware`)_LWyQJV)f(n;An5Y?flC$`y7$` zaMhiRpkK*A->ZGe(n~h50cMCPk(v>bWCmE98uzP1eB1wOw)WPjuviK;#j7YKsCRo% zs1L)i&_o9<%p>giBcHP$v_H-6Ptj!-%=pUiQ`IV0yu1^t`>#NkpC6R}2{Bz7$?{0A zLY z-6>j&Ly#pB&v^53G>5Iwx_w8OQAE%L5nY<-ul~v^lY_2Y4$vZ%F`+EBxDqcu*vH6~ z7EFMZoQQdoilm@AKvD5jcH{(S>HfY)KDVA68&4;IwbT}r@v9rMSWHzwBJexkhF^)4);z!$$ndP>;IS-Gh+{1 zGt6K&;wiz(`RnA(XlXC@{Ub@ocu|K&Wqq zf;|>OLz%)tpPIb{ut9E2A}gwfxX9y2jUu;BmgKzxl6EoAKnGC@_?mjfp5;v8SH$L_ 
z3YdZt3Mkoy4N6eKpV^qd!hd%YKnbcLYD9RX52KXzFx4|JtGM|fpX~J z+eItv>l{e&O1av3lncS9z^Vu8J_+s?FkkwZsJ`DYfGHv^j*ZZuh(r?q&S3Th(lyFi zuqesI&v<)y)JabUWNz@H3}Soqbn+KBcL*ODEWjF`vWMwX0U~c45YPeAsq%%H30WjP zMQyZ)6LT#lQn@1vGhw%^KLL4B&h`l{Q|M6wj){p0^Fe6t`xN~zU#J0h(|Mk(rif(Y z0DLfsi8BxjfDX^B9b`#)zhZFI8CVW^c#B#YIyDK!29zifz2qe-A=SyMflQvwj*ai2 zRJ@>z&O{2-$piIeC#9@q_gXWc!Vg_l>ASiZafE1)I-kJth1T^dzl;#M~ zb#_XzV;O*-*H_@C*lE%6zL)Bf**;dbLw2HP4TEoGn}RcQNsR!9jxMQ~1}=DJ5BN8XaeN!K4z`&ky^LDa-s;5x`VlexkunV+vrLqv zC~INzFPLU3$UEUgZU5A~kA*1$o>z?k5YIdx|H=wTdx557&>qn2hNLj=d|}mQ#1hwh z?LL)5AV@2*EVE3FZ|ZWk{__^L_QAdGoV18X_h8U4E4w%9Y~&U11y`PYmt9YSm+HR7 zuyv%ZV0T2QA6^ayKd7v%A=1 zKITwzK@}5Bv%RwNu7vu0&wq;s&cFT{$Ljm-9mOKMn}aa=fEh%$@N3~Iv2{qY(xhYK zsVV>yM}B&S!?_JJ%b{i@-Zx}vsPyTvTnu=51v+{CutXI#4w}{(+hw$a+o6N@4okld zV4D%U4Yh1Ad6(B@H``Toon!HhBaU3E3&1*mEOgHr!Dn@Np02L~aC}RR@;+yi3p_B5@dyd-3M7l)p6hv{eIKgA`T9dM5C zPx-}UNm=WGvyhtU${YIfV@ggCroF{bmmf(Y!lX_aw=A9V%RgbppWW8G+WsVG<@5<^ z#hZ&JPzoqd;BPtrMLMsy@OI77c-GfwLMG(3ry6A=H}B9;9MMXYG_V3Njq1>ab=eGP znM)s3J3plhcS>eoboYNE0RsVn-uqo~4gXZWsEgZmRcX=n*CKlUB1QtN$vL_rMl}&v zAf#zJI;fIhoO#tQ*6scG)2aqdxl3~DVkLKd%SD~sQ)q>*0BlUJFUU`?r*bJp7req;EK!6{P|CHd6vx1SDz z0c-ar%~*>fye!c%X*?+7se5yP7iIx@59}pNJg)`;z5OVH@bhS37t)|Ybj;sae#8th zkZzflvPB_d_i|?g2gr-ODHx#?W;x84;WQ~{b>RsF64#EP*K_IhLQyF+;<<`jK+yvg zel?y>Sp-a|z{|M;L3@CrWqhWp2`o@zh@#s1K8+J5ulhVg_Yp{E<#Rf2EOQW|zZCSOq#0ssUx~gc*e6rD^ASjJ zinUmmi^7OHYc-95J~4nZl_#+3%l;yRdtbZ&Ry?m?2kZPOT%lM1^l3P%(^w#IHDsND zh12UAIF-$*r9J%?$4iUdzWc(f22+b!PpE9w~;8WTy+qkR^R?;lg-iDmyBBS zLO&G>Kh0WHVAE1pC6PpbK;ClD@%v-h(JA{jz2%gfeE^2*!j3YEvhS;nnEF5E)o*qg z-}W7mY}@Zqd7qt)D;FVpp|)8v{Z>6IPI%X;kG37PzIJ6imcb*UcU&X%2x`V<1m%fN@CEzJ%yp*6L_D zBLNSg)hxxdo_ef?pImQ3qcqD0S1;>TTYPe623kEOsvsH>QBctTW8RQxH>fo{-v-{VVB8b)hG*keP~diGq8tN_Pkq zS1xK-j-|7BiVr>V-!?R%1E`b$8~M;1T{AxoAOx8*dGCv#20>QH^LwcNv`>F2p&%AZ{Qe|G=AT=*{S*PK>=w75U>Dr z@Aq{2$M0fD^DlicxEew55JM$kg%$pSDaOnb$o4iAu4=h6X{g(m#GOd}`iC 
zvX^;*xZCWAl{^$&ALL&-I75dTDf8V#;&D9t+CCp}mENzeQMHxITDQQfKkCVrp9JYS~xo&Zo>-LjDYcH;rq&83GYFB&xzBW7^}c;c4?&~jaurlO_} z9oY(*KM)R#utN~`%0cfN%z?G-qDLKQl^zOt@4l0gpyj{6TK^%SUC2)epag!cAVD68 z`h7V|=H~Dmk597x6^*8=RR;(0igzW=CMUc_vbR+h+fI=O}e=vCe>yy515^8 z*cr_)AhDT|tsJiX6OPzK(m+*aT5bEsvJYWJ{G9?g#(#d8uLo4?&c618D^p;_kLL$! zkRXom=f}Jk;tI(-kC`kL4u0ghuoc2}Ke5t5;D+cPR#GIL_+!`0t) zsv=G*gDI8PcmJ9Qtw4B=?#S2QIX0eY0}x+0hd*QI%l+;1CjJ+xK%TCr!jhdQILkm~ zbx!&o3y0VssAjyIvNVXvcHGA(UyyE1o!&)tla$&9mgIeT9-sefSluKG1X9(5L=BE? zl3qUJ&TE(tDS2}sGmtIm4-9zLbc%cJe={|%a(yoI4jvmPTWIAb_8>E1pK!ai)Bozw$#2tuQW;HCKIm-*@RD? zl5+!=H;0Vo&KlGxs50)6lTt4ci(%`kT!%x?>IS`MZ3N7%WG|zAH!7ORC0NQzZmN>T zgFu|mwE!zF5(`O1qU5*+KUUy1`Pil6Oq_Gb`=u__#o(bkGmDoZBJiNLVrnItqRb6n zT}sq9n6C4!tmik}@9_sVBkA9!3&D;GA+D3iYdvx|3-D(W_?ZH%mKpXfH@;HtZ$|F7 z%aji5S8sPdtncvLr3s=R3*sa=KVz1NJ1{1O)bJ{2Z`rbhlDnJDRrKvr-S|ycd)ko+ zOCN++S5$IC8&22PtpA)*c`w1c56>Q{nC1G_oxOCLk|!vA-5J7Ek&1{ezQUWfpY`w} zZ4!xP*jJ;17_Lg1t~38hWem!$&>Rd#XFX#7Bk-3{wz$6Rh>l@KN_jN)+Cswi;M>mV zOclo(yd3gqSB1ePnAD}BAz2w>m0!{gDcZj|@6&cGw1`*OsfYWyJ&5D*!*luMzGUW{~WhlUF#Y+3e4Yd$FVNl%a z3G&+*fkYhF+m-KYI?$OOB6r4w%EI)E*D$^p!BVB!S2ZMf7q3PeMX+wZ|GZGBpAMez zu%4}!4myluwVIAPdl`06zf-_H_`{iPHq6^U`Q`I%hjj7pD72Q0U#5EKjXP^3%$(F-E^1$$ z8Lj0F13AiXm*DTpXi67RyuePc{|z{Q>(fmvhqR`ZQ{9!fesZGoKS!=;SH%q_R#0RW z4ON%;0_s(GpkG84xDmpPRe$DmE*BHNN)T7IdHNk+mf0V8T29k95vVh9rM~pzW8-Ca z(A;_4tL`3q$sj7h6Gh~z5CLn@-15NJHe34jp&o393eM-oCU>pM{*$#~mijqTS$>P1 zgy0#Gl26Ms?ArQPjRHBPE~-bYNl0?t>yg$Vyd`=8{}w9A5UTw<#ts8=%td!hM-7}y zT^wI498reIr)%PqGAUeYD3t{cs9%)Z+cT(X<@ppl=bP*<*I1wm+4rKS`78#+ZC;Pf zM(sy{z*k$1yaM2=qJb?rUI6&}KYYySqYGcF&?L#FI;2m*%2$k3jUCiuo^CGnbBlj0p)6>1LMXg6c`cD$Xkhu_>{(g)3;!4|!(KG&jqk7?(*Jt#;Cfk7vm*jNNT@h$G-Bj=1!;Pddmd zt)_{v$@kr|Ha*uC4iC((sqO15XU;6CEhHgrEW+jUpw&o@%$Hf`o|YlK%0?_ze|qR% zn{<5i`n2Nfsg0z2B6q;M>0?o{DT;VEzd|bnvL(44X8rOZg*NSpjW>yD;0!z?U&t?GzD$-eV9B_msM)9R!vF*|B8aGDlsQi_nEit3#X&+ ze#mG!lD0VWL8ld9Ro%%?us@E+Otb%4-Vqug`I?hGAJvm+JL!|Ua-iBl+;A#R>&&}4 z+Ji~JMQD}FUW%<%osPE{W@$twEV&UrAOq+f#jITf&RwF{hCYMO+-*!n%NwP!r<;Fv 
zbcnDJX!e-dQa=MZHMx_9v}*T(hWpLsL%5uRT~WbdH!UgEGXx_$`v?0u76PxyQ{9|0 z9-4btH+Dj2_-O3EGqk*2im1nRX~QZjFgLz!q%6Z`u}EAaAbGv@*&U$)W3js-@*3}E zd*jP6FUB?PPR%xhjlpR4Yfh_vbaErqbrhndg%Q`fzZES7-&?*n-`nNMqc;8Vdr zm}V<19A3XSOUY|_CCpRqI|hD0!fiu@7v01uS}RKM#z2m6b`KUpJEMXva*ApR4<+w) zYa(koqYvGG@$qZxdP>s;uJH2-S-d)F$H01 zbe@PPhe8NY`Y#06t!oNWYtWfl%ep?nY^e^)*yP1HjBFJUwhkBxOkEEppVU00YI~rO zZYY>p`Q?}u@lccXTNpJ&mLi~aetkO~bSfCW;-h$KzOvw+QE}i$U|zqU4ORD5J}|DD z3JG(ycO$TS+?p*W99pbVC`R6bs-<6UWje5>eoE7O_!j-NR)MtieR=H6RIS#O)$s#z zJPw_4A2eICG>4G;zD_KpLhM4t;*CWA ztp&I%O=GF)di4jcO)!;0bi_n-)OEJl+fGFizWW7UN2Hfyy`MJ5!&7MLQ9qS9<9#wbN% z4kj#=#~`Ok&n-xLqq;2@p9Td@_$nef*dw0`AbMYbuSGukQoJM}nP2|URcG2M+ANtu z#;S}H;Q#|1t0$N%@g0Yy!0O~n#9o=~=`>b6>&xQM*iPIE4WrTE4-=Z4vl}u4^!Oi8 z8`&v+&vTj-X81|sxS(rJesD`=>OQDX$`#H`TS*$J2|JeGWOSV#Eob0RXpi-eijSU= zaEEC(Hw{b{^02d;XMb-C95LIrK4Con%16F?LAiz3SSaW%QHA&ha>mxEB%t8VQya`) zon#jvupsLALEd(FsRy}$1VbQMKTSUB!kGRJo$>C5y3P`4J%d;T;+w+0IW(3id@pE! zh8J3_3-=0#@ke;Ez!syFBWA{n1aPYP0>JGlQ_K!EZ zz1q$@7Rk6LnUYPVfC@hUBQ+OY zVeG5-7Q>PN?kWrt<6-Pt!TCHkxjwc?u}i4%lE8S2-6(4;x;>u}Y_hifYjo6fPkEMB z;+HWBa`tg)=Zgdd@0JgQ?T=!^*TL4boDc#sn0}=Fwy43|t0qqS#l%q`B|B4i^bzwUK?Cnzmc}y8-a+&ZI#TXqN^flW6`LpblQsRD zNCLrJ`vV#f6}F_kn3e22pG2`%&xkB+{fvIpNzwIlFdmMG0+;Hf&-~cS!Pxv9DziVT zix_RAHkF;R6ES+*W~4nb8aS4IauMQ%C;A}jk9&I!GSu=fRl#zCHD0ePHx*f^;_|qw z-tnB)SC_fk$B{|6;H+OZ>x9Df1@lH{f3?@Pd1h_!OJr1+z4@}v80!wV{5dDoPhq`+4z+UhGMtFiGQ9e&tOun&t@ZBNx44-s|$c8VP7Nt}6=s zD~OUyS$$g+fway&+LO!fQSSX@?fBmJYza+iA$!1Z0O7p;6a&gV=r@q&MR9rM;hh~` z_6^g$jw!3@e47dXPvJZ6WF>{aR?P+zL3}QfjS^aOZzFmq&=m-2Gv|-X1M}}f7fj+z z`Rp=5Q!E~rNByrAWa|4vt78N)7jzaKf=;w%u+O6$9(i6Qt3Za4n8nuxn_zjL@KpkV z>jzeJ>Ju}>omssVO@cc+Je=%ILsvo)W!6-=DvzmhTP(*L?POw3B@3~!Hwtqd(=*aM z{%VeN+c2pWAnAV^OWAiWfHVULiZ#i6SOUk3v)^Qp-ArG)`^(Bi+_cbX zo4#zPm_xbd^PT6lh>8afGGBH`D%#t#2LuDm`g<)+ax6$Tkhj9L-EF7n@AI4KeIfe4 z^4tHoS5*YC4O5S#DvwL1SRE{IDU}^4%#u)PA4wmr9Rs?XBLz#LD>(5ndX`)#(O$0Ly_8a+ z5y%ew9@5anneuHO(kpYQi9xZq@~d)v^fzxDC*k(hAtlw(Rr>a@i(4&^O7ac~T5z#nsXHBx|~itWH% 
zIroqRZKC3sbWl~m372Evy^%6^)ct$hE7y(9R&91?D+>++r%0<2lgHsNa*P{>A`IH9 z+83X}BeV3^Q%Y&(PA&#DSGIRChX?bYD4$Y~ep#U7#w7H-q$6RS4(TMp)SEzm4h|Q) zm<}ZyF2s+EryLFf-`GRS>9bl#kd2xsVY41ZSN;UGBfsI!9YtKvp|>66)mbmTM;BW@ zXl_vzz4rQv<_@TxzDt{Q8j zJ-LT3b4(9=Q=-FV^wqRht>c)^-s}}cN!oU$QLV*!rZSik>o{T%c_{pf5!oI0D(H;* zMzQ7H_JGe>nQxPOQ_#|_4h!^F2P(`+bjpaB=H%7W0w-B};;0q9>D3jlu?xm}jr#OV z-7)8l7Iv03Tke{BS2KB6DemG`q=#lGiVoz)J#5$!lBT?AIfGjA?&x2j_n& zoZKy>X+pAzkkoH-D6wZk-92%UZ39ixM*?F|JWkb^jPu_2{2Vx8Y(Z;5V(-cN=1#gT%~ItByUS)~Xq_?K)&UFwCpvwq0TvwqtjBLo&RhwL9V8z~c6Ni+YRk zczAW6_U`7~*@#*HJWiWf3kJ4!JqYNbv_47_bi<;17E5U6nF`4G@kC%>OU^0gvx?V1%5WbRX&1 z1)b4`&;}CDu29yZgfQy0B4Q4kwK>Idq&bux48qIaT2GR+y9Ge%v>_)14LW}HqAobN z1(XHkT`RF-+CGB$*rmDZ8t89g@a;C0#)LS6Q|2-4nWa+NQG*S1Bq0y_LTL-Xj#@ra zj|r%z^__A)x3&$~%JmWimt-(2Oq88}qRoYu!}T5<|Fp|Ax9XWU!m4unj8%PZ!mTpH zd-WsPOQCWpSZ_dA^ebcJ*skb4?t?VTlGc+CqeyE(++J2sSUasD`al$2xIRO+X|{wM zvuOA_Z$tsbtV)cu^ZKETCbAm>i-p=8@pr+^uQR?U~%krCd%N$B&mcuE1b z9c<-sVYbBW9pu~}z$Bd5 zHqaPhar^P0K;hmWROz_+Hy z)$YWRYC#O)g7u=}99FYlo!$0VGa_piDc~F{3e_M?PmHoplxoeRGb3+(Eyx&UFo2iT zN7M*2S8}+|3enGL{Llva^HVlmOJJoDr;eQbgC(fP`vSG8@rW%f_kt334IBm@5RD_y$iX|Ab zTB(Fu%p?J~=_txF2T_DZ5kG%Ltb&go4cF}yDysE1>^eGI;23T8kT?<$kxP7mW~g+3 zegFL`Vvr${FaG}3f_PgH_#^SR(JWvbZ2+A;K{9~X=Oh2aLFKgyk^Jk~sFwWzOyK;W z&w5?)V5NVCLL~_EUoSdZ;0C(n-`c3q72W?9`>=%$r6ROPL;yH^Bl^#W9m_}OUw!VU z3V&adNS+EFWzL9BO!wa}q%Ux3FhZdZ^vK-%-zpOIQ?w!FgD(%>AC&&{Avfaf?7))h z{RCD@C_)_&jNS?VzRG_tca0tx0?A3^aLo7j)114uPnN9Hh42^90}c=F-~E3N@wCEL zJbo;|h>fETN%?Y-3A2j->q60qBO}lhp~u?Rl=tJBITG>b=E52kg#Nv+FUmNMAzX9) zXB0XxLh!%3SwOui{N+C$=%t*xEY9yuAs4yG1`PG1s+j+tx%)RTLf{J4vU~U$N7*p& z@$m~wOS=>)%tNL8&QVrXE4L>jkFx<&N$==O4E|?U2mXI&HIgCxw35j0hXk&6*QlcR z@;BFqw}FpK4LPpQ4`Qr)@Ex5jt>$d-U3&kHp=TfCwRIu!4it02yHq2qJo$u6w(&Xh%BAI=btx#Fdx z6Af>~@x&O??utii=4MwTlBYmwR#H|a4s3M%u*;;WW&SZS-x?s%^Y+0yT2 zi5~F+JIau}?oxrW2@{vF{I`(B_ z?yl-kHBwEydwdu9tL-nXU7C9jE&+l0B1IiVdJwl&ynX6oz|g2>0&ZlatRyoN#*4PV zKaqVwfFtr|>2x$I5QQ8&|IdL@YQHpcb%3YsIb--K@BhQzTSwK=EPbPa5Zs;M?jGD7 
zf(1(;xF@&-cXxLW4hin=8r)qr?(TYrbKd8D^qlqG@6WsLT1m6_%$}L%GE!fDfil^uNgCDavteqQ{}e z1~9|)ZT-aafkXfnMk0mx$aW{FGhoW?oz<$K4eRq~t0)Qzq7QbNDLj(DUz0!q% z<&M6fpmo*qc(uT87axcXBqqjQ_hMAj*QgB@LFkm1&tl((KY_oJfG#yTj)h->!bjr*lr;oki!UtY@x-V0LQeJA*dV_e_5`6~z z;K{MdR5DRw+Z`TfC)-h!N1}xFmVuk~t3*o#|MD?zgM(&bD1HQssCsRU(3^(9@;b zrKyl)RZWB4mJPcU21Z8FxG<5g{`Sw)3y{l^dh3$dZ(%gK-0r?z9Ip^sHeX_P!IAOs zs8=`HAAZ)b?#6iEN0d21#^U3P35&&i^XR_G*5UIf_LTf?jDkFJlA4;D&PEmP|L1dm z;N&$jKm?_(>QUDKFoEO-k?Z5qjOOPRcTe}n#4BOI+TX-dZ+5P}yZ6Vn5d8S@Bc1Gt z#-F6>A0_PHKTEp2i0&vD^5BjUf#)I;dQqMWNw_GRZ}titbMSu~J}@DIu+V+Uo;h)` zRH1i3sb3(eM0mkPG$0~^XMb=CNPZLlIThUEMjnPRnq)(bEnHflsOTCTc2SL^+v?F8 z-(Wjirfbd)?QeauDirtj+sz4xDP@Q_H90wX^7DtA?PhQzSjf5Y@vP|?GQLpvK(~$a zOpyR_87$K4w4B(ef&ym)Wop`eD?rI|I$uzUhhn3Q)c}u)C}l|+;jZ@}Qz^|^!Dlg$ zj4+;wdmXy1M)??`EQfb_ce$UR?!_A|Az0#ZdkDQOzq8{+S=_76;KX;#$JTw{6mp@C z`Cw5Xad5;(ro=IBz_)+lBE5XOk;Zr9Mq<}&JOqdbbmo({f1kpaBVOpJk+RBCjMTjc zbCpw&w>9PqA3l8wU>)H_1Jqby@M2<03hsD_JpZj|ZfdNbV(mh)qKd^zOLM0UHQxJ( z;?G^MQ&Us3%`P17mp`=&hpd9)Z|6-*i3J3-=Rg3gOHUZb@+^fFGPYhP693IBEDb9# z{)ZD0Lv1%7P4-?|8X6|u4v19SVJ^OS%})q25#OB0#IUIIZ2H{nUSy|>=mF&wOt=M2 z3YN$H!U~hqnZe}byT?TtiseBh4{XXY>9}EdW>_kJOBbLn7LGGnW2Zp&hK^b?I#*JD6ktkvV?3@wN(;s%E7T#d5%W-G;V z@_xA+OS`D6goI%W5X+IyFV;Z1^?Vg_$$03@!gtoqamZjW?zd87)Ns^iillI)V`r2S zXVYT=BJzE;%Dj6e)OlaC{v9x1lZJ+%%)-u#@y>-*o7MJEPr%4 z&$>wWo+A=ft<}#sGj7gG5FGOe=GeGG1*UnpkgqvGMc$D(iH*U%tFO^DC(}^|PhmIj zD9lg)0RgR)C!=s2XY;&&oUrzlF6A45oY+;O*%&KPKX`3mE4lLS8L%^^DALVl#c7Nu z%k!mMMMH^NGoSBfT8UCNNc18__$NqpinLn^5;SaroS~wxXSJWs5`Kv*<;$sDp;{Uw z38cDR&HXs=N5GwgtRJL&F|rt_;OFG$=pJv@BXle0CY=Lwj1X!g%$EBpewfkq@lkFA z|FhoQlA2QMb$*@56FQ>gvfSv4^2f7mu%~%h6$xbT!+3c%-S4*ro`XzFo7pwTu=7?< zdH2P`-sVE6gGTxQP*T_HB?nHR`%^d5MQT1jOItpR8LpxTfZc{gAt-^UT5p|wLsnNv zADt*s-fwU@EIVx%_Q|EuQ;vud1fc|OJ5e4(M7a;-P*&uVtTjx?3ur#-8pL!R0Bn@j zBoJuc;a3!N8JPJif-4B1*d$aBP^WFL-d!%1%coVua*l-R4b99!HFg_r~eu%~W z+jg#!#k}w*b=uzv(YSz+3U}H8i^dD@FCo{8GbcNyRx5D5ocd%9^27QO^qnp_@EXw% z{#1>AoNof>xKna7%SowwhBZET8=q*|C9H}^o@m*@Q*!g-<1ON-)6-!Z&Ipg^BvwCd 
zu-5nfau`!$uW!UeDP_kk_a*bIFdq4f<@y14GEJeEV%9LkkDCeFKV)sW$b>!3{6l){ z+#wRAu@J?N^P!Qv#o(PiHXpYyXS92Z)GAj`9hC#`ne}@L#LQ1)<8FOi^A?I~YCZ(~*yH=i` z9LR;E*f3EL`dhhXq{A;`E{kFingGNd8Xk9G=m(Y%_kAD*5jBumK2dhfD`)n*76;%!^lJF1!;;@hs zP)&O{xGjFe1w3|^uW>?4jzYK0k^7~+>Iv5y;Yp~ueN0iONxmR6f~$?1jHpW>35m%^ z-k70i1QQSivC60*oEDg6JIM#pXdcn3okY7F0+TFmZOzOFyT+td<&sBw-1!Ceawvr( zV^!8}h;628j1@EJ8h;f4xjL-MCs_eoYaD)AuRAh_aqB#St~HW9Jf6Np5gQofBdpF| z6c$+1g5bNtg6!>v`fM6qL~z+87RbjXt4%W%ZS<}64N$F3DeuX!mj(nr*M9@)PP&V$ zA7Cy>^?j2P_)e%d;qkCeXgAN8 zY-TGr77_w8$d=zCw`@9v6zw8fLz7w|NvW&=QLgM?f3$I)cQKWku9Q3CKw%EduWynV zN@5M*>Wgty>pm-jvtX}FUF6XtbQ@CW5{h;Yz}@I)R({7UT(zCHY|^wDJ+Z&6B3(4X zlO}g#nN(!_9u^;EN6LUwohXhTD~-*LL%Wf7Q@;&E5WJ?h)qz|S~#6kP0j^kkz1 zz{b?ktqLXZ${X##oCxKu=n~i0@tlHX$o3egC223DiyOwOEA+H88`65EQed~$M^fiI zYdWGHkWO^EK&&X`>`9hj%wifMW{5lF^1i8*Y~{NvBW`n+x6#v3SJC7$A6oxCQ?jro zrg%qlVb^__!~=w$6BP8-$$WVt@d>qa<%@ir|7vQob z=Bl_b*hzvpeil++DL}PiZO9A{F%FbL6_n?ETm}m2>6EBXEzLIKMv;haAs6nX8U1-0 zHx#uk)C|X2XT!ETqr`EDqU;l!JTOr7wlE0;xv5AyDoHmO$Y14%!3paHHnd@>o=Q1Uc#`*1E3dl?FTCLxzU$ChpO- zK1$Jrw!rQMBF7FuLmg)(HARUlecL0>ENwh$h&&M+YqBG=B;yl`HpVIp0<_#_(%`%v zpykffqqmcM2{3r1!zI*qV6Ph98+o`$YmOZyg*QQW4v3xQMf-UWoT3G8;uFn-e>~X+ zG~5biJGs6a)aZbJf~kqg8jqlj%=ky?qT^RlnCO>bjKG?i<17k?fR`b9xTPCG4YJ~N zxiYH;WlI!Bk8D1#?QVYKp6dDG7!=a>5f65wNpcgO_o8a=^Nq%u4-)?eTZ_}#8FRAT zlnpKh;)zXH6#kIjoE&Mi1*tmSpbk>pz36zkvz`!#Tr;^7$xy)?%QD9u>8=m;^4@RY zos*&G9Fbl6dpfUIJW7YtSPX-c_xrhn0=>KVU9OM1yMoZr_VJ`?!TX)3%>f+5Iavr% zR6lWF%Ed|PWiibCN;ylex>RUS{<|Ggaw1e*DPOcxImB?9*d~JOmgJ7@-Kca2o7Vng z8LNws;n;n*cS@{lsu>PRNl8CQL9K=)a&c5;XFL@41e{hx_=V916$ZTf2C{~S^VNH4 znutzF3EKpu5fuHBMg9=L%Oz1>Ge)q3N3k>MU9yi-x{m!qaX5e=G1m$76vC_o_Sk1= zXJF#z(^1{%&fZppEs-rx|V0=T2HyxCDFAOId>+99TjG~5APLEJ6c~1qGYb`U9@B6KHa}$0b zG)r!l)UCm0BMF$_VLiB$j@*CJc2hA&3_AIU2t!VHTo%12azI`a6M0>cl)u2_$g0Vo zHtMzgTQ0y#r7_Zk6xl8;a*E`vIZ9j~A9-tTMLkhUo*rDid>5@o(`RyXU+52Hn*k4y z19_3N@<&{AR&i8RdY`zAdqQ#0lgRqT0W$6iGbW{k42czxWT6rC6C=OSkj)j5N&$l$ z+y~EQWOob{Ju$GX8NypjhZ*wuKJ2O~rl6^!o@V#sw^K>uU(9ZDHYLT5=?>#ICzfiC 
z@`-XJTs1)#gL{K6npMVWfzn;N5{Oc`?Dhw<8}_l)QLkV`f!)+=#!z-}5H5C96N2|t z8qgYa5ESAu_sSEwk_uxn1ww_(z;o{xPt;m!1GKaB4Z6xj{v)#7bVjZ5E6%#hMle=kxOnOug9l50%<-J;UKs4>Q-jeT>_|;SCiM zgh*|_mU(wSYO!QoI?TWSCHtsS!B~Boudj2W{#y<2h%~T{&Kb(*Rk<-BIx-vzzxdeY zrF+gQgs)y-OxFIwl>F|1_B}AuVL`y)qMc^w%a3>crv*QG44HWs7X&*#iJd7%mId>! zks_Du#4Z{~V+zOa2t1tloDoH)dY-AdEOWOPPoR(%<{*LOHcF*o5FRZ)z91@B0pbZ02Wsj zrdIgztJ4Ld&;6<^U=@{>Dk|;Q$qyNT5mt*}`X@*8ADnTL9xvO0R)j`Zh%}W-2d7?V zC!aKxvTGZeC6PHgcQXEb zaKJZ_)Zi#*1M}@F9du4tzo_<)yZo1Jt}`%e#Lb7j%Q1iV0{o{Vf)Ou1>!qok#hh{3{a)2fY&Zsm5T#Y8r$Bj`to*8JrRptrUtu;yFeqrMzEx_Zu; zhLX-!0>9<62#Rh3u8>SMiv>W1f(o)?#D z2y)w2Ns)Ih6_MUa!v`&Maj7T@nUngTA9e=apAQ3d2wtepjeZS5lpUOqQ2NE6w+7%@=m<+Rr`yZj9#~TNr^k(L?1)RZt&mkL~fzE

EPL;ap?HG=J`oc2HoTEJHxOyg;Sdd@k;%kYZkCaHiu?ZOJ4m}Vf*`bf$;{1zO|9^SpRn@v-$RI&qC>4vK zs#QO(R%Ef;Xa?afB)PgcjdnN}U1nG_qZ?iZW#x~ZdSFfQ!m;S{-^Ue{>s2_4ZpEm6 zB?O{meq{;IkBPiMXDcWu0@LxD+Vh(`63j&S?D9j8@eB^XFCwps=?DEB|BoL3m(lDfyiiSHYeVPvj{MX5{?l0^ zw-=9kOO5`>fA8v_F8VG31ZOfOl45-R*y+D?=dWMAF317xd^aD?_s5C;>#zPW2`{I- z2*d!9MPMk0_@90Bf9l%520WesP=42x=PLETF1tTZjx#!-ot|Cl_v3t1uV2G73MVTg&j#Ejm-y=7 zgowbgH$yqhU-@8X45H=!h{yG`8_OgV*tsUM7`}I1zvRfARtd>gW68&L7RENVkQ$V0R}Zh+ITjGizXtcIw2XPl^Ga@mQ5 z=D!)bB=isZ*rmMvui~mCe&jwb|fGCI^~AG zXp%F})|(!*lwwEr->sT| zTM9V>U?|LVnhog1#l@UJgx>o3@jBo2!@r3^3xJgJo4*;Xk2(Et+OemQHukCc%qDFe?+#d`^5mu`j>Tg$CU5G z0!^(jKK_t!BoCZ*4ulU$YGnq-*%?x3%m;7X@G<3ZgM7mH69?z8V==a#K&GOdEh2(f zOz;DUw$>*A^r{l6&ad{!n&Ydr?%w!pr!_pfIx`3&H?#SOJ8?8|h%k}Y$VgbLCr{0s zpQR4U$w$`yr8~5X}aSYj4LqpCh*oF*sct8pDQ3Gy83m_ESZiU)>GCm_qE$H*zqG( zkrG{IntM4~NQaY12SYBoeoCe6le%#F8{Apf!C<5F&REPx`1fEYR@yRA4ZzEGm0@wL z@DSF^hMlzg5)<3H4Vj^A_k)Fqr|KU)Vk8Hzn%y`J(%rUKJ^Zwmj?yQ_C6h#p+p2K&!L`vgh8$N&6E@(cigbZ_$K#8 zgI!#S9Aa?Rj#djMyyZtfYmVt^`frxP=GVFcJT$$lFMFG@A?GRdL1FfBS!+r|#KQR7 za;<3kHM}94c7dy!sH9j2y}!1fyyX`fTu_aM8!@oL-$7wQu;}(goV=MQFc-jepRu3Z zOT%%+e7X4G0o!sE%@nOv4F)WeDHQ%*=Jo9g2NZZ=wl z5W$Pq#W^Z&EDAr=xZM5BUE8)IPK{=J+>E6!Yv*{{|EY|2hXz-`iD4^M0QHNF?k=mT zw^>2jJFD27*X8R2Q;a(G`*rxe+U!ua40;8>I4xB%N&jp=Nuq%_cna}yJw2{G<6~f8 zP|?zclwQ*;wKrn3*I`uC8?RqKGt(2Lu0$jd-ou$d8Fx5HZq+0Q5}&1V{c3VtI9GMo zAv;Un`#?J}xJY}tTDRo*EiETFvJcVSwf>Hr&f)91GnYZws(O4i`^);i?`g6m$SRDNw+I+cyOm zv~dmOP}KQe*+CLp@AjHkwU?SxH8F`l}~t%SC$b;Zk0z}fOq zkAMvyNz)Pvd<@$l%wRh4=ocL7ig~-@U%5Y$3JisbPOU;T2#cZRMh|#ZAI$moheI6-RSiy>AN8p4kSbMw9BGa)^D#y5Q+Hq58LJeLU!ufHhQ&NSa63l?_ ze%b1eu`eZ>5fa)fp|H$^3_H`+J5t5>|7Ue5}tkYgY%0D9orlFpu##;aZ7jK8*Oz7ejKCL;-Y>W85j^M7PQs^#Xb`O)9R=YW*XJs0k3`D^2=;68SJXwIU zXcyevt-!^0#XNetR8CFR?I@X&7H*;dxW-e!;%q(qek;Hi`!F;R)M*%@Z!WIG+`SSw zKQF>*{*B?TJs>Tkp2&&ooHP zai_-`Y$SClaib3ZQ^c_N(jC@mYD?s#mis7Tse1Y!GKK$5@*avZw|jeXjXEG&9T^i7 zqiQ^5^a!cJYW{9nwe}6G;Y3E>nXZhZvph-aJ)z)Bz5CJ#i^6eI@ zSm zYiGj^q-*;$EYd1`OkFwRt#9Vq^6Yubd-iZ&X9TES`NP5){q71oCO{<2gu_VN;?N`b 
z-Zi1F<2$T1EY8>11ybLCT#ZO!c^SSg_QRK16*#4%FYsQNL7=?*Bav2z^xlfY0H&{i z<#*@nirEhEWALxC&b%QH5hU57liffokQjbE-xchj5HcL#b(5-2l|^#dmekd zx1sgt+xkUP(h0=WTygp^RcAwJMxgYNw<26gpR-EmWEOvpi)*l!q9=sD1D&L6o)~SC zI26bXR$pLBFx(?pG*T(vg>*4!##8)RiV=a4qN&!~knip7mFcvDCz1twVBrJS5j1z1 z+HoD)wuK7;<5ajJ?y-cj2{hVKs{?qtdWAR|{>BtFl1GReYRRtwUx7|v{C(O}r;shX zS8=RpCi?2Rv>(z*;`$JVi?LNDKcJlmy6NYw_^9c7J5*IuLGzq}Yk?^ytoVt^mni53 zA$LuAGj4l3Y!I_pUg?LoF$wMEyV&4ujUf&Tp$ zy;YXsoIBbMpZbJNuwn|lxoU!+_O&#O*b_XT-v+D*tbRymk#OKTEvv+|UFgs}>aOUG zHx0q&M(gEEWaDnj`HJ={-HA|XD|XF0kBxE*55ZAZCRr)?r~I}4rjq>nIcPph;baU4 zMdWagTy@K&JrU;9TJpddGZ~$ssK}wkyLVs`CLB6(v=Va-HEY&%mb^$2i_Btd*SQZX z9^?eKcJ4&5V(dn8tq`x(9|S|-1~}@NwIaI4K$rb!f89|NHA726_}4Bw!~H9r_Z5&> zEWh>|+H88|+i~%1!^X%gh84xE#uMif`r1~)T#njKwv*>@FoyiIuc%_^yIwqG z*+k?Zy(-%jlMh#eF4&C2;55IyMQNMxISee?I)_VjhSEGu^W}uo=euTR7?-=hxFGU7 zu&wI#rq$Vh%PD}+C4t1zA2#4sM2$^m9UU3+aKrm4Bi5_L@oU>W3e8Tzdw2zDUx)rM z=Q>i<8V_J!i|*Md3M%8*t?b+U4W?`a_K?$@EFFqE5PRWuMz#s~9x9+8Z289El0G&K5OnSsr(C_( z(HahTpXAZ`z%zETR(Zo~iHSMX#ykl;kEn4mNXF3i;R7qr=Z)@{yuhV^^Z{wEj z0_>>Ij{U3MMCKq0Nez@BDWdD$on42uwKP=zrDe@M*E&!atWC=w&RPFXF2Du^aQZwCIxl5JKHZ{NN> z0aDgp^80%MC~+_;;#2MCOYOelqc2Bu{h2!{m)A=Hy141RgdB#TCl|){3UXQ|=c{9@ zw3VO$Q94Evf4x<%gNATlLop)bmAnc*G<`(SfmYYlqwEJw1Z+$U7Z= zF2}F6kT_8m`NX)wB`*STm48L7hm%PlI}PmF^duVS^fvTN(%6z;}d^_#>7QxPiM*)v7IYN0Hx}&VE(!^AXu3PnmS}KSBo98) zE*J451MgW5CW>%K*N1=(pP+)*zEGf4N9$?1(gEtA!xTHnw+QpRW0Q2fHvxbDQwBL&9|FC2WWpnupA z#ppWE=_oKHYC7f3AE zA-u-?EifLgT8mMELSlMWgb@t0?7frOY*k`75GE_Gr~~%fCQ;Z~!!d4-_ww=*8Txzr z2tPRX>`+cM2mxdB9XrA3I13`2R=@{poT}{lEB%Mv%dob&%9BQF+4nnE?FaSP7ZIC; zKcl37%LPzfi1gt(YGfl5%l=3+$(3b)$*Q`=0;;*+B4u<;GB|dQZEnJGit+GKA4Upx z9tHG#U1b0&a}^inm*Ow%DB+dN(8)@@pi0VD3$;3t1cxlH2VM=moWP#13ZbbGllIrA zRa=?15qZZaQ7m-e9*s3Iy&`?WWZ<(}hXui~%j} znCmaswm$>d`Q|3CAmxFZB?h|_$2`h3UFPSXjzw_Q>0a4kr|EmwT5!B&kpMM~&3#$E zf+f(L39LWgB4VV3d;M9H=CSK^F$|Q6_8JBLft0D%k=uq9DYIlaVC)JYnW zLbes>Qv^FGhC{oD#(^kHxQBta*?`==j|;ALDBU{-BvNe30Xa+Aad8UgXb}R#F_IC& 
zJE^bI4eRPo#flsxG;pqJ%-FG{bjCzP3um{l-Bp3FR(F3ihmF}mgUK*gp!suiut{f+ zPNsjrtF#=k`o6*nbnB!Wf`l3*G;T5Z#uoz=LX`A@085tC>YTpPDz6@l_W2H$pD*?& zX5OF>F<*p)USwcQwd&mlEQZ%wRgi6&&ikXFc*}9jhH&WGuL-LggO~@Z$6Ykn5$2gJ z`=-8N3K%7Cv`v^?CEvE(sr)do3?_sL{3356k zkBY&MFBB@}>s=kp^&dJ0&NLGeGN^}EL%rIctF#(nbIL?{o=;-kHXP94_@;%|pj%?c zqw1PbD-qJd;jD*ZQAdR(aWxIHnx@)d|M(*iX-jt-bhI`wsc~8l^i#lu8&k{D(m0)0 z7>!vpMITa8D3!;Y0Wi`VNPSwK8hVPDEvlo0^-5m zAOFi&F`u81mS%UbPejH(cbAN-@+pX~u>Bj48{d$MGNBAp!;Q_Doh6_2=ehM&M)Z`? z3GhGcXOv%!s@*(#NCro8)43dAB>E_MQC#mCn*Vj1r~?g7qNfU!4eW)8>TqtS+BOtx zzc~A};H;^}V74T`fv>Q~v5;^`&M`hGKttPh0q+b3AcljPRvo+ZW$O^(O5P&8YbZOo zWh;m)HSoD-;CZStK*hYU>Xe3JgoU(L*qvHyHQ zXK#SuQ<^E1%l3-J>a;4w`jB(T2egwOak@y03xavOLI&7Q&W`l)eAgaVCQURp5W7f z^P>H+>yD%ygmy~}#K00XG&>1yi_?rVovj7pTD%t=#Ym6cwrLjBP>84{cG*UHzzU|k zmt`;agZ0prC%xxbJy*d}iVr|psHT1Go(%S>pC57sX&+FNP}>Hba_g*eU@i%HP8a=` zXk-fPH&$z0Ecr5@@wI;ZUH-$rU%fwW?R|Ow=Gm8EiQb3X^O%J9!aYUo`zyT&G%9+L zeL7EW*eS)&+FfV!*9zN%*_CpMSlX)hdVQ%X$vgmt$mGk^DB5n$Uoz^?<=wI0z4(<_ zW%mJtpTNlnDU+QEgMBkKY-O1pL1Z#%Y`gz(h#BfTiY2297%o!Z2Fq((%amY_c$E%x zWC>pl@Rrec$Y)D!c(_J#Y2oGh8Fh%6m$yIHRZVYwWAGjs?eu!klF+STN*yClq*Ix~UsVjD*@lQkU8jnC45c5Q}g8iU?mEJDh z=mRTl(z|%hWO;=SKQ;iBiuzEqT9u-knsbb!Fm1+Qs$$B#ToaYyYihLOEqzu2?j5&u zm@~?>Bin27*YpX&P>7d2=ZD8*k59S&@HkmpM@x1w3v|=?vW&xe|{3eAayokD~}?PrDBw^$;AXe7iI{6WZP|Q zg$Yn+VWy(>AFk=0+!kSd71NJ5aYOo%`q6Bt&9g|-hqJsZU=#2O3^+M%AkuG&xCB_C zDR_xybAnFpM;FK6w)^wHVbSy|5X$ef#*u;;VuklH}HdGIL~ZG#&gG%eSq@fEj7X%7B<8;lPw72+<{F``-F; zH`8`cN6wi(YR2q=bAA%MwJ4yfnDwS=2O)2`n4GLD&F}BA+Ib++pe-ab0PSRbb=mD? 
z+AYu!cM;hV8v~T}6EVZ_XHk1u&;;`}D(>jG?|cMpxvMlE#ZU{>r+|QvogePy_U7Se2BslFkU zBW=}Q=op&I#O!}a(D~oF=kshEo*G#tm%2@i@~N*~EE<ZPuG2yKz<3G10(oPeffvuUKcO9 z{&x$Jr2la8ufCGshV4c0QrJnLD~{;>*LcT&>F;>POX%EEB>X=O;Gd2=L%f8}eQ~&; ze|z|U>eL^O|9_WI-t4@tH%yR-c!B(GcLmAe1bo4S?l)jKI5^nsW~vL@?L&QB_g9A^ zKshp#>&;0`DNtgLNWfdL$GMvm1JrI8|B}W%OL|x^V}B`@hq+4b{`-0dNEnXKlpKnZu8BM2yR5(X;X7#eo6I9-PI{&$`K@dJs5<9=~%tfLSf3h<&ZX1BYGNUjH9 zXLbry`>X>cH45Io4-c;7+^RKZNy!QFiA`nm9C+qipibPMTYDO5+4Wp@@!NzfP*L?OW zw_@w{FouM}`clFFe$r|^jN?ar!-LD_uQ=p@fc=t2Ik&3_kB8TvG_3t-C=d}y{E>U# zaG98z#zlgFnj!Cn!;dKVhJ33Dtq+Eh-vYD@krCtnf#%?V9F#m!ME3Fm>gUDaPS>zm zjY8jp5raq$?OoL21RgJ9P>E83^0OPD0yYk+2gn>yh7Gc8xy>_YCT)@)_op*Ul%c3D zBUT`|@I&INt*^(qzdrs1`kP+JA@o{YT+DHBp2(AxDviO27G&~Tb^6L39kmmr?Rxr# zLN+<4p%rklr@Ef?6O%wDMTFD|Ze5?H1>%SnoU}s`0x;+-`Gj0HIl*g0;Rw-k!da|= zfx1J+VoQx(2mQ10V?QRbv?My?uJMKGQQJ|>zxr9BW z+tOFuBaoofZ}7=021x&4Ay|^|w7ovkABmUxP718oZ=wZ0$39~4(VvC2APk5_ut@u| zd|M*v7%foc6fqe#kcGVI%sv-?#Hdk3(xqOJ;)|{j=H<)@lV+&Tk;N_pDsjmpM=2#5 z0^5x$?e;tTc@J9e_Gm*1_>$ppVYEK=)4jkbyo!}oW3VENG1If#9a92Q=((&V;SCj~ z2Oz)8;E~W1QC1Uwoc;>Fwo3))W7B6FDshb#DfT&tgdDh*X9 z81f1+?)zOTLltk}i6|Fc&h-qq34Pf_%C+{}hR zp)G_ZyFORNr$9#^691!$j#K+hZgdnMXxDleLwJ|INBV0jG594*K+^Q}5FL&^)J7wXCzqT|IN zT4h6_(;Kz@yhlxTF&gFUK3G&lw*wBLMuYR7~e&l>!t$W$&C22jKz1`24jaB;=VLU%^VfTYc}=DWYu2+ znvehx6Pf$+Pt75ogDGTuIf3v7uVs$3rAUcwt&&0p%Jq8@Hv@@w3G7fhfp>wPTrF7E zim5?kGVg5nx#WsI%-30Gqf$%y`X{j(|3LUsD4)^makrb#c~~_u$?fG15rW;Y|ERnb zQ^8E7Kn4uv>0TI%*-EMG-kg{Z*#&quy!y@+Fq*r{1J90KcM*t^cUDbyoNa zZ-eiJK(zt9KfeL!Cr7*A1Yq&LDALG#l<3FX+SCk5V{xajdmj| zMx;w9?ZJe1jiw1WzTB2Mw}2CXF#%7}sRq76Gl_Krm@X)@5I=GQiNPGHU%+UB+bC4& zU(#x26s#G1bD-&dl6#S%&Q^UzYq{OR#Xxii3XI;@A@c^zY_Ff)Q?9*9>Kq_ez%;aA z$SBpQR}4Zk5E0ZSMJ~_ar0pZ#e-(|YH(&MjeIMOd>}~}iM71VN6kpNQXsYmNcNRx| zFA{&Uw~YbHVkkc4@KOL=%YhJzkF}ZbOGC_;3B1Dm3cw9gy;@ydQoYi#loWh1lVMBV zIIRK>{&zxN>H3t>P(HD7q?pH$02Gu?7lAT4fVuRJ0%)q>fTr?a4b01@pbG%yNq^oC zju<%QA_m?LVc^biZQ?QpAy&q?-OVB&;b-G=snmrG*S~Dd09;XF%OVO-$nkFVe#=OP 
z_tqfQd0eXJtxoc#_`iA?D*n<-pugp2#LX{VWe5FFFJG+kZwLUskWXlmcP6l6zzd`b zqJg0b$_QZqS;wzTyj2vtB8l42(end|-+YMq0CZZ)Gtrx-4mldUpeP!`8Rx~`PHN|2 z)&Rh&zzX5yrThayg@+5}CL;uk0`9zdY4)G7u3EO)US`hhJAmVeqsRWi5EG4<^>YVSy9u80}~6P_`n8` zzD-(pOqtO)@Y>!XFGiY}`=cxX!9?^@+2!}bo!I-ylFD5~3R+Lb6BL}!myClob5{3i z#-IzY*I{gZ@AeRYPOxD9t0%uVzxN3kSz9$gMN-k0@gQj5V` zXG=>70VDKgJ9@9gx zfWxu$CoF*}@d2Mx4L(O2)thDuIvQ#*Hq5qNI@r_=vHEO?<#E5VPmIEbPkM9=6@JPe zRQ3c_++og!_;2WLsTjr&w(LG-<$R-tmB#$u2Chu672J_4hpxIrWfx20(GITK#1Q*Q zInz;rEBI@XfqIqFB~aHyEz`V5_Cl8bg37FUe1iv?h$&DNw9P4qPw7iOP5pY<@D2O{@YjLk#FHqe1?TZjTif8bv z0)~E~)7@_2n;pB%aeXnAZO^o=gAzKiT}7R8TV`S7jn5eT4&=eo33}~{l)*)w`Qu)1 z_FRoeZ!I|Sa@)MStuW_S3+cMO_gv|y%Gy*k!+#{B#`55Ujd>%7%-Qs=&X`{rr8No{AI%aaSARsE7@cOH9hGkY+$Uj4(5fdO5HK?%cpEVu#K zYCq&pT)~=tR*+^2Ak|ReZDCa(ni3jyco(&=ea0vCt5jNnVw=Oz!l)dWaZY7rMS?%O zm4e1icrbsmJAPvW1YJXN-RVO1iv)eI+;!45U94JTOL)Ca%Z%Ax~ z{|qKV74U)~!xc|vNWVZM^o|1}t$g(TV?8iA>DF}gIW|Wv0FFb_`GAYI&;**Yh?f9WxJWzkdf(6Qp^^ zpa(s|4`s+}4y%P)zHdT)fT(CCq}uemlr+QNV923!#_Q>3Vx<2PE9loQ5Jj?4j*o9| zsgwD+qK?q3*G7GAUy2*2GIi1cuI>&7>-+%%;YCg^iTvNm$?-!~KX?I)k{*udmB9j1 z0>^&z+4K@l(EXJtyoE7W(;LKUl%rF@Anc}+_dqF+f&oV-Pa-VleTIM+OcK*cb(ES3TBtm{N4N+0YX7cQ>W zpRe^5O+#)YYA)NDFHA+7V%S=)pG{Qzp$5FA0uJ6qN6_5oekwrbvrt_XaRV@I@qB0~ z%y|6H=&dVFIHiqCU%r~FyvEgGX$RnP>Rbk~LkW0iRefZAmI14ZjuZeXqY}+x3_f;2mcRaUm2B0w{(fSJ-E9C_ux)&cefBAxO;GS5+t~L zkl=0)5P}ARySuwj^M3Qqow;l7tohR`EJ$~s({-wL*{->o(~eRmk6v>|QPoZyt!P-g zOSd}o1`Y~yx&VJ;h!yOd_&Q&b=&DZ9@gj^ zWyi$sn0RzH#~G}d3g~{k=h!uhGP5KQw1_rg*7ppG$ZH*eJcXh|T8dV+W1a^3>9$MR z7gY?`)h~TG+e;n4QTZp5B-;zf(O^nUQ);9~Pu~m2BS#Mh{_L0fY=2rsFXi?^iM`lC z@4_U0KFOiuN80SGg?*LV0&q9VwyCsLQv&BA-jBZ?V9I3w0g%|S9|Nf9{OIlShL6r| zDTUrh3qp_ z!E0i9eQ2`W>sJfw^t>n2s_I5)*nB3O&_=0Pnz-sbzGOC)1$lhEP6w*{=;W~n|W|dZ}cet9orayFJ`d7@py-P(y|4o9t z7Q!3K)ZYsQNCwE3CY0@Qi6ILd)W1!CAhtrxZhkuO=E_m|2J;) zoQiRL&X*TmR0T6u9S+X(vzFZr?+n!E#~bdM0MwO#us-=efd7A8;;YiyhFdSoH7kG; z9QLiPEfXNOsY>zmsSmCa;JYhbHTHPe_k3A>VLtK!v1{Z3L-+pLg0{E0>0Pl)BT!f@ 
zX_z)layzej4zGK5%fwK@kUj7v5jaqPZhcP}G#)P26UK)bOq1loGqrN;R)-!mxl;6^}KHt|WKy(td$TOHF|QEY)54TItUo-7PWQ22BCud~S{T znr{2Bl44>dmv_JMaC@OZO5X}3rA)8#CV^=-K~nVZlJPD4evuOQICG< zF8FsWC5ci!GqdrAat|l+62vS%eOybQQtI>1^y3-OyOSV@2E3JsP_2V;!1!Iqm|Fwe zqhnR{0zhQ7ao!YMH6f4G`v;MibM&L77InA7jcC>ZATU_qejdNrwE1c`k9qyLn&ZQA zLdZ$`k0=!6N?!gApAB^`fe)2($1xpea&f7^an$VHZ_H;~g{x~KF=eXq)Ca;6E+iPl=7WYI~#-GO=D!uL)T(ll8J}^_nPSN50TJD zmV7GsDGa@bAG}ai)ad7l{7Ms5lI@Jh2kLX!eQ?s1pnh8Y{9C!*bJe1vXAsL_iO6Jx zzEo50N+JxAUMzMw!N!^_gKEU&{;gZD5xf6Bum-hXMx45K zmJ~=rJMqLo;NN~M%WNBD0BT%Lt!%-6-3}eOFv{L}Vq+HVKigFGlwwUPg+}6&zgCNh zMS7l)i5P5e*L?dX+P_utPP$V&14C}b3s?|-S`V!TBX0;5gu=;rtc0Vs8 zLIVVt31iGe>sFWFxO-WsA>Cd*^$h!scH;N(wy z3Y;~Bw$wxgm`?bO{a8SR4CQ|S zB_oaO#Q3HJRI@A$RTRd>)m<+$iUDBWx2z@mT*n^DZ@Ax8cS?K2 zOQ_Z=F)+knl=Ny!+nHl6Z&hUMD*%@})w1a?;AA(MC}(_lXU0}s2EdpeCxBlFa%kBZ;SvoT;5D#yo5D||M zixLQCbYudjspAPMqF(TLy1j!s)%o@18L>125zJ_I2UI$o&jGGbVIJgmDficx zyXx~z)u(7<6O*nl%Yu_vR@s1KI3M|T3I1OfDoqy;FH4`}hFKuAv}B4DDI?h_?2CW; z<(8z8ls5oTB7Ea_BGq}cSa1w%dSzyK%C@13i31n zUbIg7S-YMvfifAT$9L2*kzpN_K!-Xt;27{Dmg8j&0C5ct_jby#A{M-CmzEd*n@$-1 zxQdYnEjRhk$ISAL7W$3bhQP?s44@POiux0>8DiQp+u3FyFz^Thn$x7Q$2QnB0I@D0 zjQLYQE;S6e3MMIyIu2*JcDuvQ%X;|d-vxa&k7@rCZ3g|M>E-E+rIb|xY3at+gK3{z zpHoe@<;Roospn^qz}5`c5|0h8@K0~h7bK;I{~h zx{buK)03>MEMAWj;uIFcblohiAF2ojkO=gkJ{*if9Yqbma3L5j=P-gKJ`EU0;&X7a z0Qd27db>|_Byb-i1>ioM=Dk`)mr^o2H+l^U6uB5OG*G}_$#Io@FnoKelY%6;`)MY} zcZXof|B610_LrMbYdFpP{9L;;4G)tZOtte$1c5J&Sp?#rLegAGl&?r0Bhl|b5(*Kt z*AO&jX&TMuMhbo&@ra51q7;t07%G%u!%#k-S<59+%KBZ(r;8;~z7wd@nEe`QrUyyv z^h*IR%1Zn8qU@&8->`sJm+C+m8fh-odIwWQ4MQsdcC0UfUtQ=T%c-h@J3bu5OHwg3 zG<;*DHei`ehFSe)Tk*C>I&YBwT3eLJZpRGKS#pj(c`(V1J6U;*wyF z5O{87F7Vt>{Sv@)8A;!ke6F&(%*jYv&W!{~1PQDF%3LfGzgQGwY7UmhOopmiR^x{x z5J*cMP*0Aah+U)AX}|=coCbu->HsTxP=@3*a1$6$YeCHp1X-%)^3S2&nnB$kBk+am zeBP6u-JdzUUk+LPJ)Br{Xg;9{d<#O`x7D7nT{;1zdCtzx#M~#^KYrXjtaNyG)?pO~ 
zbILh8pS^4kpYMbss~(*5@@^goNxr@9&40b^zr^CN$1NZspJT&}FI;PbcOv2p^PGqATaeUuKa9w6HGl91tlzoK{<#e(K7xXcE93{&30?4d&F0uv+p_2EWYGnu0PFae(U}2Y5_c)E9Bh|VBgh{EGLtt9#52J3#pcu@AOE_#7 z3Gk*FLc5bgMERvq#@$@kpp}IqgO``t6tG&0*Ta5tJe}G#1>Rh{znyVH_J8CmLKZG&Z2mldbLR6l+= zp9%}G1&|Dy@4UDlJ>Y9u&0dG0#o`g>@lkd!$ zZ-Jyd^k96jK>RTWGabDCY?ah;yVozLmaTE%5j*6Ax*eG8U__mCbW6bv5c|{FnW?YO z>z6xk@9wOubL>|3_Afn9?M>xK(MZUfeB3*=*xb*1XQoUH04il*te)dS8j8SATiI-b zN0TX!?^Ho}Kb{td{=*|P#qJ*D2_}oTCtXnCgb3t_JcMw)+{ctv_?W3CZ z@CX+z>%;u8Cii?&1su!>KF~E1 zKik@2a3@Q^sjx)a0RKq*eHe}r>&t1JK**dKAS9lYDKF;0MnB^Zx`YDQDaZRpSLIhX zHp@9~E4#w**Z^Hs3tY8+4MYo-c!B33f&bH2JG;AaX!x@`pq{+hpxI(aq22BerPHS& zr9a$Bb_G+HUxAH&`TLHdBAuWAqaoAC@7~8$)n#8_5h;4GQ)bYfdrm<|ILWHcHVQ5LXa-?``h z(ID%8BiA+jMTA%XQVa0I)1~<+dGE})wR_&!`g%??7<`4Ay!R+kTK7jIg$Y&k>+1_B zMl?0f&WP3?$p~*^(xbL!s`{2x8nN!`FY;1X1S=x!46_V|6iunxjMJ?<>q%yu+R<=q zaTJ=L4L@zHUkjIxBbT3|mKs`RHICDyp?POBNv51Lu$!Jffr&sa!iapUp|wF}Gh=}9 ztLR9)oN^FA1;OT}wA-S)|Prg^K z9t9N@$aR+EVKzu7A3Bo;pcmh^5~tQP6QA_@@q8Odmmb|;VvPyW2^A!}l?_s%K@#Dz zz^HdqtBHpN!YgNX-=dR(F9QJvbAqguphJjd9j%maGTxD?BiUJJ4Vc!(`McB%W_R1? zn;X53rEQN;x>A+$fEf+MVLZ#W7#4*b(s+kmt7_udULxJ9@hvMhRZ}A(A+Nldci&!( z`g|20ZOvcWKssW3BcIaOWLvJ?v?r+WP#cH(O?6X;>9+#(xnZsp89E(#j`+$v?>7_I zO}Vo9f;avAQkN=#1I2DTt&0@+@l6arP7EiwWJTdC`MGn(baqDY-HKZ(_XwHe=1O_d zlaWIG{0T7x!PS|zcTOVKvm|H5;(_gY*I<=@`9r;s#DX(W#w|o5pq)2TO?uI~S>95z zvX2-=e0VHwVRqu4r@3Q_a>n%PR{VAgsx_I;HQ&tDLwuYy#y~n|T(@L?6`A?B8_(9?5+OC|DnJ-}8b^Jj5ps*cpow?1aEyhU^iD|Da8`=B|Hfk&j9E^T5&RInwd_ioI1UX)SB! 
zZ6(zLFWC{2=oI%yJf)|iW#YZB?3LR)QUkv9RwP)a!UTRZ@<9=P+u;Vg&3e*%)qfUI z)8MYe9kv=~xGKjfV_3`j*gl>}r_}@8CBJTA_T_nDI_P`tV;%8}t#w>j)RrE60w)~7 z{4seHC@!O8Lt^eQ3Zp%cj(!uD(X{PIyGg#JcA4mxX&Chgm$FstT-1jKU`(_glyItn z6_lGkgqyzY*d&Kobe~>{b#GL(H_MS-KL zD%v^2=v{_9Y@t+RM@{QHatL{}vO>rkLu)Qcm97eQSz(htX}}`JCHzoYud4x9ycblBi+G!7svDO9L{Uq_qkq_mHWkkrmxl?N6RDB;K_`_17!{~t#cpe zOtF~_2wTt$C2sYF6H?mK{}5FPYa-CYRKdVZQkZ$(8owef6f1A_nwa-y%~5Bp=xc_m z_;&$@ZNdaFN+?JJ5vAZVtiGn3V=SBJI$+?vTM!hq-mCx5RzlV^f@59FjbT@G)b*0V zxX42Y7hm*qpGBDP3qvT6{qd2}e!J~$&%=Bv9d$jV_gxv5R{QIyU)e-QwEPrPRt zm5v*x*%A&#!FE*$b*?Odzip^rE0K;jGXaA_K+I!f1B|<4I26#Z@I&8>n;OjyPnLQA zEc%$*{+YM*lY%`l>>!l?S}F3q(QtGZFiD@J-h3-M(sp>#y(6#y5s{NH@rTp1n!XpU%Ot4LPWsbHby7zI@L?i^Y*6&CDMAcnuRl{nNSMlDQ<}jtxtr_ z>~A#F9~t5&_$IhipUQEx z@%{nm8^;=8$1P^o{_em}hZda-NRXic0DRBIPyvoEHWct<_qKF^S?uYnQ6xT#KeYxj zHWWdmXt@-Mga4H(*TZw1%wJnWyr28ampeUsr+}}9LO=l^f3HAZ5nhC1<2;uh z6+WJ9a1Ca20+*xx(~EDr!@cteW5mvam$d_L?G8O~Z-)}-)l6xh_R-X+G>BoNeid5=Anh`j(=mD@s>a~Q^QnCgMpHN(+|2RF& z^rQwobb^!1)%0mCMB%71!?GjRSVE0~wlm{M}plMtxfH|J?h)3K$?3(JTk`qqPh}1|?7< z3jf9NflK&hgwv$TnQn__sB+%R>(1Mad*_gUXY4z)HdAUQxb=HdomK41;a9rzF&g=| z@JBA{lLixj?OsYrj}FB9hQ8hbEqT0?=0(u$E@Q;)KKp7+gqFdl8ekRwC*DSpS3y0f zzz6}s&12o{#n@R*Ei-jZO$Fzy=e*5s&g0`fd}4)WRBYvm?`tH{c$)wy9_r#O15=sd zbD%tp_XLX{X+*#hq9viuHIt_{QoPRwe0c@T`k1 zvvC}sSK^d)oCAau#j59v7wETwB-}-(T0%0-W{T&SOwXP5@gY_%XmBH$DTaJrDN)># zjo#Ym1|Eu6h>aXZa9O`KER1>?(NLA1!wc}=DH)aUGX8Z@!t(;=P`1jH=E>|ES2Kn~+SMGL2HX|E(P-3@4J)rmzhiA1k)}C>2 zba)($K1AWm3^;l4$u3~|`Tcaci$%s=vx~+G1IMgR85m{(*ev6vI(RpDbh)fD2I|?8-K{mivp`r^ zQ0=>$T$+zGzVqd{^%D}>U;qu#E?T$QO2dt@7pJD-zz-c?5k`{Y#Ye2~yX>CD`aMo~ z?kFgD#P~MpPg*@aUuvFW&6ht2`P%jb$T)%KT}hJAkT(mVL7>Zg9I7 zsTz+pjStH~uO1=!E892#;%6chS9deDu~~et%1Ub9V>nWqnAos{NA%eG!+kpJV_WnP zV{9XRXm1OgYd|rfM=epc;1NKu?3u4HB(Bw`wIgmIzqO zb?{R7XhVi-hZB`xPXO4$Z+cD}KQ_bWk4^_@I-5Lb<+H7hG0iB#9bt{rrC;fMGvZ;p z=;qC%ii@$(OfqzALxWZ2a)jFoxjV-VQDfehV7F|BuhF7_-_~Vs*DrFqK;xCWNyFAM zb*UbWyPnLbMQ#a|l>+By~DU7R` znQ>yWBJi!?yWDQ=hkHfPK#5<4C)GMX%`nYRkMYcJ--|+YUEQB)_z1+gdqjKot|T56 
zuILP6pjV+%=dJ#9uhUYKfp)?~v7pHDM zAOO)+RlvrGJgbmFEB;G+BufBJYk&qHN%r|^ADkTBCZ?>GqK&>_fENU92<{eR^+0>YvZRHI)##O$1 z-vfJoPzp&#ZNGLfGq(|!{bJn354Sm;8_G#@X4;jSNh(&o=L&Ga3uN_|ZI} zX4G0+a`XJS%(t*4A(uj+I!d?7!ud7t~Uiga3Cr~eH}o1_Ctj{kH-qVU5|b2nbJ z>SM9k=DJ@8nWt*3z1C@*&Q2>Of=jeIt>RfBbI<|kK)eAZC^>%`x|f}3Go z!mxvkn|oXQ#*?vP;7HiY`kZ3#92kX#d5|UBKGhv=r~f?n)6Ec!Mbu<3Jv}puU%-dh znCsq$YgX*Co6%P`0TaAj%+#LfyynbU(gUW&R?t z(u>#F^zGYPmwlHZ(*S3YN}3qso#l8A-lUh{dS=1lg?P3k7_gR-s#-IJTv_*P(Ld`{ z_uP>oW$8kgQsuu~4*swfmrG)jEmWX3BS(Do2WE=yKY3AXv_z*CQHqeUR+J`W{rxV^ zK{vVUnkj)9ERfUXf0ldHyQO4x;vM(FH}NmCV_WFjMx5`-9O})L3E(*bEl9s2*+lSj z?0jz4hUzRgDdjV-GCtD&n3yLm=I6yjiP8y@Tv73?`&0dH!S>V!vn*bu#DtjaJ@0Riu@WUK z&Egkh_6q^F@EREx3}#P>2s972+u-kYJCUQOUM0JHq%lNScT}OrT}2>U zl;1dTYU_^-wEjpxLpe0+WVcG!e8aBQjw_&1{Rdr44mP=UZ<}IJr=l7m#KZpU1g##~7?050rRzm(7 z_buPIW;a)FNB3D;61AOrwZnEnHQue^)>K}RPsc<38n=?Htj+XN zOT%vUb0jI0fNC2_>26y<06J={04M-2dHV3C*Lb6A4(zy2`azpADU??382 zkBSk3w|!Pn)d`yBZYbRtdwGDY#BNm?}5l6-c4@w6>ksnGc>BNQZB!oDz|eZjyH&ex0BqxPC1!cbtkL_!WEU zeO`Yo$9E&?zKYA9uaiESQ$f1Vs(>t2(rSXQ(+qs z^?r-iSvuG?{X!2!TYrJorD$FKO`*%bo3bKE$uftXr9FDY0awy{kZ#`qi|MsboT zn#?#pq?Ts5FOJ)C1jtIrhIo6tmtEm#h)SE)gWRcU%!~}Z6+5F}uQ0J6sP!Vq`pLS4 z+>nrwke$#Y+j`}ty3S|D-S!^C(bm_o=o}f8AcOsweT06RU&hhM=OfvEh{ktq(jS06 zC4p~it!b)LAD|fWjuTk9+~2CB4em$D>{6h)AY*1G&ptmYjmKqev9w8V_Bs19_6U85 z8=egsq|0W#MV*oaqC?FtaU9DSu&Bg~3KCd9s42~I@sq3Quq&K88*Z*6n}f_Vdy$Q9 z0S{doJ5QyusiXkfm*+`epC~OU6pB;7on7F)_Q8hU<%VvZ;J1w|3!{eOgY+A7j!5ljmBfBA6Fv`+_0d|IXxj>*EmmYR)Opg$>wQo!NFj$dT_k z^xW{99J(Ja$2bgrI;va=L)C<|{jnT|dTS@;H4&d;!Z)K>uTJr-Qn-x-c%8U9bWLhN zK*FGXditM$!oU0`Y^Zk^xSha(>PkJyA~aErW~1w! 
zs&*UVHN=cv3%dSHviWYK9+#HAWb&XK&BlB^iT>S=WU{O@ISyr*x}Tq?wM6h7ES=t+ za|Y}FzO5)`{C&Qx_{H{@%HAyd_@)L^51+QVq%O~!qvlATM?z{bS#aVW73kf4uQ^u$ zYo;uJ-EqAy?ROE*_u58tCHX46XC^j`r2I}$<5?mOiTPB$p^*o4>mQh8!3V2DNHEPcEk>#LO!N{xy|A_8D-iuOXR;zLE4+(6MUimkp+`+4u9Z@_+w5`unIga(r|MBe$X$V0gBFu* zZg=s}NLMMY@)1b=uwf|^aG`K{xc<6+Ik*iDA})3;&E`Qp+#LZeVc|%tSY2iLJ)QxP zo{#p_gm^dMe%o{8vX8yrInQrsYw=ExAjf8-?k=NupR_qgnuY;CQ18k0c<2jjD$ z=r-|+>@ksBe}{0w&JRZKS5wHKKa&w3t#FEi=V zuF@|0=cA27bzuPhF?IJNCM>+~imrxE#4L+WfWGAj1_-ks-Qe-=Nwfz^iYx|kaAj|o zzVYiJ>SK=&v0>#~(Cfh0&cdR1+(F4H=C;{LI5>+pFo#Tl)`tIe+)_PGnRmP@dvjZRFzI*E`t7`GTVK+Y{WJ5KJqfiW7*r& z57p|tN?Nl9^18=u&I)VkDVqhD@nUcnr{pfkc7E$B@}99$Ki*AqTe~BeGUvUHpb=}3 zFj=!E7+S>Lb|vh$o!cCnlH|l>4Kyk z`(C?sd-K!9gfdM`26!9ueJ*EQM?8|mnlbfjF%Cg&G!Yxazjl^<5uh}qzkQ#(V*IWR zBS`GxjMT|Zg~kbn@V$dnksT|a828BRyha1gp%7~64@T+dl!IvLd%~KAA~~a!7)3e| zIBtPiN4v{UqiPJi=vkCKKQj}iLQmb6a)lW2I5wtqb#-L|G)i)$=(aWwM+;cHk$8D| z{Tdr1o$@2iQNG}h!T>ZBT<2EjOAq{4O!hg{-C_NtB5Ii`X6F73z`1a<-lsW%8}#uJ z+lXOZl6^X};ER+@qM$C9(NP=e#(T!8n83$@!0PpxG8IZ=CzXD;29)s=N@+KPPQ$xQnG!-uA5{Fmz^-KWL| zO=sR5y7iCvak8GB-8o-V!_#%^YOLouDB?1a=rH@~zK&7xJw zYCT4-634?geM>R3R|V+>i>Yvd4ffkfBl%@jA*rR*20p`!&R; zU!dpO5(0uVVsVQNk#VPr4kV)*n)QilMYxU`DDPPBtI#q`Di08tlU zYH_-^lj*Vl09zZG&>9^4^Fz{{8^4kc89S{zHkacd*RGqQ*FDWUp}AQyVt(o|ETu_7 zaBm+j=|tq#iPz=X!u_R%;>(lE_)vRPYK*1d5wxsP)aD*Nru8lVrot`(=IkFBl!8am zO1YnPwY`VQ*jNphJCTmGGk)Q{RK;F*(-HDPe&g%>2LwG?x1z<4YaQUSKGa!g{;$54 zuV0+#)_G&_>SWj{Q|@(jIpFrX&Bq0z(mf4dYRHy@gW0$hcY+kR;&O6s(#4;6$BqnN zY=(b>m(7xA8QuPf1$}$~MICs1e`Kmtu3W^`JQuczrUH)!+%ivLt9>7bjzJIg1%ItV zZ-4K!+ip15Sha3Sk<-%2VS%|z;4h=+l3j$J!$Un95Gjy^(7U`5LrXma% z7n0z{QiRW>YRh)WXqaA`H})?#Fk9HDO+7wI4p5r&|a1g zrga)V+Y*L*KCW$fnvdg|9z95cC9a7&k^H8^2mMGT)t{BVRWnM<=Mr;o3v)dTtDe{d zc|3c2`l4E)RAH6Cy#q<2TnLHu-d+X7+oK7nYN`tqsp0ZQ4)vQuSmArL_6ejIq>uBj*+}{o%>K+Lb|akn;Q8J@6C1xomCyfEZTxil5#`xDdu~uH6*A(eXW;OKv`~La5g{f=zhXZm0L(Z}2r8?o_{< zR>D!IsaSajBJmlT>}w^F)f`B8X5+V36!IIi56YB505i-v zFywj@7-ioL@TmsQ0*oiWe*f-$zFm!mI3mgj(-^a;;f?EGfoh`K!eXgfMeGYHL1X^QP+kwug*I%5Y<3CT 
zR9T}KcQ36sJ^wld+V)?+_uuEyV!854U+QLbIa#PK~H`v!U>6{gCQ0HWr=P476u&~M&z z7rHnStn1LtfdTrJ&N$)hw&mB|Zb%@eS%?LXUNUR`*siN9uH=##Wn~IAxnk|7ec{wN z*Nv;eOM}~z?QEEv8?hM*!}Q9G2D4;Qb;uEB+k_a$IKM9R6Bi}CZ{ve_p2q80jno84 z#^qyC&8*FUMaYPpE2?RO?WRu(^Vcf^V&(D1rszvJM9r61L0G1~J`P-4JlHl?!JKEB zyiZLQlu+~gyyQFBK8{st82t_3&>*ox9J7VJcThV2E-@XJPI-b`c^-RP#<+84H($xF zA1&ZrDMLN6EiFvlzX<;Z6e{tOc#`V^7l^mUvE#mFoX#G-T?9OZX9hl(02=LeUOKDl zHNdvRQPKTQ-7E&i`!VMb9&JFf22bpxNp%tR>a5yClU3r9d_K;`)E=M({$}Rlk0W+A zS`7%#D0y|S-lVyxjqjNsrA_e#Ls6}~dXcO|^PV=}{ILssEm7(DBEG@RH$yf0UUyY` zDTudPrkRrzo5%6VIrC3mh?xQsg(ve0-o5|W<;NYRc6@5@_TzlDJ@?_v^}B-Rwc?)~ z8hChAO%=$=(YTRp;p2S1U(CGGktF$p#Cno9b0~j!8oJy13fVVRO1GELUR3sWF5a5m z6y)cM?l3L8(2wNSm^!Jd=40>)$8ScMRZ1&mWADPop_+YKbs^FI1`hnX4-OdXKoD{z zF;Q4^EZFTfd?Z$BKT2AGNk33s#TFe6y^7UJkBB{F1Vu2ISp`%t$sr;Z=iqm-n~o$u zl~y2^Y9vsl=@4;LzTOe?6pYou>f8KYzr9yAlARrjHlAO1kUZwe{o)f#qf)vMbe;Ug zwt6|_gKclz!}Zx6QBA|pf`Q{X{tT(8#PNr|AIixM+ge}5rKX}lO*D!R9`ZW$QVD~T{ZO2wetK#4x;&Z zW*897D%B1IU>s~A*Q99XPks~r)$pd#-i!;&O8U~PuO3b40O2M;!K$=X(UhgsYxCUp zr3BsRWl=vkmYcys%)orI3#%cc5%EQstj1bDE7`aXhzqAT=6{iIxfcJp6_BpDNYhmO zEf-y&(RKihOtP|j&wfcSeBpC-;n%swI?Uv=o^Uzag+|!JisCW*I8QcGeEjY{bdeaJ zlNRX+x+o9>0|T4igKJqB>+b!%yzztD*3Qnx(R`higTvrYi{Z1qg7}So)-Sc(C(w`p z2Nle$p-0x!>s+ll<;OKA>uU-ZQ!yO=vT_%i*iW)$m+t`=z=ZzsE^QNa! 
zLfNbyPHmxX+}+ux7(7lP`9lpfO;V`|92?e9OYV(zlXXJS5lB0SUnf+q$@^mBig(6r z6~vXC{)uZ~{(3K-9RfAP(HJ;0PQ5GZJv6ot$_w-p^w4>|A0Ys-*4UMigK18Aq$q%v zQ@S#!hnMum@LN;Vs)C`y!kKnK5lyHJ6$5h`xVhueJ zA<~?rrDR=Dfsd?uQ?8R7O%+1Z#)d#K??~4jqNr>qGhnzpP97g0L%*%zQ>s#UwMxTq z5?j^}?WCD5T4yQcM~8;IU$nx~8;E#>T>NFYfz8hL+8~sY)bH?gPx(1Y{BO~Nw|a+g zT=er=`CiO_3T0pgx&fhm45OTyr}GM2p{KgWnAaXYu=A3 zbkC&^9cORc{MIqH2*rAHF6z-VLgBSy-X%Sw@si=Pb3dl!RGgceEIvHUPD-l@?mi{> zfll>QG8>P>vB&4wQAoOwd5skw0~PYH7K)0{Ily19F=HmwRq{yq2cweo5NuN7_wCXh zN|Sr8c}$L#{l=#iFV^k)YzXfbV&=zcK>3A}R;&{IA8diKmlLMdQX8HE`?};4QiBgDKKRLEK=vg=p4|vtUogZKR2Th%X~PzzS=^P(a3Fd*J)g5 zO~g}uYhq)E)%bTd&ejqiBo^bl+q8gVajKMHXm!D&3FEM+ zf|CpJ(&H#*UjmUm#)kTtIjdKm_Oy4q)jQmyAo}3};<`TOrX|V}VxZNBB^4PNmnq?u zvmY#hE)=q`py#Af6W;|;l$}=?KO?bv|B0q9f*H>k%{;x_8S;8MiUSHs0ot62KYxIN zPOXRpQ-FiOd{PPEuI$2N(|&@v|CV(X%o=>^^U}13j>^yXlw`g|^V77OgyuNt6U_Rg zYe)l=!BX)4k+bjla>aJHr8oN^H$wa$^mslL)K9-<9(9=4<@d>#&N5tyekI|ZrC0@a z)VfD4RDNDGL6}l#Wd8;S?T@;AB978}k${7i|7$OJ5hZqh=(kQ<7{%rUt)uxht7guk zz|L{j&C_dByfZHcZ;a%Eww709#CT2^nLgjB;Jk9|B)Y+Z^O5eFIUv*nq~ zjEjXE(f3A8I^taa&{Pcx!i>AF+X{BC=zU~DuZ`8YGBbpSR_mtlZ(49fI)DhyW17y zszq)p3J+hLmz$7RQUVWfqEVl;Un*q^c%XH?KA-jv^|*WBFRK}4Yy^JH#K$<0eylzX z;G0XtKxia!Eo{HKz)T0%3y}FH#^$kf$HZF^hQ$d_g%XcKSYWVt1!j5o@)1IqTH#N) z1h&sl2wF^VrS{Xuu=FjnJt+5J9Rv;68`YQmtZ5X}77oj$8b+ZQBo1K#KlUHa&8+!W zkSU5L{C1~NPsJc~^+{Nr={nv+``!v(hysR?X%Vc}-Yr6NB96hA;QMUehjU)?bv&V~~(BSi+{Lze| zpEPfjbW+Wnx!!;+r47U^?u(-WA+`jK&aa~u!I}6N=At%b2tr5bO&208V> z%sR4t&L=aQbwJU7miZWWCa8_p&5y|^vaiHj5pa(1JwRacIr#b4xp;;aYTdK0jRD#% zZ-p;r{6@OWei<{k`R=dt`8(^6p{-ZKe9o`m_!Us+7v>s1KKXGIg$Z&NR;VQ49(&=X z6D`jQ3$_3?vEcx(dve$6}SHUouU@d*jV{rox#i>&PJKgh}=?u=zIx~cpX zP3!}vubijPw!`rixCf|$Me)KmHa5T>Ug)=!SC^rpX9nJm<1Aa+Rpb9%3lP@1vpMl; z1#apUf22SJ4sNWM*fw6qwy1plVg%>cBP8168_kBb zp`A(wN}Gu6!4ErcLhlj0kC4)`Fmu|5q+txmgP8CUbXoi!Ij7jblc+IzBhIJ``{RnA zyas(>Uqq+Sr9HH_mY_*o|G{ITeOTI6iKkZjItViJnK1_X6|wHoq`hHKINK#Di1n0# z{4a9dapd0^yA!Tm@67ke3z@0n8P96Dj_eAr1#H=mf*7{Z%Z)nH2tCJ;KcjMSSc7?X 
zSr|#NH(;~Fo$^U}o3OAU)L@cSrCh`c5~A&SP6VxD#MUVTMDAT+-{S|fDf4vmPD7x$ z)ADrE9&njw>!bbnh+04SIgLb-ZCsEc4iPbSoqcxVW7e#5RNzmdym3FAg!jlhiDZ3i z4@z|JoJ68jJ^dZ=proR6N85<@gkd)Cphd07XTGO?QF4mNW`^REo{f7&`ZI1~j6Y=~ z0&O=idU0f$?TNn=32z$q5C9WeR%TBt>&M&%L2E8afqG7OqI7S;Q6%0fO48gZ3wQuD zTZ*_5zi%{~?$AzX=~DY!v!lK0q)VD^2PJ!|J<^ELGDzj)aVSK4%_pdJj}} z71ns18iDvmazx1f2W4*o6j#@*3*$P-po8n+nh@OGf(Cbo06~MhTW}3d2qd_>Lx2E5 zf;$8c?hgOv`|I5Ee&?Kf>)t9-m4YeQyI1Se-OuvB>7{T4vg*j2yz+7k|Jz|B$wJX^ zfC9fm?{D5TxBae8j^CZlyLazoF*Idesb#I>GeAkh>UXwxo zhRpjTZD)v}+y-=Lri(=p(K%XDf)Ck303@M#D}b3|FoTXZh0jqFh4vJ?$Wc_bgX^%3 z2F$gOxyyVUs@b9$QU1+_xF?vyJFa)``eXXQKC2pQ51Y9Ryn#EqO(m<(>pDb-kZl8# zdXp2ukqTdqxF?F3q)xcIvA%YJxrxh3*ZA$Bgk-E5lDWv&$dL+H-bcgv>>f002B>fQ zr7m1$q$jP651y6Y5B_>*CT1dki=MC5j#bnN?q8>n*Pm23CAu%(DKUFL?ZVQH>Rv-n z!?fOHB1HRM?)_rxV>41bWzwny?h#jRh@mb5@6WffwuwV{Qz!`nj(ZgjVl9nnO%A{gUTep&&Od8EJPmce)FFihzzk!34K{a-1ePPc$*hxeW+NK+{%Ele3Pf zQPk+ct*aHT=ol8_-4V~5z$$R;(shq2FH`ngp)xd83v)9Wj`q-|c;(?ux(v`Z{wUcL zk8X}H&YX^Af0aFMS%!O-J1Q{Ka$JKz1aB{@g+77{*yE#jy8ecz$mee{DAZg+$aDh| zO(GZq&oYA-OBq3}+>dnN7P(BuJLer(JO!unO>(jRrm(&S6SL`P;Qn##52VwD{+c+N@%#xZ= z^Zf9;O+&O>AM94+YdHqaGh-ijC$&6jD~x~TX|#3@GmGuT&2e=Xft7@U`z8QF?{X|_ z?la&S`?7MF&aY1u5BDr+nG7qICSr7235)B?=1{ z3St57$0{vMD0SR}5dF){+H zrPAMz0Sb~EfTK9NrsfsE#Ue+H7DaN9hy(8Zi4;QN&ol1N|5Y3YXJny1H*A#ffX~7# z^0^x`9o`D&C`ZUkMD$gtfVf;kI+e92zUVwgO{Ti+{Za;j4r43%ZGrb7b+Wxu101at5@bUrs1jy=U%+yfnUhAzg|RYNC=3w*=iNmcds=+ z#n2&=ZxiuZc752VMK_+IfI0YCRbg#i5|5*Wf)+(~En(?QFleWZ_)8# z50gP~JOidLV4JOK!AJ!akG7+6`MzvG4UGxPKTOJS`C|%MT(l~m=&33*h8L{wvJM#1o{C%IPc{Vq z#F`zAe{zqZT_leRl&{3CSvgpOKle#`leWQ#haCTnwRM8}N0VWE`X<&+)PsnYtR>Fp z?fHR#C-qTam|&F;I_@mbDxPSo&{pl}nfJC6yim{xL?U}|qaD@`bg^goH|^~PDs zF<)q1278@bm`nBuTSwLC38~Y^`RC&VxwFWVjke5drd``7otbgjA9jnVQ9g=CgUSsk zHW?V@o5a=%tEj#+(ZCc^5atmGOXQq${xV0!iBOb&ukGMj2M!BoPG6ZVLMxro3M}yFczQu147F;!frXct169`rF)ZpIJVzTh3DH{8s#4iK4rr zZ!Hxa5QLa`6}B-gc+CUp$c4o_{vpuNA56dBfIL_kAY3`){B@1jw6#`7l5hfM=d%*0 zejJwNqLB%?zbFE1?4pH$=H^&<$Av+S^yIBre-$1s3Ze-IwD)=TER1>ek+H{ncba)e-WNl3dhEKUoP? 
zKlR`Cdt)P_u=H0giTr9eN@&PXA|;Zom|Qn~vb9irPr4zt5}s+2^T_OY#m*7VU&dWX zqY=u>F%sOcjXO@*F@aMW!*<|awTxqZLt=902U}~#Q)gHC(f=#Dxcsa?8X;O<^BIeK zbYjYQ6oKBgw|fUvIQb+0b-^x|AWV`Cdj!v{Y(xDu0tYDsT%`KVvUs{00fST-&;gSM z5&OswjF6vQz*0651aG>KF%FmvR}92v{@=|d0zcNzcG7C^_=BBy6VQV|xMLTBgBH5x z7Dt^&c9nQp^A!14DKsK5#Bw)(KU7~KG85L_;tcV*J~vSKScAsA`=;y%O*RFZ_9)0c z4*r3$S=#L=v246Xp=>$yq59l5&R^BxxB(M+E7bRfox~#CP9I@L(utBti^It6m2F)) z9W0c6VuL04P`oHCvlGGf=wn-Od?AXv$6tjNR7ZDiRM;n0HIrw#rUsGF_0(fATYnt> zpJd+Ge`Hf_k_3qI#lGkv$l1SUF@-BX;13{J`=JpKE~y&G8-g-{C+IN0kn0QDZZ2jm zhDpTaMy0;mB3CFBKa1VOKBaczJk%YI&F<6G44g)uKg@E-?(J!akEgUzbS}M4H-@&3 z!QYpWO+>GNJT`FI=Tua8O$DEF5|VK+5BfJiPU7K{1k0^BcYothzthcy+?gEQ(~Uf? z2FcY3OhX+AE;J}Yw}*n9PW&Z#6A6Os3*6MZRGz4Jhq-mQ&zEJ4Ngq)ix8taj6P6n% z&;~$}3(f4|ny2ys)Fh^ERH1_?^KTNRB~k1X``QOW-f`*qBi7nJ_Z3phspHri@>4A# z+Hd~~C??$%LOTcU+RJ)sKVRO6*)JoMFgnFbo;#?Z<5Ut;neEy z(>ddDVt`H4e;I{2Z7Wwh0i>+F(P`pFx60Io5!>%fb5=3T#yZiOv+%zE^h+|Q`z~;- zadsRn$!(03(|G52P&|6a;l+YY)52fUZS9?M2cVwZLS>34a4U#_ZzCUh;{CHg+0g2h~t8vSs586S#TZJ`4t9G zD#}x?BQm4wGArA@eC!@04(Q`1x zZqHd0x*uk>85KMpWu*|@{S+?5x{(nv+MZS7#k*;ai9B6cz+}(;d}1c3p;~RllC96D zpYhs5?~JcVYa{N>MDU&977N*ZaO;{YtBxEt5K{!x_N8QSW476Q?H)h6%AoaE8Ixap zJr3;HJrsQ+Egf)vBu@{9EzJ#lqy}|oNZSg<%?48A#5Tb9er6pfXtNm+Y~93bh&FHBXUHh{0EhQ={ce0#D5aD$K9#-O?F9-`Yos9_8F@%WHf1be0&^>YQd8LZT zK3Pc$pVast2c`>bo^G71KAy_O!+i<4+UGy_^wXG@ZImB@>wc>VNH3ekDKCM|X^F)2 zSME^vcPGQEyT4~=>Deg-a}+v5oC%SQJ|w558C8ASY<|$QvZ4U0e0Q zn31s^ngIAr5DxQ_TLB**mHZa!m}?UxG-D#MZGSPq@$8X+PL-aU`hw3GG1>Ni!s<`0d&cI2E;E&>)+FOOt}19xb7}s{pNJzfmuj z@xdKJOz?AxcC4eE!CJ#$%DV%@Eo~-!l-bX55}D6lwgYtr{MS8mmrjs6L*;6V22D5k zi~YvPdLH*J;&7YJCjqB3*~|L=kbqGHeD^jldrKqfy~W2J?z0b47FbV^g#Q zQ|sCf;SDFOsdHf)-QQ`@I5*S3F8dFV&)eAFPz3WiD%lOa(VbGKedkA_Qs)sOc&RJN zF<_zQQTBjLr|+1p`Zx!6vRd;dQ~ej-n9X)*YsWoh*#;k$bzKTB2nAmww2YB1 zn|xxeD6b9?q){TQDN3yfHN5o-u%SsGqFmg6AP3`%;KB>p@AB4Dyp~5_pOG86*83nr z`b_G-#JTFCcoa=N!?=}|wf>Ov>tphF7KWA$-*}e{TK-U)#4zZv?*6R+c%2gUbe#<> zf7(&HH5SNi|Ed1NNe~uI}97u>M<64in7eli;k2&Awg3yX4^8y0) 
zN4t-8*x-NizCOA0#Gkn&?3~8&;$;kyYy3!y78DQl3^YtBy0rY>pyUuBd?bG%qDgE{mN`HoV75ttivv{i~MWN8oz~fIY6B!8FkBy_#3|)ovTHFIM&7w*m*P3mj=i@I;!2}G*!A#8flE^1XZ2k$ z095$(HX6{P#sh9Rk<42=zoo4#%BD!tOadxWva|E^iKQhLg5j(7L=a*E zq{xWCgm_WrhZdDeVAmfa`SJ6=@8JZ9uQ}5I&|sPX+}}I2z!>Ql+x;N9bdL`i^CgE6 zdroA_Rvs=l*@_@%3s^GBLf(eat68<}xKfDT#MN`OV$yB*=h=*>w$IA1iZXi?o72uSkpgrZO{ah7s|()VbjZEZvQY!7AOi6+-}dnm=Shh z7X?YzHQO9`;`!N-@Nn#eD@7|B*7`$C!i_j7#L57V4aE>slDYas{&XiXseP|@W^{=+ z6y;BlY7_P@pD8M@X@WrYLJkkfT?rQY1Pdp*fovh!9eK=7Cu(h`884a*`9A*_5&DUd z>}^|N8?aX!=7#%roH$$berO>&k=#01d3hoh3M=$nuPL8uLwhxF=(xj+c2H|~phpq- zbGe(;i1d0X(8vw<;)g?0_I8beKn~g2#v;_bjKbF{lXJ-v#&ZSDJf))MH!}NkoUBh8r>Dhvk{idI$= zMNc>ECW80uGagZzy#1EHx7N+ZEteBoE?49f4&RAdJ;QB`U(>l+Q0|TLNs7g|e}!)6 z1H(1oy0$ZgNfh4Z4>4vQRe82p?oB?xg!tX{;JuHTX^?cdHZwR_B5%qBEf9|y zP+!!b`Go~0&BPHSIk9eQaIaaM5FIrlKWCY4{ofw^boz7P@|%94>m^|Pbh*|2OF;o# zXlUq7H(4unw=+(_Jt#(w{s4Z75d2L^{XbTP|6__y{{zBr2GhBE z+u5z7?3O1ynE+}Zjo<%T9P_Cr_qzC1W6J?XhIi>BU;VgD*vGxH5b8rTX!janBO|Vt z_d*25K77N;Yz@ykGPAEUvjW$x!+Oz=&l3zV({&qTPZoWO zfS7W>|4Y&Jj;2598RmS-;SVlV(|I1d7jvDIL&7`a?R@_9W#m7lW?XIa&~dE?8m=hw zv-ASg!1ZUaaecP*o(=ZnehD&dAMye>Ql@pY< zgvQg_hMn;uHw&o*Y8Q=POy%d%M+;H*(!T8+|mfQ@Vhfu`1vDD`4sNF5P2!SYX$EUOpMT?G18SZLFT4n zaK{6MB<%*u>(OZ6)sTrZipXQd(QH(J*&@I4Np{LmCE4uYk$9w6#8J3{@m2cu`(0ZR z`tP_|1mKv%`!FeDnVQq${kMB>#v^7QW_2;C(!PMMhe!)a!aNUlG~bgEE~A`L9x>vb zsHhCoiQp}bzZqa;%oX)#19Q@<4B-2s?daZ5a(wPY$$G+7MB`_pSt;L$eBfAr>J0lcj)}^z}dt)UXl3Mm^E_R$fRi5~hYl>?W z1RyqZm3ljEOXK*}&mEZBq#fWuL;_YR24czJCq>3t*LNqr{OLC)^qW{}bfEaqyhU(} zYe34Nc;eOWY*#4OXUn43py+Jd(AfB;vC(~`8n~S#3*nrP$(e5 zbn9axq+}BRW!3#Z^!KIbqs0nmgU6{~pI#Enj8KFP$B4@ra)<4ABMpEdsE7UBOQDXd zr>}SMIQoVRvOhcsTvI;m@N^vr<7pYyJ$Q~AUC>xh&O%eQmTWrBi#^@mA9T_;6#?ZU zOcXfi^gS30Pt1%__tG^hl}8sB$tj+@@P);3V1FH&t6PMm zTPD)ThDi9tgNEFFeDY({vaq4|p%pZ)bu0c=38dHbP{~g{&P4fnjNOiTRnhqw-5A<~5)+cwDX(50DCunG?3EeCY0(ys0FuyeF_tdU)5KKw$@g|*@ zAiOkVs??Twda>JKwwK}gzdSRxI=Yf6GTwO{AJ~TWCvzvLjfLES0eUcSa$#v9K!IPu zUFwAor^WvQ(wQU3L_=;UPl`nz<2PQ{CZdP*oMC?Nj+g6-lxOoq`H(4tol^GO+FIt~2L@oa5TX_=ke%5Z<# 
zUb#vqQ1I1J<|#v@+v91UV@znvr=qF?dK`bcHMnKQ0AqHo2?^i-gKHp3{C57wxWipo zN>5O$7d?}~J$R*kS{J_Qo;N{UZMc<`U%h6;|5FN$5V;lH;zHI=p&TfsDk9JW1$B>* z6Wz-AJV5I*?5-#YoT;NVSK(>BML^HXZ<)D;a4RO>(*CU zH_#FIXGE8ihe0oy^&pwwt`X-E?ug=iE{+X6$Sx%xf^$TerBq|TduzdBw zgpzjzPF#S@!-6@U&bT21emONv16lyBp-r%+Mj3WQ1OWQb^6>(TNq*O@tC1)sD{Y>C z`p19&4thav)A=U7jQ<2*s4EMF3LLkoKluanAi#VQH9I@jnD9NzQPV~&dimb&E{wY7 z_|L%EJa2da9>x;7z&>i(uRv#HVKC)&`V&%EG=7OYqhA@xY{*7+B zhDd)HDn@_sYDYq-VWxZ`>z%&iLmx+dE~?Q&S#294yo2IT-B2$h1G?v~F{n~FN5~E~ zw$UTi7N&QSjlVhKhqcdAxu4o5Xf*Vn#yX#0P#7QF1{G?_N@{Zzc_XGcE?<14+Mp(g z@^|x>mOX4*Vv^QMKdg7#V)u6F$1wmpRtFuJh%o%GH$7mrK9nUSw~Wb+P&}{$%?+03 zHFi9lCjbp@zf&KNO6Bh~^nlrZI_{c#v`GiMhsabaWx8Qp{Php)cO~XTGY}rxY3$`a z$*oqGj~_9p0axsICRfS!fdsK?Z-+Tz9}i5?u-#z+%%W~Vu@PRQ|AoZo%i5Z6(5TR! z?5e2PyOXSs?0jeN3fNNa@J?Xk&x}QxOg(w){ijLx+HD?A@06_6!Z@WY6C@pzeh1*` z_d&v{uS+>{9^XBDkjG@NlmuZ0s)aKmsQpV%P`9nY@S*4u5)yyH#;2!4Ut5hvpa64@ zO@XGNcXwV+?}5SoewsMJAi|E5PzDBu_|8g$R?XikRaqkbhWaFS;NDL>D-7J$Bi=Va zD|qc=rS~!f9K3ogV_{)2MY596xDpzex&!!)zV=|$?a#PatLJ0U;dnZev5!3b(eFcH7#AR9ko#kA8@GNnbF@HT z|C+YUz=p}76M3XU6;>yXmjaY}A4sWl*9{?K{ut83?iSb2Q1M9K{uu6a?%i2m*o6^7 zNugoEGc(}KdH-mF2Z$-_-;WoqBKRKe;4Jb{$oMDnaX|s%HRAZq=Iz^MAbkOyOSVH1 z#+S#7G$f2JO%!CY<9-Mn&gym0jJ~1Um(R0){UOZnP*ctVTnmxlz*W$qU#|yWdUF&Qf@q6Oh;UTd!_3ubO0Yq24U25S>2x=iOZUS`^ z$ia6@T3TCwkOh9HNrww!C*Q5>;sWEbR4sY!mnRYjh5iZY@0aEaKLWwS!~dBRHR%E7 ztEoN$8=+u{D)JVgxlkq0OQfQl-uo{J3|ioD;0pkaIW_$T2xuU&>j@)~#bRn67-u)o%IL( zR_(ICrK~+&V2U(;9#^+VDio@kfzyeKfekoTd(N@!ICr&A+8UdEP3I!-x96#K&-3JtzU9VWQ4ae z9=A7L<>~Vj)2k)|NIkNPmt?mWwAPvdnd*oEWIlKU!EnnJ@F+sg=p0iSe}>Bc0@lP@ zRU(fMrwRt@pJ5JB#mNv82(I64v1}kThY%jCc2#TSTDt<()B?KO*1;#4|gTe&<-%vK3LrA}gJb zU$fAMb;o)r)y7WO=Ks=hh=j<`@(Xl6Hbrbx^Lr2cgQB}^J9eWHN7D(b=p zjOc$}lz1Ua;@_z7D#vz=5FL^N$sC8@PPKC&r#mbMX8SY{KC*j2mhbdOJ{u(HP$ONf zjpP~&-gclaL(*MJvm9v;bauf4mkw-J!<8@?WEcZ zpof~SO}7G5oFfG3J za?0kOM^;7!2ZMv0?2u#HpOM;4g)ZJuAlIPb2K^QUl5b^yJWJ}3oMCwTmC}4IfBvH3 zfzW=UUXHjGhp)-;T#OrN*%AyRP20HC@v?HLmpup9@JIT?P^pxN7pU420~3JABm~9b 
zQFxXx&zDwzt26_2Q;6>XDqc#Y7cYev7V&?YXOoaQL2zpn3JA{r#PBOSZfo+W?{AHk zWVc9!=-QtO`?y*3v1y|6;T79Xk$^L2?{E`rVEIGLLsdtI{0-fgF?6H{6tAImGQz%q zRV?LZ4Xn6oiKA0PuLBF@KTPjm$inE{Z@8CWpOEa`&Dyz`Ix*U3eX*8<=K%(9H(<$R zw+p){qWe0!`UB`QrhR|;`0S%V9YBZRHahUvrN|%P#GRlqAD=cp)-sW%-ZKCeqkTYk zHP^bMXmY8AQXty0%udjkt;Ly9RpfJL*QEL^wcY)W$mg+@%zyz^gS~qrjmD{RgB2c* zGo-T*X2_&Hrm4nB*p3|gigfEDujPOyZ&p_T6)b2z%RDi?Oz~9`Rp$suK^(hv1H$1U z4ly$$X&dbCe-);^0##_x{d-jM?DC=1;;^KmMdQ7kkx(4DE#LK$-tqT}57)l;hGq|M zVZ2t@epLA3&ulyNR2XjPe~$lYGGAl5aL6G)B!qL`=-C+$K~O!QJZNE}6R19hqM>;^dtn_---Pr>bOQMk*gA1~pgO`smCLn#LD4IUJY_ z@oI)SY$@(rlMqV$RQ2S5T1JL-8=r*}%&wA=jNorD!?s;Wkm4$brh zcL9x6zP|4mjVzo7bDHr_iLR(9e1>QZ)1RLdIQLV(GL-5>;>V5le!)i6jooXPIMNpczURL_p&@fr+WW^r_4l1Hr4u?ve4!jx{xnd(5O2f7ZXGrM zg1b+Bd8l#i$3*p^5x#Z`+e8wc9CS})BlB2YgOWFqWFfkz8;8g6Kf}}?iIHLoP&ta0 zG0)4!_!2+7qTteVl?lL+a5JDthWLC7#}BVR7cuU1A~{fOeCy0Xx`<*ju=F;a+x~N~ zbr^83@GfOn3dB|AV2ku$2Yrz9Z{uj?16XbXwzEw`_7+3bm$s=+F?cq)h7fTy+_cMoP-JSSeLQ!P>@)w>gr4>1}hD>YE-XV1Ym3aR;aKWZ>LW#|tLjT%sfd0-VND!SUXU$u9b zqLP=x5wIEr-qHlV8BYD;Gp|Pa5Lg`yT`(yy+kT34aIwymeRXWeeuuH3&TBEN%?dKY|d&aeXot98dw|asf zsqMtrBoL@9$qs1WxvrX7g}v|VP(K{ehZOsRw#)8KKsoDz6g2hVyuLh)uc?yBkUC>K z_ell7#-leCW?|kA)VYgBiV3LE(FT&E0%{0W1yDfK!6#y;kbkqdamGLxXqdqp+tXkS zLN}cVMhSvH3bls2C)cC2VV_Gzcg*GsUWsac)K(4F+is67seyh^fuyoZTx{#9gh5J5nN(D3 zv4;tqphz-XzezX4`;0rE1rsZM$$3u$eURFQ!6dyRG2>tHc~|hn><>>5QXrcwE8a}? 
z$KK0q^#{$KPyXWlSg&PVq`XAPpkX<-l({fkNf-26#10=f@n~rE*ay+bsDzl&tP>!{ zy$c?dcNhG`uhU&orHqyCydmnHXkR=`$BaMIOckH=_@iH~Uy`NWJLE#~LRH;C8!p$Q;gKRf^tDf&nw^Pu!dRU&RN19iMZw%j4c)qT;|Jh-sY_CVHmz%r_ z=dwLpC-n469C+e5>eGW}(d7?a zNBX85J%}8ZETMdt%)EZDA{Q1G%2FZY@1i$tb2V^3zE8CKYyarh`4JF>2vS(PNOT^D$D(bCR zOmaeQ0Ebb*+3lA*>RROY#dE50Q^Jk`ANG)*yGLcyH83irzI#0;&f$;oy{Kcixkr|n>*)COz9Nem3T%o8)WH1LDVVf zx+~~ggZcQto9O=}c+l?8TQ4NROR;_7ALu#5Dr)$?mXs`CODu)D2k4n%bhRgbpF5w(M*W*{deH%Y!+2iK=W%SqsqC~}Y2Y%05zB1l z+nDQ3CT?WDv^^Ck7W%L*Guj*N+Y`ExR!`v{p*fWyY}BUTDk{VjK&!Dl`){2W`l#~S2)L0W9N;8S&D>f8<^CXM@V2HWY28SO#q_V7Js>1oI zL>oVK>4qcq9m|)#wU*c;k~*Y9htf!R%8anpES0W+5@&Cz;(Pe2#vW5xbtw@FQ0_&?{Bb@>YzQ z9GL*~q}rqr5?GfNW#d$X9hMG_caRQE0Q5o$e8k=!zkAW zGHpFS7~AV-cpQuj4USik?WxM527gDVxq+21D4f*vvB`E^7~i2AWXlK!G%3Z+Js}o= z6O0*k=d5BnK2YpHyLs#2KGezXDozI5(WMSjPO(yiO3QM#hXvZ zjq8u6PS@*0r^Ec^Vpcd3W$!UG`z`Cs`Y89=-&J_xRcfUa;JsnU?nF5sR?|}u)IH^w zR|x$4`4vmS_}U)7mYx`kUQo?;3W16yk_9V__L&Oewi%RQSuHZ0IkgTfqq{&=KO`=% z5@E7cK%#o*h`60n@Tre-QI5sG9c1xM9Dm4h`0T5;cExeha1JG?s^3ozRHN+W{A(4C zes#a;YY0&w-v(y-~D_OXM~aaQHAEiJ9td?xoYjwgHAe^!x0iOb+gvrd2{Nkp zs;LW*B*U)MGSb}Ov=h*du$e648yVsN{A1;d*Mz1c9x`&8i-CC&{?law?$c3%(l}Bq zOq)<7gf%?3S75-fdu^8}U2xM`kzvm(6P2g<2RCrYUMM$E&cV!i>Zz_9&JGeI)A0Kv`SqIjyz@Aoqz9e??SC8xvcnNoMtaG4s`&* zwYn0QnAqQ=mK};Hz3s7Z#!Kza@}nO)(|ctz%`_wZXPG{J?&RZUY&+a`mV=G|Lo?}I zfW34iRja&mWOuRGpc}UgPw(A^1rUe$kNRRky+*?wk*`PZ_0#O_7W-$)^%yyMi-tsT zPLu!zb`NXM3B-}8ObdYjXLzB6bw}_LGj-%qX?VGM31&43-Z zK;Cqa0VhbT9*Sx8)FS}#2!pvnA_^mw?eIIqelhf9WB zI8LR6;smoLW^dXE2K7sUuo~WAwaRqk&mp9BM;~N3QS9qa(A5lk$jMVky2D?)r zHT%SX>ue*Z-qX&c2yj{$Fiw6}uT9@*Yfq9b$C2pu(+0Q$y~j4lHVZJ#Pzk%T+CkeH zxrojRS)h7}7=w1Ce-+(+^C(N!)7${Zj6PO&Yjm^y|fsnX^p!9bC+xx5((p<#w_V;|%K{t=eCn1Nqrh*~3r zdSMIaCl5O7|8Vw0swq9EUISSlT2G@Ub4*OcB`fFdjK^g=a2Kwt{N>NrW62!Uf z4Ee%l-(2*1aNO*h5)kfX>cN&MtUq;fbw!&N==zu9^}RA_8B^lvS05XQorAs^$~{+rik@N?2@vYsiSm^ zDlIkyc)P&-t4bPq&{MUA<-fU#lN3NMMyId%P%l2dyt*tG=yUA& z7CX%CmuXELAjk|>lt$o4AYI0@68&9yTTY8jlqDvyldlU!f_WdB+}MdVb-d?>ExoRt 
zz9Wocc0j!oY)@fBZ_<7VL^cWpVyxV|Qlc=v%~LOkLNmppvqrU?=Fa7 zyKG;DOP?LAHQQwYd}4o(IInMw)Dt@)84{Ft(1rzgaUBa%n;#|)&!~wcM@I~MA7w3J zCe}H&MPi4(NHB1kgEBE>yNm$Kc-SJ5bpu}7*pmLAdQO{{3%u>4VnzbO9T?UKij=|O zdq|+&>IYA27Lb8%c9w?y*_R?-eM&sx1qV<`hSXG&zkU0bfst|IOwPsoS)qzs2nCxq2%O7kqe)ELI4<^md$FDlTAyrTY>^RHCEQB<`k$wzj-X~`iOV&bAG z6F*Dog!O8>CK8?Cg=kgCY#nu~neJw=(a2J&051yn<51ZOc;EG*vVVKgH38tvJ7_GC zX~)x0Z&*3!yvfDRo;%RENMU+HQ4G!yVpPu;Sz46=cUnOS6j54OfbBjS&eeSFTM==6 z+*7?x_L;{3P66>t-F|y(c6?1-C%pH@D{b#w-f5#1S*UC}uJG0{0jW~|7IzqqgpBjm z(Q1#^2Id^b^k{Wh0mrB|$Yn-|Lw?kGrNV#~iZr|HVhUKI3!_rB34XXMuN`n!pc5)2L{%X@Tb#`+fDDT^=MHXrcS>I-3ccVkhcr5!4GC zI6no@w@Pu-t*`I*yuNt65=YmBLoBYhgHoLU3NZ_njHJ5%o3CyfaIn$-gsCm?3@@9t z`(U1_CC@?k{2Ek$868eT6kNaOr@iQp*%t>dEn9wMJla9gAAv4Ndz4)SD5rDdwIGu1 zquSi1#%MIoP%!5cU3zU=Hv{kT|9EozRu~%}Wrg_=uOhEomE&3P=$I&N z7~g83=e7vUI^39*&G8*ZSz~H%#WHNjxpB@VB2dYLz8IJ7EQ!$rAuge5;g$KLL6vQz z0J{uO3KnLXjQYVuV1E3c&rqk=9Q0F!Ex>ne`okX#h$jtp%L5{vF z{#+Hm2K&yhHy4B38!^xt&Cf+o-T7Q%VD7A{~8ur%SC zq4Jim=>3RMqy%>``C$S3>pR4HLfQXS*(=<(;>jmIVOf2+C>ran3dBd3O)*I|Qc>3|$ba+m`LB@ysZls5NM zgixg1u2-z60KWOZzHZ(E3DjyxMlM1Nl+s~$xKPW+h7k>o-*2I=p+U3#JEM%DVa}aA zEzY;nQgwS!uk}xg=pR!xX8?J1{PEWFUuR%|qM)j(>K89rtGs;sXeZge*%W4%ZG8R1yvs0uX|z0n26heGrbokIn122BTT78`|u$V|u>*t7*3&n&bV{w^Uv*2D#@ZSTW-j zVycA+fDiIMUQDK3ybK(fO%zB$gnc{|0CG8@;=WMZ%65X|wsTCk3tSR)J?}@r_{yeK{+RU)^@$IWa4L7Nv-h^(2ITF z&FSWOPy@n}{C^Ra2XK!tkc_=cPEP)&0nYK~d+3VE< zq zHA+?uTHU%E?4g1&5YB?PM#&J5^#-7z1tJ@2CoPiqank!t!uwt6t`GHT?oBY;7Xl`! 
zt8kLxd%>!mgl@lPk|Fu3vEw|VRvCaI_3Yg!LBDCY`lHj5WCzAz0@#~d`s*WCf>kLz zD3bC`9ZykT9@+QekYtG9y2}hNkwlFt-NA-{KqSu;fqcI51BLN6;3uS$0r$uI;{Ir6 zSAnShuarafA1Nms74U%ABL^V}{4^(jODjzQNxYXr(7}BAL1@(16N;`!i~|G@>@SIM{kfJX zb^R~ZIGHC%`Xs=Qu{A6d=0+$Q*^MiF_=yn!ZvQd@l2E?MdZWZm-Mo!7cPuo`X{gD~ zzkklL^Qis!c5`cJNFK`T{&8^svRto`DIo(HHC~hhC|nSF=VuKWIB%lTe*SyjF7lG= znGKK7j-v*)wD3bg5gv{=CnojcJpiFpwZ$+2h?ol{&B)I)`UOB3OvO!*l|)5fY_L~n zelu7&f=uBP5EKLl6;aIM1>@u6H=PYJpPmh~my%NR4Wgk_bIOVo*)XkBkz$%1F4Vt| zM$`E!){uwISJ2j`kBW1Ml>jlfhyX}pQ=JeEv`y%CSV|QO8+%c_KnKTousW!cnkNuJ z569wJkPf1P=wGU9*o6E|!~8?pEYVRtcbc|q{{g7hAI!f0 znD`!!|~p$A4*%AkPAE!B0gp2kt+^L3~#it!Si) z@l3YWvMqu+I_m9aW(4~Gzp$Yq5^a7m#9YY$rfScYycg@Z_^t5%9wkFGl_z_Qf1d>y zWJd#rs6rH{1~YTc&Vvxqr`&K}*}S&Xe&6h_^IeP^ORehHz4kqc1F&KF3M85!9rx9kZX0-<5yAuW#Jt>>JFkjWO0po?;uAUJ-VmA z9ne+cR^>vZA3m1ynR_^ZiMRN2QcJGmRuUU-#ziLKdR&=seKcl5n=J?WS>T+Nb%M|J zN$KrTvk(Jk6Ld#e;3a4In5kjtKeXTGw9)^4Heb+((wIKM+Zc+r+JY}#(4m2hR5s{1 z zoA_gM@$0l5OwZBedwea^lMpopGfxa>V2<+AXEX&;M|qhnscGtQ+(&qh zAWOW2V$pvj&>S3q(n8Wd?&w${!e;0v*i%X}#p4rfV#s;IpZh=U_&ZK(Xnp4tzM3;* z)f4wQFr(o{d0{=-o*P z6xCM=pQ={ckgtriU^Pimq)c)y`GCY5?n_nKwX!g}Onj=(W)9IO=~~B-b`Dwq#JvX) zkS26l?h8Sf-Vn|+>h#(p^=B_W$sh#1$&@cupB<#{OD<60WDI>Ua%0>i8R@tDF=`f7DDwT zQSW~V^v(ZSpct^8y=t2QGY;g#$G;cp1~XI6YRgjBW~t7CFJ?0e0YA_F*O!MK8g@{U zor?qi`MpW`JrmG&LezfC;f!YT0tvprK*$z^5iCR)&@d%5lf^1GL4^HJi`nIU#@k&G zUp@fq=mrom<&>{|YpA(b{XiRn<}x|{B{3N#p*NEi_J=*_-OpTvaGZs8x1Dqv$2?gp z00_uv!mC7tAiyh8$u05g2|RQ_7Iny|FLr-OC%ocwAJZ&HO&%3AY&6>V_`#i4%GA2#uvtDIWn{84 zh;!c%5?pjiy80I3zb6JObMJ#L)7X0!ZYh4*gCGF(={oI2`Kl0#1x4DCC6a>^!^!Kz zrnS#~X#?SE7eW8g@}h+8e1YRKInI+rbLjwBNI7jRty|sn1hI6#@JSvN(7w-8wQ`4f zus|l-4G9^2M2&eZyyw;S*#7dQ%w-i{c#Z82mNT;+S zp>zn`xxVqfa?iP+_x#Q|_x}Dlf4IO6thMHxV~%*nGsc7&hy~)80WJcx`WGg zVEqg*8ZwyfAYoX_V6ITr{;QARp_&$HDd*hbU*O$Z?zi@6V)~~8B`0AjVU7ckSt!Ck zy3R}ELp#!bY_S;#Ye&81S-Bnw#CQ}?FYwuUADUVE_UD51J*@t;A(J~;i!K%xc*Sk+ zgl9`}|Nk_fwHEqKu^@?$q26&}Jl(#1)UvOxN*%cP|E0A*NueYXgGA6$_k?bFtk|-r zZgLxbR;F1?C;(EQ-tlV5B12) zglhv;#~s=(0WCYjy{30y*(nT{&o6rx 
zwCq$opA)5Kp=G~6+8_4`EPLpyAoKUMx#+Hh>m!W2)m$!0QlS*Gc>>6hsAO0e9>`IrXh_c0brs11qY9ClIm>oV%P& z_{9s3Al)&u#}Laec?HmFFy~}6tvC9C_xI4uwB855M0hjY-@>VXi6Yu^E7c<4YyE|u ze_t@u{%{hHNQz3+`s#3U9?@?OWWr_dDp9FpN&|Wa5ve`>aSr+mlSw|yxve7!&0*qo zH?Vb}oK}CT)-m`5ifCFHkT}PolC2ZJxF|sy8~qHUZ4zBsK+?Ab)XWWTl)oKqiTZw9 zz}aCYC*}1Z(Otc#wt>YfV{`~8JzXe>!HiQXa+4Kc-&8r*>Br*(pWmY;#O1&W7xcys^|jp{q!oHoyG#B~L*B*>Z`mxH%t? zKc=B{5S;5}WG3FS`Vl+ejS2P!*jr|2wqa#nWbN7CXeR)o_9QX>{{x~1tn0%=KPvG* z!N{v&=nKW{HAf-D9yj}f2T^d@mE>ASPRoW9|FO+efMu_px^{vz=fwJI_jl>&7Eb8~ zkdykl^i7bO8K)eJ-|oI~1>q@o$!JsTKyo04j5qC79jneDR#{~RDKH(FVe9((U{(;_ z@6Q96{2+RgxOmqG{&f;e>CXDmA+L`LUVxT+7C%vR%gGNM6IBp>q)wGhUi6)evsnK{ z$nc=@`1=csYk+R|}R7oZ9A|IyFWSC{|UBZ-o) zxl0RAQia1X2RLYs;+gRMc6kcZuv@tbH9Hl7X94ejZFR41ZZ$;VtvvV4JUXs* znyhf1zOgIZ##7<`UC+dScNjNZ#%nQN5o*bcUU+bCs*V`+{cNVP&G?j%3J+~Z@R6M# z)1M|`oC3BZ3XRF6%a5Li8E2N*b_l?1u`Y*nYG6$0$B|$>R3%(zm&MFxooHiQ_<;xT zrdyNKR$C6R0|vGvQ{bUzvHagaQjVqiR~#_-lGb}tn9e}=xX6}15-M-ly9#`jn1lp) z=c~*8;@fy-4SPn+%+-=0x%XL9@^Nw5yUS4d7H9eU5a1wl+UM-XDc(( zHu~;6_oVR`FvtGqM*$$XWXZ^yZ`4wnoV<8vJU!#x7O{;}ZVmr|WhpLij4`abn^RXu z2{H(f`}o>ru2l#gDlXbJnt9Wg0TGJU*VB6?l&cuG!E-g9GSh$0u;x|hl#=KA#LIaQ z?@z)3bY)GPcAh}-mz%Tp2c=uVpL;K`m9b{p~4S#yoZd3?>1GOHN3fXkubZ&?dI- zN9z?pOC&ICu^h}(rWCqIxw^VKv`6e};?^t322Qeoq81nl3tO~wZ6Xv@PvR0Hcsp0| z5JFG$$Cs$q&!$*E?evj1R|;eb>cszUU@pMwAiqNJh7dA17*G$|qzYZ{t|$T1WEP+Z ztl=}4yNAG>v~<^6tb5^(yqgTRksa0Q1r$Kj_z4ZG&hfOCO=LPe)HckB1StNP&u)AG z$|8192gE;44HhO0C&*mMrl|}K3}ovW5v57h1{2L?*RLaOUPd(d?!R(E%H39?7xUb> zJ*kaH#h2IX0k3S8m6yjZYdSqjF^H$Eb)Js-tRYrv9G$Z~@{DM<<}uj%>HO!n{(oo? zz133*FNy zW{Y~tz@5FlwRKy{*|{v?>io|-Bg;7eDd`z&cCKC-HS^`dA*3srw|N9J?2<;}7*1QZ zgkZm#2C2l?9_vQe%-+|%l#QnZRgpd>(Q~1J@2@@N#s>)jT~eJBHgQ=7M8Ct7ePWy9YR`n!?*z_;Qw(_! 
z1K7r2^5Iu4s55cp<f zERqKRnpefexAgQz)>ZK8C2KC=CqDy7REg+$nG0eCPZyuFwuXP*glx_JW!r!NU>a3Bk0q4|E+T?=GK(3)+4&59C6Y-3hC0?YR=2B*fH@a%cX zQ-DL|5q4J^1=Knje+X-v)9}?m!W|r=`)aelIshC_fFl0e??|B%0~>g|5JYc)Qnn^= z9|u^wm%nGT129Z@VG+Ef!m=aCkC-mh?4M$c9K8fRnm>cLyS&{K7$&-6ET!>!#Rzf@ zv>Y)3=j4Hp21q;o{i0nq$n3|!@;R~jasvj!jCFtJd4GijD45J2uX$lRo{+Bh4d<7X z1lpT_y9%2bNAla<%x7@f(Vn&atjL-<=P^ZLPg>HL=06FZ*gY9NR|d+!@BO{Zf0^LF z92PYN%n2xk9Z|Utzh(9H=H6P`x#&V12>BNnJ$0f~Amqq3>5FV{=b}-f{F26yhv&Tf z7HEOqo|!ZFA5P_ue$z``DtJ1LK*8Y!32d1i zh!UlldS+DQqjTPLR+*nqN+|)8su*-n1M>u=7$Z(i&4q0hqg(I=&nCb_<4T|P01?l> zOAp01cPb}ddX z)X?_40kE$A2?hn(LITKSg9-l%u_1R>R^N#UtKeF6!jgS@iu*Fi+@TsQ0-xx2S-v3^S5?64}% z6G+-)e}?I{sy{`RZOZviE|UruNXGnw_?Z@kRSg6-o6L3-nTs9}n;Pf*ZOj*7UXY^a zmtkQDK2-yzE3mAr-VM0dPo9|rx9329#MDd$Z`!5UmtrJ^zS(C*5@`CBVEF|LjV6+1 z!z@qzAP?|+|9Dyr^2I-A-v$96Q2E0#Zb*!U%Wk^ZmY?@7(}39bgU-QNN06U+^7h?E zA5i0B&H*)lL}s4eK)Tx27mq7yC2)&D8-#hemEf0vkaKXg2Nw9f?7}+OR0AQmjNvMH z6Iu?+a?#RP6r7YH%hDx>%!W7>r6RtpRA5uh^_iXDRL}!6iTN;KJJ6~hxw%h22cEL$ z)Gr61Ah|0ywm_aH!g!4c021LfOOaA98b3=}chUe1D4chX!xP(X6v)KilBKPR_-*=G z5E!M9dHXOf25iO-f#=@&^l~N?9mS$xO4*W7@Rn8lePas1oeRtQU=ai2-BVNHvcgjU zy3swQ0W=-=*YHpbYcw{G?d&D%A?E)Fa>i`U9zECV8-(t960AVk{h0m z^tiG?GGU9)f_adQY=;y-=E6=~L2V+SXP9D40HOE?E%v{EW8W0^?ck0#@uWr-Zc+k} zfz24tZTS!C#D9;7^D$Z&k}sYOfL<|Ny^HGpX$KsC#yADvCf=z2Gi_^6^610B&`{X? 
zyj7m{y-5WT8ojr&TTk!1gE;6#US3|e4xkw*yI)ec27!G1;8Gl^hWF85@ap5cqhBg5 z1V+TpU;s-AZqKDvBlj~j}m)%pGU+40)$69SK3;ytt3mg@UO3hB8t+su|&D*mJ&6;6{vQx89@vvF`} z|BNJ{l>xZu^|~)1*ENITp`TX?GDJW+TG#OpS`09)qv(MBCd-Bgm(~&k*C~#IBQHs7vj!J^|IL z`lWz8Y7P<}4^2txS3yAycev@BdTYpgDCuv@*yduG zI(#LUrU$HiKKj>VfR}R5s#SsLJ?UxFPhcIEy4R3jQh=^|vshUOsz|PJ;6%#&2FFWb zrU9}y3dYr*04&@V&QjLt4(m083Mnwc#v=~Utm&m3<~Yv$Un$SYd&G>-Ywxp?r0VMG z0WB_|S(dS><|GDB-d!pH+4f&uMqB!=+SS z%T_Glv|~jQ(kmDm8g_fffV|%=rDr3PdR{p3(wK(wGAu9T`s|u$6>#h+UquI*=p&}^ z=)@^SMMcvq`5qf%YRB!6^TjKnovzk?mJ8bbN@rttrn2ble_{Ej6Ya%b6Ev$If%@l- zOR=@a^l!Q1!~;8zM?!J%Wq|KJDR8eKI%sIVGoESnFr%M7J=;f#sh<{PI_TQt=m|dy z+_bUMp~YIPIqiEc#_PSc==^zo@=dwC*2pJrH{c9B)C5*gvQ7qQ?oh-Q>F-V;4#al6 zShXSkT?#jfjlq1Y-34SFR{7(VEOu9ix!`T5C&$D6f5mGC^=&j-iB5=i%xNLl2F3y83#$bHKWxl7rnk*UeM~vWIj`1MmeYN5y5ojm9${zhb zAPM%sFc?70tVu>!AEAE$=f7}td72hMQ=o77d5|{|nj6(W=0@sY&5cb32>Y2YMCCES zrF^NRaS#boMjl>E$@)oA17?(8)qucco=ZfIbW&%5M8*z7;xjluz(Cv^FA>maN%lV% z({~bMG&WjXSt)L!755^lYzVt27(bIK6Tl4*_4CoK&H2g|E!`*Er{3P4Oo{pSVg33d zIHYLRCpnq&plf-iJQ7!Zsxf>2JBkkD`zKj0f)niJ$=M5gO=G+~1(bV>#+I6A?`lI_ z#b8csHOP4nI7A329XOWwZ4iSDts(q|Io6YOPHQxmCuj{NxTc$-^w#-R#?g?zDgmY3X#z0x)#U zib))W$kq%GF#ygvZ~{IcH0X0ywX+BfK~lh*iQ*Njq9@f(GIXdEWgzR(5^|9Q9UPp`NW z2`YJkvRqdR)dYBk*YaBYIZyo0;v1$!R1gK`R{l#|{L+1<+H0HxC((ECT&rixfNe_s zxYu6`NU6o3Y6LJ-K`>GlZTjX4MDWflGRf^}LpaB`+Ig`h#$zYxUM>gWr$Z&rJxTZJ7B#l6l14>6|gE^W0 zA@-VZq?W9LgB}ykI*D~PG`}Uon-K8(>$#=sL0SS5`3-Ivv*M8Y4N4F5Z+HeCAL9ppOa_yrz z!`q({3=igSSEOCE?!o*cCfJevzyI*(&%<;NuRzRxB((;1B!Z{I4Br~~s5t6w=0P4@ zz`c_#VkZ7KF{lk3J^)o;c;vOP=Anti-S(8uDK8@k0SJj#R?2RIkPUOr@2BrUJYu_| zsQM?=p9q)jUn`+K!*QI}4@P(CwB(3CT__7>PK|^vb_!I$kg)JD!2*73mgj~xnBaOxU1%TW? 
ziuIRYo062o@TX&I1036?h?)(L>~CX5!~oS&J0OLS;KjHRA?<$?|NS)&X<=B^AjZn3 zwf_MFB;Eduo982ba%clufC>5vRr2hNetahhNRS)jho2Ha)$8r)l|@k2SyknEMo}Vs zitQo0TV!DvJ=fC|DSAvTWuw)vOrrpha$JsV9u+){V2?3;W}L`u%*(lGA|g8vSxhQ0 zpD4zPdw5_>k9Fssp3|Sr7{HXsdrqbaz)p9;jj=@jO-9+=C;@KvD46oZ^2daxEmzL zzumTQX790o(~@!MUWyHZiN6z7=hAv0U~i@X^5WNW^&SwomaV(@&!HKAfp`FKIf4qK zPhP*8>5GPk3J1J125e6CA!CU$^Z>u)@edz^XH6K#4Yn7?ig3J{EHvs({lAH`@qW$w zb`vO^O+5FzKw=Z~_f3*0-}Bqxz<-2-kxCZgWPE;&{^5CLpu(Tu!Vn{lN9e8Zoe7CMw;z2L>@$mPv zo&6O2FqB+p?NI9YMt8+E%F?TOlP@C~W!2(T14aiUW8WWMD!Pm7p-TUX+kmHZr%9Po z5B|1`C5%L!C$VcU?FOlmh~V<_f{nApYTIF9f0v?;NC+xfZY+i=Lye(BgQ4Tb?j0lv z4}LSB+HSJi*%gu$dxT}!ZOMEtYjqCt^|a0!cCpPGPW5L$i>B@tzP$c`DK?Bs0g;q@ zn(PDn>>@TYn96t}WPawceK5F?%$wh&*~x|{YfA8nycb(}RDP9XWn!4|W&FD?(afug z@Q53pZwV4sAB-*g*qw^@%AF=7SRWI?bBKn#g|c!@0%81@9xEs<#j#j*s-jU@QH<$! zQb;;kwoiFS3(}bHU}IYb_Kk!e-C=KWmeN(*`8QNH1Yc)}3xvA{FLzjc_l@)`4~WRw za4X%UE;?3P4Y2AwL94v-)gDu6R%03Rk5gpD!n^oW>$=rjZ(L#i_2wtl+(JFh{$wd$>?Ej`Q+C#rIARBUo(Ge zhqv_NQ;+;q(#pcn_l6yRj@@@myObzl*%w=$!-_O_Ure9yk;-h12DbKm`<#LIoEOOL z#aQ4}VCcDADgZfijJyk=a0d%_QW_+IX{2t{Vgt)+x$ccuk#2rW9vd!tqVY7b=_^C< zHW5_*gH5a)&4~N4?-+oV8M=Q~2K7iNF}Ojh-ZsUZi$)bM%P=aU^cnbu@0&S2mx6j8 zrMowC;bYPTFSeM%WT~>}Qe|r7X-uEecUmWE+;6U{39;kO~1QomHvcq#R|uunF5 zVHY_w9?3ap`m`O{IMZ2t%sXOtYe|94E>k%kHhvO9;VBL&+hI*s1FPLi==k)BH#(Iv#j@(zk4RCOJooPibROm}yxgRj z)D|S(D4K}6hbog@?cHk4_mQ*SjS_e+XI2R#E{4V1khsdO)t}tKE`)*rMCSBxP zcB5%%K~BALV#`bELbTWFgTY^JG2KP)x@K**a@mt|%cKuumgGK>K6$mB)S=oybxZJ? zv-lH$$Wu-jgbo_u$7qaXGw6+KXDLBb|5P%ij%COB6S2CGKo` zz<)`ZUob5r>6?mRk!@j?`~fO3-23Qtmd~#O8;Ud{mDj0V&-<2=cf#^Z84B`JM-XbO z$JJP$Z{etPGuX2$(Ipm%$xh1NbhdflyQ?>vPaJ`(;)>r{L#=<(8TM99JHLHWS|Z{5 zC52+;K2j2@H)=;LjAtGrf!j{Shcfno&)>wp34J}Z>M`o4;%bg!a>w7hR-Aztq?x>? 
z)TN0asCoBrQYvx#UVOyRf@ogZmA8cLZZB3dxkv(-UteA9SiOZ(g9#!8^A^)_bOXIh zy8NqOAKq}rE!fy+Wx_7(rH>^MJ(M~aIzgCHAL?(+!P?}WJWn7sYFrztVV3N6Pf3i* zW%v{{<%Kurg(n)FpK@Go@@O^vcE4`#`b4zB)n7Hypi((>zM~;^j>2kjpG$!b2)}7)lhJ?DHgr+gn0=mX)zz zU0dIq?y=&PAvd!lZ=;Pjtg^R;y8TCSnFyW2Ye)JYxHk3bmXl~qUs>D@Vt=8G*quW5 ze`(dg3LYV8E~OuRt{lV_NHH!$7pJ1F1~V%<_EEZ7JM4HN-pS_%-bD`)W_Awc0z;Fe zEM2;%orz-EKI(}_3ENsLOtZpSkHqQUq}&*^PIZ*-a(ph{^fKw~kabm!=J?jJp714a zQ_HBNaXF zw$+@q@~n1!%CQA!^Ogx7+Z@=2{%6V!8%d+-u4kh0=C3l%ugv3js-sa%<#*;EM~(eV zSrIT$c2^g8`ZfwyV8?j%g}ewAmyD@Ku+KDd>V*e51Ub+?;BiKyaFMTt4koh)lj{Qh zt2mbh<=ru@^6|whziu*A0;?sfS2163^s+LVxK_fMB z&DD5{`%-yD81Zs=cCk59p!dLT(T`twezS!veM_@b?LIYd8UFxwhuoJUa4vZ#GxjGd z$uEQgi3nCwzDPMo`)nIayiQ4B9>Vh9e%9)MDc$>}fOYFxGN_Yq2*`b}JX6=Fto|?y zSN;}7pHAWv@t{I7Mf-WA%KR>y!z)Eg>zl2QS&904J6?w{9xwz_IfFV_GI#!NObcH zES$8cduF$C<$2-*WJDc4s<1?AC&+OIzY;As!k1I#DJp8(dEkJJPo1K6FMlbuI-3+; z#1YayB`)xkcvx*ilUA)A-5iNsup!^ENgleD{rtU7VCEIGQ(4FskThg z$z`-TOY{0ZklI%qzD96Xv+))TFXZ3Kv~|0j|ZI~T7WGI4>NJI%#P-;nU#kn8z2P_0}w_-e&yV9 z{y>VB$>&|1U;A7m?esQ)$r&}^sA~2YM`K-npwg3M)Olj~+)*1zd22=^nu@E~^kul_ zZu#@{gVc@$aSDM)ule3)nGs8GXcjRsb7kDn-WQC&A(t)gP9a9dT_p(8p-OX5CJq)y~dZhr~RuFhQcr0gir~qxG4$sq9 zS3)L=+!nzcera7%z9?{8K0;c;{bT6g;1~lX=2rCnybWHPb%)l3i(08GFI&T)N@z*7 zE8bgme5FOXVFy48d3+C_F>#O2n>&l6yq8_d{gh|d#Eh1Tw5NIe3JewGh{I)D`QQY|lt~aIeA~IcoE?oD}&ES3@ zMHFaRg4WYllxXV4hmPr~OsAg|mK)5dni2~>o z)}0l95SsUKL@9yNa;>}cNR%kJc^d!s*B>A<5t>BvOJde9WCT9-2)qf9C)Xz55YD+6 zoH(Bx?bd<*-VhJ&-efI4sGMkxq~6lgHG;R)Aq8 zvJlH}1m*HyBk_I*Ll}ZVrG7LcXLqY~ywnJk9}|4pnH~(9E2L`|LSGtvT%d+*R_h1C z250-pNoXRFO5ISXfnU7b?c{${~WG;vYa+)irO6B-|7*(X%mV@DVI~zokM0(i!FNw=R=&n@!za!m(#NT)dxZ z=40O-_yj6O6?I##UIbXg+bFg3xdsft$@vpr@=pTWS;9z!K2klpMX~O>HYoYV=1lfwVx(5rOz?Kbk2zcehtN>~j85@-F zpqA{{-+e{YyhN9o*5A&+g@1#bAl!f>4OxV3rniC4z-Z(SSAfBsi8VnwWmDNpo`J- zu#%YpBQMZYYjdVy)idAT!&_lnpS~mC8fH-2o_Lqz98S-GF$%4=LPrFWhXHIoN}@Y` zUy%T73hUmtfVw|`%6Xu(@lqRB9)PBqL8eUSXC$Ei9!8IeEsO@VS^Sp};zn!W z@#HKARZe#Hh2i005!XdriJ#G$g;~b*fNrc85(*kWb%2ECun-)8M2x 
zoPkCAdM4Png9nDB(lhG?D)P2^1;m(fY|(4`nISa+>}wM$45Y!LcVInlyPpg8F~oo} ziwaC!P{4R$@gGeQAPg_f6cuy@=v))2@2|RETX$F(rodq{{`;n+s zmO_Sg(D~vCPd_ASovTnuHuIl@$OecIn#vF8Z0XP>bcN5Z1C+sDy6N?U!KOO~FpuBh z$s!|8j`wp*N=hby+V#%|YF8N0gZ{H)1C0tC+eR(u$1g0BzC=b;(YuU@gt7rE(R`U9 z2`+m9#s3u~-2NV@jfXVmb+Gzi|0ySqOe((z++2t7h-ea4s4ST1o5ku-k<(!3EBt=R zv-cBxGIE#V>1@a%U%WunY=zLknXJ%c`X)J8kvoisHcOG2$OyMg^5~p+cxWOfU&J}H zfe9dUpmWwju#R|u;`FcclE8ls6$Y8+1Nt^RL$eob@QaT6O_+`g4Hd=a*a%q*jbn}; zDo-)T3~ADTt+rC^NerL22&gOe!lT1Lab3L=;{+?Kn2$9+nS={2K&Onwj=WKZBI~AZ5TUMPH^e*IpEJaX;GzGw| zg2<%Um?JJQR9%6)Kn>ll*o}{b!DVZ8!xk9N?G0NnR*?lX8=SHbe1|vm(bInhjQV@} zA7lOk5(cB_vT2wj*#4VGT(R@fJa=dC-G0sPP4PgP5-QAXQP6z2KZsuq^nH=Fkcb3) zYN*~QNEO-|A>H|R!QG0k(g1(yH+G^3NY}N9aw;SQ>0?&ZL-xWyy=VX-Urs}VAcBydpi5U@KXPzzP-s%R-HKO0P!KTT>zLbXox<8I zNl8fy*O`pzYiep7#<$C$Mh(R?XA^)~QkJd_SwJApT8T#-2F8I{jveJt13rim)o!+w zZF!dwOxePcCn%(7g4w2IfvTYQzn%cXGF06M+Ic~IwiI2!3CJ#hz|d#!ve@64h77#R&evPwXTP>Zz`x;54Y73raFXPkZ>lWp^nt$~ zn0U>FN68`BI5|T*FKyM!KO$!@V)PdWlqA$yuDS1e4af4o%P^Yzonh1uScV0a``w`C zsIs^OT%as2&Cuc^)PDvKxSf`GqSVW4cK}^~?Z0QN2$c5h-&_FDYx7#SgP}h--@&Za zd*ylLP2asjT@p~+MXkh z<~-?0S0bJWsX#zXZZjMXicX5MM*rd+oq{5U-)TqRBH^JcmHYLec%`y9?;qpN`-ux^ zj-d^^ip@U=+rZHsv6kC30zKD&`2W4Cb3I!?ETz&K*@rYw#G?|zfU9W+19ew3Ff z?mDZkidX4M5O*CH{oQi&0DFyVHk5bEijuzx2QR&dHnl_sNwN}piBJLXi}rr0J*C1( zlSPeEZTVfFwEp?k6mx6B1#%Sxv+dIx#3=U&SmB`-38Q=V(rIHrW&VP;ZeV-kKKSB^ zUi+>81o)vJXh8w0HPuuwV}jIdx>Dcsniv?2$=m^iqNf7(32^uzybajA9~d)S*^RTJZ721VklHpxtzI++m{AFbfMP7=&|N2qa zQSq5%nQowi)1zT43UZU=7;Josa7^r&`#&$YUxs7M=H(?Q)gh&NkZE1NMm@9KmQ&Jf z?shKOEQ^{B*|_dW_y#r}XYl)O+DaP3aAIXyEKYx|NG>Q!9uY%MUsPxtVZe`zf@x>F zqvlM4g1SrbSy^%5uyxR8gzZ-AP?63>&?hCJzK*MNj|5>wloOhyURyTS6ey{YDIN_v zu3#nUd}Ki2JU|h>iI{=&;$9@?jcUV^$7=|5>q3^^i$f%aWQ6f4iZ4?Pvd6Ar!q7J{VkqYs(4@R*X(B`H z-}F{6=uJ&5D--cNd4mxX!FK>kJCb-Th6-<~U_oT3B`=rpJE=w5ohbweDU@zB-*~0> z_T8l?7PvTzRZV9nn<^O$k$BEAg;FdRKrzIFF6LAV5W!H2y5^~HzrZ>?0c)#;z!6oP zqFp3ny>#dgPU>`+jP6Qgr`i&i(>pzbbLmt=of!*Tlb`ZI1GODL%Whg0jjuj>~FW 
zr<^c+QFwNJ64_PfuAqSPobpBf=q?ONUZ9z!_e94p@Zrr_J2z6|P``eXOV@Ak%Bhxr z@24OR-Ju4N8M%-fF>j}Dga)2zf0k&1ln5p?VUyWWj07Q_9KV|_Boa(0oNuk zP-{6XwQ{!^LQxTg(pdP2d#LF0H?slMo>LDZuVyE4A#6~AP!EPAhNjKQH<~c~McdaG z$bYtiLan4{t>_RSfU48zS>=>QE0**RPRuunJm%uD>qr`c$hVhmD+j#@N`rhi z&w>R#aY}Me&6|1ax>eaWwXMa#q4V!(?hjF^Tti0(Pb$kjE;ELAR;e_y#ym|yL^w;+ z=;p`YV`ZEjCZrJo(sA3yn-7*j4@TSzpS%O||0?LWa)z$TOCcXboJX|EIJGf*G zK8m{lRw&=4!yN(6xFRzH7Yf1{O2i}O$@tNMyHS+w;`n3!lh@@_WLIo&p$9~BGsQy@ z5t(_@hc#?gUo&oLW&&~399*tZVsHg3F4y<5+EyEFF)>hKac+fa7 zLWN&B>B#H;3*^2wuw0QxhzK@|-DYq$&(4KKw(H<6NGp84fRnm>F7R5EZJBIQd#;UiCGI5)Cv$Zz-s{$DOL#CI{SsZ$&+ybAA6Cckc z4I14pmgJ@?q_BOg0-wVTgtIh=WrZ(3;qwK;f;G}xpo1Rh4NAKSLn{R#A}CwZ*s0|4 z?#AGBpXd3;lYr5<>WL>}!Q;V{MpN!S`L0GB`gQ`S(|^qGX0P4xuha?~^$_==#CYbI zt!uwOBey3L%yqE)_BSv@ev7-Bn7m*(j0!GyRTPLr(_XYxo*(QYG`SgM{m5WBNIxPJ z8WwHy!- zzG^-ViHZUDT+2g(QFDS(|9!cJ52J+EB(xU1GYwX} z?r%{&TuBLy1$fD?60EWrg*1TEscIpFddd}jh( z{`ky~*D@N~bRzZ_!Fnk(7~=o7P{CnL;N4rpGsswi3&Guq$jZV*Ajt>^m+cRs;DQc= zE+OEv58(3WXCK0tAvv1Q!v}xD8f+u@dt42F0^S`);i~r(>jeVb{dOIE-Uci^+179PD4w0R1CQLtvQvbL}=Nc z{>v5mpUM26$^1KD`5(#rpKbpCx6bs*!3U>0LT4;jJ-G*gtt3dFLp zU*18k)ijn+`#ol0RnfTR)Cs^9#@Fg+>IO$lW{7*k$H&JVoI?~h;V9eTrqf++s5V8E zfv!OnSc#dX{^CRs4v|kaj(tx3={569H;cVd99I~$hy*PTcf&24gD@xs9d1h zs;;hPxOtNn6k37a*3z=Fp(>sq$n@EG+bGQag6Yo=Iyf3=fX|!8(j0P*w=8u5aN#`VLi1k6!lrW}0ZKE{Lgi_r3@$dASv^ z%oX>b@l;q;nKR7epmJwvJ^uZ@AI+EJj>aXWI}S?8Ef+pHyD7LLa^%%IT= zF)%T4InCvsqhs5bme2-*NWMbuto_YddQb><+3=1slmBLQwZN`t8!s;tlkD#7}wLl>_P1+UMLnxekmu`3IkoLwyB^Z2bYir1`-g8q=11};s z#P1V%D%4S;Qpfwv$u@@3&2dG+&^*oga> zN-X|)d5!keap{Y^EKg!#FX_Uj)Ke2+j80Zct1EgW#uLbNj{}yczgS;C6u|5XOyKyk z;!-0F@2F{@#y_saei`4Be7&q zuVVfT9~{c%QX@pkbNKza0Dk7LVU`EF##$s@M{?!wxG}c}CelG?2c{vp5WP@A>ht>^=7Sj+g5vR5PbveI7H z#4)=0&CX*#axxL?*)S$&x@9;Cxj+jhYY92)y%h2>uF|izP9be0u>m7)Uu|zbLVh}mXm$->)Pm`JpR$mJ5gNK``XkN z_Ogx%y@#v7AF@M{uqaL zU*h)C`#ux0@1O+?BK+qtiwNkeO9fm?ukV}OszvPA!pMOdFiBtFMcs%8gXV)VZ0ld zLSFq&qs4)`ge5k8s>|*n^Cb<^i09cq)U)iqD~5J|@_zfPoA#-qt$o|@m~dA@=0oyt 
z%B(1da_N}eS*4m`MDMBK+K7;oOmQi_NoIiEwuaI8a9)b)a&n1B+U78e{RtL;L+X36 zAIU#c8fK~5QRXW5lET@Uw5aJsCpLZ=&DC7~h5sOQWvH(}06GyT72VuaaW7$b4oo#h~@S-;nEA^FiLVBTF z*QS$@$YjF92WllH{!Wz(LX_8zaLL3LGAvpmSXf}B{$X(qPuh%WtXs`giN_lTZ<$sL zy)yj(68PTKOL*jzl%Az$q7&%y1Xw3lehpcgasld7`BnSca-M+z(xSZ^V_aOXo@2`? zvZ&p`HZ;C6~g0E3cM>SL#E>ffL&~!`8Bn&&02YO^#~L za9+n#bC7$rjz?3gqf|S>IPOD3@Ew*nrjgUMi*+>VFjp~(nVGLKqw{m$R(NrSLn_gi z?Wz&Ku9&*2gM8q3`#b|phAvkck8a@#qdu(LW?00|{n&O6$JhJbUPl{xlBZ9J+C988 zm%&Nv+<80^e1H1n%fs$~r$^gtR{N2CSzRqJSf9PbxA$PxzNdjSr2e#QA3~kx@=j+U zZ$@+CWQ9zxsD0+}g#0MOBL4P4E%AXfu1}!c&c;C2w^cgc4ezY4-JYA&GMcl75*zK0 z#+n3zB_mIt3^kfv_1xv*bv|OCfG-@K-t$L$T~ZuhidgP!T~h0wGV8l#nxii>RZ;8G5|YH*SE`H zrIiqOd?+corj{O)FKSCD^u@~XTcH1->L^&o}WeO>CZzm?q7!0pUR~_RW zjpH=4U}7@S$EBDBc>3CC3y3!F@jp%dY#P}Uz@?;<*o;6bg$!Fos-KKLU0iF#$y?23 zF}ovQ*=~$8S`)l8z`Mmepr_bDkMy_I6><;tySp({u(NPESVl zQ&Vac$SCI4ZoVfOm_XJL%bIHhUo)C)4F8aTL#X{}`O^pHO1M#JrbftTuJt_nYvj*r zkH()qyd`O<`@m?*_EW!utYk5^hvOrow_KbxcPd95oD_^F*~hL8USDq%%F~>u{48JU zq%md@I?TaY_88{Q#o{VZe^u9~_zr`~*YYsd4I$zjJCYXdy%ZtBDJ4D5SAw6S)U(E3 z7tI<^*l2fwc7qyBRp$7EYXvBqUA731Vy0z})t_~`?c+NvK&TZ$XlopkuI5oInslM(TLSE6QJ@`0P<^Q(>@tl|@raPT8qV7?;7!Ea)`)Bx z47{qxu(M)0$#RfPrw$jN+@T((CM?wmnx2=ADW$rY(8t&tfWuzP|Mk9Dbijzh*pUCL zWX(Rk{)gUAx;5z@7o*L5Bf9wccNj6ry@k5m%(towS4ye{OB=d;TbAIS#Lby`sWn%O zJJNRoTk_s#HnSoi1H zq`Zfwg|@gj)ymUC-c7k=T|&Y~hF3rJvn0-}Sj78EH>5Jx4(b_MzF{feuBo-woo8o{ zoT5;7=3Gm;?H`JlTXY1=`J$lujO3&Qk;IqzdSV}=OD9vhtoH7%n!tp^v3}ttXLo;M zv*;hPnH|dMTACE!Ykb5j3=>Y!5fhWWp4*+X#zQCb6*uDVCBg#LzcTNV3lqk`0+s@BezCbA|@1@Tt&dDqw7fAHiF-VExV zjtLODvL@6en<+LSrY2{(MNnms{$)#`*_mq1cauTc_pCEeUg=9M!#KfCmC_+~&6ct8 z5WmTc{e(aJ?4w1hFC9~yS4-y>&H%ovf4F1=>z=<^ZwjEA2N>iZycJ%mo%n2 z=znS?pq$5Bug|KsUZD9P_co1Eljl%^&5DzYFgecLX90g?-dW+<9X6w>t(!HH>5~be z$p>%#<^udIjXE0QH^h1?6$liFQ$*Xc+^ZAg9g^Sz`Hz9*%C&AmiY7*b{xa83rgNqY z#XU0Y<5yNdcC63HJ9g7^%YQET5nX#!cXjE47XaoT(qmYwMkTUp&Vz{PDc_yTHph{> z-$$)m!(bnu15FOf@h$6RI-8e42g;!oR0K&VE`x)kgx}Jp7NVJ!x<2WxcE2v`Y#}95Op$` 
zPt63L`7>*yQinhqk;l3nFXN`K9=_Mux<^uSa!y_z7GQbmcqH@vV7yp%b~M_=Q@`Bl{k-A4!%78SKXojU1%eYu3fP$edba-2Uq z-8_TNfl$)aysuC6E%g3u<4q~_kH50pPRCEP{ug_18J5SAbqxmz9yGYSdq{A&aSIaM zU4pv=ch{i72?Td{hZ_kA1b26L=WWiJnd@ZcJl}lp_5OW+r2|cO*WOjTs&=itR_4*c zk8m2$?Ze}oBy=-f*iX zBeUB%6R=(Ul;nLp@oYHW^+x(1DsCp+1YcrO#E;NoSZ(ZZ(PJ|roX(yx1==D#ai{!A zjOEXN=B7f(_elv}eWRH!dXW;fFa#9vbG4@r*b!%$0*U9J>}jp4vB7DaEMU7KKwLF- z;Ct%3uUT1wuRak7cxk=z0Fy$|J!?%&efyx|2*!TJCHI(^mNws=x3%%tlCCx^XH_{u^*tEZgMKta3t9g z1x{|m4gF=l1p?j2irUBm!A>V$xDV2(L~u~wQjRoJn(&jmo+ee+dM2mRxwHDM*wEhM z2PqzQl`jtHMege2am{cZ8k(9DiREdzkpXH~8RS>Na6>rJhZ_VR56Ot)Lmli;HqYoj zm@l|wFa*3_Nw9Qc45$6WLN4Gd-Wjr%`hcQV=?*Pb?EbfCZ=~C^z6xVu45bmGpp*D! zkOIl^AGXL1VZ5jli=DT02saDfB!X$!>+EH=+kwl+zbA zXV*o=1j4YP(iV#t8(ae{7JY;+^Vw;zJ*=Z@yr@z=dYn{;Gu7gawDSP0XV=4U4jvdt z_R7OUL;ksF+5QA^^)gfvH$9bh0QN=a(NR01`5PGFuf&_@3Xp91Nhv8a;?h4100!#k zm90$t zP{_~aBk!kXd%2iSY4rg!xYqzp=rKUtQ`~-&Ni7t@VKGTEt*ii?88ebSpBca62QpK& zR=EsDsO}nek;|aJd3UG`kn9qP@``uDMr4_h8(AV1g7G%04MTzsoL%giwvfJjeX*ok zQ|+jL#i%crj>FnHv&)_+M-+K+XgG%&J0VDl%55SRks>cppE8awSiw{ ze3uO@l<N0Q5kD2l%@J*`_6qDQ`Za4-O64EjUdTf@Vg> zE(D!!?V8Nn6!;apDhi+FTa|;Um zbUBdFy&ycAL|3U8u=)>I82pNAxddE6aV5VKQ9S5iwb11B2QFee7We>z8*2tt_ypMi zL<3@G_v}Fzh{}{LqT12^0NTF^VSgN2tOf%ajT4L^>*CN5G$S@;74mSiPPN$mb~aHM zBjY$Z6)Iv*+ZO;2QXhcQFA_mKm7~fx`Y{S{dlh=}M@|@vadQQWuR|N1Dqjy770C?a zG2uM2qAdb!uBC(HA)zvZgSo{eVo8{r)Us*vckOuoy9O?F^uN5XyNN&apt^Ckm>vRo zzNMQHm)ADkCX)jAq0w-7>-?w?VKQFQ3=~X3%OZ!V&(cZ@a%|aX3?iY~YVheIJ#b`i z0XA!81L&D6HDotr+~T7i1T_(X)A=}@L9VK+V?ayf05i>Uwnp+mo#77uX_EOdgawBTKLe>P14&( zhmZsdnk|KF%B#o*rLl zse+ZZ+F*dou~E8A#88p<3OxoE+YYrZeT{&c8lx~0iE7Xd%De&he{?nOAAk=fwEYCBgXxG8qT^->_e33J$dnyP16pQGl>C; z^z@Zf0pK##2=~FKnXM;=v-aSK>2&cE^tT@yT*9B&WuPg$7ExhDZ}$Q8Tb;>9`_ZQc zQ#F8^OjX{1^D020Ub}(>y036B}3e()deUJ%b!+ zX9YjwT)_A?E!p$N(c2ok%Pfetisu>!=f5Ri&H_!7tW`!R8m7>*ZUWP)zVbaJttk>Px@|)1Ll;59PJ_QM#WeuO6a~Z zB|2Cjf8Jl~Z7XQ_zP3jR@;_Lf=%K@LgcgK@hGZ-$rT3Mx7a3PF^dFCs%`!Yg-*ev1 zir*ozm!YP~LTiwT#df0DWyM~hX-nrs2gj1l9`$99;V#8G*xSd`NSwxBA!O=T_6O1e 
z1vO;U&z^}lOlhBsK35jvN|el`oZgWcI|+#pd~+xr%L$fjS5SeMiZDj=x6Cx<EWl>;uYeG3v(T}J^vgCmrWqqYZqH4U0GkKrd`nm_{5J6@R<#84}Fk5<=1M1eLI#9 zV)ou5yNgwf@*7n#v#hfbY;OMme}D z=P)dmc%Bc}2oF6^i?U(Njk}a#I)zK;-%&jniKaNds0XUG0B%c;icy6oe)#+(1VZy1 zNq&sYPXDD&A@md<%(;&@=oIwqMkKj;d7@k|!2t93X(kZ=g+g(RPRoHg$nI6$K_Wbr zLi!LNMew{_Rc}CUEOG{#_)O61^Xyl-fyU=6kKw~sKn+O*YzbVz>$sGa@e_mg;6Y>D zfP_xuZck7f+|>9uO+PMCB^um?4*V6;S-Vh02Bn5+fmBcSNzs-F|qh zV`vK7tZ6c6Kp@=%1t{ODMd$kV?OP5YyBI2O`XeJfS-v@Ia@6bHTc({%Ss3^wuRANs zu+Jdc8!xIWJxNJP?D!b<{Nj z31lFLFJMQHq+vd+NtpJYMGF`32YHvJ_mZP0=`t0B@yo{ACh#}5cN-U+Bm?Sh8$ao- zzpg@(Afmg9$Ys$Jh#TJrlnsnlnH<)aH0DldDdKtc80>uBhCD^fl7<*&u^f{4 zP!+dpt65FUg@4F zlCHdqAF!Vp6TF;=6CO!`KvvJ|H5Cy}cOdH) zC|!!TjRJO*FW}FieQjm!N4XPm4fbqzKIJf-*hZQyBz19t2i$eia79I!mkxTk6mOGx zbI4Jdh(KJHE*V8%30s6t{JfNm%u!GMJUFuiEmO3KQ#s<^m5 zaRVKxHf=LJp>r>LWf~anm*~;Ij%4WfB@%b0N84V>cR?KFAl#k3x}|)g#z^% zT}uYt`-_a4gjw~eb;DRbAnXZztleeZ;YJ1-?d8d~ z7i8yESf#;??ml^C+}X9(-lHpyDqNIw0ex_D@Tao)7IgS?e&1ym>7%3&N>s>LU`NF3 zWoqIM6hCdhg6t#?*G(%l^f$*$@*d>??$ z4rw$Vg^%8bgYG9!t1du8Nm+*5kdT_n+inQv;nBb@kw>nq`kv2uGpc`bZ-`!8o#V~@ zY!HG70)t3#3Z`~#)xn+tTJ*9`dYI<8QT0lfHMG#7a!cu9a&E|2TTEDb?_lXhp$03O9_5?u(XaEeWKArtKMoQ4 z6$T>823TQy27n5EAYWrkbetUj8^-isTbR{!!HPLKn*J(RQ@wAuqN^mP-%k77)ybUN zbN4>{s0omG?n)VK&Gny9W?lPh~XQ-NKNCyy5c-)|LU zzX5muQd#!r&wE}0y=s*zz69?7;*ZX)fN*nua9#O7nEqcr`0EAgyXO^qs(cmM-}~#Y z_x|hpXFY&F{aL@(KlY~();Si0Dc^27E*N}FFX+igXTG-r1`AmyJ`sN^j%nLd0qUM2 zLNWBqK3wo)C;k(__AeX%`$dNq@JT>IP7Uvmy}K{JU{+fZfpPPouU%fUYQYfXZgE9b z31n~Hn*0+8*Bnurm34|Y&bNrMIYvPSO_)T}~3LZNvC@<=O z#Z(5f?*i;WKH?$FS&uOV3&BD;L81!a-Fsi8p`Mzcy{Hk}KZRKGE4 z_X@Mx^x0%V|t*WP1B&UBcah2gL3(twjw0si#3*V8pMl>stu7KbgKAL zhW?%zjM$ae)WLMa8Sl_8Hs~u~Vz4&TAdY;ZW@BTMZ~Jh{EUJ(QrQEzIs9d&rt~Xv> z(|{T^i_lW}vPh?Zv40SSAX!@j&eV!)ux>oZQHOPRNF~Q>-tx6E#6_*FQL^P+cv%R? 
z*%{Jaout~4C@vk*RqBufMaW2S@P_y*QaGW|zkXWT$jl4n~qWa*Cpuo5@#zwLlFIr=eZI%uO-fQfS zhbY9Bu@)m@qA@QZ$!uMPd*GWa{B9Qtdk}mtiu%i{G-MbUMGjz%3z!)u(n()@;E ztU5({Eyo~|sDFq0Qat0oI#UpGK@teDhq*&7e>Ox$m_)5dzSbCKHoZWH$dkogC{~UAxWUHYr}B`_r>5q?UDnDs*ve!hG#8<7Yi`YR5KMuA&OhyE zzs0#Rj@o6~^~TN+^zTFYKgK$GI1mj(F>NOQ&`m^7^s#J~S1z#Xd|}F{(x%}1VWtUG zr<%-(GKkdaJ}%B^V5@S_#bg>=*Ba2kv=6zNusZ?|8aGBnoI%ckTOG;bqPr$0YdD6- zSZBVFn$`ny+Ebst)}fyD8Pie+38MLL_Q>m2z9i=C%T`mD8#kX*fevM(Q%NK(Ca(_- zuwpFX{4a4LM$iTgs2`~ZpEdnCtoWn^MUa}!J(CDjx$y(dd0wKy#b-;oy&nH+yJ{IR zg!wK&TW3@d>^G^ZrwRmyFf))qk#lKJ8Ql$~G#8`MjXD9%N@p3JQAi(zC?E&Hq77qX znsQh+wkn@bu)rIH6Ih{e3xdCzk%ff|Au@h?!`XuK-TJ27+%> z60-yK9}j1NhcIoORfX{4;Z4ppVu1PY-yY)w@*#t%`)fhqe|+YDgaAdLEUELgz8>j+ z?W2Fa0WcE&e?02{%SbFQfyT+8!C?9Q{et4J5C6+G(47C?gulM`f13kX?|;1mbT;l+ z{)kS&(ODx25q>Lf5(wPwJJb3~8Ibk}h%6n8A59KqIa|G9or#IVc0MC^Q(1F2pvl=3 z^`*fQb>tO}>VB2}(153)t^hBtLt3TyK(}iyXxwXO6iFi}m84Zb&-SsWNw*bArkR*M zC>Y|~RQ`a8xZw0W6A2eaH$qUKe9Y(Ty}=3B@-kdOwnGg^fjH;(D9p@>!WJfCb|T!! z$OiLSBc!mL(lkB|UpynjX&1%XI+__M3CZ`p%ZSyi9RfrOiMK!JhK{kmEo0XQ*?23M z?C>m1_z2(8vy#|ASN-~0U^|R$B=pz54;&u0i7oGyxAzG=-N-5Ludf>cg4kSjblaXS zljD|1L(N&*L{7n1Uy*kjYDlPq?zK5<4B5@A%X4$j`P@z$JBwy31|_j@}#lwU-r zMiGe_e}zgyMmd!hBK#*7pd{Zz$AUPlCA*cQ;3tv$uTD1JR$SNncB$?&^O8R7gjW@F zkazJ+^@y}7Zmbhq`<+(T3*Ug_OhFAVcrR8=wMq{Rx`h|FTdQ@IJDf?}co<><(N1@> z5>NFoGl79PKRu9il`{Mms7z;K*Cl$F_X&_}dw!nhyzlaIt?6;)|2+x{LPO^+F+I3& zRaI9jC@H-L6`k<_=x5m*4ukL2%xexWriMLG-)-DnapPBP&IlB=zskH+943ri{Ak@t z?QxQ{RnbI;9WB7kZkey`wEs@oU<4|>S*2&0H^K?O*ly_H^IRzVta5H8fwb-{ay}z* z^n)rb3=Z|1M8g39kTnMtt>;K>NLre}Q<2Sv!cMg%`kl53T4Pv?us7FE!0ToVi^FX6 zQ3B{wSfbyXE|xWTYYSoOhtqrslJNb5-!7*l)n(~*Im(Pk2A*9LF)XPBa-r~|yDh%j za6L^p0H?6Po|Vg9)rmf_p%Ak}IT#w<_Uh_%q#n|`+Fyngpo(KjV_%lsb1aq)^%_Qx zoY$rll=Xc6bNcyL3|&nT)Yc}fBU6yi&I`8gc!#;YV1{d|{h*pQ)&I$LaRyJp0&-_L{W3==!F?$f5j)*VXrZG;PC@x>A4qa#=nhfDn67BgPxPb? 
z3mFnqh*x|A`f)W9@DDdW z3LiK2$08l&gEBAU0XbGr*ZwuJ37$du6x9fL)^1aQ7W^-C)xRkN_y$mukOe)%L2R2B zo+T%VyslTQO@+{e^F#0}A61#x4Bst-QvxWf`>#I`ECf+n)Qp@Ld=%(KI(p%YksqDz zhggWiHeT+(>zFffC>W=G$1}#czH(HceE)bvw=y5C%k+!tftiR4>gxSOAl%4}iW&^lEdXjz8JybefPt2g9(CSx_bjZT@tMWI8(rR|gki0dnSV7ailim0y zN;63f8yT>66E8o=QOmw-V5M0ok17)zC$#b5vg>rs%|8a_5BtA?A zWBSso(em?dHFD-T#xUWYrl@Z9n)1E%5$#4YHi??c+pNQDToO;Xpj>>9a7}mWh4(KtbAOzRUkyiAX&b>+HdvvAE7`0C;f}lSOuUsi8Iy3X}ueeu{I0 z+$gx`Q2+MrvX(IUeu|eN+(@^p-OMMXen~Rigae-HPXJEV%1;4R2cbXC2MpKM^m6-*vyQf;^&&ra~H{#absz6GN zbhaXzkcvlQr1jixc=z<1Mkqbl4b8jTPRPUBI>IKF&A{fr>wj#pI)p^BnGVQ*M|i?2 z*#;f`<3}euvlXm;_{sVKi2f`gL?8duUh%|j0(aj22YG{3Ux44s7y7$L^Y`c~N*;Ty zIvP4eBg!fU_a&KYK}WN`pLr_QCp^IomfS>*m4Xu=C#t=BW>~9_m)9Rb7f>ySP$TvX z+I56(jVYXJd3LF19S_&{l$jXaJEv^C?FVoORKuMMs=?D#Wbq-SMs3l0KZDEHT-+`0 z8#Y$6Gr#vVy6AR>K`p+hv9TCP(qE}Dxi1^uDzIzvAor?1kZw4yKH%#0je;9N;H|gB zfT6{Pp{=ho=-D}9QD{Vyo(ya5Ce!-F=2#+*lAut${FW?@2x9R9gY`}PT2i@XFiH29I+h zPQTlR$2F`kdtJ0h#A6};PUeEpC<)WY_~kS!6q65^(bqLxu)stkjlBc=Hc)=#RraZ; zpUULXhOe$xG^qyvkE$X9e0*M5s}6O^jg9WGkx+=!Qv7RQz6KPDO^w$<)zF4P2Oa0#mjHN1*Gy$?{GuEQ{0O4_45{M0Pk)6j{42epJo% zAX|}09oR95@ThRUX|UNdPs(`c%KCe!m#bwo+P_iWp_|DGLL&_&GAgbHT9h@yxL+Oi z`n^PKBE(F`;TA0^_3Dq`v$LLa?nst*ChT)yE)nm{J>hIQ<68$%aM})562zhXn{u5m zw)9KX>WG{IDX)9K2XdZYO1mC_>%nv_L}&T0yR2QZ?7vRG-z-eHoMyfQ5p@%je_uh}PK7G&S4a*xm-s2J4mHreJ(AtJVtiIg=@nhRz<%`k63c!J z9_LlE@q9TXz_YgJ=&tI0Pk{TR7Br!}lg#dd%tUA|z7fTtR#^}8Zt=`PE0qr8K~p|j zW;lfh>SfA+gndJ8asq#d`gACzF|6%LGQia{pNL2*igYKuz9+a>i9ldY5F(8j1W7H> zGp4#E?8~G#YRTj9CWB2-xeexr4NnjkBG$^7WAkA_b~sL!m8t#@;^@G4(GYm%^3kMV zm8e&@c9yV-EsrUg3x$V0@~0%5$Vq3wl1Z+7c>!-BG}~Xz`{a_Xgg-7q)8u=XvhYDc zv9+MsqC5c>HH=L6=la>>Rm44oR4zQZ;iLo6oKVUN(+LOHskcPZTiT@tn(A&a*x2g@ z5UJlDERN4ju!+1J%T~Mo$|>+iwkhCQ{5{@Q|75inJUq-RKvSe!kN-}VzC$xr;0)nN zlm6XWVeLeN@mSz=h2l~4%$xkqh}d6tOXHAlln*<8SzPHW?K~vMD&kf}(}v?CZ@xAh zI3PzY^HwfwCW-jM2Fo56w0aIK_P>AoAx|>m7&x&~t{yXMr^}wj{A&3+`1%2;|6Cbq z1OVR0vbT9QGt$SlD-aw}w#EYw$^5(=9f5KV?!0~{c>=w!UhWhuRw4{tWprwXW9h3o 
za3!`?VZ38f%dLyxZT2S2n3?o($7U8praJ))6A!01UUSE4C{jdaZX4Y%coHsde!URnF?rT%7#TrX})u7#a!k3C(e(IuCY-<#g zym#URBdtWz)=8yrYXTY4do^yGW>>m0Fx&ekm6md#OJyb+?AMKPj9k{vPozAwJYiI2 z?`Xe8znC1T%hdrzBtB|SNiej!)X;@n49YoD3%kRv@rk+~%y6`^76q9rW$Z?`@P79V zcsM?DPh;WueL3V4-En)dr=YDJ2^>SCI1BVQ9GZv#i`)PwG~t~GoZ2T$U^`dd1FP?mq3zAa8V`M67&%ub48J7;%zjBLrddO2g% zgeULW0Asq+wX&dj?Dp;LF}nE+5(Z?$9Pd#Btxr-^Q&%gitPZwI>+EW``zBUA@cTy% zj~@iCUYF1Ld^s23hm^*S>IXK~A%odmoT}Q9nnbS9FYi=WQWl(f&&_C^hrAMQepRlk z*qOzAg(w%egH6Lq3bLq8Amf6V!!+|pc5=Jnv|A6ccX5?(B4Ik3abhLZJlvP5R6E0>mDBRg2w}dLTuP`o*Isy8R?zOj=3Yx77gd_%PS93rU zt6zN_=x8)iZ-p$tq#T4%?2{Af<(8W}V{eC+wq``~$x_*Qvq^F^jz%EciWI%X^Xh~1 z8!>F@Qogr_*Wf+7wE!}t(_aSHQ*++6Qu*~na{rbz3z3Fg?RZu(T)v#MQH3JG3g5Wj zE4$pCUThi&kD4l_Lt#()Tm5YjKc%n~zoh1Mh7YbIWsc#GK$8s8egZ&_Z3^QI>6JhajYOD49-8LV1 zv>r6t_huh-7_KoR6n!=C-%YR6*Z&=g)oYMKhKUZ2D~e(bWj{FcX)TcJw^K$zfZ_!< zh+I5M51=hPcIDOny^N)va| z5Q5`HPpI0Vf2Q-=8L7t#@i53DRZV2@E#h0FS2Dq8!?c_iBTh18Fs)D?W^2-}rI5+& z7LbeD)vw+SZrz$E+FoGC2K{IotB~RKzi|*ZnAqd78}iG{I!zGB@#;c~;BG;-0bS-Y zD5YOJ06VGX@CZt(FVY>Ie(3iGVTjU6Rv?g1qzU=to=kwjVzPR&02j4KZuj#zne%Z` zxraESPkV?>ua(g|bnwnW29 zJ1#+h=**^71D#Wd-(HWvqCY?pYrq&%VViA_jLihHaUm z1CApm*4o?so?S6JF@o&!Lz~M;(hg)E%ZB^SW;;dMm=Ms?WQEDFqYQr|QE_T{zoB8& za?1Pf4KCLFiS3U>)|$s~LBtkI{Z@QxLHTc$>4Sp_Hkwdr-X1s66iB`5>=Hi`bB4u? 
zQ0lQ&S)voUr%H(FaDu75T}A)?{zD%s88&OcuJm14;l(c$Y?*#$>q#s*vkjzqSs{na z@p>B3=glvMy%bT8)%U&Q^E$EbJ6+Zh0uQepoO}aW>(I+@?Gnj~u=RUm;cZO+HC# zlB&RoI>`1y)t@#w=ZKybW1|YQhl-QUs=x}YXpLE0wX~(r!!~akb5M`IayF07>(;zN zW{X~&@j(71S7+)i^eaILw;E8umz63+As`Nmh$ zlU_lE)m~BXO9|IR-QmEp6xH*XoDR+3-k_k5pgkF;K1p5{$vib84whBgih9Mx5y!&w zLc$t8(G}PH<3w9pzSwGZVTaA+VRtXN>2h14n+|nQh~W-n7~(``y#CDyofi8U2oSsy z+*^rsEt1hZ>A@sP=eKqJJ*&|}=?fG=(4GisXy6eb!#?M#&X$D8wAzt3t~aFT^oh-c zA5yYiuSeA-6ft%mM_eZw_C|Yguw^WW4mglDtpCE?nNY@j^0BE-xgf$=B6Er3eP8B>+R8}VH9m+CyyMZia>H&ko=s*Q zA6}kml<1*+8hW6h>R*rx;M7-6@7K5Y(=Bf7B`Wkxjq7nlOF~`kK>!y9-jN`s$M-1Z z>xD&by=4hryQ9|>FOh61)(C5(4XLbCxd>mTIFG9mgS74W#jtbt{9d9FLEBJgdzuJ5 zp9S2azcdW9o15U`bSc3zRXmIRRUukBZHt5(8CXr-p;L`LG}Q*H3S_nIEJ*2=JYUiy zr*$SMn&{c+XN~l(4lBt{FQ)iHkrYL>b6#xl)Y2`&|qntK+$?0S^M|7>CU-D5D!_ksWxPfwmeACGA3?l_Ljl`nCb%inl;F0FL@>!Z>-H}pl3*lbtk zkjXj}y1&75rpsjblEVbkPo6U5+)?*8H5(ZGI_)DE(2{R z_WRf^u2u%e?pRw%Fr9dGdTlO|k<6~r7oB;1|1Ct7!Qqg>6pqK!DzX6D(`BW)g6$)L zeDq$CE^?B(4lqP5tUu~G1smar`of1M*F-iclLZ{uV7fyG!^kCQ3H*88MZx^vG=9c> zWrTy9YUgfMuZyu1TLgT>!9`r_K2+i1f+?0TAC2qQ-=$lvZyN0ReYx#Tk;`&QEoOt= zA!Gy*-t>Ug(d=@MZc=;5)yNCv8K$*KG&8;yT)70oj^4n}EEYoi%iMv3Kk(#P8sVVu zhECR{=UB~W31q$xiAWW}{i;3l^}VHNls+hCXV@IYrPt^~7nsno)UXdMu(t!~@A`-{6evGguToY9wf^-?{dVMHqes44}dnIr2 ztL`RZB$U*nB>1|NUjD=`s(;K))#75TexSj^8XhJacSI3$y2*{0E_QDZdv6WVzRf0E z1Pa)`z$#&58Lq7J=H`A2B0j=RjbwKA2#SvlY~bX>t!GAZ8x^ zT^$5H&?f}vt@V6C5j`@Js+OH-xiY|AC_8E~=%Uc|1D&$Py1M*8HTm#ip*b_B8huZt zv^)PxY9==m5f|ardq%;$1|$N;4h+P6S5>TnAIMwFCr?f4wCD6LEm4^67A+r*E7q{? 
zka?9={9AlYr$agEj4BC-MT1gQNzdK6K5Gf0@MlY4sqf;x=Ti zURevSTc1(cg+kpP}vlPYFW#%^hy1CE z+HdM|@ey3%Sfs{tY$aoiqIrY|Iwxdx8F+qy;YVV1^d6eXQ5#zQ)+Gfjt58Pk5q-kd z#xEn=f=!!jFlF-V3I1a(#sdkIuDwzz)yTUXjmIQJ#A4WPDy0ZekG9pY;DVg5?c8fVMv*Xwc{;?!i=GU|iWH*jvRtRD=xZU)y;b_VrEq5Y zKF@bi@~ZIe-yv0>huh;+_uvEwTO8?XFKf@*ebuKysxo;j26Yz0)dACJl^(dJk`Yc z=$%iv8uTtS!R?>;#Kkv_)e53D&5%7glH1K7kUsZJb{o4E4R1Ix0NDpAF4|kF3n&|Z z09`A8gHXO?$(>cl9siYt8Y7{f?IfAWAjV3t)sXXN8a{tpg_`NN3w@ML+=t_zo*%m@ z6;I3ODiPXe+{G>`H_ke&*lO4~VK!HzQu1(|eMz}Lb~G(LLS#0bDmTJx8($nv>6Z0n zTk7|@m-S9AwMJZdF4!VHANNrYIiv3f_b))jWB#Ul;Y&nzJV2ef3>5jKHq8RG+e%BV z^#IvbQ>aIAwSv?2X9E2?mhJ5(CTb01iq1p94;2nR)oAanQ#D?V9@=t`=3bs6Nl|Au zqjA5|GBdXf(&i$6@&45-i5)*a$?nOe4G~3$hAKyNq=d;*74q}V(b;LZBt~4?DET_% z(Zu0Em3)M^aYE~=f1I+E4_Uy^d^{xV(}1~5Gkck1o`lx_Av$_AF}LJP%-V}@BM)3u z(50xmHBA2=$$g-kQhd&j^ujBT7C}!^d+)xHQHo6Q&2s>YZjzJ^G(GB9I!t2U#q^?RoL4`fP6gwLjo9r_tI-?Gyexb(5-Gd0cz zCyuvDoy`xzMyjFf442*H**y-wEwz21hvfjQ&RKs5jKe*wE}uR&{|SobKVwkeII ztI9Sb{xVLL`A5d>7T|DMY4pV zNcxr1_fIUqUshqiJ^$~1{tYOV@~7?U5c=oS{(rq1XxiJqd)oi_y8oA^{olOkf13mN z5db>}T4gmh;#yf*Nk~ebY~BLZ=0Jf220%-o`V_HteX?fTs0AJz^qVlh@M6m3N|y!7 zrJVE!k}?0z`#$IOd6`VXy#^pLv7p=X{xy)ccKU8U3N9NoP@i<5hr3l%S4YOfqj|9b z$ki0z9>oO{TwGk>u;}?T1*K7E@(@J%*g0|Y$q8rjn>!FwP>4lmuv}`>hQ||$sQ`*m=e_O@AcSDh zC@iNdAeQbHuatCkZugx5y#&)E?T)pg5%-78L-LtKvAzyH>uyG*X&7Htnx7P(-#`RX z7}=MOWxTz8`ms|e=P*kHPf8~lf%kqRcf`562Y+Kx4` zF?od_hs6-dOuEf%&nv@5np}D^!sIBWc8Vd=>(1?zB6jk2a`vcRJfrrqd9sV|YJM%^ z#+bF6{RglA^HKY=k-SbnXL1_4-`pt5@omH>-9R=PLG++_UkiKOuMy|>bo9slzEJ<; z%%KX9EX!K1j0uf~C31bSVvA$baspFlIkPH~5Q-9uwJuOKySDUru#`3s`OG6Z5)e`X zo^Ex2_bjJknisskN`iq4@DHXdKF*kCI;r@lecCM?fktHhn=nk`+XWxeW7`E!&G|H- zRdweV(JKIml5nq`1LSo0syc3zUs6-IhQQZ4&L8H1;>?^r?~`y{PGf+yPTBNC$RyV9 z{=TTVOh{QdfqgQ`?FH_h^gTdC(usyk77J$t>S^=51GMV)LXfM%q5kguY6pOt42=h* z(Ht0{#kBLH4$6GG-+HEbN|%H~BQzRYB|LJ4eb(7=eSCe=aXrM<9 z0l#DuvoSO400>JqjbYUFNYryt7#4+c6|qAg5ambr6-^? 
zzekcf9r~t)ab6uX%LNG8q%YvDhYSD`aOB;4WzC0O&5IXITiaoek6v1UW(^K5u3c0T zm_YajsJ>bSxFYGJn0bEZeAtljF}$)LvA$WHlOkxAe*0_^s^}yfqp_UY+6i?9($A#N zDhkyY!rbY7o8ME@6GaVBCG~;*d&5!No$X2>Ha7-Y)hVE`GGeP@Lg0;+UosnmNs36V z^m;L9Prk}PWaNc*yBA-5hvWPAav(P`BeM5Yn^F&H+l_{2nz2C2FDNLD(b(8NE{O{| zC^$Hs+>7EJkU-pYv`n}X;b%T=j7<+&U&7NdL5(S`*`N#u$DghS1NTzAgGDB=ZA%(x ze`=AE6Xd4`2o>s*l8(+BnP{ow>`gr6Z!@Z4DdZQSMUZ2Tyx3$1BW8@rKJXVqK|zgN zYhvMo{Q`#7=-4xo?5oal_BTn^JaGG^BaGN~Jd*Cg;{0p^Uf7KwXqZsyjl7ca1Vieh z_9w3`F#Ju~*~5|dlKMVLC3e(;QIhyhK7qKxAnU^DSMhX0YU5zZMq-^jN)omRUg6Ut zzJ8{>?}0T;jW~paPCYa?C8u zT#uf@JMQ(jpGb}Zj0k9!c({&~XYU>Mbu=C=)1eaqRVvWRS*#T`441BAE_BNI^^Tl( zSbf_?sq1kkY&tw*<2r*Z?zTh<@x!+GS-%XJctnYAqvR6xWToY7B=x9pf09J^t<*!H z76nX-Ol%TPUYe3Za#t06f}7ZN)qGm~Ahu%4{pSSb;czau*bMNJbqY!1ysf;IthIWviWab6r#=BJ7%+*<^!;L1z;cH58O&2`$=@#aM6*`hY4$wYuJ-(#D|rLQx?kqKAaO#z^q{5CP=r zmFj7CD7Aw<8DH!K#OYBELB7&psC#umeA~Oz9A2QoQ35T)&q_aOS`7Q4G67%&D_oTI zCJ~))J$fdO)5WJ0B!>ILLtr9%ZtG7Z&@8RI~l z1kP=#A#dscVazR8xLC}xhE)XdpagQtya)mgQh}ref?URriq0mlB|)1nfI!2&wE@~p zmiVY>&~`dVKXMXh&lry*#kH8o6&cafk&Ywvlmc{#w(!s%L5Sw_8`NwOesZ?NToH|1 z52M_;;aE`K5t=(mW-M@XyLz5C5e0V2LIMqIJU=lTc1kRc)QxueImPfcME{}5x^F9q z?;0TdB!4Xf4rfvKB-Iodq{Ki6*ayn1i-dGEytajj?O{0BAV|pkwN$m864(oGsxu#u zfGH%ey4ml(bNF7TO|7Q3mP=gPh)D_w;j_xOY#P?&BsD3d%?*lQN5Y zOKb11b=q~{zI2yyCZwUm5He4~EWDA^Q_+<9OUp$rw6kQ(58Yq=CaXtJg+KQl@J)m8 zlrYt&z<4V00D7Vd|1>^2_<6csQ3vlARa6uXbMXvW_0wFeU-g#@0t%m`AL(1*fhJPM zp!>UV0d2FE%{6^)8ww>1`x#kl4$xX_PBa4(ooRaXm<4Pj8GxUHcj^Z=`q0}p=AeRe z;YSsM_8|z$AcKNL8*RW!8;O5@(J~|P=U*L2Ci05vE2TNXWAQk=9b@u*zei6e>e>3AWuhA}{8JkLFgoyq6zm;L z;KLlcLs8k!x^!YYqyR-ieM%!qZ(>^3ZPPZb@MjyqQo`8WxGrS$O`jvlS{0nCj0%60 zLL$=pNFx;rf-*vR4~W#hkQP>mTHp{g!Jv?T0caV%6r^{;ltRiI@wqurG+<#C2Ocye z`R)0i;aAVL00O~qi$wYJN8q>V7uM1seR){5+I@LHc0@5Z1UD$Vdum#YEu11&n zR|8>Dq72PE@TSt5=3RJgSfiQWhh}qn6web`lX-AGV9 ze!OZYzPK2QXs(_g?=FvC>%WUKnA%%wuoPx2ZDa?|5kYSbkYtrMJe|8Kzay=uW@5_x+M?8p|bSqN6cNHkmesDwrW%Ued zomt=9a3(UjT~4000F9JrrI5t(y1^szfMbCe^glaRfLaKs&m~>~P&EamrM5r872o*8TI9-{)bi?s 
z-k7+D&1g9^{P%*baep1&nSl`s5;=jJ$V>3wa$!N)YDeECzzgN}x#Q~G*U8s_ImJuonkp%50}wTJb5b77KS$PFU% z4E^BN{#`;kiBAk%NtR~R+3Q{F`cVHvByn+fRfy`zdwHA4LQ;5}T+VycCRFp2F5j{c z*Lu3LUDT~Dn?Q$Y8+euc@JY8gVG38KntQGwVdvl;d*QXFJ)KS4=>+{NRDTtSM;32J zif0*NY!%ZSnc0(KrO)Bro2=~o=a8w`1Mq5J*272q9N;|P{}<6T+Kh<7wWiu(6{L=! zt0s3Y0Syh*_x}4VjUH*OaoJ~N2F2Z{xDz~qwk$*{;W-g#R^uN)#;SsoL9Gqr;{vaO&uv=RKgICOixHRLzk2?9 z|M?yhj~RHdn)B7u6_BPrKhPsqgM3u^2w&Zt`h|Gj7}1}pT2B4y60QEVHLi#vzoDrJ z{xdszYR;r$ZA0f5Hri|smN?gW;EQyn-dAN_Xv??8eS;+}?iMV|B8b4UE%Y>GKgM9z$JK z7zE$ZSLTZ}A6*immNI+t6xs0Prt`A%f4HD}FN6bLD6ciJv;b#Kor(qH*!9&mAtG+e zBZ4S6g@U}JT!@g?H3TQ9vnXNw?7z+5_-oHy)6n7l_^Mg4nC+MSSXBt=&&w4VJK_;% zf^7xr0u_lIb1Ll3O$Qrn%*S{=;OVhrBuldJ+WDZ<*Yu;PF3j@$)+9>hC3M*_)nc-; zEAK`o2xU1J!WFVe%52D0*a+?`4in-rrEkdx@Vz|ku}=%3QN&~kqps7)Wvix%AG{sz zl$ZZwsv}Y7vr>RH8OrW%=_^$<#s`&F)kIYZ5mjtug0!C>TSK;YB?$1QRagV{O^svT zUbsvwfNzf}Hi z3=8m_F>T<5$=rTfgF*cA>-o>M+wm6N_|yTHlCy6QL%9Q5Hd!!~^;NQjDCI>hEgoA- zx9`$m&ALfDMKVyA@)KlUddqkiL`g`XhQxIZdO`UqN{m%IbQn4|s;w$t{Za{?84jX8 zWO=fviI&4}O&HQqlgnS3G@|}YBsNC{dwH*z1uE~8g*i(UZvsKQ#r|!9>!1kSvsbAa*90PRB_B+ke*I%vn}h}A?I0$xhqjmSU#pQ!%+D; z{tifx14Pz_6l#z#mX6jvM6BibSFsi((X`2t>S&3*TGS($x`*XC=%|98eSf|8j^66# z1TKGm(wZt}o=*Ki;b)De+0kVu^fS^!!K1*WX-eqUzVU%u3i&j)yE|I^7L|;;un|Lr zT!-y|9Ak#k9bw?6nhBg1i|HTwOuj=UQ_CbS@g_5ND4pDuMKE2X9Utw5J2YKVVwj0b zb|bbiBZ(SgreS!JRJObY^;b5{R!rDqyc4khw;b^pNcI)1KjJmfIJjN#9lPllgOW(A zIE81gnVp}w`~EWraEjriWUC?-n2dLG{q zha|pHy^u;b7U@^IwCTYa_`Ct#Ay9U+#lnrZCH4zWWNdH`$>vm=EahQs^pr_M%6Uqy zxT~!kRUI>ip)GUzJWt@-pym$N8T|rn;7-_-AiJcK88^S^s66>B6LKErCBZHCoD%g7 zMN5sv@E9*LxpEbTiI}xhTK7uDJ2Zy{u>vd@{)I_Z3UFD9-f}zzcw6IF5aM{*QfPk{ zB8d73_wQ;&ca0F{1l2juMgKvC9wY1YP|udj`41mH^x&*rPj)%4$GYuz99)lmKV1EE zyxXxP2YaDmVi?gWH#mq_L_>q?VM4B87oN5&S~HM8HfBLY!^l51g1-sgj{*tm4yg&Z zDmS~+lZ}CIdi5<-!SRmPKe~3RoZCN7=R(Ue=vSI}BD(7drl%!%?-~{$pFBIIC;Tqg zm^)rb#dW-(1!F%(BlGeFwIzVxrkv0X$(OZ=1|6xmt*+BR;f{tU z-3#4xZ1LYB&G{&msa9<0B1BO-cC46$;+#qOI_f>La)l<_Ua{)*Er_T=xOlCzI!aLz z-qrOblHWn~9HC~xAd6Ge1yAh4TQ_Y%z5d_2n&?F$hHhL40$Pgc?d?tDd-vo;#m%AB 
zj)Xu`mB!+%$Wp>)kw)E$ z;bF|nwD2rJ37+c$HQp5EV(j5|zKEUy_RhsYfoMyC&lg@(RR}2QBp#+8=1|YRiE+##sLlVW{i~XRu)yNmfu-{!|es>v4-5t7F5{i=9!C z>*F^Ve0fTgx*E@#3d1`1%k#>!URcnCH(WL`LBSdlyz9SZk2k0Wi7&20$0q%0LDL!| z8YBTLt?47b5#=5{jN|B7b>MnA>6)GoR#Hb5ZjR1+&n=mQ-v(nZM@$WJn?C6S7E2g3 zaA*u{=>OiVfSR@u2SOn?6s^JN<4MU&XUZ+$xBiON-R!Nu#BwN9KF5iGC&hxMkQuri zM?D|Wc8zRUYCcWM%@t+nODs!~I%~`9amuvrP9If$$}V?wTqh_V+(wVmhGefm5E)jc z<>>4I+o~Z*;z8T!Wg=Iwk@Xf7H2d}_e}rl_MnM!(Mw&D0JHi36>JHsiJ?WGntkl_Z z*jH%ZehO)lka(dWg3)ejlPTc|%MuC8P#`zYBbZwV-mC8CjMZLT{AQC0{rs(`VzL3G z&ZIXj>mYUZP1?DuLH6L1Qg>oX_GpzH^w2GZ_EmrA?Q!|CgBlE#8&46;%!{3D(Agro zzHgILO$31qZVl24A}?dFuc{OogRvloXK5kTW8W&YjhOklDRSAgWzm9>MVZcQ`YD)hC(_0YQ1lG@6C8HXTNctK za)db(k4zsk8Vn?D?J3qaxOot^2D#Kq4oB`vg0h7}VPtG_n|sHQTQYB$=DR{6Z;X~} z@zu^S?Z~d=mOXBkgm6T$m%Zb1`^w?XX-0GT%ta9NGtSkN7R)eEb!^T`4e~ay!6pVg z53j<)DF@G1SUSF={yz(<5>QahHtf~oUY_lH#>Dm1png7d$DbLiz0A+8JsamwtE7MNJYh+S?pBLbOsc2xhfg0{MXH5Xcb=&m z9M{LbZeV7?AR!*_1fW7p{!5iaa$PN5vd<-D4Gy#CpuLM785wC*RHdJ8}e^cN5%7-*jMjt~1#EzWzHDxjYy zZ{x14{HXe;yJK_8-^K?~Q znESZ!5r_byEdYpsb7pMje$C;!DJhB`Nv)L~fx$&36WKp15vUu!XY~uKv`PS6Vj(4| z5rZY{)%(_Sd_+m5_zz1e@P9;j)3EqOM0O~!-)MqI?zbs8@7(~fEX=o9|F1c58B))! 
zJv7JtF;248d?&(AGihvi+$@p&s~`_6BY<$W3QE-BvXWykM%SH35XlJ^jc;lz=L%Mz+6nu87<(_8r)dp&LWu$E~cujyz=Y#7y?!KoIg zn-CqYHf$JaTAt`n{K&!+FK!wQn^*>5F37`brXYS52tIy(i5L@TG5+i{_UpWtmdFba zZB5*sHl6j}wgc0Tt>(s$I6}UNBLseMq${HWlfAGaij@-hSt%^KBfFq6L(_gh{Jxv4po610n2qh7#i)yuWDyFwO^wn8^JssLd89qI9S}HljNl zy@dv=YrTzp02_wP$-Dht7sEs%21@e^4k)`IIE}sB*)JW#p}~xCFWdi`(mmNd6=VLVduZNnL*s4a;paWyyw$L$L1qJ46_1mY2HJ|;jv$D?m%nK^% ztK{r7(?w?d_8@c6XqD$h9{@&8f<{fEputa;Xy4`{fYGj;{0yuSuTSDUQqTp5b9CdlFBJr!n8-tC>#){`TpOHaAQP-&ABft^g3DD<=2Li z-@0~yzC8lVBs0wi_$uRW6F9pIDcc{~-~=>@(-_!^Y+!WjDU-1Mmk0=SeByma)@$ps z5ipBP>c~bF)1sG*~O8Yqoy-MY#6A3tWS5>>HTp zjb4eoWjuAfA-WKtB7~71qv|A zz_X)X6&&aTt~I29o|pv#oq!|^tUUgcZ^O(!v@~sIthdBSq^KQbhN_>WO&ae0$3vCA z>xpLOWrM{_m(re3_0&a2ok+^-NpKDQZ2&wvBNw14f`Eop-^a?qUyGJsN6sd92i4k* zSxX7TyTk_qBntra3FRXR0jq$N(@p?lTAK#`{Uy6#rt=2tTM{G-z7HiGo46y?HMLqq z1EIkUX-Gv{~qMgDvaRlfB76K6Gl635yPgz2eN|H-7j+xh6#x5RgS5t^$Ry2XJ!=Vwdc zggah`yOa&4{#NN7V!)LkmxlvL^LOCy-lL?iz=pEFKpd#7qC-HIz(4#Q@n>{ucSi_8P>sJ(qm!^Zz3Q)+ERd8=0DxBG7Pl%~md(M*;Q{QR zOWnZMf=%ueb?gR5LmErh9*wgEg)`@(z)+vE8V?PH0WJ8VkC)s0Jw`l^0s%I9qaJr@ zWo0scHT_OmCc3b-vkWxkl3s-$WHNRf{h%K#UscveKJT|mss z2Wj!onAf5*3m`J{xyz5cx>KVj!Ms&>mRGGyT*zAGIsQ?~)9Kz5j0FS4@4t(zYmdRX zh^=eii`fwtwYgT}M^FAxV4}}JLQ)h-;bFG*mZQ1zu$;QOs9BBv*L?)rFq8*R(qtmQ zkyZLuZN*TUb#=9GPcbxf?Ms7&Mrb17T=N(`n0+%|f+dXP$JUU?Yf!6eyxjm;Fi4Av zAT5HWeE^nruT5G)Ah2YYqHXc6q_4+2lNJwGntEQml}VA0{v04&`#*9AxL{U7bxk$c zU90(@D&a&7ff*$a ztsxcaQoBgJjETrtu1eCNr+F!-<5o}05xYCJ6`FA z%KfZ!L?D?`qKatukhDXBiFVe)B?%nl4|zsXWe5U7{ZAOP!SCuM>4BejawuSXBuEAw z3Y8{1@0|}h8GZj}5r;Kq{{246yJn=vKFBXPv%aOuSQ+E9>*M$zqP6op2ni;I0>elS zf8|EmrOuZ-?eTF$cg80%B_^_MxgD~lGn9-AO}a8jp^`LPG+4PJ3y~&*tR5ffcGD$F z{gtU57_y`%;5{Z6x;a$oaCQ$5W%D1NuuB=->KcrA>MeO#DXRbBR9fX@CR#gXuQtO+ zpOqDTLGf70#M>;Z2I&;!KEpy}Jifnb#j`r^wI42XjkE2srvr`>9LYPa&bb<1X(b-* z2pIQ&?fO+#Io220-pRk7c%bN+A#=_qU*DD-4sX+fIN-8MX&*`%7SY&XBX3uRYCRcm zE+j5R#RBY<_vlL%(V!PeGIwc|?pS^eMw#e@2=Y@42a!-^5kf!aMyieQTixj#2v%@vkwI}Es_$8Kxjn7h4 
z7kOM7jdM_fHY&QUIUTD@oODOUCfn?htEW4CqD2%>19=xwu#IgrBQ^HtZ~OA%P{p3= zG=6V&FMUVnuXvrq{mF@<%Bqx4ARQ$e47(ogD`^1h^?Z zHM$;w@A|{jgK2bDl4_DtrjRVcvqlXzoJsy7l)jy($UC0|kB-9%ki%MG+Gg}>ke`Mn zUtc4dQcyx}tXp39C0ofJjeY$ZA|tcwh_bQp%v|#F%)n|^7565dHuV;wdl|BK?BFpD z{=m*{Kk+b;oVZ<={3SG4?#)a22QV#&?gLSD{^sXqiezm;5mZI2KW}m3` zij?Dmdx@hN@e%H;GfnWRkLHV)Tjg7^l;sKro~D~dh+Z19 z658E|S>Fw78zdi{^%PxE6~L|pUD;cIHONDkk~dw5c)|HsyzsjT&E4{`!5X4_>&|&+ zQg6jAmFlqbHS0giO+pSkQol?ee;aaL^cuGg>|K<+K4aw08+lEUI`nIXaz|NwE=)`O zj9en4lps1Roe6IgF2y|j($J3F<0;awZ7lH|2E*X;1{m&)agfTbj`+k-{CN6}?r)mD z-9PDZ>7ar79XaMQ8>re)ww;dsTS_CeDbWdWG*o>GupUc=ybxzk1AVwGDV|}u4gGjz zpw?z#$M6`c0+^1n5i%!fR$peHVLBVn-l=V7pUW3}3)6KeUja^Ad6Fdw%a)i3KBbw* znzm)$C3x6pqpk+X*=wYaj)0wgnzN3e1-!-b0l1+lAi1Im*>fWbI0Tn$m4-G=?7YOQ zQ!qJCKb}~r?h6*>&{~%=%m5WZVzw?NsB*N^)PljDd8uQ>2lmW0{+pjO0yUl}TE}$V zHw#KRyn&>ISftl#8aM6)4utfC_nF>KUyrEeNYl8o3Tpr63f;O@Plhx@`imx1SbjdP zai`}S#%%a8rJq#bC5=)hj20t-50iSW0>Ku|2^Lg*#bJFbXAwtYw>RmV8MT3t_B}l2 zPnK!90;pIR4kw)+^pwe}33q(z6Slrd0U6{piP#r+YIq>IkEaJcbzCR4_0y`_$&1dk)dI;oZV#kQ86n z#nRPV8cU@dskrwm9sm+^>k0-SrPr%8*nz@NLbF~iMc5K)a=2mRzcy%Qo?wJ$WOkBv99cN#hXT zc`V$y`1lJG06n~M8a)9d$1aGbs_GUjtpo|BUotzD>$TPF8paNZ?P4`s{Zc25Kzz9^_gSz9f z8O$T+^E5!GJ2aGFSVq58xFa%Yqdwzw-$`FB*oo&5jVmmkj#ptMh{=(h3g2y#wO?G| z>=P=@<&7~k;1ze>$$QLpIh+y2NQ=ur`(4h`dVi-FGU$u5#y&C*SCvit%!`*Wk5qmGH68ZhLGd z-A+?Pz7?5Um20ubQdcPyF%iRFs0fv(beXp0C+%7hO%V>-+NYBFe#Hp4Sbw(u&{krC z-p7;qg$x=^dN=8F%VhG=ttbcOQh$ku!R3VO_#K$mWW;$sPdpv5nCr{@v+xd!r_0U` zyH)dk!pNh#M#4mAFc~BIVqOm-co`Y%A^hLO%#SHTdbRx;w6;Wb$TCst;kMmk%+@=% z5vbI7U4GkFE|t57+|6!7ym8{9c_+fw*V|t6Dz;usAQEyw-vp68q|Ek%q zyBFlocTk;Rj>Q(uD;pb>es%fSbke@jmyf;Gv=Q0N7GyIu7fw7SxGaaJRhvdCRvR(j zAuUqLla|hpC8$Yd`7H@aREKQ@GZyjFUkGO9{NAT6v%`W5`?r+UmHSirGUlLYzQ_g)f3sA)SUY2B5Tn6XDr%&I`Zu^Ct#jsm3?>a5T` z5g=zVrMj@MV6URLX@qBKKj7ya0|?T`pQNRBakIXq37mPBq@gJJE4hx@Ax zAFyI=H2hPutIqEXNFV({1gXa+e05oTUYV^6+uDr~L;37#us?scB6y=LW&RXs7s2Jk 
z&~=1@sj#pEn=NhWN`%)9V6S{^WGNX42>Ca4>ztg*lpuIMVZj7I@`+bCY+vYG3FEF#)EW;#;0gHR#XQtn(^D;1*{o0hp}P{%Jj0sJb^|T8Gsp?)G_5iFg(BQ$uA1 zg6}rzi;@iA$*F{2{gU9Pw{Y}U&Dc@yeeKdhokTBjr;>>q)n6jIWAJ%D{`_YfyI7dV z*6jus*0hTkGJHtJGf}@uwXU-iCa#U%zBM_(sHI<=HWVp%^0v>XS41L#EtDP^<74QR z)&bjQ2;DPegZaCJylR?SNRSb|+d$7y--Ma&fb8ClF+vhMuv;6i z*go_B7Ez)BBX8XGF`-`A`Z!cB_?bn-uTO8;vJKOqg?8|5|t=O8Q4$pOR=`C|?sT8RU7sk=JB zt|47Sd$*7NgchZg@IxcchgyZh0YPfO-8?{G<)J0^TmXsWs`?`T-sO*$_P!c^ z)rnmuNHtu+6LFmS^a%4%>rc_!f1?DxPL=uMywOAg-N?%UnfyWq&xNRC#=vn|8FvX1HWP*)U<9z4|xv&kvsPQSYL~pUdihGJ;VHJ z(K^<$h(3YVtc5#5MQb1r=t(`jM@&KJbzIq-1rTjU(%`Eu&5*5-)@tAl!a;y_^!8R} z0Gc=AKuGuiio7<|O?7(5F~FXD(aYWP!Lps^r|u%-;Hmm-;Q)eLEPvui|Aatz`I@|) zO?Wj_`sV1>J8Abzv)p~17Wlicx?tf7_r1dV^Fd$RI%f^Mn=sWNkKhGd_YqaqIH;;V zus-y=i|BGsxKO~LE$Qz50TlT@q8xa*{1WhRV}ApRjsZ}Vg_e6n4@yoZJyM|m6-ZP= zbzxNC(8OR0)Kdg-=|{Di@2UA6OO#2kgFpxU*kc}W%vT>Ci3v1(Udh}wZT!44E04g+ zh!$Mb_PnpIMv}ov(ZUkC`G#PP92fv=L@YPZB2L|K+5I|RHH#cYQ5{m}VgBL#+?voH zOO)|5W{tz(j50|BKPZz}e|3)McW6;dO9KVzL4u=s8Tjj6_mp`6h{AsJolCg6v9BE! zv%6eh)c>APv-1Ncsb|aLp2+|Hmt;uaftT!4beTy$^Lnt{C;WAVD;eYPxnd+#pp648 zA$$-D63pn}A}RRpDEHS(Q>JVV)ru&4*u*^ikOdFP+xSiMIbVlF8TTY4pQb_Xc zBj*7oS@Gw|8lhYOk@v5IOvRp&O-Bes3$l9mG!Rk!V@x}oU|fMB7ES*azy?3DO+MNK zdTO$V*U4a!q%C-Pv|v5=?MkSL#6+V4yc`et<5S<-9pt}et;}p<{r}o^uBvE2%(HD! 
zY)TQsyZM6_Y*UtZ#dldSo^k6bgZ=W>=I{`l*rDMP0HVyr|N8#^*6Q&s{N;hN?KBc8 zmqE(8YMzL(3Ec+VdJRy&D>9w104&$6loJ~$ud$WZWdXoV&4K!=^&>DOn2+bpj74k1 z4nq3Q+QIxN?-YQ~x^UTjZb2=wPpfp*nH!0d*;GtvN+z=GIb@b99T5)J<6p_hAF_nC zT>QFE?{V>3aUR4gNxLEGo4W{obfHo1M9hyFBE*5&MjRMAyBeMcFlTkO0MOoFq}(4s z3i#O(0qhbtgU=N2r${OvJ7lj6jpTL2N%Q8j%fhpXzs^?y+=Pa0J|BEVs^~0J;1T$W zY(Lk6BhBB)nIAXe=;=}fLgk;oJ!=sT+f(MgIwA3Wu&hJ*@!*0d`n-Rm>q_=+A}B@> z^7nrN(Xu~;Is2xCU_si1eni&SvQ^RXi1<~!aHRVLJJN&zf$Y|ZQAJfw4ochO;fwt* zUsNNIv~+ZW6EwwbM}Eb|#N?EhLxDR=tPY&1Z}CPXU<i}S1Q^`N;s$l zAD`Fw{OTR$+|+2qqFBxOI2E8nHuH%=cuEYaZx9AZ|7u|keadw>JrG^H z{p#KS*MxyWXnAb1*$Fb(@9!k#F)-*`-)02Qcn`NERizc>v18KItyt2Bc{Zl)mp`B>^J0_DXI)|Mt4gDlXo!Bc8kZ@%OP6BukbUS8D&4+o%`7TXxFPr5|-Od-d;cJc)?s6*E&&T zY(O0+vEN8UCF1C=5Mp+Cj&=Go zQiMe(JUI&QId~Oz1w4@_3c%_!w500Kps?$^IiL7b8E|nta&yGqT-(H$&^1lv6yqh&89OxP3KGN1_6|ibg z1g<{?7&#rCvX0JJdBf71F^gZ4-Y^>!vw$7GYYw4$`_*##veh(<6MF{*H`CMcNJn2l z(DQIKt**~s@+G8`S_H2$I} zbHvcF)3fOQoNiEad(dCFxzZQy%kmdRbW5k~MTr2s=Bgq>@Cbc9Gux4;`bOD>h&su5 z`znYSY3X!A>kV0rH)5M_KN|i`3-Hr)DAv~)&M)R+1~;hCVqlKAk*oE;m-{<;KR7O~r=+0n!Mw zleIIau}1HZKyqW&Ycj`fC*^|6K>uGqCeyLWFBspZppDLBRwt*w@Izivhg4+XU-aYS z;SJo}_%Quq|V_5*jV5mDq|$iQ?b{7kjrGN_jlL zpz$KieUXxel4xt4jedKUcWJKVf30-ww*`Gc{DMjeaGT2vqfy1f@?)qnU8Pi_)*G+ja< z2m>N-*4lKEH@VSC`=?5@H8-A2LT}r_eY4-T(9B!FJxp8m)$LvW`}ihIPa34=YwiQJ z*FUi7X0hf@NFS%mncb6OI&vzeF6&1a??AbWD1lMkDfJdJFHx1!q_oe;6goIx4lk_!w)i2v2WjJF^ z;LJCnc(qSq6y1`XBzY97i{aSVPfzdR@PrLxqcaLHj&126+pMx(cDo$sD)Wg}dQ~Y^ zza>NeG+b4OOn2A+)Nfmkm%^~GB}KseQ7`;b?$WII$C_2&!2zEqjE}Fa9N{JF4D9aYOl7m`5&^_Hwx@&h7 zS_vX(UC7Cq1~Uc)`++F-ubty6_JB+l>7%ohPuAsQGZ$BcS0nPI+Tq6_d`}uIhec8% z^76$n@1-v-+XG^$Mb5s+qo|HJ?~zqw3&;*!W-c{>U4U8pp)cv}4}H zD?-X2%NCnh1W-uy>}!Z>%2~#aX-Y&xgOP_C`)R&-@~1GZ+;+{s9}%H+q^;HU>grnW z5BF$sZT^0|x8!-|m(K`nY^7&yG@YnKA{SY5HmH_flxwx1c1`eAJo&kZI{L^8>_8O0 za$Zo(;}(B3e>mqh1n7QBN903M4_+k7PjN3WP}D$K>~!Ao#Jzc+CgPFT-qj$a{8$dQ zU$ND6`6v$`pQDKe&_$N}UoR#a#{cdn!#BSrA1UST~h@m_vEs3jv zvS$r$Qhub%s%L4;Ku9A1G=TZBT1FT^fAr`fqE`DYf?OLKFuUuGH7P9`l54~&9#dj! 
zY7}_iv=pItG5Kor_Fq?OFZ_6i8dbbcr>)b;;>b+hNBk7Mu|3Y_Jy$L0F5d_~NggU| zBAyu6~frc$p1_Y=&e5XIF60#n9kqb&L|D@>*7Z1cJ@Y0v=GnM8xa z@J-UQKd2u0Yrm`M1^F#%FQPFc%>cil0_3^+DvDW6T~A#+@W;hQj6l1tIdd_a(-D^$ zKL`b~#=L=Ql~zgQb-=5>8&AAr1S8;=_0WkMCvqj-&@(VyFEk;@mi2fXr_Rc&U=mlv zW!0cYNVcYacGi3**hAR9p0IKJoLx2soNzm^(ip zDDQW(EV>%0pgf3n7!YlU__y5ybnkYox+rT9c+18V`CQH}?xl_KC~Nc>8eeBT zUqYpG?m(v)Y5_Ms95--b)vYsQOg}sPn_c(r_4%siFHoz!mjtu4J5xpABDaQ7_nPWb z2WB`wWLw+-G^rDAzwNl7#ucp2eA`x&DH>87Ue3#RRh97F`8Z#;(apj|S^oA8Iw*&w znEph@D~{UA8jLO;JE_pi1Jr70C}^jd{u7tw3T&B0n#`PGQfyIM`P%u3gd32A4XJVk z1F2WPI^*9+?XY#X@hZ8t_m?psXVvKW0Yn~&Y({YXsb*lpMVx}HF?KA*v!2bj`xHDtp;S_$~%LoBw z-uuw`d)UJ{cU6MP^amx}WxwewD4?&PQN2OGiBwhknE9l~mIP2OgeuiF?-~=dWzwrj z3jm)u7Et*cjBS1~*XV2mHJcTTYVrA2`kgtWs+cms-G%7+*;Q5XcWN`>KyBOdD*}JP zpivPWfHsKGRRvP$?>ngu)fh7&-;%Y(% z2ifYk3mu{I`g~MZ2NVg-C#9j?VO^4JWgk&Q`L#lMzT1s>JVXMZpz~?{Qv(-(+O_93 zftlFtF%ft*rPX3KiAI z(r5BTZXF%I_e+#Zs|D;#KwG!#jgAH5Kam54rMYHBdxd5Y7>t8$q*k)hyh-#J=3dz}?fAM*KQfPH?*1{~W zsIhEf5(%(y^!6HX_^2ZQq+}HF z;7trP!RBXFt75p-ne#7Zd7Zj!?LHnKdFX)nOQrU+R|_`WJ#$YT;CEW124NPS{)N*} zY)dS6PtVPe_zTm{{{DV|KkHl6bMO~-75X+<1Ie$~HV|XVVy?H(WOc-)&K@%nozLVl zoiE;}xeeJ9sCvp7cyq(^9i&>>J62-aAnm)ZsR1LFR?tW?z?c2n9=dC3h7d=`A*(zd zhXOO&Q=OKbXn^^Duls#<1v@{;D(8{PBR_@-GAJ|pjShmXCvvTg1sU%Nsl5W01Z<^$ z67?p*Qr0R}mE&l`42>>06`eQ$a`p4b;V+9~PkQRSQxw8od%hf*+su5>1PsP@$><}l za=Wj9^2ty3k-OG!%!UUn@8U2i$r~aD#bpaCsNpzbn|wRjZ1e^Nk0jY2nK^9zxa|0X zsdhP=q0!xo)4J``eY~ZKz94XgLHesT#3w&6B2a_$YH?zN8s-Zr>JVgh2bk2q@Pw-J81Kb(G$% zxH;}OH@R6NcvSP=jr6KYi^j2;Il|Ks;&orW({e&sT2a#@@Pj{;Kt{1B+CX zH%+sj3xQrzWGa9;agTC>0T51^?Su@F?6B$&t!Y>sICNYItshwd0<8C5dUN1^?1L5! z+IDL?^7fH0b8PBP^IDOqw{6>>S>It-z5PG31H@8~< zMBD_J1e|YuH2|^wgD7Y4biCe6`Ml*b)qb5@SCh)kTA@eM$~I^eJX<5g^i`{hofyn% z&rgG7XmEgiWV8l6+c4<*>!w14v=y6A(RpZ-HQK*oMCi%DPqq39H1_Oc9h{AT>A*4P!~yj! 
zp$Z+aPW0gGZ3s0toFTYL0;Tt_Q`Xr9*qo$UUX(aGw9jfjYBXg5lvdkM-E?U1{l_FB zAbBI@++q+V1TS%iF$e0&0TPE(wX%B_)Lj3~cU~7bjqne^&;m~4s<_81CiGTu$%IzU z7{A{g9eM=Hy}zs9KqTek#BDEY5J-e5pcI1yM zl=_k)!0>)PvC33yn~Z)#j3L9ST7Ua#M}VZ`E3nN{GAY1m+EDZXEn@$iGh;`8W2pgi zDHP$i!ZsRR1pD`A3hyMSWD(ccFnCIZvAsJi0#UMWZ`mq=^kYf;4`a&1I-cnNG%jSM zq9Ulw?y$q%?pqgc8->P6rf7}AOCC*x$mp&686yarN6rYsCil1r3}=y$>?;zR98Pli}BkP%-7?#*wdM&9daRc4?9$Kk(1?c9ae6H62` zDrzOO3`Lyso~5(fhLQV~#mWx(S1l_b#djX+n5H6>cAcHM2;y+OO3cIHUgDt&y)^hi z7ZgQ3fG^UwoT>BxZVUanVoJc>;^?U2Jb?AY{IV{IT6qU9UASp|v+s>9q`M4sis=<1 zf}kB=ECXxJ5*AcyTL6MM?vtTtuu%mC^uaSPZ-8?#Fjh|Z_mtlLYf2BNhDDpj0qy2< zZL^T)f7B=he8=BMOgwjLyBm{Si9rxx7Yq0X`jT+F><54oR2$6n0j0y|qz9^x#lR2i zJpsNRt#@!eFR=4~Zj>0X&5UtUA%H8P`9{M_-4@-zeOKu2HtLT~20O06n3}>);L2oT zzrjSLt^fOYhre6Yde=0hlS)6=M|Eszq_8fO^q8~API>nqjdby@KRLogg1Ku;_kkDB zd%*U``HYpUiH}^-F_4r$ECq`W4YszN;RIz!*o=;R8rES*WGHyuloVJKTD$+(4mgiR z6>dK2;k$NdNf)uD6V0Usmt(k?m$Eud`+>q|jVbT!ERp==XmApkn*2get}`q=n;NGn zv9W$fR_cEeSq*WXJq2Jv{TadaRyIS_whOtlxf@=y7ic(-(}Xm`!EQY$<-!6AJY

N0})p>uLWul?A6~avvCr1(z8yhpc;iVzP_pL@pOVLeM&}m z>4ZO1WP1aZAHhn(06G$4>k&}a5l3s;B7r=+V#x<}23&hEmj+h}0m!q-g7cEVl$Pps zeTq<<=zat{`1LF4JN(hJbX08yp0_NNbYN@ba0EXiVhUBz1JUQ+l%xm{gb4~bkRbfD zy9ErIAztmB?I2F!g1EZ08i#PyRAk`(3Eb@Y&HWk$YVWD`T&I}LdoxLFlgk_GsR!Sw zz8}9HFaW)@l$=ih;7ED*{ffX@QC8XC2ku6M9q|RiK=N(~-1jALudp2;JD?BD0ev8G z;0XhSB`jadOiTb?0@`iqMc*FGm1+5xwZqQ`DK~cpbiRE8S9u8^El>i3N_6tzD1uq{ zSR`eWo2!6k%s!N65GH|%Mll-{)F|8Xz~QN$y+=dYZEyxz z^&O)55$LrS=Y)&y+&976$OH~+R#M|7XxeM7^AUFE`HuOjZa9HwnjtXcJ>~!#%a5}h zbSHlY?WD)H1nglsdO2fV#%iwLd&n&6`*k%y-1GE9Hw+P|hIPz9UE%YtQvo0p5Xm3U zK%g2*BvhrRLj)?UqG8}iGt7pMO@aGFD9sz}!Rc4mVqsT;n{%98no-H0IpRwDPfvhn z@h0_G5g_a(Sz+$KHO%Kf`HF#|Ro-IEJHcaPhSP63hZP~>S^rPx^R(seOWytRgM;rE zLw&j_ufo3JTumNNE`#E@R5^@KT>ND;l}Jubj+~WXlpY%RY{k~&I!+dhOk^_h3?c^f zAPXUI11#9C^8ahQ{x*Ce6pq|CN)XY4X6U4oV+SxOaEiBqs#xj69k9LgMI-T*;Mq1I zYN*aT#l&pE@h`YQTs1L&=p71bN<83+Kwr|)HW7D$XC!@#%CU=L2yg&X$&nLtU;b~zNivP+6&~o4PqHU zP?o_72r1wLoIY{8B|Fs63eh-}hcq;T#sb*SI6=ouWRpCAs6C&$yJ9T*_;pM>j0~`R z9+0jDMM8bf^u0r?J`hzYvqzCY^RU7#j<|kd8_r_Py4DAfi;%K$-15sPyo&eQQE( zMf&a#zZcgv3mtN_?Ff*1_6qu$+BiP>dbO3@qlG`_UK?fOO_a}9y(A?|5QEMG4akA1 zTkZ{xJPVewqGpBlO-z?C^Koj4=fY>6?V;aP$ovg5~_b#C6M%>t9z-*Ow zVa8;4m|jz?Y-;7QstML0&W;PDeX6Ghct9W$s%p#-Ghc23Wa3ie>kAysNdTM2&DGF5EM5*u$U zDQ0!+OjS}V+mLa1vD^CxB0^!m&j#$7)Moi*J8n3e%TV(JM36pxm{9BGk9X}nCf?|4 zfi$kD$xiZ$Q4JERHKqfU@w9`FjF%N63}D>%QJCXE#0wnyAEn9k@!_{E;^s1I@#5N?j~ra+YQ7jR{_^JHtND(%8})cnE9Q_*>t^*G z#Dxo4-C8Ei9Q^%931l0$XsEjZq#5G-h&J@DXMTOLR1xiDreriO)jR#74tiy82sQQR z^h>3~<6pwyBEt}S)EQl4xY;7P%;v_k^Qr{Y86B`B60VbY;Ch#6H9J{wt3c;Kmr7P4 z*lp~e+&LRSTk&^IH#@(ja*Fs}IPl$d-Kf!e4E)Ts7Fs%W7{Ds|Tu0dL;cF94_l zU#|sU9`3la!W#qYP6$8fp;`rY)Uz|`f@Yk|yH0r5#+EdLoUU57v^-6cIUPtEnnR*P zlQC=Nb5%~@SwtQ7HdW{`yd|p+WA=V#yRxu;u{d1T^>AgGBSj!^?`{E|&M}nB_!o(|80+7(05{`0;Rk0! 
zG;Ql_6SCE&c9I3f|Btb+3X3ZYvTPc64-LUdun-)Ay99^e1SbhjfNm_fOVHqM!3pl} z?(XjH8enf`X6KvThyC{DK3uvlw|}Ys)TvWdUp_wpp8P2>gM={;J6l+zK}BlpId-#9 zKz4Mm{=1(vP=K-hyPhlMwsFKYBB!A5kE?Zz*Ew~Caf6|-#*!|uRs7&NoYnzjz(fMI zFUbDgVZgr=`;C>C-tZ$l8j_gc=-7!9wUq~;_U_K;k=^GzSl_NNU?H&6v?EqqGjNlW zEzw->(DNmOGeKrag#f-pSTNxL@FhxUH-Im90LOK$^Zzst^)U8`vib&G+#yV`u>&t)R%Zy*(Uo7vgJSY`ljj< zZ)a}`LyFGyrPeAq^Vog*2(Fwb^3RK)>RA&CsUE4_x7bUP?)Jg}3*9QPs`1CLjFmNU*W@w z-A!-be+l|xFM~CQen7eA-gxeH!MvHqlITAGlk|U7YNAI=zZd}gOX&fxH<9rGoNEfw z_y#xm7Kv9=Prs+n@vCbft!-Oc&w8*qX<`B)@fW=3J-@%VM=vF%g|;mOwW%8a3fV}C zJG|8xIAok(cyS%2Xipci1JW47OpI+Bzq|C89e3&c9RZAZr*Jg@Upk_H`Hu> z&}+ch{9{+1H@(8d@#Qp)O;41Cgst;tH!qW4+sy}8_n^Ql>EPc@d$UbxYVs^Dr`Ojs zeBqDYawSpwh;f0Zqt8C0p-~JWmV0=dIzxEARSi5>Dxh)R4k8AN(;CE=BzMHu7PlkQ z&@se9wpt<-6*t4mwfjd%(xns#ZAThNOr79U>EQaAA*JDp>zbuuRObhf6MjP)2eXO$ z+lk?Ckm(8#Jm?U#*$yczA>oOFg- zk(d?_d$35hPbh1LzjCpLk&IHLwLxiAN0=Gn)0BS}DUP&E;sc^%8HNm0fRF`+sRR0D zQozpLQGNj&+yCLr2vXeUS}#=%cCbvCl;F?Ui@k4In(zaN2i@6zjsH3){@+`}s{pUl zd%Qr~Zhcrrz$VOOGbiRwG+>H~BZ195IRuu&^785fO#}r5#B$iq7KV(#W9YyUJ&ZDdgw~uUIf!JK1HA z=euR{62-9FoqAQ*kOi*Dsx8E;e8Ie5B^(*l;>~IsRlmBhm*Iw(mHauYPSxFyh3*)< zPW2IJtQdO)1dvww?~dN){xr#+dMEYxrXzClbUS_Hfyx^ZFJ__~k z@T4>;uI1{w3|)!LY)=ER+k+1htj0>@&tGrGwO{dVGk2kton5a@R3o!Jw@yb6ZwP=o zPdsKyye|gNBYKeH_FSM4dh2$6T<*eO>u-K2_phlv2Ng?7?ZZ3zoMZ&eZ!>*OB2jZ5 zu|lcL6?nj+QUQZRG?%X02`rwC&x7}t=bv|r-|v|b%QQEg#e3Fn^PtyLL`9Sc)Q`C2 z66rU*LAw7;4W3;{I`UMlJnui!I6LZllSZD_rrH?|AxU=Be;CA)@h5GhVLL7`xAv^v zN?aD^^WT-GO>KQ|PoadZBqmgP@j>Ld#qDn~k}g!InP!E;X1 zE25b9JUf@1Bm$~TlBtKJZ{`((XO`$GMt<_52zmY($z4W*0qk{iVY6TuiIUj5%i z5W$$<8rw$wE^qXDeg5Zs2&SWhC4px}GvVpdn3`SECpxq)rH%PBNAQ%9H^~ zTbF|6O^uJt1z+gVV$?+_11j)_NANok*uGf73yy0vaYpw3Z00@MH@fmKP8$3A8&MHY z^9QFCCX;pO#!8M%(>F=9S{B9p{x2^}Ua>R3D=u4{EC|x)`Mu~^zD>CPxVhY75Mys;ltXoXD@$ zbO(o|1mHV-TO7gU$LexM_*e&$5-_GTx>zMehNSw!Kv4B}Wbv?X_K2L`SbU*-j!Ww$ zw#^|o)v8qn6o%%b4}ukUJ! 
z(T8u$$SGeqf`x*-BVr`CS0vhA@YjvOJZZOUskz3u@ZQHiH)A8}eBWN>%2zqhVfhy= zrq@Mw$75q}N}Ec@wlw*?HbK(hmMVi9fj>C(*e!P;+=&V3XJMxbpc4zYGGwPr_z}%T)L9tGxytj#69;!6wjVapSu^ZD)<=Oy!U=4@b=@a+GQuHs zycdoE9(pM##cohz0vj5Ppj!>Z`s9Nj5XqvgG`Qru07lz7)i=sVYXl&_9`k8+N z?c3ZONoPoIA0$EI*u~l`na8oeXf=^Y^DlJBV40wMAeWvmdgnLWD)EcG^OhTluu#0l z8b}nK<#sUmco)+9e6yl3?0lIN5K{UXlf_oR<3j9JgkGOvttL(Jo`)I8N?iq9>F20V8M1GYd&N3DFq#`$S@KT&lNUC$ zR`FD<3$DgK`=32WzSjz(w>?7>*jsYKoJPK9YIkH6LxT(Lgx4l~{{^W2km^LK9G>Sl zePXbju~5~#DeL-8^$pUEU`@f@^M{yshF(z(_S{IzqWgt$^d;1WS_p`0h3@ArRdkQr z!I@1yMEM+|xE|1^?dEV3`qs}I0S_96;zMetLKk5}mmOoQh#MBPC8JDVJ5) zFkVom6r8&vGmh`5&rCw92u2R#-XR2_&pC54XNlyr=};n%LyvbN z)@0eP#Ngn#SA?7=EzCseyCUy=05ooa-6y(xniOVhi@gAKFGXiSn!JyfZn{b|$)@tHXgYgW~`B-u* zbcamn?jDX2k!d$e=hW%~VK3JoHqJP2;=LmigkTm5lAi2k*dG6gqdO}vndg*0)^jo+ z{s5b->m-%7LKk*8N0UdL;BXgPpyXl8a5}HexM*KZI6(r^LGtXvb~~=tJ!xF+2V)uN zCtexUbk5iy`!>f3nTNk$k@eR;h(cz>Z$&%cNdviSyUU?Qq>FV8t%A7=`b&y4!B6Q} z11dGyZPRCnx}?e^t&yBYFD#s!K#3MY4&D zbcY>Mk^0F=U?jvyXyJMdl|7JPG`p#gjq)(FT8fR8|j&xsdm0p;%_hS=mniiH>#z0{LT)grM~eSYF~T7};@CzP{uUu~suo?WT;EM- z^8*}8M>-nVnsr>j4fXqSJ-*q+ihPcI7a9IJ!!rTTC+In>FKeH1zKE*vM2hPD+<=@zwfdg z&~tILD$CHgA8$8|&BWY0l7U{g@{jZ1C~6sDFncjIZ0SUc`XW zdB%rhtKyf{uV7l^=k4mrDR+6<0r)+?{r8u$vX`|HiMoHq6wp@fd%@a}P2Vnmb>fHH zVbd*}9+~EWC)l81fy7OV^wCvRp8>p!Q@vl)ovG zalNkO@E&!v|CDl_l&@R?R>uCMC-wq4n)>`-ow%s z%zPj}Tp|-1tVrOYbo4Bc?vQyIF(QJ3Tzg*jNYzN3RCY2M)8u%5A|N21^}B%^C0Jg-`Tg^5 zfr{I9Us*-3h~t4!&lV<|RH1E3b`$wr;G9!kEOKfutPg*JApph9iSOLy*!~^J>Vc6!OTasBc} zv*>m!W-^5p@A$*HA-^gtpjUw_4rgd%;CZLcd%OwW-)`wkt5K>JwwS!`v>d%p(U>~t zYoc$)tBli9I=+g^y~GDR64f-}?grPwgt6^#uStx`}sD)JJ_9GB3 zxlDV&Y1wd=PY4~0B9HiaY3f?Xg-5ni3wvujI`PIv2d5ou2|*kbGkFw46e2qs+}QRO zz`ELr=}Z>^UuT9}BvW^aFl~6r|LEqg{`vy-LPUPk#4g3ZNsYbSJ0EY3@1aGv;J=Af ziWzRu@S>d-(2=beRI zor$zGX=_>B?FhlEZtIu@MX~R$S!wRQ1b{4mkQnBpTScnYDH5m15fPw{|BNQ>G77j{>c9 zJK}UuadBV159y;t(2a8*yx^`nv{=_$q9D;9whVv?MbT`<38K=y0q|j!Amsg}uhMNH zZ>TJ`l-J|a@bF!i!}0&O)l_@I=TSKy6UR0JdJpnA9zh(B=DZQnU*(6`A})7g3x@*P 
zCcQ*K-im#bG$R8XB|NSLED`YVyrf6alo;46d5(x<`7N{E`lP9G#jA6y>kPFm1Xj(6 ziSu6dZAO9WL&&&M+dNWDH2(8KyQnFDD(MI}iXTZ9V~pSvmG1IM8}^7J_-`Wq{D3G* z@46f^t>)u|XiwxY0!bYvLhUERySvdA9xqQ}wyX(FG!xwMSj2pF+F00p(0$z>S;>#R z{2;i?ESfsJz=-&pid0z2*twIqDcFfgcCBFqfgOg9n`iA&f z?ApI|?sj+|9J;3m?DgLX@U*aUuFr;t=f4+AkbXOhc$wQ%5LD0>6kZoBi3zJpLhH$_ ztmeQ~QS|gtL(~1p|Jf&HH;ytJaXX(nG-Ew&|7x5P$DwxVP+`8EOxSsz$0UfuqifGA zJkdhHkP|ap5;kO?QybvJxbLJEob;g^W11QK9#+LSn*(j;_xi!g86 z&tN9;36RET-#YhqS~hbvb+iA(I-t%!tf(HCSed@^@>OKq;I+&9c~-bL0IZ0{ND2_qk%) z&(E*lsXBKK5R{zC=cDk2{t$CsUxyM4I8y!TaRPtBzszYtP(v{}Blc~3oq7<;+U`ow z?jQeH@CRO9jgMAi;b!9!=8Dp9>l*wR*Hy;qj#@s02;su3OL6E?!2FIEzEL@-b~En6 zVbDB0Rd-t6hdc60!Hs#+5TVy(!3blZk`_JzD`8*a{rQhmRb|{-ry!EKrFN7LiZKKW zz7A`bDGT9mjwN)AC0_ej92pc7dAC!RHrn5qP|#%5x{H#2*PYJrq7>TP6Q>NYM;lm` zg!3d^L)d|7Jo%ds!Iz$$`#j^RkDhGL8dA3#6!u|z8Q0AxZLnwg8 zuE*;qJ|P(As}($?(BX)?!{R zL&ViSCk=-so%ff!>QzXJKbZ6y)D*(^Od397q$uZRhn<1N@u1hl;>R2pV9lZZvweNK z2-8ope4aePil!8r%^DAVe>ALKSu)6vDmL1S|ccxtAD!uR7!@rqUu&8D9JXKWSY9Juk3+*1=^rHN4||;H@G- zxF(ZqzIvMO`im-&pCJYI0`AA*Dtu3EMjuO}o>&eGPXi6!@k14lYDbgRuP?JI^mSZ8 zj)s#_S=6d?p%&{rPJ3I4CBm26)w~0QXDZbsk2T$>OJ%Gj9sc-x_dDk*Ts>+H6%NLY zA(}dtl!2>!M*@faLTzj!k`u~nDy%pk?UrFLxp7lo$Jx;}3zi0fp>$=+sLm>Xo_6K< zFxAV2E0u`#O643qtKZo zQ49Xz0=GAF^q6m{PddjdYU7Vn$l-636L})8EN3~y*0v)11~XgVAJ9gE@FJ{)L#snp zy{a60m)Xrz#tNB%d9*EucdCpR1l|yD$U$aH3>BKLN=9Sj=VnU^VGmNENoSr9M%~=n zc`rq8*oT$;m0<(7b4gwI>uEHtvEFuHWWuvD+jTLA<%5qHx1pUqKe^aW%CC*JYUn?%ih^7-b5lSGq@1g>u> z{Z`2&J27BFqgNJ+t&2Nvh51DGixS5u5#9gK>>RfUv9ZDPlu;g1~2_f3G>-G7DC)@ppBK){mXKya|`6%&;LnuF+yX% zWO>oANx~^Y@Wq@T_Ver}6+SQoc`J9GEH~Qqk~!rUqtL({9E`@ZBu%u1@3*4O%*|EK zz^l9W91+qK?gT{|e?FO`h~n6|gVdR;Lups%m3=kULz{!)+Y zqG?8qfV3?Hv`%gNPm-sT{j|8oAG?x)rbFVvrUTG%?>Ni?@Ftou5adS>xrR1s!dvT9sA{iZ3B1t=%_NnP%i#(kI+ zfX}T_{;21nKW(Qir!J-1?L~r*YO~6 z44IsA`tJQv6)@rdv;l0k->2pfcbI*qs zZ=gAeoHa*(lLLX27=|B(mejeMSMRqOH@Z3v{3auk86D8kE0T~!OFhBRp3qYr52uzda3WaxV>~WT*eNn*HIAX zFxw?#KWgGif#kMZgeIXoxAs1zZk2R*mXGYkAK@N+>oAFF97ne*^(A9dk?F?MJNhhV 
zb)mymf4*{l(Dq`*=JVq$X9glT%0!9HgdK!L{7xro@0fU4Jx*O$J1q?!bx4KWv=o9^ zzr4Ne-I~FRXV&|~lIKUvbDoK<=tW@9rb}+twJij{Zv&rLDRR@~Ew-Q?o7)L*IlIy2 zIf<3Iae2kdls9#cf4L!1|A+QPfiP`FPM;}z>VA64val)FqE|ldI8QLw5}9s2^y8Ny zZT*oNjsltbia#-!G=oprC0B#23pG~!b^aplKDb7AmL{S8=l0f$PVVy8wf5IZ&SV-t zT4KwL2{cvsO=?mJW3%Zo-U>(x&+sVCn_n9ET?37d44jQvHrtw|+E zvKK7Xf*r6IjpNmhIjjyXw;ImjAh0~+_`A^K{4b=bb4ndcSVF6p^-Lr`6=aX(poyw@hk_XT(3!2jHQ{6H7I|HViRQBm=gI3S}Xi=;SkPYov)Lme_5 zPU0G1XtPUL6u+R%ZxgsCoyEzv{M0DP6Xxklkj8c=&|VIUUSr^U|%(#C7t(Z!we zidK~;Qvr**fI$xo*Um-ZgP%7*X$}&%-8s%o-3c9{#u4W^YG?b23q>%tJsOWjeBQCe zdO5Tmsq{YC4_Q+x4K{*WUgN-*;)Z`dK0apu=2GMJf{Mas>w4JzlL+9QTAR|KTTnWx z`D)AAk-f^a-H_371h??r%e$Vi*Ll`dwYm5~M&XWNbB$#}z)3s#70+@8)aE;&GU^P# zJjnEZG;TRiFYWkOM}fHS0(st5P!S zNP&h>R5 zg?K#H!6;oAJ7d;WSQ+%wb=dFuN1`ms!dF~FCit=?q#u}bETA>#&7s`~Xc+|?-*-Ag zo^hDb;d#hU$?7Lg`f~;8UBL}81tO3_%Et5{NlOR|W zh`u%?l?DUUr20q_2Vf?@p}G%y0nWBj)9+m=Yqy&=`WEND$H4)he5ISSC0Z?0Q$^WG zQ9FY1S)o?h?&ZVUr9W`69O#;#fZ5av)!avl2#g~?VqBL8#;^+$0G_*_<4z~I9TAM7 z+uf#4^4qumWyiX9IX9obq~>2)pD8p9sjqe0ai6Dt2MeLF;aE_fiS%abk#zU1c` z!%{hjwFPR|tL*aJ51-N!8B(Iykq;!=P?Ui17;;qbSRqDbpgCCEgo-S^F(1Fb!XdpO z6C8$=PEO5Hl3iPdqaX3r2hUv9yx!x8WoBI{T-l>6PjJDoahn#LA*Nw5a%d5$G&d6H zQIbBe-W^oN+q(PoG+6mdDqa=a3IRjvS5~Sb_{OeH2y>0e5Z~;qKk=mACkIagWa2yd zLa5b-{Rk00Ipy}u&DJ-7|GRUVBjQIp%Zxyz0q)V+^?h4n?FrTrhH)0?ATP9Z?kg3p z{MA2-F&cYbIyUO_4_f-3EP`A5b;cc~40*{z%q-wVh|FqgFBJ2K+s6;4hFk=ZLEX3v z5~<~?2I*7&!ls}{cEfaNJE?FcrU3>^B0{dn&~ZG1CCt+>-By^p*Y0^ps27nDmUO|l zHTvL$uRN<)-$JZL!(($v-eXxb@9i@M={f8lY_F-Fr)L`QJyQ~R?Q{WwotAE|$*_Dy zbYV{IYno+oIx%em5*9o*o`P4mPgru%wa(MJuSiQ1=+XEojp5WOC%uu?xX;D}R}FmH&#=p+0|X}AMI&!8k%Z9j2!)-3D={zE6zG*Q)ML0gaeD4Cgu1_%HY(( z$ck(1e7_y9u7+T9E`sB|D9qZ$QtR5Z9`Je!3@>F!x!0zCh5&(7H1SaIA*H!p$TVHV zmUaQPi85+@4c{QO%yP66zSGF3$9`B&r$q2Zm9qFkAQdOx3&!4&%rFM99V?xLaADrC zmUMHfpI=%@-bKz}mbmhFy7oWP+X>o;5JKNsl-<)W+b=^4J~@ZSf;`+rquC>F!{17f zq><3?u1?_G_9JKGh1YUN5QHkS5pUlYc@z=o)BNB^C9eEdLb3PD9KAVJ!ft9ev2^}# zFGUNFF$^~fpnl6_%r6|FI47rlwk$7C;5=VTk89cK3dU%0X1}7i 
zW!oCS>cDjC+i4F*6T?cOT!TlX;|%GP#xq`%2=IZ>lEZRsf9b$uOm=tgAY2i*dGy<1 z_=anH)LFDFeSx7HauH4)Y@0Fjtq>pNiKj)6!M>@I96Jxgn<&y8e>6_CE>Zop2G;xu zeJh-b4)X*287rdHs0BFL-8#o`dw=2d!DKk!HSpxwBpL+P1EqFDDZ2sROqOsoizT!h zy4U^kOg+3ad|j2TRx8R6uO-ZP&jRNdaY$MuG5M-@eXs(FM*L&g8(dy8hok-8!V4^9 zR%Jyi#kR=;C2Q1oV=mcb6c45zmz@=;KgW0_@)85AP`Gqq3({I5e`I0ph}9G63;5KT zH&ud{hA~m@UQbO$FXIbY!7)u``({vyn(b<{>K2$v%J~FB3xr_HR7>SuQJInQK%$nh$#^LqDvZa3{99d+O$K84> zzKvlcCw=?5w=J6W5IYe({0^wX5os6$jzo@UlfpU`UX8ekd;Vq4bbfaagCB9ublEosU31cBz5B9D?uNu;tI&EUev@Ue{KV&b_tcG$b)b$GcLb;%dZDCgK3X z+OdJxEbW;>w=La=3K4XC7K-JSO^~CtuQP{YF)O>1g{l#4WbKG65!ZsIVbD?)ESvC6 z5@i!V;uYwXdqR@^(U{k?J*X(<(f8rQ%51^g^a2!qa_C}DIemU-b(jm6*RhC^G!{`Z zb5?dayv)1(P_9m!H_034sn-k#$s|q0k2|ZhOCM;TM$T2lasSSYnmr^2+{!M*u7wBa z-c`wRiUSgo9*sX z^N+9ajV7Sys;PR`)DnMm${8Gbz{XTzO66PD**bw1WstsPsw9)lFw$e{wH*WUbpe*r(8O(})P`}%Npl)mgh z`tyz$xf`?ReolOu%jFJ3GR^4;w0&YCfc2kum{81?$xM1SaBRst%{wWEp}$zHX#(}R zXEi)^qIH=rwBXy{i(Y?YnY_vL3BSQ6;Wl$FBgxB}J;@N`^~f8Ca+;|y=ZuuuSTEde z2c>!}YrZJnbve^eB+d%vt_(8oAL>+OcQDxr-h$L(K1PxAO77R{9aM!W?)aLt_TZ&d zLyhT8UaQ%!Z3~!lqw??^H~|@x>FGsed96CrKu8bkubC+W-D5R}7nT&?ZT&!c_*=eD zx*0}R{`8X#Mg8i1?qVPqsIqvwtzbM_OKVT!!g-*)$T4?JNIxaJ3Z85jc4zA#yeQ)3 z{Upkt_%2xcn9r|Q!+XNpam0Zd$2dbZc*N@Fy$?D`Xu@1N*N})Q7Y+LnSR@d)dO%6* zUcl}v!{V^eRtGgBo)nvi7~KaN%rT8*I1@lzRTW)Tmr4T8fKQ5o?A2v)L>67m3x{at zO^kOc&4>x&!VPHVUE)z_65=Z|0 z6hE7@47=il1z+a_?S$ zG`+$ldZxx`!%p=hW%)@Xt1OHue`ac-btM1WH_9aOHLjH2reA-8uqITqqC&3|{it%b zem4JbPP0w+Jdm$^h)CBJci@bj*7-QPI&JhYp(cCt*Dd926spwXI*$aapZjE3T;`QM z9DKEG$|mFS=y^cH#g9K*W(e|P>L1{H-hoU~T~iO(TnoQre&2uo{FlEMu7f55G^1)G zLD5>^CPwpF>T<1~0t_MYtpu6ln=D*G~9#R=u%s|ieR`gs5ycKB0t`V2MAHOwO z=|!O`JGDJpZ#K9kTJd!WgFaGYF5^yROfLDqQd1+j5zd_+C1&2r^`euaG)_hdx*#8N zML5L{P0N{N)f*4Ig?DJKuo8lgNj7;C+3skCJoGx%RilJ05Zb&uR-b`iAaNl3Ce1iV z#^6--TK!IWCQUT2)`1I?PFUiHG52l|C=3rP1E0slXh;her z$Fr=hw~i$wkH;cnrAHi|xZAz>u0G;PRhoR`68y-2T3Lm@PB^0tUrgHBk8if&L8u=gdeZkJp=59aiK57)!YNjCQ*He& zdOO)hJ``K3-koRWZj#d zlzdm9zG|90ugK?9Z;^ImEVR8cya$`eY^aX@T)HyLJp`&>Ck=27h_sNW8jn#^j4FT6 
zv*a>BRZ_;dS928UbNSVA>Ut-o3BXE zx&2EO$BmvvVQQq6csa+Xh*TobVXxP<^=u+h?t2y8<>LfIT|@~RPD3Wn6f-ak^huNN zRdsZ9k|M0I!KCm{uSGa6!e~AN9Bz1a&WX6+&%Lu2IM(mbhr)@eh>y+1G`)T{Z42;o z!VcL3wz{{QAHlSz$*o&pD1LiJ@McX3cB!6}#G2N?BLWRZIZGwQq|At2)FN{IxSf4p z0b!o5|H8DSPs!d`Swc8C>qYH|m4#es?i59ITc8E#QZ!?rA3%<3q>CSoyyOq(uoYIBoA$fR*B;Twn-2Iv1JTYdR*csb2 zeWR}9d$WRn334f!6Z$Je5mwB{f&ksC8LFx<586$xPN7=zvR8z*XIG-S&}A-FAz{?6 zweBGM5_(ooz#lhyo?DQU1N{9gjk8^}E}W(weOcgcg^rSL-&*$Q?K-k)6aE!0JR?|K zbD-;C2U6qIRbC(%a{ZpI*g8Cm!<^b!UfAdjj&D3U>0f}6Mkpj;n}D+w&qH$S=5151sw0d{CEUT4Pk=WBn;cqNzSjo#CyB zQT;0+`Y#Fn7)T^ae7i4-#)3t?dOHX>>s7jC042;`ewJ#CBI!(oiyc?(ikR<+N(tY# ztUg)X{C8=ny0QGnt`>1=+|_OZJJqZ8g6>wOa{HM5y*;&e!q*-Ple~EY)2`Hpn|!Jq z*~C}6Cn}#`adO!uI*oIab}!ofhCBT1bscdcyJo*#?`g`3bt&j|UwJYxjy8G!gM>`f z6z=E9d?4uOEPSdm!VeUdBioDwHfh)Qe2-doqd1*i=byxxNcmk-&9ubC(e)1sv*TEG zz~1b9gL_LkzKQRqi3_}w>=#iw&|x}IOCn4bH8hBwZrz>@;>GES2Ia~wXH(VCW&Qn) zz)|g1)DKs%)Dpy#gZy?@pFmj3rBEjd7Q$IR+$qON zbAsy+B~*aq5j}Sy$@=0)E@hL|nf`flObE7edG9p}e`4WA=n}MO%vyo^D0pgsfBEi* zjWW~%=7aA@Zz0{SK8@va!&^E^LlQ)}q}|jU5YEX;1@>O4_{cki8nfOAl*1O2O66iwFT~!@=c3Evz#QT@OO&r$a?jtDawKjJbL#y8STzG7zfR2 z-Fe6^akM&5@5~36PuEryj)NJZ!}|8k*S9;7(0`KT3NV=MV<~+OZ~(0z5dC)yrMGi; z;_eLU?p)j`PhV~>-`|GbALN~zU(kkV!%+^Xm@IX&=gL{bG2j2780$|&>B1?ol=!ds z@qYx7fr|ylKc34de1X?CC{t`X*AF6_GrNAfUpF4kJIj!#;l^%N8{X759cvUwL|dcM ziIFmw8~vr>Juc&v)4=3aNUM2@^Co4$M(7f%E27v~K}Q2SShS!IamcgKn#{twQ$T(c zSyfTO{#5rQlmA#0XN>}MD7HjzKFReDRNL#hL@@}r46YeSL^fm{_*QT0sfJyKPY~3$5c$}Oreii=kv%Fk ztYKt(#-JM+IG8li$(O#CTo>f6YH6uIx{)K?F6n%l)E+S-BKfw4=JJ}g1aXKzmGESM zP3T%cUa~t@FxX26+YpzD=C1QNSkXD6t;4=f&+qSnKXym$74P*EUH9nOnMC5`1aVHR%>mh7@SL+-R z41GfM8#e%rOwU>Z1f{&jk!zmxdEV%a(d@SDO(9b$Pc{dq1SY41LUnZ)|LlhiLCp^Z zL6|vMfXLEPXOsg7`{yle4+1jwCaG%y@s(vjWEk@njptw9i?nM;u^)t%kAa73wBI0L z`~+GPnLrpt^i3u`3D0=!dX_4^e!#AT&r9svJ0%==ajR3L;uoT_G)5f;A<1OOGUbJS zTivproxr4Z9!*RX!Vlfv@D+X!+Vv1~PSp2Z8HdHGr+#ganKVB3t_BJfaKeXF+fn$L z4{(nRPJ`)*C*q(08;HosE&JY5{TM}1W}N~83asjgOxQnKjgT>&zD;}V>N2R`UDM?V`;?UU3vueTUR_bokNFzU*_wK&RqwMKuhUZAi) 
zj4adN5PrRr;bajQPOoj)8(gyUYzaaj`v>WWS~3I->?^>^2T{4(1c+b=q3f790yL?)^tcaP%R`d{^9ScIJ*T{xV8{3y{W}|zzhS-cDK}TIiyG#K!SM1TmN5Q zzBtj(_WGqukS_*2wh+gf`%U6Cj(B+=f_MEwf?~E88B1k*jmLC3Q`efN=r5&iG-n@3 zf+a~=D>gyhAB5X{I_FOZW(d@+2npYzWMzc2`B-!nBR}LK_y{zuaWexUA+K{Ez0*Zd zQf(35+<<00K{qrfHH6b>2ht4)W1dPZ_NNLa=Lg--;usC#d<%%4xA15MHOIxsG&VT; z55mk%YW+9lDs=V|TY}781h6XwXL{$LBPXjt?=nmZ*`j8?3}oTwm{p7r%Vd%&$# z@azDnNS>3FG_wG!QxOPw?8oP=5m=kzqgNYSkywWZrNcJ+vTG*%i?*W`6Gd>qF{*j` z9|B-1p(aSW@D zw`~vXhVEo#Eb%tc|A1jlrEr79bpFUmC7N-5NpNfqHP0oUp(jz74?a1Xe~Q(Ez&TKZLpc5qycQM^j*7vAg%E=xcc>syoN*McB!u#T1SW-V*+XYx!l@nGD zf2u?<9AX=@ItqOtOl?9SEdzvNX}Z9K-Il$b@1UJSP?ee*CU1csu=5FmJIPylT{1bOHXbol{pv*AI? z2sfx58d35Y3``?!b)L@`>aJ*A`wDtWGy;J5@r4C`0!ALE!~;-q)*VsdbUM3gai85k z!J`?kjf#>Y5Utd=pr$w1lO3P;Kk5VU(eGe-mjOrodI2#C&{a{Y{Si`faVpj4mtjCt zD+0!Dnvv)Nkev7}iBRPOS}H2m4nIaUOg7eZ{kDhIaPdi@(=S$52-K(Wp^Kn59kVO* zYBb&u+Rr~f1M&=z<0*y~J7PjB=&H2{Iosa_jZN9n2g4O~_yV4x0U_yqPVg!x32H)T z)yK}bn#uMi224uZ??1dIz$C@7Mq+%SeuJa^R#nANpB_j^YGSS2l|t)U)2m5a#-l=o2=2{JM=ocyd=;js;b}Qovtnbu7S|>|Cb*AF%y$wtKNIL;b(C0RN4d z+kfh`r@uQrX}4s08wAD&VxLCgHvs9jlW*j11vtV&A^WNtz^VIYhj`=V6m-~{qCOjC z03NCZ?_Cu5T=KjIe(3AfA2?;tXk`(zttOB`xXW4Z7FSoGkW2&>lB_V=981GzIh-#L zP#Gv_2|M95CGpUJGT^}gKQ@jYM?6P%`c@zjrJ!`>QxZLE{6Cw+tUcLU^B(~Kk1YVA zQ!qZn16F6VnzT>*ZfFJ0%}uk_lRCc7eAkCZs3Dv1yVf-8ekp+A8Jl;9fECN6oq-C- z+SK$%69*d`P5a+?(<@g3TWX5Qh==2!jdMg*{R4a;nk%JY3W1H)m()-giQt)>bpdqQ z3fEKf5DB)3Ht+|Bv0x(dS+)rZ3I+OupNwl1VfCP#&7gF?b7zZ9of>3-4k|Hu(LdalnJ5CAv zx7RABQCJ9`Ny_RUTGIki6K>(6u)%_M-jJT(bbVzMW$ED1YA-t?ul^{$Lt_SDTTw&R z{Q>J0YvoP%D>$<4Z5&v_oA=*dfX-BLamoKzzN-jEi=2*X0GKT_{&dThJbh(3qE(Pp zExKeIFOM3@V>9X7-)>Cnpv0cKNkn7%Jbm{UWHE|5|u0A{fPkUuRupyo~-fW-4)|dd>rwWq#*IrS0J}a#F$JI7-5ICu+7U4B)on zV`yV4!n*%VgU(l7BVg21ZnkA#1!bm)aa=kjq9hV8=cuU|GXL8}x@B1})_@?%Q^B%d z1z?M&E`|R9ON>j9GqRJ;>3>o7mQh(o?Yb!4Al)4T(joDZN~&}t-AG7xcehBlbc2M_ zjndNH4e|ogbtd21>x?tjK4YA-|2)6odFOM_JFYwCHLo^vUSQpExGKkHrh6VPNPAxv zxw3u=k7oHm9V%XUl?j4$FE4Q2 z4En=$Qvuy0im*Jp8{4~$vCo!0@>vlM7SD?LFB=VfZIW(44lB0A8m`wX@s(wfUkr>< 
zaP2@GK^)wn9C%>#&LXL18mN7ZcCSo0jkkQp1<;(lVAQaH?i83q^o!Tk4)EAFKAm&G zSNbGZxAF!MznU#uu>eCGc6}@?iZ9>30woJvM9F|(!2eRW<$nQ-4lXwU%F7PMxj0uS z$8>+MnY7%VW+fE_kXbo-VNkU*ei2P?x4V*CLo1|n@I!=;*kYl~On2L(bzZ)I_6Bm+|n zgO}jD$6gwhgOF@gAO5`P!DLbZ4;COZv#^J-oqsEnF46-Ag<#HoU}%ABdgn6M2fkgq z?k5AV>(44)uVi1o75>i#<%=f(DayM2kE}1cY2d|J>_*Sn#pW;cv`$O{o&Yz4<>;}c zxmdL+VirZPvcfAhV6WL*X!oW8#BeEds<3B&|Gr}v)W(NO0kGqpz~%j%3yNk0R{|LZ zkAQ^)kI`yA3-{9@D9+F9!rV#vR9IBN4zI!t^Fy{T{{1s_c78@$Ax64s2%vfS?Mo@x z8k$xgFo|rxApQT19XF3pvsCG>CoS%3ii<_p3H*Fr;2+QWT|reQR{c3A)uRKecpeP| zkF&p&>|V0A|CI_U3!#H-1@q9P9%#O@Tu$9a5Hlk!xF2eKYHCZhDlvxY8Et)(y5j6WB&CqI}-h06c7Hv>{_KEml=c$Rqif5g7`AC2I< z{G1Er_kWP3u(5#KA@d(ZhIJO$2D*a0T+Z~CI`oxfxhgJj$n@U_i~-ImFm(J0a8C4p za8Bs|hI70x202Cl$#INg5FHqoV6t)DPh1k-FQ{u0{sqz@+Gk-0LXIpf8;W>d_f8~w zg4u6{V6dOE1`agfoviA53IKkxb8G5`x3*}qCTB9CT^9kh zZhuEo6%D*bib%H>z#!cg1kVpVJpjClYUKHquDv>Mt)PuOd;%~*Hw!Fgzzeqio&Ey+ z>+7;<#+c`U_<3t)Zk!EuEV$8Q_)IFU^{{ai35ApqSW#<>oxo zOXSEq$AFGRH(!tV`Un4ukTqM26{J)unCKYI-{5cEm&=*KNRyRXxgsg}iGuoB6|nK; z#*V;Oqgeudif>nX52V^X&G8=rAQ(3r$3>fMI(Z>O8OJX3L{WlNFReAdK~wk}O;mN{ z9ze`(uEGKT@H|=#9v*HlQbfM-ol86`eMuI`bPGZ+YPG>?nTiy(LFh?}hc%_c?!nI| zggImpUx$VH0TVo{Ee(6V8!$)(XW6b2D~16hRX|7pF%*HBYwMaH z(}GFufJ^Pb>WmO51@(`>$=0vW7)q+ma1vnNiuUOpc08KtSB(3ho(5jK4`2A~z;qvg zr9GFzkOnBVhx++rR?VX{tt)?*lawRo_2m7T{)ax&3XxZhureeA9VLZkU52?#}<=GmX(B zpJBVFHwl1)#U5;e=)Fo&o?S&CzG(TBkLbO8Tc)n?Cju@XsQMq|_s{L@=Gzb|Y>6Vn z9$tUqCq@~0;O^E22beJYez?IrIoqQwY2;_im<)H?=}kt9wNzm$PXdD`$kE7Uc26GL zDg;U(QXP5*3<0F1p4njC7iv1caS_RZLZudn0EH8@(xS>>zz&KtzWoBAizq6II3LIm z*~%V>m9B*iPf(v1ey-4Y4`XOUYyfiFu21?OM#0|Y>(@N@+B8zJPs%L4;sZPNMD?q2051n*<-ai#-yjz}MV(DgfVlGmym!gt=cp{}|eoT7F#NUy{a>+QWu z{E0m4uGiCe0ow=^-I@$KdJ)4z=pjWNn$}EP#IE`uU0hl2F?&%ua<2q{i=dUo|3JpT zSm{k+p3!ha$t6zbEv=ysBg{H1ahCs0x&ICOBX>In(Ef?m8C{_L>RoGp(4RAihAmb+ znuZd_Pf`Ill|Z%57avs{^ufhSCv2nr883ms+EaI1O3(TM)!xT zjCGa9p9{kl;YQyLH?3ttPa}wK9c(xaviwC0jjw#J`pt#yO@z36f^s)o3ku*PB)f}o zyHn)-W>j#9+I@`i<6JE4J?Y~DDnhyuz6LLKv+1FFAKbbwHI_Vj0!&lY4nV{Iflrj4 
zf;03XVG@SvJn@JZFnol=_7L-*+Jb;riCbLJd;s1Pn=6;~**ND&>ysnmNfEzn<#!4{ zCt4mh_n*?ABipUiYixK;Q>SFUtPy9=9kycm==M&fbE^4?& zN1H2{#}h7TqmsA6IZ3UbT;N5$RFM}d)&*a1*^|Y|j9NfDS73#Gm{oE0nZ7pB8Et6J z@H1PMiYOZxzN1FU5%P?g2kx`LUz9P$%`FEp`A9MV4TO(8xCHY}X0Y$l<@tW?K1elp!V8R8)PgRg1$dmRu&H*N?YK!}VCJe|#RZ}Va1^SZ z6xV-n6h-2oq%4KxS6YyBmjN>cA>}n+IeD)*@{Q8UTZvwAwM+UE<>Rwoz45E%FUsog zj-&9dw_J|rR^m~~jR!wAE{K}EY_wQQ^~x0sd%D@6Zuc}rp}RR-bho$MY2*UpjO4EX z{A)D;3%WcAmZ*WiRcPaK^Si~%<>$Ls%DIHVj6s~mE(S5Iw;%Q0G}yKXn#eK`CjSdU z_WWzCr9`M0gS|w3!50nN59Y)@4tSsI6tKiP?{h$!hTL}OUIq{}{-TL8n7Y8PP$(Xf zl+6nMY77KX0tB(nW7Sn>lrGKu*!Vd)3(I&=ix2DHc1;sw*dbwmO&&vNsy{}+LO)Ay zC&A*Ar>R!uoNuWZGDJM;Mcs0>)|XBhx5oA4C_K1)_wOq}CYP7Z%EYlR;-oI2Oj#$z z2Fs*9IW~5E4^e2Ko#3O5-okFtb*{^X4Qqwz(AF?VJYbUck$w7r~)Lw7Xa8zYougt6v(-s@*z)mLp}S+OW0 z1w_|kIFbfTtUkEi9Ay9PznRk_;0T`4j}-SvdlEn@K78eFF(9NhZEOz#6Kj>`aREqV zlEv;htYgl_X?&(J!7~KdYDLc@J>t1E(dPQ52tS-g*2Q{AhdOlOANng0*AWUUwph@H zeGqqWd&Oa>Ka;v(rX5?nFbWQm87)4YZws1Rq8t#Kd2OibCD%~8BEuZMz9b9#BIm>A zhpUTpO9gj^zH;Q~xWI$p*tk)b8;O{{1D&_2-^f+ZAxc z?GDEDyvoFuhb6GBhh;DCuXopDeBb>Fc{em^x5r@>D*i^S@~FzgYg=$Nw4m zIkTQs%QoM5&ZevN;+cUat1K^^fr=a7L*RQh(8*+Gxd9zEgMfJqF8csM&B04k^yV*( z;*58t?um{d4R?LEj^lk6BAQ8A<;@c0Ie!AquwM`M zGkulfX@83`_4lq=`m~7yvkZmTbIAlhDFcPOBpjo(QyeL_4iGY3Zv@cXj|99io3(oJ znc;MiEaS9ACw)RI%oc-f7^?y5636e!;_~(kEU*&k{OT%`YXXFrzHu*&W91}liK<5VS<2PkGIx8S76&Wa% zn$glTnK2kB8~$bCT%<;lX2~_Va_oP5WeJOX>j>D)da|=w0bNG3FF4|^GaF1s2u79( z(g>7E(D*bLcA)#q57%Au${6Oh1njLMMjP$h%=a_>FPFvv@9#z1s))J-2Bs~#y?t+I z2RW(6`jjHpZUW1?%p?v8?;v>#v($<~U$GSzAB<M4IpFCE& z@G85tU^Qs(OT3mHZ&5>o=-E>boJWWBCdkL1{91j z-Jfurdk2O2NY4a`{QOAB-2Zl2z0U>K6MV@j2Q~AClj*kzK`(Seb+&1}QR?w?lX96c zkh>|nVuYY8?&C(dn7Sz_>W-&|TS0-wfTYGy{P`%u7}wU%c?Sj8&>q ze8IC6!br&SLyjOl)|HZ^49n)Z4vW6i%RO3^rVoMK$c~ zYkKFHj=0ls=j~VGm7k5USL`2*OswSu)mb7;I*)Oh|G2(clI$%=s$Nidv)dEZrhVTB zT-xq0uQxcA=aOjaE+4nm`>$xaV7g>XoI2ViIqX>7}AxiTP?X>9rb*(W&Jm7%cc z-%vw9Pb{)Pc5t|`B-^=K+GcHcd4{6J4pt?(M}>EY6!(=5cr2s^%`VDt)!?*jQ7rMo zCXV+pD1~+S!N?$=ZQf2e>k6#kHw5d7PWW#HdrPL$p%ITD~66vLeKde2f 
zV?GmkpyQfLH5RJwT^mw9tw!K@pILn$A7h}bSzw1>R zh5d(wH$b95+b`fnd0}}`4 zYyA5?gr^6Qpf>F4WRZvwe~%AGEgc;jet=uFIA+WCwJ#U#dyyBhVbS*Ij(%7#vJ}d> zTwR>h_S+g60*gu_zNQ8grA8E$2|H(S&oN|e0vh=e< zXYA!D%sOV$KN#9HhQwu|<7olP%*0UHzD1Ssgg4`XEWc1;S>LB=rG`_hyrdOn?0Iq= zgK771l$_2}^GY{H`m3ASePa8$yHXF8w^!@!O;Gub%()U4Gyx74(@+4+=)(-V6%qkQkH*C7m@I+d)gh4CMk+3iX6oTH*TucT$@DZ6BqTCtB2V5A=BPib1H#)X* zPj1UAv)Y9-6-x@X{ceI>^GKf)vYV3+-~^CLW93T3iFZ*%C0Pk2T{f?i1RGHvy;v0! zi9E?t*fjK0=n`~Z`U08DLFM7Z?HSQSwXum>7gLB`JN;WxSD6wNI~Zp$8`@OyF3;#~ ziHEt=z&6vJayB%uP#j(Q&HQ49DmGTuVvwMY;FJjtyw1Yrb1whPG0T!cI|;`&oTT#w z)QW4$zhVy0mM^E~3A8A4-T6y%pp?|f) zyK7HjGjV6bIXF-da&`YMRM7ZBP()3MTJ6-8VCpz2yN`W*Y|))`xGAFM&JFZwS5lhKp{5N zCEE()C2!|lq^J3y_TG?|0O&N{;GkzLm}t%7N?Fhbj(*vn_uY18e-yIyaqWfeBThKT ztN)bgP@qyvK@N}dufis>%r*`1+)j-Rk!GDHQ;BNUww;Ctq#9Afp)ne-mr#??2nKxTQyZrG|gs*dpsAm4`^A2?%DgE~>03cADn3@WH zrr>KZO^Ut?jLAMfUjBS;vo*zBxOCoP7+xid&Ca2vo`B)Gp&X%Q z@aO-*761UgpI zQ+|)xcCe~y1BfGh1ugV4MQPVI|+d?>zS1r`jhK@u9*~Uxn8~6%znPSap(nK)59&Y(n2BJFA4^+4%}SX z7i;(XFyhPA?3>28Nnz=@TdgIM7XAde7^gYkPQtp{Q-}3Dcw{OPsr|zU{n_E9^n)6iZIrPVp6$UB^DLE03#VNdc5ioLG2sjiaU2TWTSL+4 zZu|3mgq801?_^C;t9^#3^Y_!g0dzH2%mpR%h!H zQ#O7qAweu3XZ*$qkFb%qghoKd zBRnR%1y<^7Nk9|+)g8eVSu96p!!Ey!eyp~f1hQpmrHJKNH93ijKiPnd*o(`n9KD2Y zs?WA>te5r=f7hN|`iNZCRRyoQudeaEUCIwmpt=0FrAD+xC_Nlbtz5>Ep0I|BwH$x1zI2pjwGn#+eQW1;#i zgi81MQz2^{eWnswn4^r=C#Zg2p7=`8oI4hzf?gO;m#NpVqGx4gX|=l7rVqRC<%QL_9BPmYxnc;p9(4vHqN~a8 z%hKi6IPH#pvS!Eb!60@0iq8gWS{MxfUD%TFSp4sH`HfSICS1Z5e1GWKu7Vq=Of>8h zsab)nPNnhE8gP{x7Pu?B1_eF#hGz874U28M9FB6;{e47E9_4IQ?ev`mOrJ0+8X?4h$b{cDdd6 zy{Q!PQCmFEtPHLmqwDikgqF%{QL=ENe?udy5LVi&l;!a!BSs-C_B47*3NTgdv$0x5 z>st^C(xvlz(Au!s4>yr2z+r{eE)%)Ga6jXVLpB0d^zDLY-jrcxW&v~y${QS zSfzt=Glb7c@Zp2R^+5v7_P4TLgAvrTEcDImwh^}9@7@lO!NN+HuSp6uEvz8`;z0zK z>n0o6+>yPtT%NFxGd)D_;@1IdwblZ$It$@`aC7`<`5wt{u570R$zr&ylO?nOg(n>~ z-k{)*BZJ2z#Mx=c6#EZ?jA$@-y}$AT51gE>#@~tS@qO>D`PLT3L$@;wLKN} zaMhQc`6m&J4R9~)%SwJplBymz`{8^bI+NAazLM#9GyyBdwE=6}>paUQw`QSPWKUP% z$t%+jgAP&J%cK!_)8dfh^*QG4z*<7U60s}~-ro(WUnnczi{88u0x66@7?u8E8Hcul 
zBoZXSGR}A|cdFsnVL0SZ>0Q(zsr_R9w?CRfcOGr`YjUIpg2K^&@c)Z#u@(Q_;6YL9 z!pH5`EQ!Boocj;Cq+%F%u5I6yynd6S?>2;fNlN)Fm4*372ys=Xvt~sL9yxDO?tV;aW}be1 z@HacNfV?c_KapzX$N4xR4&R|Ivv952f(%_Ml#{wb;_y6s?5*3s)>|R&3p7QbaM&eX zYaY497XD^(H>X6Y=xhNUF2qp4+MZ73=Yqoxvy`UTAbcBatlz*JGA)lI=~QswVg4(T z0qxt?+>qC}_)5RwSC}saLIdz^Dp^=&ZH`$tXW9Y#D5^{~Wos+wOC>Vo5-3!ZbTyp4 zcTt6%NEbB2no}OrGg6-)O(w!Hko7l2g0Iw8PMX;4^O>QKV}7$?v5mdc*KwJO^bX76-c{7Gf-hc&!QN^qiMzql>*dvdGb4vmk$9d$L7lvdpk zQC$tnZcFV;OJHeaGV`(;^u+$=4JOlco2X-BEh&o?GCOZC4vkWaUPWEe#>SCHp%_E6 zf1ieLz9>N9m67K?yX=IbR|yXoE`<9;;dp&%!<2|gDSKj& zLrkbqjT-MOGreR!|sDsnS}Q(p8e`L)m7f-q!xnGG;tRc z%nb}v6d!Q4=JzCFCJn(U@MI>|-Eg>MFdQzi{qe^4B_k^;%aZTi@xdF}>h?8yl&8ke z%aHLm5*9pT>ym>`V-Ihqrs0;jdk`zn$J6SWY)2;s3!%Xhs}f=c4* z=2kvUhfc&!&Yyti{3FrN1F;+K=a=gJdqD{ajLOPN9^d0ps%aK$W|~kNKJ5AEA~kc`N;*}EKQ$1W%f8HFGsM-4B#Fwn%Fg)ZWf>aArr~n6V*!6%Bd=GSa`T=L#31?QSRfHcQPowzjtKiC566 ze6NjkU8dC!vaYXBH-FP~x;;=mT@RqC7(%K%y&rFO9aep=N-ao5SB1|8>6&-5y*N2J zVFIy*p$+eR=L}e7l_f3U0zzYKmA}z~Dj#LP7$rH95fX>| zHoZ_*X2xRvtKqX!Bjj%TOlnP0XTqEETsP~Q<0)}liv+jK&dKR_LP>kxd6OZWJ?gex z1eF0;ypXu&+Y3W6iq2qO@?xYccxT*7>xlKx5C`4WG^O$&lJ^-3f)I2q(I)@g$tY~N z9=nsD!?xJuHGvm@bgae$a*5u;dc3b+|NO=nG1&`XiB@X7+Zwh2_%GzU&4zKOt z4-;7m&0{R4wI9#xhD^a7x;Kq(;kUByV;JAf`|UZqv|As3aQ@2^{Gc<-S2Dfuor6vY z6n;?JU7fWAn_g*eSFh)f*gEJQLP+;J^XVcli+c>hA{pWPPY)QZmXrG0+cR6X5$On{ zXVZ__8-F}%SC1A}mcmfjMGxk-+dh6~ks&uiuBs@UOv=TpzAB8tA<)k`roHcOceSAo z)0ckXP(8b09pFO!rOVa6b^R+ng40~FU_bW;+?$kox=~li(cSi~A%jn#8Sc{BYsuXW zN!wSyHlHj`hULvwuR1Z+W!5) zbG{;U)n?+g6Du;;ZfM$1DeT^5Zotq>>xv+Kgu+H0A0N!{ojOmWe74MUH|n=#*$4II zGmVrwuCQcM^W*@uUz*9tC#@mIoCnqmNJjyZ2lY*4%gv z#ukj4UKX@y(3OIMq)TJJY&#(=vE!`^i@P@O*_Z~wYO_nXBdYmwkH!u(Pfz=;%1-EW8cI-hUmqgr@Jhc&+zJlXEqbmFfv` znr>M-=l1Jf9r>-UPTSHlK*J{Vv|d(wp$Rd$+f}6aW>dd_)G>>inj%5ENpAL_>n_B~itG+Ofg2%GRE;LvvFvyvVJ9*_kk5^C zWOOJ+@(Fj3W-U`O6qKUl=T{=~Ii(x&WTR;@q=nX91}ZtZab9xgW0H*ob(4uA^UT`* zPQgw%;W$cZ-Ue)8|?fePfNV!iUyk&$5t~Z!&4M{;EfeNljS*mBl8T4?Yj_(h>hT%M4#@@N9g;%vgr(4#pt!Trmga^GGs_1 
zzt*%dRkX*DRMnPIDB?^ECYOUZ3g|X-go}Bb63{N4FJ)$E-SbWfVitx$LW|SWnQk2S zhnct_JnzR3ZQ4+{#t4oN)TbFAdsDn$l?I~aAxFLs^EeGQf;dsizb3SXmIKPHXGVk6BWo9l{K ztoS-^f>?mRGsp)nr$DzA7V~MMh&8v5RJdc&8rH}c1Z5>H>V6qaPVd{As9qKxI2LcEnpAM69glch%&B?w zXI>U~O|j^W`05eoD$ZVBip3?4yKChO0dvX98^7Z!di{kN*ec^fXb=w19`*(wjt_-& zJl_FqOY4d*aOgOO+CNqZ0^P63HwlYnHbBnWF+Ys^BjJ7bYRnE9YJPX3wZmSFrEzakLy4|lt zZ+CAuHR=cyF!;g+012eZ}3PH)aXptC=P$I&@5ZL6Wr7_7rAa7MIq!?4jI;f zF;m-1JNDSa;2+B&B^PO(xqnzHl0(3+>OX;Yg&Z4;HQ1S87GZ8Ts=c0@TL9QUddrj! zKD9CJs!9$Y2@P(p-FQXyOgrj$zKJWKCw((je>T!|(w^?)T77svqG;6FMV$2Tnk`FL z3HQC1qz|U_>)wfEg)}xACL5zH`ET&jp6|_iVeye_S1H0pqn2V&XujgG%*isPp%C3v zTX>Ds$JLB^*B6Gwxdj`#$(~HjpR~5F+pBr#R8{| zKyQq4BW8LYl=jd6O75EH@WSV^fBOZG3EsnI`RDXhl$YPmBAGMwp~kV9AG8Zu zx|ef&R<>c0rscsoQ3ofemto>3x4;|uJ0-(>S&SRor0ZOyAUm?a(7v21tl<=H!78#A z4(m6IOUn#oX?Ty`RVoP0O$umVF=zrwlzKb8LX(tTg(^@q>R**h;=r#mGP5Uy(?C*S zR_6s@3S6%R-BsYP;?Nt1$1bbk;ZVc2N7?K4NudZcDH$4gfowhf=|)bs)tzfp^v>qI zs{0>D$36GXa9YrAj^9eF4mUUazzM!6xkE3GIeCZW1TEfjfXUu7Lw-2@wVXUXZW}G9 zN^gztgC{Rvw6u;6<^lwFZW>3zS`&jpH)0vf+0DHBsR_z&F?;Ue4e|d+2t&~~|2iw* zuz(DeXG~d_a&*jCq@=R)!gm&?!G+7&4R&9lzaMKwU!lq=Kl3eiRaNvs!p6a!8rrEO zEx8wc^Ouy;OjA|FxbTiG0!!P8+&EjAn93gXGxha&pHq+OQ=R+1CE0)?aBAhlhr*~5V%~yHZBSZ_8Woa(j;h!3S0_uP<~A+sZ=ygEV_!1*=(2;W8^_uAoVQsc5d`b*w1J=$cXZ3NwA3xcuVPI!LY<{Z4Z3;WBf%;utki0bqovGX>? 
zY$53Pr{rIqKlY~+R|{-*e%s`c4};9xoRf<|la1qLmIb(llB=4rw|%tOT_V8EdPI+$n}<0bj%jtu{QNYoE}@%pfaPN81u3Smpu zj@Z}*@Cib-Z_Cz*`8Jm1_qabz>Gf{qPh?ka4aGiXaGb-ld&Or{~G7HR7L2nCr<^kp;zi z6ISbJO^bzI$Of_d(B0x(S%)EWLz?yA5=*PwHNT(0@}ScCvG@TZ^#xPB{xK@*eR{AN zKYZgx8;FV5|!qzf?q8!Ts=KF1Gyu3TQxrf0FIx2EkT0dx4d zwz^~x=|&?ZA39Rk*DzG@`;}>ro#8*`_?3n`g|!t*FHdg^QrisX%o`n2-KzbLE+$#y zx-lN{e>SpO*9{*?pj}4E&7yv5LjIm?kO6sb@w1Ru^U|W!M$7H;?#QW5>UD@DWZ0A_ z{-xr=u%bbiSMtM*8nr7owixRq_2dcni=6=rrYCbhxkdNc&>P!3br#DSEJM)`gUh0t z*M1RK?)p=W9UBdO){$aIP3|K}@YM#3p>H2@2yo}`+EDi>|HQ;DU|}5CNP4@mPMY75 z8?{{XFPb9ay(T%Gpd8~}pg+7xZ}hXMH@x}IOfj9^vw*ffEMi0Qu{NRd!=;GvqG8tZ z{7sF1D`7>g$%v-^KOGo8xKHgu(4Y1mTI&os z+Lu`&V+qVKL~yq6?7G@dYr}m|zVUlrHuz9ge^^MlTzhSM=gk7Q<^rxWTy4jys~Mx; zNn=}~v3vaPaV5Dw>5(S7u(J9c_NmFGNMugN^8_F4S4&@woL{^zm2AhZNZ9qtZ?73N zviqewhK1Pf^5&+okI@(OtEl4lTGXy;7(t;7wZ0E6q%A3f+Qm`+4AeLhgR^i~javxZ znrDuVK^&IOXXiX*=81SznS%n*PC(Iv^f%^LO(F(xN#t^4zZ9zMw}KHF1&Dq57L~-Bj)6oEvemd)T?Q zdl;KS1+-jJ1MK*0)w(}$!zgw}GIvTzSMM6C&7EzE(!>23#Bt8LL(oUQ#*z0tbIJ=G zloUjd`x_%je>9{=l2+X^MnJ>4_BP!jh&>?*NN|E59*{QFZL~=v8FFGlUAenozr&K+ z6Rzu%BNu||7L5t5>;&^Lrr$Z~PBOpQJ+l_S)uwJkleIg`)V~=m1XpR{D!f!g{E2le zdDysY2}b4SLf!i(bfS9%@BVC zY)W4gxUQ(_f|%D)aL@bI>t`;Fx!RoCoeT)H4lZTH^T$%?@I5tx0>y_t%Y3IUh@I^+ zUUpI--oF#`V3>XqGseA2;($@KL;Ipl6S@BN712g`TT2PmpQsIs*4$VrY}qEUSk#a1 zqu(fDLtQks6dot@46|Noo7vZ`2!srH+77z%dfM_Hn`=AgpWb@DfI-9@5~;;l?B%_K zseLDYWKYdU(doN#A;tcE){5GNEZ+CGQ~#}l()hY4c{oLugDgq$*2^*GV=mcqehRVS zxY=|@;c$5bV`O-)zh~d88T+ZJAU{4Osl!+jMRL1(di}1uCF_8HA7Ku;6`VK4Ekqu^kFBsoL|fAPzVfdZ_R@mI?5OwCSy%L1 zcB>K})bE&S8vc0u0jB72jh)|YOXxfj5!T>iRUyo3@u8|LKm2JwvGIj2->5n? 
z8{3k}P!e+KS!*K_prE)ouUP^6r`q$1=}s6;jS8Friqev{AXJB+}(a)6n;QX1~P z3#Vlk6%vIuL+xgUAgvyH9%D34B6X{q~^piA>dfM&7 z7$MX=q6PK6iZ2aB7Y7GK4Lm4(H@McF{zymWvRUe^Ua1PWk-6UnSn^^3X?3?;$^MB z+$W?3oN;hW+zo+|HeAvgYP6fFjCN;haj1Ur7a3P*A=EZv$DF_JO zRbH5GPlBd%IM*zHS9GN^yE)4WJ4tAb{p56)kuwj`@p2DDp2XVO*BijEPTOUca`Dz& z<4JZIA}lj~8u9I3X}YBNA@=ge>MUGoIzDdCk2nPE99TmnY@tCfHxjsSc%&`JeP#b> z$BAGgh>@VTxiISyjMy(==KwJ+aEk0d)y4Xqm}m_o8PvvNM+z^ z9mI8P$r?YeL^{Zu;P_P|<@Q92WkPqYlsXb9_V&KBU<*db4_vCjAbVnoL;lv0e;1j+ zs@R-ZVBJ8r_e%p7jSTh62&yE4(N-L3ffI+l%0e+g1lSHNMqyDezx)r&a~hkn>= z=GlUq$s)eby4x#EXQmbQD(fFU+xYw&g?st15ko`GIszdbH{)K>9%ZWXFztumR69~$ z<22iXU!(WBAxwK1HS7Q8u^=z@P|h-66-6s&*Z;197CRMnOh0^w&*J0zi9n(4EKu<; zb8b?2KrCzYdk1E{-LZ@X+TsHdb;Fz!^m2R8qU{QK!vd~Wkc6?r!E-Y0mvtgs)=2hd zkl*BGYZ0@qz@BPs5&Mi$_s{WB8+gHqJgH(qL@^s=4if!hd?QYd7Sf-TbMtkROGB9* zJhUoxhI-BU$v3C%1)H}X)DLwj9LM9UU3W&f*kUija}t2G=O4FX9=!>&Tsk zF1!ELcjU5dgn5m=BEwx8YnasZvc$8qCU!bL3!CM$eZSj8fHskLfLLw&=@Zvw?jWn3 zsmkG+)s@D|r1HCBiaUu&%{|TniMZ{v?1t`Fk*Is_1w3Dtc~2A}G#+}B%sIzXrg!ys zcrCxP%<3>%Cm~t$IrD?W8qnU>iq2r4fEcBuWuk@lM4dfOu@xr{4_ewtQ8dBpo@U>= zAz7F#RiSYoDKw`148N;hMd$Z|5zvG|ze^6Rg~p8bx`Z&}XP&|lF$w+I|(;$NXf4dv6UHO9R|3+}c> z*_UCqb>(OE*+1HP122D=H~IdG`Dm)`?6m=3y~^*}*bV!5864(OAXxLX)i&CmGU_*z zbESQGGw-1V`=$yd#O3=$hGUM%59!?>t+B$e0TH9nqO0f~m*0<}W3rGf5!is6oC^~Y z{VgmfdD9LrP6I`HOY%oPtEkx=r>az)lnJ{jI<1Dc?28thc8apoJri|<^B0|0Y@Z9{ z=JyEn)4c6+?YqNon2t=I_N3Uk8h;bA*62lB_F5;49g*Gm4){)>$=5eNa9=hBDs~WD ztk~H|Qck+5_#5S*&UaMi_Tg!!TX?$ivXett%VEmVEsU$2Rcy7T1x!cW9TcJNCH9gcHpvgRuT!m;MDYVnokt7O>S$=qoh0pdXbV5g8B{9snw57~m;Yj=&W(E%%V{3YxAhE@7f00zg&XIOK6xL1k z?>~s&XRP$rbl9L5C5Goo`kO)YXhXRJT;eMwF|eq=(x3y+1*5JVDISh6*Q8R?iGm*8 zC|*oFaC;w(gDa5m&H`rjg2Xn)#Eo)^HqaQ^3+fd6l=jsLMtDwaj*aw2jE>w9tCMn6 z3WLuC!nFS{e=@dwRnwdtlM5+&{kJQmVgK9qH(R!7iTDfCf8ps>>BEsykcc0~4xjpA zZ8LrOY@Dn1I;(n%ctTi;irwLm$Ud$>>g#A@!YnreI3i==^|vCT;6pDDGCc zxV!5p+p|aH6Y0yiV*TRnhFH|U^(2FpZbS*f!r{ntj zOw$M#mkDn|Yp`H&RM2s+2De*pHBRg_P{=Cx)(kEN2F1?8EuxL{y>vue^ay0cfU2IT 
z9DVg-uP%ro@%m@OVbsD4`3G1YIZa(>-n;2nZ@0(UeoKU#wd$Y^U2;8x6yOa$fH5Ah2v*o3A)N6sp}4IeYBJ4Zvi@O_^0=^X+t=+S;){x%v2$_vaFH>8v*6n= zO$XH&)YPQF=&JY?w`4#*KJD3&Hrm*!$|RD!Xl8O1c)H zbS+Z4ySqV9Pyy*~=`QIODQQtqLK;E3MPd=s-JoGPT*`XuXt0H*K+*iPS9dpi{Oq zg>pU(M4tCNE3ST|Roqh99)&Ae9zy8Z*WiqWs98=sr+X@fEwt96@+wutSOgfcnck{y z3Gk%wfYr(J)#={)!S%*DN%Rb6h%^!=={}P}2d*fhA{f#qNEAC3V0@qC1AZLO{md09 zNKKNOhg&+lS{*lFiXgh6;o+DEM1W)F`VFYdP%14JfcmA+8q*`B?~+vRS99~Xl0P*p z?Q?9Q$hv}`U5>Po(g&wq&h{9(oraY=3}qi=(5`(~SF`tigtXN(UZ*R0^on>bQnbF5 zU*{lcdXl&U^^uZ|P5`0f6#)U~nU(a(+@c#PmiT%|La17JGyEsvKmzh>Jyly81CMDY zM_1P?1Xz#!BdJf!*W^`21`ugC;yLv3BWH;VVuw}#lLz>=>)-lLAmuRAYUiAtq>OF4 z;Zh4Sml?VCVi$4ZaMk^c%T56%@;z8Tv@AS#oVNIjb&8t5H|6tk1afCc?c9Z|9E$j* zIeNeC;{ZYo4D*Zr(l()+x!X2~d}8m@ zusJioi8lK zhqvC7J@r)RSjhTRL`G-qC_8K?_7>HtSF0{Uf)@fN*4no6-kx$X{4kQJ0;@G?H)Ekj zmt_URlL7*sBdsS+7eVw6I{-UORpKWFRdowS9SnDgKpA$deXahjlCBf3hB-bw@c8}H z;3Z1?C#{Sq(dKP?XITPNem8KoltYx_4&D(*%W2`1axIRI=E`AB7qK@Ltlg*Jvfm%& z27VuL7C8`8n%#;BlKPCH!`sb{=%!zTU(&-BPE;{%qSGk9`mEi1?Y{cAvLDm=R4L-J z$|eD4&m^KDMD(G~;=qm%Vg}Wn5(qhEFmxtu^2)s@Aw_VIiC`eE`(BR}Iy7=aT_;!~ zh{)Pp-XzIj#!4hplSU9-Nv>ukej*M0;e0;QeOCe4JFz)VG0Xl$YwQSDj`Jb_$Srx-JYuC7V$2Yt!*_Adyz zZj`}njNtZ?JCF;&z>^XsGHTIX8GN~?Ht4h?f+zhEiwUgDMtE>ns;YS@4%B22SZw2T z!0s(&BXaOHG^s*Ep|;Puv;fzpnSoY-dM~P_kSvlCEvT$Sz~y;;mBD;et>W^N4kGPh zJH#zNG-Py=X=88Cce(mA92=wwSCi0diukwL&+b=uKT3RNW(1_vMyUj#fz7A@aDUsS zo8H9mR`DVZEo&&P$`q3_5>pfqZ<3k1PRS<^NbtRCEQQ8<9dhvHJ#!TMh}9)hlwHiv zJ6c2@PAo*)$r&#c+U{@<*l|H8)O5xj>J9;lgzY_`IyaE`iIc`il1tt%aivM+#9CHa zq$G>^Y8L*z4uVx=1x2sz;wvF4zWd=?8Lkuo35#=wpoHy4c*djvMK(y4Qhs0VZTay@ zJn9i{JUH2v9XW!C=|>rMIvpffIyJUJlNMQ?sy9AH22(884~g~`UtzY!!V912ph)7% z+8xm`g2-ozZp9Q_5>rIN36B#g;J&e@>Z@0%y0Q@xArNrMHq4(N1)tCuQXSvuWeMVkq2*RK_SW%43F;qtV`oRUV`6CKN_@ z7#g`FJVks@fuI@ZHDtzyuvFQ&!Iew2IwA!YwTL~$JAnnWdRuN$uzG*w8h6FRewg*CO zWmQk913&yazrKM7vK0H_C0?L44X}dhXEO%gML?lAJpuVIp~ggm4<2hT;&EK!o>N^krm1xRGHkA=49RsO6-z z$tf7BKVgG4g~uN=>5M;Wvfis1%6+^O`r zeAt~E3Ju6Xk-H_x%^B|0g-;aO&PDs;r7 
z{6J=Zx1>M!fL`p`gQVz3MEMpq3E`Z>5-QM8idaQBJGdn{lBjpTR%j!LG7MdkBV;fK zG=zE-OxziWk|I!%pgdfw{B5kw~xx>%1@>5PdO4?=pA{xiRAw$pS+{FDv9N!|#H zfZe+*3=a6exc=}aJXc%_@eueaV*9N6Cp^xxTmnB5U@R~_x=4u+clM{rvROlp$634j z%-SB0^NrHr_Br56i<9v0Z(c`q1Lyakt(j7Z`K zZ>y`MJnk{G!FXC;5XMX(gb&=&rr3C#GQ%thg>Pgq6S%@YMgJGr+a-D-Dd^+8A2-X? z!suW}!J9|XSQjt7(NyXfq|6OGe*p~*T-+&m4E$RIT|5RHU}fV>Dn z!E%W@EFuPJNe6MC{Swx#uJqTL$$;MXQ{8tmn0|^O>1z1YiwD|PPz^=EU_R2?e6@*^ z!Q6TJ^_wCTnUG+1l^P=Lm%KSD@pD|lI#77bd*ugQ2Rj_zJUqw2hyxu!z(Z(7a(FJP zrJ0BZX~*PkO53_tFb)&keb7Z%J^QaV6fl-+(Eu>np_q9ZSKk>%b?A z=Ss0)l|f2t4m1>B9b9}zGlq;F{PnkDX2~TU zKY-%K1Fwe<+-B_o98Z^p*YWsGxY5D{Arsg(^q&G%g#RQC*OLvufoz=Dc%M)Q`CGe% zCWvK0=z?irITjH|BLiH-FeLRckY=0qBdCVaoisUug{)(LC=HCyBF)PfJ7Q2a_0b$NOEODL94Bupmztjfrj9U zs9iRtimZ_K7bb=9MIV89LYoX*|4W>esz2?ij=8BC5yMpxm&W1u1zQjH5}*I~JZX@> z_o!Fm0IX=fR$n`ouvMT(pfNu8H||D=C`Cxk5LXBHUxEGb?*0Q$o&k^q*7Qcj}0!_TxH#umip@vo*+^1iGM?zF?O7yn0otU42 zOX%UdCT7cE+6yGp0JHxtS$!nJ3(*vkUZp}9RRVTzUF|c!4XUHh$APkkDnLlPo-o0W zzhaHQsElK!!;`S}GA}}nK77Z*F)W3JyR7~CYVo!`a3ZyBS{bZfmw1DMDTtx}Ml@~B z$ss>zXu+-xMb1C=|8FNq&NjE5uLZV-5k&i-2A*dGe)YwoCL^^X?@{Jb<9k4%!S*G zuHb_r0ewp0r>XpZhDQVuzs(C=H0WKu2(9r(w%LUs)j0;$wHu{X7~DQaK*#6{g3y~v z)>J7_XI@BJ1YzwvT=gp!0QvAQh}A|X8ZkAJKA;{+-w~)r8DQ}Ll#u`#>L7kHK-?S; zIOCPLsxVx?RAv1Oo+pB{(&i+Uz#D4G-Y_7#B4bR7NK7$zMA!Tg|2E)PSn@h`AdiZC zpYC%vM-wmB_^-qYvp7_l48E+m;*fBE#BlO^0SSak0swCA=9Ltli>aafP4lmlj+yQK zU1Acy^T*b}5&Qk=b9uc< z&UZB=AHZq=NH=ln(`Xj94lp5kv?t=kEcGGrSjnMiGFBn6=AY z_g5f?hQ7#Y?Fm`ZlSFB0L+OwrP{~ark*}QS)Ow&Lero znO!7~Q+Z?g~r8(y2Q^1!IhZ{V)phyc*N(rZ~)o&93 zpuoXMs1quK+3Cc5`s^+0Lw=)Gc7!BlaIx>zb`Mz-!*dC|c3>ceijHW$1UV{0W2VG` zHkB)PfT_6(r8p2@|1?|0n1z@aV9&qh1@IbD6Za0(SK%La(2~@L-DNoe^1r7?@F&wt zL7cePVU8?5zDo>3AKiU>p$MY3Rr2>d5kx_Q=AoKli`NoZ8z5$A6GlFI* z{C=Ip5((VprTDzV9W8y0&X5U=-SI>h5D-916V*&k9R-RAAm8YJ#}b@>6-%Hw`3=rX zvKhY)3I3ZQ87^KoU}YD+7-?x7uG|EU79nGo`_unKP{cVx0Dk~~>Wv4H$}Hd~qw;Tb z$N(t;8R8Q+sD|tv8bM7^EDL`Vhxo_PP+Te$Mu4<%Wv?YJO5tkY%PZk{kOcT80MS5b zL8k^2qL#qc0CW@(jrhkVr?^x_sE}{ezlDSMuY|)T;Tr$pZ;I`skCK1Gl>n*gD*@!f 
zEt#CiJ1dgy!X5Q(=xoHnK3kSTIkP4v8@4x#u^ORC3EcZr@fAR`-4Mg&f}pG>~9*4Qe_NE@%hEqJ}1B85rsC;lqF^9Z|WJK+cX!XCqU|c1MVQ z55F@ZnGrtl#mLIEN%4WSWuFHHIxGS{vR>;DFF0$ zX83mlpeA65nawl98O;~ElUJ@ANO+{Mew97@%_bS|IA|b?H26zz;0uF6g#6Qj7C-^TOXrD9u zu=k7cE~mO=di0-UD7YF_ho1A@4JYw;!{CJI^Aiob!ruiwYm5K3T1m<9)Bj^Hz@M7@ z|5x$N;dLl@YuOW5v6x_^FzWAKK^a14I?LhF`9dT0|U3VWucSMpaUL-%&_Z-+q|zO975y8`}0G}3$Ep>w{J;kUK&1+ zUFWx*2(TK-Cx&m=QWp)$ixv9L^4Mb~L7v0&z?8;xVPfkQz8VKu_C4F_2|;5iCvJ?Df3}jSUgoy_Ji~3u%KXDUN~w(6h1-k`k6$HU9KTVArS`-;Dbij9ZSj2X z?x}@l_+4z$_lHsXp{j{ddT*7RL(LA?`qvK2O}gKemzNjtMt0!7HacB02D-`GzZ+C- zW58SfoyPL@e-BTYW$(V=f#9juf7BjT4#2=7A`diiXOqYYUmVpj=p4+IF5hjseCu>J z?a&-kIUrP|^QyBT+mA$^!t;GZTMK0@>>OKhs2w6t2JZ(ud}wc&6(@Q^q$apZP#JDC zlCNrMW5d1a(QxpcnMl-&rz?)qp=ntU;gFQyK7;sn8p!QuquQl42J?xX1(^;*7nY6O7H3&3(|;m&UDH70Qt1 z(H2fx+ZH@Ta>mafERfq4j&&DRXxn!>K|vW;bQ#2@zpR6T@C3e4t^YlgY2QU?zPG3m z`TCEGe$q*xaD*TbkUxdA10%ITLhtYI-`Lvf$cqz;JcNli%XhSV#KI9f%Yjg9v`D}s zoQz^TVBt7-9%=&(W@Yn! zmuV#|XVY@7??V6^oBLH&nhffcCBFa*`)irtPa~sQ75A5j1=D-?Fx;v;xM3nAG{$8` zTmr;x!HJ|9Wee|7802e}f>A;+Fa>)Qan-UMJ5eYNPiLItAQBwWbg-Tm36c;*2DJ*X z?WX+Gy-IT=^v}jd=G*6p`3T(4*x6#fUOc3^&m&r1s08@Z%pVH8 z_%IlNl5G|zej@-jfsxTXUYM|2{hlNMTJ!qHa2gy+S^_uE`@GjP-N923Ob@)4WBB{( zuF`{$*4z(z7)-vuc_?~5?>_Hqo{qM5yq4}jB8e!A9^Le91EZVFIr_Z6gjG%S_%XNG zf;ZzY6C7sag$eP?!?OO?I-E#WBEcYMd?DmyI9W^=^p_NJCMki{_msb=IS(98ikUCi zJZavv+~V`JL#c{DRh1NTdHzYL)2uj&$e zNLy`*?eS?~72ai}W)*@uT8`eRYR?^`!l|W0Q(wQ7#Vl>U`I=U|(AtCBM7Bq!Cb73@ z3R^@%X5bbOdsoGC7STUqno zQ85=btg68e-+t<>Sov^%SdP06*}`MRuPim2R{8+xi#P(sRvq^5Iu2*>)I5;!S0-2_ag#nw*=-Q@#xjFY`acXdYc7L z3Wx%C6Z`!4mpTPD-zWARzTV{lPe|u)LzOc&?U0Slopf-f2w1kZf7p6hNsdmy$$>@4 zgSk?Vn^wl=;(>WYCS#_T^r1Sa$Z`{Rg_kzW(27MrLsfT=VzCj{sd%Tc?N(0O5F@-K z%wksC%_=nV^=PhQF`ETDDP6~3Ea;@A~!br$l$3YT6u22(VQd6b42CYNHWHm`ddRvv>VG zSBnys{cm~m?@uyU)}k9zF>tbIk7ajDs29HJ>GO82aY-FvdutjQOFU`dC^fQ^N1FNe z6MYrNrQVcWQ1ONyP8G&3DRyz*USAY;T3`vq)gV`Q}4wdlm;O~}1i z5j?5uE*EWH_lR0@vgdAf5{8L_ps7ksz&T-w9nIE>8V!zi;l-dl6TGxa?iLGL<#>)L z`(W}>tOvyi=25GVQ+%cm2Ck_AkjdYVcY4^ddup1SouA=w7E 
z3+y8SX>B7y_!zI}GI6h3>Bm6}og_eBIA^>0Lp z)Mj=Je^6HaAsdOLCbHl00y53BGfu~h0Hyk`*AO(P+`DQkcWP@EBzLHjegtG3uQHyr zJ41tVsXrAiBZXp7t0y2xD^;|cFq-FoSzLc=R`{6sWO%Ke=j{*7$y6paBpHdnf8{Kp zIy@96Qwi{7lQ6A*9+L2>MJTR27TVO^y!d&Q2Xr>CouL}D`flx+&;uam*8Bc*1c z+!llf>RxNKv@~y@m__5ZT4Ip>;{J~KD^CICzI)v#$-kZUU;gb05=7jD-k?P4P8B%< z?-w#}ORU2KQ2+RnSV21@_P$iqQjzXWa^Q3w68y(YL2;46LRVXkUapyA5}Hnu>F#`Q z5)Ecpk8fq|1?_w}V6T-zA9uGovS=(hNdh)l-Qw*HX8{fYeJe)ifnF={g60I$a8hVaC zSzPs28#c*y$vO3k`NUGb%BmDMC%$rv)nAE`+r1kdE0yA>qF<{> ze%judAfrmlYJEl5)dvHsPO;s?{?-jogRi3KjmpQT*xHsivas`EJIy|#*Spqa-Tb_~ z$1?p!ssf=a?im;+RpjKYXth2#W2s^Sw>N7_SAB|HaeBfRqNPV9I&RpVFZ(lf%ip}r z^MAtEcu>WbQj+aH?z3xt(qz;uD;^#5O*`v3vkv5=&s~|cDW-Q=O3d=EfpwWhd^wss zS}QrRkiF>)iY>Ayad!%yfd2N2tQtIK?P88tOt(4AY(bkb7Vf7TyA2gQ?-00GSMGR# z$%)pgSc%A3@w4FO>um>fgE0_a2<6FL3FP7^W=FiH;xFrCiMhKlhd0RHV{Mm%vq&2D zyGR89HNX(UV#fV2Lcf2{AN13ii_ZY=GcEA+9C`$}>RVCQ^LIVlMrz{MM=v1H&L(Y2 z8_l=&2ZVQ1cOR-vR@)FhV1HqIGQ4_wx!dgjC_yiS?@5>?eMc_7x zTQb)bHWdG`grLR*^tzkHoGbI|mcuT6oH?`~m#+I-xj6~mzFYUPs$o2`pPu(7TxX#4 zJ$gjuceZH06K&#QKi*rH4$iGIY`#9>Hi3b5=%2WaJ;#1k$K|j+Ro(TlSCZpCY^F33LUcCxo@TR;8`c46q$OyHI8KnK z;2fY+``UCorYo=#FCDGLH1FAITe?^r=xroNK(hzmGurcb&l$HXxCoAjGZ=pk&~6^7 zdw%i-XKx;AMTY}{J~1zoBW*ewR$dDU<1?PRYoiqC-{k0v-6|)aP zz+Ztp&1{D^a+PO+ZRcX?y@!2vM+Pvd=sA<@YoD+IcZ&JZi2^6C%w0>LlVAFE0@E8T zz|sAY^qQD$`gY?y4L(JB&Jn&1UUZg+T@KqWdEJD-{6yEIz9^QPd>bv&N%sz1mL5s5I#%l33|F)pC@)G%iAnsb-=iJ13UT4EnR+e4SEu7jKH z$Hk%t{UsBc4hAvp#?x zE^9&JUf4!>h5U)9*8(y(mciCTp`4&>c6N}gtxym^bl!|^obt?34>w;;To;ky$M&l^}Awv;4BRDd$&cUO_7OeLTET5 zdjaRsrz9vp$PBe?55OsNZ+*^|I#5aU9_G*pz^7ajZMR&ST^w!FPhr|QZrE|G2@jW!3lfx|PQ=j!m zPr0myX%C}w^@)s>cfYr8zvBjR_X>Yw_xv4avwt$1=7~j|5A3pO&G4v!y`Raii$!wH zAel|SaNP%ue%~a{$3$UZ$Z;onS$^OH>(jE9zE;Pb5N8fOnKn^qY|u~GSL zG8dKdO@cj5U34|YTZcT!rw#?i+m9^mL$Hr6vV9*gWH=(6v4EAUX4b2LX^ZB=;kY(N ztPF#mQ~R#n7k=kv_)pTLsN~eg-0)iMz&xq$c6WZIh@@{JyaK814C?&~hDYauG;EGk z9DY|GBe{oWp^2X{d(1O`kr8N&c9r0GtYqo9bQWI8h_O@(>XP{^3{T2K&?vK1x)mL# 
z0>8KTp3aWb`YuH<^d;jzrXKcGlNI`szK~NgNOANecEGph_k7W&Y1HYw6NcvT}gh1(M9)ec4Ywpv$gn%Shwbp7WcBQK;`M`lN^C1Z98zhWxC7R%Q#7)9r z@j{r@UGah^3seEjaCOaGIEBNT1nUwdrH7H94U@7`9R|B1oTfsSUd<$db1U}DMnZKg zgoI2tF&7K{g@iyhk1ka&E1UF=wQlnKMd-I=_RNfl-nj=*9lL>uhv*MJ9{B(V{g&*F6i0AC+~!y4#%0LXl!|Qj#gX@0M>PUyan^)uWXYSi=yz_pr)~2;gf5auPt1j zafX$MspeBgyR3 z^EE>O`F4x&tW$g2C7`cEwm7kik6DMh@%9v%2nZ02z zXusZ6zVWk)*Q(W%orWYz|0g^3#Opd|Gi5`bb+a7nVfXtBMEJBm|K5c8v&{L~^R#J2 z3->L|I=K*HgQL2iaoA#^?z**()C1zTK8NJebwiL&$-w(!rrA2lN;;DHb-{cG7D&iD zA*xPjc5RgTG?&}cUr3)&>6~zLA=`Cqkj%UeD&k8^UOe0|P04Gh!eBf#3r9ej<42+N zDVuBxEn3Q5O#eF{@839Fp(bMu8 z4J{E^C$26?TtCrvsez)tZTAYG<_Nq>^l4bzHoC0vNg%R}0>N}w@Gn~2CpN(mU%#(I zlPQZ(=ld+zqS=?BG9jsAmwS$VxB0fovu3chwUvKj8=HPWE!Km zQ(@G~M7(pHkG!D^rchs<@B7#Vq>9N02hL8v&2mztjYx zst+=b-W!;ZGLW(jR%`IUyA5Y(tQK+z8GO3Q^UAOm7dkwvfT_Lp?%U_KXKf|)|4eV; zCG>-sFOJ&jFteZpBa$17GMRvC;v*UXRl~`YO(?%zmjb2>!Z1Y5l|FOb2j1+d2{txS zNTAV2f!u*xD`tBJrx~a2%|P7@MX!PHe#Gx+A`nf4OjvEu6*mN+4(N*Dm_KXeA%YZ* zaz%N(ZCM6&L32-Kzlp9pSZfqsB0p4z4 zZ1tWslrP}{OlZ(|$p=~%NBBIK#JhIdUEll|IBUq7;nUcx)9ay=)5fB6!e0{O09j9^ zJ_W^63%*#tynlY^Fi_%1b`F|6Nn06dlJ|t!T1bT5Y^{=t+A8%M@1p10Qcq1-wqTFX z@@uJeD;CNbxy~sXcVVNIlcrX>GARQSEWjUS3QsA-(5o;q4ZVtqg^Cz5l#lI-@~$`RqGQxZyj-S&jJ%*DHISb#d+ee%l;Duem*``sy% zwCjJ0ro)1%u2X&O&ji&Gx0gzbW|~+)egngu!#K%gITh<=%}m_L=u6U%{Gx21{rDsM zvUiH_$+S1UfkBs|%T!2_#Y5va8lQQlH$V;>c!O5!r8Ab=>_6tGNpRQz<3~x=L?L#0Gj;WnXx&u6p#3t)IgL!`plMkoZLU6On&Hy7=Eoha z4L*d4(oEkaH-|CG=$QqaCXSZ`cTq5DOVfEC5;U%0VOq(0wDa9l>1IOk!e{0j?B~ry z8JYZu1!X~iYLJ1dLF96Nr4p^-lUq9Tyb)z8D$+M_rF{i!Q~B{FrtMs$@3OZJ_fu5c zzC;+T`Hh6k2YqLG)WAIQ+4{*j>RF@3RX($UYEtDL3~6O7@RB2voRRF2FO_p!;K` z>`%o2u$}i`tKy$b3>OV>Fqt;Yozd9K|JVyq`05|ZVSl5Ue~=cS>B#@qB%yab9SW(E zNq@ZQKb25?xa9bsP2(TtEJ1r$>O^>icBS#s>td_QwGiY3~SLuBqFC>Ze)Ts$e{#8$nHL6Nd8YN zh%Nl=Dd>3##*1GMSkFgSljs%U|XKS7%!!3;f~N)ix~*C+gtU*(akD&0!PLm_u5l zvF>|O^CF=SE&S24ML&L$z?p>5lnyu#-iA$$=7Lm&DS6!__6LXgHsdnvP#EWdPQ}Xtx_>{8lK91eSNmmaV 
zx0*eLH!52icl$Hq4`V~u=Z)*K-vl3NMSV3wSvr7G#C1{Kv)7Mp7C8|Tn`)}sewV%B9){T4@S}L2`R9G`L6Xhzx`!59U;$3g_jr`<5jZV@*5_nJd*+hza9;_X zNO0T7=k!Wiy#F|laKE(KAG-uDR%DmN$L~UH&OOs|Qfc*y3bS8x;Y+axT(g%Cf73|} z%)}H5Py2eqUj1EuF7|ARaCs3Hkr3I_a$_1f6(P7hl<8U=#VXs`SkqZ59xRIJw=&E- zO@3n9B{x{oa zE8n7=M)&jJ#>#yeYPOYDo+%DSPWuZ{3dd!KRp#@+^=KD+Si`@V7QHvFFN`Cdn7N@q zuVIkVvXiMh6hV(^ccSfCwc8P^4xVN3o$XSqm|XbFyOK)m;I}C0huf__Q$m5ha^_q6;lb%me`ws(l zPPD6>8m2RNKTp?Tj?Z84s5Ks0lL^0jpa928X(w&Gvhe}}9oe4VZ`B@n3O7qB5_0dm!azSTGnnq5?3Uc8Z=Pf}Z>BBNk*Ir|5cI<&%pNb;<;FsO? zJ#JOD^C71C!JV)UU z8H})Z?8|gbbGPpZ5*L5;6tKbV0$dVhblah-aKZ>bz5OSbpD z*4}kgTzg@CX*cCucC`OZHw^5QV`;wjn#mHvxZNehVc*Fbe)dOqTYx;Rw!Uv)yNK-K z>beN_Ew$nJ?FGM{0LwslU=fUYr_N7oj+l$6e)_HBHh<~Xv&}NMMgOHQyDre7(b)EZ zdSru~aHDnWnaTw^+nueoDdZn~G2QEH{c$K8|SgSw3h3sWXNL_5Q7zwp&|LLKO0<#v-4;UI~b}T>BK0 z@xhz?tRKu&p?*->`bK(vp_n*r8|C>JOY64soV<<>-p5a!W&7O=6_Y6GJ+I8-=3)rH zxa0~aAsO=$aorHMyZHu5ZlWzm+rE5_1*Udk-^O5_UIUoHtJO-ke{RL9*=B z7tf4~J#30)&gVzmw6AJ##ko19(cS;xU=W7p?~U-KsSG1A?91|X$+m(KOOwkg@kGN4 zM5M`_^y}B*@X;TJ-zM@LH#4lV7>yXRybY<7{f8q=BbkY;9Zxz9I^Ku&tvjT{0;j&3 zXZVcikqK2`lcun>1-aL}D@w-%caR;x-0X-h#D3CGM=7V&GIbCYHoX%b6`JkaeC$|2SU*@i%KS^x{ho_7Le(=P$FPhZv zoqUZO8cmXFsKE~F{|d*TzGnIi&*rkMb&BC8sQbB`iC#B-vBNK9l3$Qr+qO=fj5x@P z*>Q1K;Rn6~Bs%&|UiV5rIt_a=;{PFPi=kH4)GVp{U*M0G=!T7`i<3tYvUjQb9V9NL z3KE;#Cn9WiH`sL=uEpO^LL6IePOwn31Wl6oqe(QlIhDA0sepW^vb?bsN#>)q- z^VTu%)7Oep3>)aG^L)py+2JUEz;adEOT@|*6PrA~UunSJWpvmS;)&0{Fg8;cr(D_* zj-~84u52?nH;Tpa)r6hzJS~g24&Ek(rNd-*S3<{~Bw|X4%;Shyz+}qO#nyxPi)bY} zxxV82WzHY8Bu-;=geF^SSJ~=?Cd91=-&xGhT$;k8gooGtF;Y}}HMZw&xcm;L3miK_ z47xYQDLbZ*!sJlXq$>c2mGJAUd!tKq#y|ab6?B&xUhGl~rrx(d~fpdHhcWV9- zGRnYatgHPve;H^(OKuoNCd{>#-*w;!tF=#)(dB=ni?SZtXu;?{4D4S<&t$pi>@X_b>0=IoY6=CAu8h`yqp z)?U1segO5{(#vpNFyz6aj2rmizQDeV+4jUBGc2L8X2`aa9AL@k!_xNq<^;2`W;j>; zHx-50GOo%IxJl);sdvxAj&+BQY>EQ=`Ul;VY#6OZdh+M(V zIiyB77Jf9bFmNdJ)`F5X`%z4I9q~3*wt$C+Dbu2|xzPPJ- zt`>Dxn!#jlvfD&qU5KUj)~t#Tv#oDr-Edg!VMFH=I4I+@FP!&jHb0s;2#+RPq=j 
z5UiaqkLfyeu8ZG#R%X-ZajJmAb?urkv57Ba#DsE-lWnfX(r?#EbJ=q1bl=3h&l><_ zJA8U}Yd?lTrx;51s}XEsyLV6?H9>@BKG9c{;zwd9v;N2fqMl6FZYAwO_e!apIy}$T zo@tdgEu0;h{&=sucd(?R!EMGAI!3oYuq3>%v<^AD8D%g!6jt7^M=|I`Bh<6)`e4%K zvN)hiAvxO@N3iR=x&Mw*a9HGbpE!y=poov8WNE#>Cm5&6=#=3UNHNV~yJ18z2^ASPjk z3?FHkWveDFPFk=-rZ^V4%>g%gvoo5#-^Tqd?>@agGI64G1N~Q>=_LE^;Hf{;l&NvT zUnm2LVCm-XWbJ1rLfg$LLaI+!ZX5irxdRWacX%ZSBkONW#KZ&^kTL{wA><$_^{}}2 z;?@K8^ZAtQN6%IEvr*;x{pw#$Sg6J{6e6h2jpHDkfh4zIEo4#J=x*lWHM<>iuBDIEIs z0(<80@cb#?8iCL4>*c}6gwoSvDNfhBS*=x`^Bps1BWFFLy`0x?>ICdps5-umEx>RZ zBfrwDFJ4-x%Z~5pTTYfEmXPaP&L7a*`(F5R?{nEXV(eUO_HPKB+SD#N+Q&eob$a=1 zC;Jr>jG{HtT&tEo8*oT_*$m?1Vy4laY$_>kmVup!e&eGeiT?!n&W;YspW%Mzo zvuthgyw+?L90o#q$dUgEyQhZS<0f`~DeZ0IzQ4W`0Y%e3Jqx)XUX%MiCy^$hv<^zU zYX06gRsKamm9G2i6d{tFh9kWgdxI#)wHLe10Xlxyq{X%wuPR{z@Z9t zW!QJ{_rtQdnsrU(<+GT^WH?Rdg8Y3U^`i?ybPHI@XEy{Jkj}uNp`2g?#g88o+XPXz zjYXVelO`ubgu9$-k)1#_hza<D=C&WuKGVRM-Q@=r4T$!^V!6x!m+xg=0g;c4!QgLpC$ zwBbBch7e7xs?V;iAyduD)ltKd&p$o?Quyf6!*?;^xRdWC5>zF7>18mDNTI}1skH4J zDmSo3ZfZ27*Ai_P>FfKROMQ*&S%-rBU8k9+S<;%ls53jkZwS^Z=cm%@{W#+tcZce5 zPLpl3E>6uqH?Ha&S=&#%Iapqb^ElMSIGyK?^qm|{UnAZv#W0?54YndCYYDu%-*7rl zuIJaTPwRI{vb!4Mw0d7>sK7>-#1m&opo%kHEKP6wQhcD$TQ{lQi*aqar*zNGkbqF; z>7JL~7UM)%{btCF|1VdWI=+MN;$jTY^OX0eRs%Kc^DEU)V(Jd(hN`Uf9$}Sl63L<_ z9inu#6D*?HMPLdjY)TTI3xkKNJQI=@l6zTvSdG_?cJoE1Kv4n#FFpW?mI@wCK>{H^ zpd6t+mRz_m3|o(lkX5&amMX{kvCF&1OvVC_>X_EgBZ;u}FG)Y+yzSP?Ufu5%_Lpsy zFFiEdfTN(WS}cY2AKfRfnl~4_@6W*!Sz9LY9RWe0%%Ac@F5%1h(y+D!MZ`nJ1luW` z#^6VUy1qKR`0SG|dtXl1Q!0p4_u+igpRk>>uPv_|7)eW^$9-@;$<#4lFR>^X6j;@^ zN7ZZ5%D$B_bzvEULq&Des)Z?fELG2VCWWY5uypUZNot@j!gm%=KkM75-}#`0fBO^t z;TNv136ka7Qe&~3X=dA4)%WtIxM9Vd9bXh%#)<{|-zM)~Zz^vPO;Zz3LT$|hE^C<1|V?!Ef`m5pn*UWVlTF&Tx#XHw~_?ExIm7vZ8Yw;r1;5Y|(kH#>^ zZM{wu<`a%R3;vN(Pio4WWqmign3X_yx~t<=n3a2fNwmoD$SrLrtb1NMZ_;6Jt|nQ; z#fJUnIPMg!?kBb!e;RD}cAJ^4&akMwu#>QhBZzR4(0mciq1rMpcr6_f0T<}VQ9W?c1? 
z8nu6|>Zry5d-xmESTB|^GNKm0+Cx-SR9t)Tzu0@LfVj4`TX3Vnf(Mu2!QCx^00Dvq zcMI96z=X?bY-9a?30}C+ue`%;l35JYEAoWj4|iL1e74(u6i)b zq!HMC7Hm792M~~)YC2UZYPJ1H<@qtg0KDyQ`%oJd`=8 z1fmvTBMammh;SO1T!W#2SY_>OmF%M*Ud#0TU84?bl##sy%bi1%SP6dy)iqPLg&G2#i{mjGgJmHW5a~SI#t13(erj3!po#`_3gePA=J`NEw zKZN6H=nflFcu8~G@4d?O0)y&U!tkJX&S%QXQQG%$DeqoK^dyVtOu~A<&{i_qu^koW zaIoK`17A3q#|O`?G$-;s%UoCr!#j&Nl7sq_mn~85sOD+7g7lDc^z~sMEg0!&9EZa3 zxbSqdPuoIhP6(y$Yso;eZkf?x%sbJIx7(n29sOZ3ZWevlRw-4+o%mfHeXDS9qbr+Z z4-gAg$O4XCfW2=!9O@16JA>ZbX3xWj%|zYEe6jaVr)Zm{xU$*hL(=l!X~Iw1vt+?X zV(RCOPy3_}`#e|9;@ZG~W8~HKdMAv0Cx`P%HfEPq{vZ|QME!SJyUjq`+h@mx#$=OK zO_?;**e%PT2oGy&A?|P*;Y+GMrordCWbg>U~Px?~fHJezPsin67)Ws;|R1tL}%4 zsoXZQ-rhpotF9Cod`^7#Z}5ihhYaiEBdc@UAt%#_X=$y*pClNr{*@Q99-=nCH@9wh z(vc;b(-CEzc8ytCUVF|D`Ac%OHMWJ2tG{}G`TcCYAOb2hc0mOaIgsL$tuz zq9we9-k_LOoI4D!WQ&-KZT~){uBS^Eqq4>Mh~WG;x1v5u2S3qKg1e)HA87O^f~ma@&icv~}x#*o9^Aeay%BWS(5n z9HUBq!G5X*ZYF9ELt1}tZ)DXvgp!-*y%+E%>{3Z;8Y`(gzB6tf|6{3A+hg)WBlp60 z+t;0>Zmbn;%qe%3PACL3fmD~B`tLbQ2~Kp`BRj`dWM1m*P*@x71U9yPk_`qI?6mMK z^L0fKUt4(It;h5vke(fhpxw$erG!a{XnBG+hRZCul4&Hg6{nAL#;N`l>;66d$nF zxNi6J!mC>Y)VOw{Qf%kzA9yYszbw4Vj5?Qjr_CK%WXy}teS=$vgqBln;;){shx7is z@DJUZhK=@c0nf9IWy{F6+kwOuB zvY0wNI!PQl{&~)UipYAK^yF!QFt01@J4lxaenS_uGG^)k=UY;F5QZ1l@tADVQRUE| zec1F6r*br`KIT!IggLdcAeEz<5VrMiEkMG3Ku_mo8k^@wBy9uHg+}_Ui2&pUu1zPQ znqU^AJ$d&!gn{D`6IFc#Tx~qj6K-A(SxeDcYADML;e^Ic#_dE8n}W%fgVj!$c@rnA zLvF|7r{cgA&--s5I-3HS^w)%%vR>;l8;k`(2Z219+c&=PD%~+Mw^yUfB`2-T&D-9F z$VyoDEBpxQcD1KABCUP7haV1yL6B=o^_Xr+UAB8#d{L5%^B85_trhEvy`7j8LrI8N zeihCC3K9JE9oF4SK-L!pfPKts_EqDD22uH`kh*2Irgs~ZN$%xIAQ?{bzZ0N;FN$m6k&AGJ{>^I3-JRSi2ZnT@hF6(>r~vu@cGKHzeoWREup2v;Xf zZlPb5)p(6c?PiC?5P)0u`Tzhq#QsZLiTiYjRo3~40DqD;YqDQbUvCb%^ENgXh$40> z-DUwq>4(D_`+bXPty!)!Z~ofF4vw(Y%cl#x=wxm2F}G8#n@E>+nx?%6EF?^G99Kw0 z=T!Y1%sHaf61&jRxi#;#*;N~jZ`08YZ}aXE2FrD8UZT=mO{K;ER`)T+O2+Ey#2Zc! 
z(-6VF_1!y$LbnaL0A;!fTIQf1BZrK4VWBpRG$mh{D^6De5yI2TK~KSD3BvZ>YbfGQ zmEcSsP4IG#x6~hrN|EfZ>IUxxuM$EaPgLr5y6XmZn`(-oT(cE*WY5IgzshS-v)g4h zoZ^=@T{Xe(l#Qb4s!t4MHl7}1_-GnNacd!zcCC981VCSU_t!WSZY(i8d!dhJ+r94P z5Pvw&OdCE~Bv#Y5$!PM^)GnpA4{k8b`qXQI%c;UU<;)y>zmC+#n2Pl+4JLSKAxXFA+T}S&Rz|>+T`(TM6~+`FU&H{EHGQzmoqXXR zSbYnWZ5=`*y7Rw=8CY=dX*YxSd2)PZc-j$v1E!H3(n3`kOX&v^Tc=6{*jFulP*+l& zs@NCRnil_#V`)5ARJ*8z^TBoVJ!;EP6ZNyPMv~?B@VLqOil02W=(lrsR9luUkrRSh z|ChFBAwo$0K!hFQ0g_YGxTf&B6JziyYPn^m%C4%g(v~va&JfVDaNFs({AQ3kO^ML9 z>VE_}rQV;SZ*Fm+89A01*7D@s<`in|t?z8}AGT7)P3N$YW=E{{B^aS98nQU|lc?r!B(6y7?tKO~k(W-FkR04_?jJThF?Wk5R>yzhIf1}t-WSMe~X=7zI zzImH3-#l;qh)Lbv7$Mr={lwIcmiVxEQK;iBIveuuGUsnAx7|U;do=xZ=h^p!1Po&0 zQOF)i)2aN_qA@wgch_$W>#ZD>w1780F9LM37yWH+PZuYx`|>JX7jEooRlU-du7;?@ zJnvh#((u%{#v{Tt#o*D=aX$DiOLp+5X1xdm%2w+)5eeYVk@XodH(f*GT0q;{@C9y};>8=dsKwNMOMGU$$#Srjufp8(N znp-E_;@o4l1C;LNWKGXhchMF8lTF3Ll1QeEGr2}I_#LA&=Hi255ZaNLLuty}w=bnX zp1gjdE?u{V+9jzrmaLN@IeU)BxxMIng$8~q4g9MT_qJQFqTLPUxLq8q$HYx!@fag2 zYp=qj2T)zE`WT#cD7%2tVJqI?h5zw?w@t(u74L~GwSFpUc`JLu8wI% z-vm1I8`hcd1F{=SkeIp>a%u`l1Gm;{SBF4i$rI|w3rIBAlEcE_sWn`%^;TZ(02&&x zLCq9M8HA&dvqsx({SxX`@Cvc!<79=?JAM~Fgm5cK$B>sadmF@M$WNixAIf6i@F?|I zxB5T70`8c8W5l5BlTd7Oz@_>Sc}C)>U|xqyAmym!kekNA7ERAzm8C6woY%J}5mQNu z!O9q7zSUz58tzcU{qTV-K#lQxvtVDHsTnny6mjdKc2gD%EGF@M5cQ)ErHhXtlPRd> zAnE>2t4)C`m2gvNLs>c2SWD}2a=|v+s06D$CKv` zpSJ5rbvBU2GXHz^J0W1~_qZEYe zkb(w1yTS^8SIONie6ho!auaN&GH zF?VWBX?j7#l)9{u5{Ta6BmCasWp^Nb9Pn!7v0#JbqQ+%c_J%u*JSSy*Ra0ruZHkg?=P~nEyNMqCs0XrmeKP zq=|AiXxA-TUbkY3diAU2e30nxm(gyG4vY6>J%!rPXy7pXs;Vz^<0UH)9FaXMVpNOM z2aBC*XZLA>Osjwil?aJ4-;A={auUpl6a6Mje4Wv*s#oEY*$?Kq*H%Okhwmvg1_sbW zg4>;SBP_K_zlxyn+c#igE~m~_C#WJ7H`PW(AP)=kI(zPEZrga38d-PbzInA`UByum z=ThtmN(9&Wdy<=NMvImLr~kIUVD%T>!6-r5=^c4_3X$H_sf#L^>q7C&zV=RE?Z=yS zwjfgMk5vV%4T)R}tyrzo{ZNhbBisQ2>SnVHaWLZPnxl{6R^HmnB^u*4*rZ1WKI+?( z@DqImVzq-|Zng~GS-VMZ;=Sj2;!1vI-Hi#E;)EVC(sDl9Y}pYc?S5prcoo>!V5;op z-5v5Mja-e(GfEU=hs=fgy1?us1FKA_Tk(eH9a|@AT1Eol53Khq9Y*-%7mq 
zk4V$bDShp7D8?^I_&&aWj}9f_JkB%jfxrv}OE6Ez-$!Qi_QMCKJ@n^X^oNsw>-T`kV;rH( z%T#gPKh*a9{@Y^SrdM8j&0o;|C5SzcrLocPQJkvQDAh*#>Al`xI?=&hYgj8cl`VG@ zoyz)uqfmemNmzK5G?!w=@#-k{oot4;Fi08!qhTw46Wcjs@sm>lbGRIKs+PrI~*M{Hv&E=z2;+qC707Me4l zTGH@(zvH-Ihi8}FFD0^_JZ?rqGcMz3Ad;Xqwr{H!8dV6@)2b1r5Zs(08x;bq)?mbQ z*l$<}X~^`AogO>tmxV8&5I{6B_dt$bsAL`Wohk2UC6wZ;CqQO3Vil*XLe(48@m1bA>+) zhNl+RJmbBcXKz3#Dap!x7h&?%{BX3p&$C4I#TXK9sCLW7oi(EvnW)>@j}ISPFI}(B ze^TnC_C3t%3-H*XaBW%+*pp;7Wg^A{Fg=VhG9=pVE@n-16*=u~`jzLev(Kh|F0cDl zFKeBhqJgv{RO}YW+(sz*P$DkatyvO{#X)qxnYdrAR`wig6RWHV$*G)YAm_=B0MEX+ z?vZ5&u*~NLt?gL`5!cCjpyf3`zUO0JJ|zi8CGX{3r?3oQ<%v4eqspY-eypwkv*%ap ziaW{{H7U~!Ph|i2GQ86lvkOJ0!?^MJe0DoamrKuqi=Ush9NxrRpDwMj=a2`%)6Bu4 z`1JrSceY*LHp}!g$54?673-n3B8P>BhLbg+DgoljaFEnvQp8$kP?p5!*0(fBN<}vhn!(Q!Zk@f;Mv=#keRszKPQ%1kcrV!6sS+DZz_Buk z7s*>yP`2)wh$4t~d;5xs!D~ZdBhxbp%*8!S0~`qRL$mXcdW3h=cqz-s{<3r~Qp1ir zNmk%e5R5{Ag@qexa%+9V8A--eb`r}^)odiY{K*_3UlMR)ZI}=huj?XO{Ycv`>B#zr zRb#J~NZcB4In5U*NPu-cYb1?#e^HA|)%*!+3P>_`P3E}A zp_^-WseQ6RW49ZKM!(Rk0RwOMbRb`Gwiz!;AQYt&dj1jK9U;_QEP^xnDRBHkXTLt* zWu-Si824i0`#`n6Nl(Tm{$1B$zN2Xf=5>j-5=O5i(3G$K23j1WS45RmF+Qr8izO)m zC{+_ndHwyjg&-I^FR+rb_QkyGG(?#EBZyQ&g@q7WuU@5`~?NuZ85XL_8t2k4J~ zrs~JB?<;DKkRz6R5U$-bV=Ar6Fi|`$+!e0bOL*Z!+kU+{i*df?eTP6;>6z;1=g@rm z(-VC6B*TG>EWl4T9;!nqhBCb8U{viVT(}A(OEF4&Q{=@P-pJLzvoN$i(Jten$akNG zY|pPI=)>#mvlTVpf09N1X%ugd-hjpMWp?daMDK0G$xlb_d3vWB&l>{`$J4Hs*)%Bn zpR_+YE0&5Ep3|G|IS_uI#B^Nf`lxO}{*;$l>y|p+!Q)$FRa%3E+9Nmb_6xQ`Fm+1I z`?HpY%Y|ZzPhN-G?)Rm5N5eFi!ORBucIv2=qn$xzCXYnh7B3ehCu;l=jW+G6#W5vt zhZZ_gG|bo9;(Z>2?t9Ev?l-rvV?Hr7$3FyozOWUMJE~&zx}DS8J-jl*W*uQT5OtrY z2*VrsO7$#flq}3#pq;gSdQxGzdgZrH} zGcdmoz^80|IEdTg%_VfpTIp?13p($9rk$l^)+&42`?{*VuBWynf5cw1kjfKrZV0cx za*wz#-OA?VNNxePWsj;JN9VY=Q@JJc zywon;tp%(m&O|_c+%UQ}aiEnwl6++tw}RTCmC);JQQ2#JUf!UFHyJ7Y(9k7iTdrcI zbmYAXYJ&bfTj^4#kblGj`VSL-`m|1`Xp`12T$7n!;Pag~EB~_Wnz@aSa`h!D_=tZB z!ILeVOx&v3P!LV%K_W=-f)4l8HDkH(hUPFZFC4GKjVl3dV<29UFA0v<*Xr$U1hEmo zsd<{zz^t(dKVxspX20_C(nNyg{=9SA!IE$Fv=MXV2e-dF4cDGj7=&H6us*D9%`=WO 
zRA#l4p`&vfnMD_nz+v?qSX1Z?;imT%SWq>pCbwsy;1jR$8hhnA?fJI1WpSjOMxf$& zB$Y3^!WhFpUX1kfz_bNyyQO$Tf4J9AnldE9kz(-q*4R%YWh1s;53To~Y>zXK6v(%Z zI(BC~{+wrHza<)Zy87+0O)&py!6^kPOO2OWJ+56@##qxp;Y7g;)fUr3qU>!)7X{4n zH;30hZrgj4C%x3K0QMEl&4TpY0k(E)bPOxvllgj3i=);iQweWcz2*dvh!un(-lzNX z4R?6AJ&)yytW;Pe@aQuabphK9gF&+BT**#^)bT-hWxKUX+apx$4}3=sgG<_JL{hFW z>q!6-v5wYqr{O`Hry_e0`aW=MX8&@JcLUxMAl4?E=ou%o5X14%cvZ#19$vM@;aw6CP|P|e>7zLrl_*MA-wS8rIC0-w!) zs4_;nZFlgU^g?#?a6`#k_8AR2gW}L>NI2PqS76y>B!`?jld$7b^ZHT|L$tT4WR?Op zf^wkk>4viL$3kzn*6VIJBMi}5FE-@H5rdr8%I4Q%)+*G2&r|z2nwdjqf(4Uf3Wv9tQRn8J+uy*MwisT;~tN)CV705HZeg>9|XS2G^ zo14yUk4doss<$$=KDwis+(7B*0CcSz8PBH^0j7shQoI!G!IlKw>O78!?6+v8py%(> zKHO2KS+3#TmBKPlnap^QLlbLs_#bFv9lV%iU+$1n;(4QQ{Nq@0)Xv(;L&A}Hb3@3| z$~YyB@)J)7ku(cUHb~MxDCXO624`|dzintk-zbJCiZMae6de;Q;jM!o)TZ>@>z&wX z*u(o~P!7;r@)n-2K)eTjfAm70|JS_DVzX|^dW3X-6z(eZAD%b1Ww)7$bk!Nmo!$w) z?{&}zzC1kFy}pcT+&dLuE5fY=cL+D^g`Jv4t};DZ(a~3?4l=4by%m5BLsGe1*7X7y zs{7=Bm4u@2)Q~fie;fSmhV8mO%XKXpm+jooQzwHfLQq$rCk+GbEEv4)RlIU{X#YJ7 z?;y9pP)@CDLDnFrG+I4Ee%ncjZ8L;CNNN{f45e9c8V_9;ENx7wR7s2k)VrS`lE(>C$Ix{6O^!%!-r5Q;lcBH?D~Kv4N|01ZyQ5pek` zC@lgeSG2i|OW<6yq!J8&w8DPNP%u8)8zNu;)muW(N~GPV*LPR}wJnBHyBEim8aDB~ z_Xh9P6GI9@=Xd;;;E#H*Y03H7!zo`9W9tKzj&w9>iD~|{BkTW}51vGUQEmEQ)@!ge zc>QSoenxltu$)1paHTt|R@%%br@EvaS9P7K;lx7Zan37+Wk0dEloyYN$%7$5?8nPi zqu{XNqX3{tX#B1Wmqlt$umV#`z^}~h$(swsC$)OzWgv1>%joNCGM~wK0qwYMWKsIC z<-=ta2$R8Ba#QlAIGQ|2(4sb_mNyY&{)Qt9$!@Eh+@o9LAr%o7?Xb4!>^a9<%gZVE zzIl1S&#F3Am=H1PG)@tJQiYy%4=3Tznna#SejYZ=@Hq|m7!qt!v>L{kzmaBbvTCrZ zW4(P7yMj2P`F^RL^!%zce$U9VaKG*n9B{rB;TB5sa34=GMg%!RP(4WS8QR}Kz%%*5 zf+?LXA?oHwekUljjHbmrPPW+>aw%$r5WXlcn|%e*7sB)BSbA0^Y*tq_VM8QPBhgU3 zpp}|!T%#isGM89PDr?LqISk~&5z1`P`-)E-La&OZL;KD9zu9@cVNJg@W(tzjU@9+1u4s!KBODwR=%=7zi{>X+&_{W-u8{P;U@Rtf{KQ* z_sO-Zsn0zpWxvLtc8sKKDCeftO+=ny^xN2)_BbK8Ss=Za zk4irO#rSi^&|1SUGEh%L785@> ziK!n5o@~T~X}SS-mArTlbY!DLpHGyC5v9$2XW=pYE7p~E>4w5$&T9b7w&`%@D$?|n zS{hP+*BH^p>dzN&vLw5K(&9h!=8sUkb_eYg-VHTCr#LXWK3gV1r=oC{SoJjQ6U*yB 
zF{$sza~r_s2()QxaY2zdx!Y5_rrR`jqBy+mU?fx(j2#P)MLQdN7CdXYx!5-OGN@5K zttD37htV4op$U0}-G^UR=-2UGd0B==HhD8E{YjPW@10k@fzE`DG9B^ZWwXbu>cTF5 z5N|i2P(Jf^&F=VXRwFH|z65YY2e;M79s>(kvg*Dz&Dd@|I9^{ObC-@zPxr?_TWW#i z7Xso1Iopp!;yNP>($mUyw`aQmewo}<{d(99I$$JyK7MRMCU%M0lv1C3e2h@iAJaJI z?AJmiFL0!DE9i%-^{JM^fZt_Zh3ga{UvzhFXZpG#H|tJc6Re+Ut7)Opuhi#0Mtr!i zTnAG=`b^!m$*}fV?tHmBN6h!wkTY?JjqJM6>LDz%nHweLd2eul_lv`8LAw9>MqJCN zpRyUrc{4Jk*G1FS76)7Y2zkY9s*d*6O=~F2hBv$8t$bbMUp}U2uvoJU@Y31AJu7el zu9!jE|JDL}kdo}Jv^$I5$0(Zamd1{&7p9IZDWZz0!IP~vJWlqm9d5WU|E%s3a0 zelOXr;$6q@x8t}69Eo@#JSZR!3W`&1HEI6^Pd?Dj{PkxTA%Hzde;->6JI3-0!&wL@ z=Km86VTFT$IN%)!&UjqzxaCHj{c+HZYn`Ct_kcSl3PmM9)+;GI5LCACOq3@7TH^N} z?pFC4oGr;!gyEUn6i|$_Ls5y0)gsQ@{_c@%Ns!+8*^|gV@NyaTpX@FKnDhMJ4xZp& z&G5GWA1o;o(UM8aF*8!F_fMxh#_fk1`#j!AX3@5r>}zoAU@5{$^t+{`_dY|7@NF{J_`P4hH}Llw;ny1VTS6`l$+=PCQ~dw^1Uxom zkYP4T%zkh1@2&V_+5CFBIde97(30l<;N`zCx^eNc^?!zdPy& zk1Kz)y4F{84E^BYv$W@=|ND#5ogpx9`VB3Q6S3`*YVE>g(0AEM8c&71$Wh1a)=~E! zD8OLYA$)iFPDIbnbzYEr=@J)+UlGvB`tA&2S5`QDG(27&PZhY3RD_Zgp!!@P&NK z=*sawMqtVV<@ICIw!vH-dH~DT^Aa9Q7^t)#!vw*|a7yUKbYCX(+G=~m43a8%Iy9vf z2IWaS&Cw@M1W3F**+P@3tG%7@&}4}=`9am`!88>nJ^9srnQ+s37QjUo_I$*MN_|m7FNwM+YCJ~`seR-- zW4%W=e?(JYx6TJ|q$~zO#wz79SLZhel#U23o7gEFD>v69>1B(Vq>41sdA|%R1XTYK zO>AQ@RW2BH;JCVh>tXX{`eYj=ol5_tv(ejD_ zsM?baYhJ5Af4P;5=UW&aL3+~-E=%TW713@iR^xJH!3ES#9#*|62xKdH0$o^cCLw-+ z5eQvx_3GWosBumy+7HPANvj!-81oj(xb%l>;*Mv-;1KgniRuJq+6VBm7f^`7uP_<-;V zS?ALMe?eRNYG8q!fD|zPbPBX%d>`v$@IY{3%A z=tsnoWawMm)YNj_8Rb`k&tECYM^{n#17Bin_sL|IERN|=#?gocN1#a%od`oT!h%0V zT@!*Mxf+O}aB8z2?3gOXrm2##{&2V*w6gtCHK)+*IelgOl>#9kQe5ejjvUTUS9u# zv33+Aw@*FV(eV&6JkZFywII3K#bS8%LT>dkv1_{yv>|h$2O)QJi)mtt#| zSB(_W_rvpko%)p)q{5uXq5wVJ9N+28-VLea1wNW-!5oA0!GnjxABufzM%PFEJp45A zmgy!;ADSP|t}R#MpOLu^fe))HaK<{Zyf;#kJ|jv0`x9uwiUrhu|PYvP6sX_Dq`PNrOt{Ti9Ux zJ;i_gKsG95iR7WG@hL%HzpDag?T>tN_XAy*nw1A=0g9q%p0m`iIM7zc*nhZ8Uy`a{ z4f$jQUj&^Wgt*!Zdj>?R3XOJkH3M&rgnT@~)Tx1RbB57`xwJIW!asXF6p#e@AvXzo zmRa!pOlilXfWB$Byds%-KD)smh#bgphMZUI#lyv9(;f0GdZWZ>P^{f{X!P@Hf8yEX 
z${Z_jdr$~>CoZKvg6o*VHsRHl<6B;;$q{v)<6-q9(+|PVhYOZ{D;e>Ul2s(!MS6fE z6++q8l`INV$=g-Ng%*esD90lW0!z}#856N*$zKxDIae<3Sqh5yoQ}_>eChlxuo9?r z^}g)*i0RF9m9<^#EOn&z`}Wea@}zLlWhA}~=IXv4hIQAXa{bneI#9oiE7Z4QF*Qg4 z3g%=kh);T8qSz2L61>877ku=9-W48GNxUZRgt8- zw=CC3{Q2`Cp4QFwh_;gWJUuf@JdE{#ii-6^D3ow(qUqlly=0P()*K&z!F)mBMbjH8 zvd99&wR0XdTDyqH^ZoFVq}jJ9zEUWoH-{@}0;08XWUWQ7ZOSkyh!p8i;IGU=Dhf?Fz_CT(XR$A<@p zXZ=dIVo1NMeqO)!4xsRFl#hkgj#X(a4SR=)(n6m}F#gr#$Y1vS$*rCg{=qtOM(YHH zOippmhQcr4bX2h5SNIHx{OL&x0oI!DQSI*2LI7^r-aYwFGA%P|FXg>?@H#M zW*okU?y8MzX0vG@LSw#M4d)F16UY7dkoKe_`M&MjBF@Bj#eoVg#Lw$d_Sbv-e%;+O zNt@GB780I7+CI`sPlO^(80IC8qlp#F>OJzdj9-|{%S^Q}O4ewU)EdBgga3^hvhStC zaIemRNjg{JY;ABgxbvv8sA681eeBqi<(UvZip1}jhn`{yg6YO>%u%{n>+396J5i;1 zOKq6UQ_tZ=FRMPMeO;~4S}i0`Y@{lRnW09VzX>A`(imvn_L3#_D{sj~hFrixcI-~= zpwI53CFsHFCmK98Z`|*>rzb|1(V`_nNO59KAe!znZs&mX3nbn+=-E!HzZuw|UsSV= zL2iYdQ`~dBFrrE*is$SlS0>)Ek$fMJS|nTTF)D6yhylq(8phHe82^J9OiVyqClN}2 zBJ+`Kj}%f4!)v%yJ6Jhtb*2>5LalN#oXB1U2k%DD)6-9m!h+B#Oh+j3P?h!MPSS&p3u38Ia?sa4(-yHL76{^$C@L}8Z_F^UPi6wZ zo})q0S8Gh%IfqE+gw!zP03j3&`YiF-7Wh2oEL@k9=xEFHBL+G;s+VfJH)5Y(sM8gC zTkh#B+aQ$5sGiv1`>7UjhcYn1&+x#psH=D2#IOD3O*N`C8xgrMyUvBOSrX$I+XOFN&pO!6-5yWaV!=mvpu&>4*t$wfli4=4EM(j(NenqXWYS@Ms7cN~~vFWLuZZi;o z#-XF|rTk^!lVR@&g-%rcH2&=ZcFR>~08k7xwZDq%YLu-Y-x)OXxT-(0*TLX!$U6@N zW+o7dH1XKJNwm&0Rjl$oGHztwA4)|YmmB_^qI+jU$!WN^UXB}~{7U6fmF2Ab`<~I{ zD+s{L7G_=DG0Fv`Y92{$2=mLEuG%6MCK=C2mDK4Z+$SY923!!b7onT>0b)BCNroHa zi=EmuWwJ^aQnFMdOONSm)G&CHF^DNxN%_>?{CwTpihiQ&o?DnMa+3bJ!-Ds_zP4v| z6NL#0`&=Iz-E5NoS<9vCEljT+LhQgOjZztoTiLzJk++67mh4Zl>s#=5mP7J?0uDq2 zQtq2U^W{|UeFEfy@t2HeII&5_YPgo_morX>j@AD17w%Ydk=tGhNIuvrz%3jqk$F#b z-0N>wk<#OJN~Grq5?R$D>D{~0ttIpPD>BKd;IZig_K0hE$TE%H_Ib&p+>|mzy@9B< zJnc}+MthVb+qh7oyZ*S^nPOf2M%vgqCHCiyHTQ&Yx3se{j^q#gx@#NdxU`I)fPAH( z#7>1|(VY=JwyEfM1}yRDOjGP}sJO3{WS#MZ$LWtGH5$XdzK7t+6c*AFZ16O;f3MAy zQY1tN+zlB55e>8#YI-mY_XfXn-=|tUWr7p(SNf9v`?GUaIEIvk#uF!djH)AfrOWdU z!&jey{_LN^UtJ=r9zQTQvv%$yEKm&}TDq%9b})Q2W_K8UBz=;*QbVlr~jm 
z)g4bBOmpLoyZ=;K@@ec^;OP$3d==!;ROf_Hv66Oox8mjqfvP`ABN?p>RW2wHNXf?p z&z_EE57-P;@BeJXdwQ7eJN;=qGd=p#y?#6e@${ufnA5OtJ$b5rKsIMUM&|}vm(1IU zY%%3>&&`40O^!F&C0p&Dt0??>)aJmZ#~g#+2OT^w_xk>g5&cEXS6|)AY6#}*FsLy-8Bsl~%ejLcHKR(_y_Q;Dt4`Qy^x%bULVdH(bJ% zegi7===3GC2`WapZ{n}wSxz%-xUHMdhVMORix47ixvxJPek!=-_KK05^d;P1oYD>_ zhu@U;92|tSq+3=)ygv*ELOYEBw=~PwY%vXvm1?9O;wMWBAYh)h&uCw7;#|I?Z}Tws zq=_C zN6p&6rO0=NOP9ceYX-#o@K5cd(kgSl@CVnDT!*ye9z!TS!G)=sj7n{7mMP$hPIS;a zgJj91I!8K@XOTi<<4Ivb|El9fB4(0XY%7By8p3_yYv4=*bt+hTT)E0Sh&)!)Ma z$<615K_EViOIMj=^|aCS(RGye7Me*FWa}cV@L8$JLbwq%+@7k^M@%cu27uOh`qA|j zv6bbp?N!o?L}i~mWFyM4-u+X#qwIdv>}SOh3gQz&1OH9=H77V>yGs2 z-%4MVv*=T6CQem@App+_=PugIMaM8N@7bSsWbDVJbU_(yEUGmqVwmy3L=o zdZj~SQUk7<|3SZa1b@|`S51c{yRE)yZP(7ZSXOF`IO$OWLhc(FTxf1VMU@tzkV4sp zxzYY{@C0^;@$K_1(tQ>LI-# z;}6byVO4DaI>5*^s(q|{dANR@eVa$>(mS7Di3Yj!VB&oap~5SjRb^4&b*}Jgv#@05 zjiwSN+3Fdt%&r}sH=$tmn+@BBg`jmqw0OSE$m&L;y0whHkqe<) zxb9Z7%kH$z3v#-G_ry(Hd*7C+ z_JDROncNx@X`vDue+s~~6o|q6?3rZkC>cSOEP`WXJb3~@S$a^F2R6TrKV4E@l_gIa zaf^wa!wI{%TZ=Eak|Pvrn-$d`(?~2^k*#W8&re9Kw(hX2qv$OTJ8v0WZi-drT}G^h z-Mnr>h&~mGW(o~Rc`okg^lL^=-aOD3id=W%Uu+^zOV71NA)Z53UB#Iz(+!VDcld!3 zO%os_3Xg8V>rMp!Md#)f!|TIw2+96$PQahO#J2>8)pxlg2(4y*!fMa7CE>K%fLc=} zHW@E+dY_AHu8%nL{Y$2H2nr(Lkj`Kjz*)9(LfNOr-G4}yuT2V1Ir}7C@Ntm#VSD21 zKj`jzVz{dUapG>rCfEb9>=52tfo{l_wr)Q^S4a`nX@o#aQBmmR%5pEAwY@suG z8sdb@Doh_=w#|>gy`c~t9^&lvsde9dDe$pDZRGw;Xcb9z_m+a00+!h=tD`%=z%8Kp z_=@P3oPxQ+jnK~>e-4pj!wI+Aa2bcovo*m#2ZtTZiF6tsPB>|@ARn=UvLd#u)@e?) 
zj2bZYE<0js&9+4c=zn9UZ!FMp{1{mVJPIE`BW9q=by9VAG_wJ0Mx|RCGtiP(8w$Ka zBVr*%M~G?*_`U_Jd(_sEac}z#;}qOv_ZnoiEN7bcb_kW2GXHs7OIfDPqVG=A2iO-B z*@}QrjgF1(JHMH;?7LovGD79B^f#*nBAHTUQ0TxEbvl1oXSG}sSKAZ^r}y*+59nDs z#ZI4y!#~F3Q}HLUSc!QSFw)YM_xUE}S_#(}uek6aQe~HojL>L#k1F@gJv~7|V8}IU zA!*r3&||Gp?u^Voq35mNG^O6|{tQ3fnK_QvuuIrGjp1pzwoz~ly2Dpt7fHjG*UdqP z6(^AxQI+m&8MqWAYZ;H47vuZ@_URMyoaexR2N9=inA?}@`MXpHw#$z5?@``~vF#L4 zxVjxT(2H)5cFR^kzI$0db+jzCQ+NoZ?J{M^y~jjrbP9$6!~9aAnN?8BUwa{AuqxoW zkx(EiHnsZ37~2KhsmeRzo)q#>2E7A88MB$*3WbCto{IEMd!G zVNb`Va?Wyto@d=Ve}@6S8?NK`77m?=XFSMv-ldh-|Kfyr{B;5Te?21ItXBXB)&L*H z#0-u+5p=Wyg{vzC;PlKyJ}dP%1Pw$$@E)Oz+E5ZzEz=6u^=tQYSELld+gDRl!RW?) zV+CZvn-490t>WuHJK7(gd7*U&MxQ=phpz}Xo8hRk3X{z1+_bI8+@@2aZhhYhrV-l%`k?LY7yC*BzowvIuKy#ztLKj zJ1nIw0I^A1?5Mnr%3!nbV?Z#*5yk`ejugBbpkiT?N7 z{JxMw$g3|sW#RuoWB);b{-56_9}l50%`vBTcgwpjb#>iVqqJduVd%CMhyu3zK4bM{ zW&*#>+%Nv`lxyOpHOs@H1mmAd67rVpieDpAx`0T03fOntaE8G_Rw;cmj9CBWG5)C3 zq_(vGZOgLkkrX7cEvoEQD^n>GXP4!##XTkGE#RM9a@oEj+IQY;P>ZtX0*Em_pQe-A zx<6Eu{!P8TZ%6(mRbO3J^8Z&`{4N!`_Nz8+TSgb=jBAP68=Uxw@q&rH)yqDn`4uoX zjQn)K%1D0iSP(P&w{YG1%=KRFQU&7`VQ;Mg(GNIU%I_@!=o=gN%fMaS=8(6ePKg6mM0k47YU-ZPK$^bY%hR#24ox^8DSdYyA&W2;I-KuC66(C6`NK60W2x4 z?}6GLx0pmkBippJALk4Gumq@GWT`FqSG&#{)}1W7e;zD`FYceC6TE?g^PojV-KnAf zQsrjBiNTl`?=4KM53%$PhILtnm#jK<<#nsa!SNA&8jpI$bsR21$3Q7K4~cV}{NeOgy*7 zcC(&?=_^|s%rS!5lg2wxwptD`&7El8Iaj`!R(Fbl418HClatDCW{QGqyTdraFs1iz zEr7`eeb$;a7@2wnl$YBWWs}Tu-b>fsx&J~vNkNeA7JfgyRiHITl~pNevaxWoV;8j@ zpVG8LN4>II-z`xN5yVq+QM;amwQEhZb2FB8b2Px(cWJHsmAkPK<=WEMc+kzN%jxO4 z<<`8IQYI($RV^b9$J*Z5r@O@8PHV39bu11t-~xl>Eje`*dQq(2qKG-5i;qSv0*o)p zohkr1JDe|jV6p3z}Dd2cL`L(*}s{f$tR>r#?FR2 zDQx(0_8ixmj2)ScZE3dTOW2AxnX`yt+Z^{B5f4KBR;SD*PGMXRso)5>f zM(q=gxs5l0`K#6bMVSZAckL>~d{}0F|0{w0z0b{wkWk6P*b8_VFBmVFlJY(LXJ`=w z40Oau-|v6fn|uq4ea&Pr2iiNCYfx>}u&HpaSMkWZQY|lCwk~yUjASSfP-EgFr^i62 z%`tsTkdN+{p9(v(ZjIMNhBC14Dma!x<`O^&q@+F*dckJj^|Z;{&5!mJy5t3&)&=X3 z*(@w}eDt~b1d$DU)S~L>SGffSPt>~^p-GcdKcFPx>qtoru_8bztP%XYDys|1k6bU$ 
z&2NhXL^}+Il`&16sn-@lZj(d{4hvsMNRg|62m^9dVXU-1QWC4m8bURYY zmQC1;uRtTPt$ar^2II4kbMi0{NC?eu9Xh`2?5 zc=vx1_m)v{E@U!3TE>FgOgs-95NF1b2rJ+yexMAxIzucXxLP!QC0$UG9)$ zIrqEkUH8}h{>_4!>3O=VtE=|jRsBLyk;&oC=?9r*kcYIYGQ`QittmhrATfFM?C0kM zBX$Eq|8fTang-nXk*b1{?)a#x>ade`5&bcw1ZXO34s$J>qDJ@5GYmn-c|5B+b0Rfc zL;{}JIi2ds)59aspv^wFi4FR*j&nh`6)6d1D5sJeOf#G@5cPOj!^2W$g67{=ejSK( z7auIiz{gVE)J|Si;cg-Ka>CawLPr^Fp!rji$Zh8jevb#>O_!K+zW>TXK;E>VZku^* z8nfA6L(%knSY3f?qQZ<_Rrv9E1zvUkk!rkx?u=KcoVLcg4u-jIr@k$tB2j2$ww*~; zGi7JqZem4uOjr6E9NI33cSfP9Ib=v2evF!Glqt(VgDYpwzDf|XgAQkmY?K#o*(xcg zi!xljsUKYcrvc;utuB?|NTx45$!&**v`yx&R>1vs%0d~S#i_vH0Qw`@=MDRJF& zljfN;vkhqjALF97`u4_6OZO84e{M1w%1ON*A?G)lcjPD8DGGM)PaQdR-5AAs5;wiw zZDYA8Grqo+(PGM*_{!d~fcLq%IUz1T8<(&3<(BOGYMTxHO?n$i*V)^E=4Ka+{A@=A z-@P^eA{C@$XMBiUTseO+1>4(TL1=4RR@FqezP{AfFY7NZ*l7)q5}Jp*N5+#`2K$MU z-!Kit2Yq2}Yc5voWtgDl8;yP9< z>8a=%2~nJ4rRhU#imUy8z&mMk_i;?QxC{e3wMa!KMt79Ih)9^-JABi5il=lKzlfMmr51?)3a)BFu!S&A z8IbJFqNR%UDz@gjZQ?p$@dgg$_R8m>2IMio(+%gfjMs4nS=%?f&_93qk~7*A^3kdK z{)ouy@*!eC&+B7(s4MI0c$Jk@T1UreHz(#FPSvZ;kH zf%m-w6lZ|`pdO>3q_+Q7#5G;_VJHHR6a3TeiyUN9=dS3{jtWKkt>$RQ-skUnA*@buBaA(&}lk)XhjC!B6^Tlr(unxL0&9pSC4Qj^h%$ zk2QN-lUos;BE9;7{7`g+^>9$f)p*s}66bA8nz_JE5d|1IJBFm!$7VfQwuPmMhJ@vW z-%0NPjs}-|ZRtxw7bfQiB)C~=_JD6CKqCzef>$qDn2WMLUalqad&;;`27i*Yo{_5V zl*!h2Vk-z!Wy&3u4LjF3dOd*CGJtehbiooac@nb{56GISHRfuwcLbQ(zQb#8uz)ow zV@=}c`s#l3r5-R+Ei->@CV@HaI6GW;T|vHvyt=SzAl;6%X-u(PviKp7-mk7EiVRqO z*4gYV?bc!otmvVb4MZcY0GCq^*bQp5CW!<$scl{O)eRDDltXR0$Y`Uwd2j@Egv)rc z+&r|Zag#oaA=+7SFqs=p{PTHoA{O01k|I;aXY3NEX(M+WF{DsR<0dL0Ohv_KeBZA^ z5U*|CmJb9y%}S#1{!`Gq?E#J28Wy#Ae?`EpU9_e5k&jvH82_`b^hLzhSjN8^NnSm#2H56ZG6%qs)x<2sFAzzL_}p4cnPbzDLvm?tOe@?cPM;-i%6R&tUfM zpyNt9pD5H;?XHA{rGUFosBG^^KS1o9&AfHNE(vXGA|XG?5-{dQG$NKxEFt$C*4B1u zwJfy|WiG3DnZ#3S(P~+wyG&XUSvwh3aXVsok>nQxnjZ+GoJ(E-i^BMDV7iA4(dzFh z6a=)rji}zzFN#>65k0uWt=$t?=&2W_gK!)187UQVX}Jf9T0t^wx8N?UwfpP!Ij+~* z?VBMBo&5}mnDj}b(8fJS>b(SlR_|!aR}C>Uy@|`{Two5gv6!8Pm6z_dCYBBs9*Hah ze#>cirCVxl05OR95c*5?*ah{<8vVGBA-NkdXBZ)0@ 
zcG~cR0vpLY8g(uA$L<1N`9bRNN_-3D!-H9}q3`89S1@!Pd)Q+mrsaI%nh2ir=w)&^SfgXkWK3-X1G&)>ET>2b!kyr+#Gi#utM;niGPfS?opty-}-O zcjw>jBZw116zk$$FZDX^df&W^3;Zjnaj9j>- zk`SvQC&Uq6pWAdL9FL0~wF6IzcWr-of&6oetL_yE_`Q(EzpWIZ-mWz}GpQDO zZBFwE%iAT0}^vat%NGnRYj2Z#U-&8`<{{o_4WtT z;^MlL`Kti*C$B?>(%NcGpV_)m24d3X*#*^JRJJ4CH7cF~G4`$T?+R&8K7p5<0)+~g zvLd+x3g^3sZZ|$ktlQMYjOBc4*Q<&}ZtH_~Y@Z!A?8wAq!HawS^EzFocPL7G>2+O2 zt~q(~b(}?Y>Q32v9!kVo9H^$1HRJwZzWTxCaM)Gc=r^2UI~1k}iy7*9UkHh4&0)el zC-6FSe%RngJ^oREI@q3vIwq^>(o+AUm2Ba(_Njr{`D8xyXQnxOk!>i37hIye!M_SNsWzYaqUnnPJj3wlXoP>MW6gy@72n&jCIY>D|;aw zQD!>Vb4uUhstKXE-lhj~?4po%9RSb}^Rt()RSB3dNt z%Flk(yfpl^ds9*m9d=Q=)_qm9jzG6=Pec5hxhCpG_Q>DBtuNfKDm6Pt9a7i2-s6^OxxC4Fn+tM-r|PEJnoR3lz@;c*p+JeO#<9I zZx0kwRcz~DkV)l@s}!NmUD+5~HH@WZD6I(sRT|M2T$ngoy1*!oje)X^?8RPU?A1uJ zoF=nQONt&Fx;$E=vzp}^d0XMZ<#t#+Hq4;CEVUj|;(Opp#&1dSryG-6Ndg3gjzf5$ zYU6s|U5z@{pcz(bLv}MaI(233wocd;N*4Sc_xF@RtT@ada-ulXL5hXqawcXkDml-z zq3B%1&$$`U9Vm=iBKHJ-+l?X8pm~ffD9K9v!W-%}ThEjfVJ#q`AVL%w%eg@DmZ6IVWlo;A-ZfxWCqD}3uC8b3>rynlCm)G@+*n~akL z##~3ee(XHzlI}YKem%M*KjPu4mo^2wB+x(oaZVsfG>pteZZ8UBvNnp6U~9Ju1Vrc@ z`F2n9gnd5`zm^_kGnJF+2o0@Sl?|(*sA%Oyfv3WfPE<(c4c~hKKQ_iJ(j&HdoXhy~ zMaQ+@0F~@o0R+hHs}F!f$vds&6?=YLUFNjbL!swM&PA@X0$O5YLado%8Aib&tW@cI zZRLrQ*EBlnf+oBWbzb#@>AhD*v~YQ#!%`oL2}A zcUM?4N$Jv3Rw4CG4YYIh!EtJDNif&LuHKb*N0Ie;(2-;6A0FsfEmS1Z5sn3Xe734A z&g$}0!7y9)dst#=UxtvFCOx%0Q8!bTM6J(DE(+bKQ*MopGf!3Bpox?-p!%)V( zuROwSB*M0h$%D;#hsx+jhg)mB+%xAh_J)NU!U$+cRF31;GoT`Gro{aA z;k7yJ^NC#z)p!eAXZxK}Bo|vcqmhTW05$Tuk3YvWBJfg-Z8On`w$cYf=%Y0rAyf(0 zk{0EZqH#Gv8^^~$7igC*oJqd4$?3sNs9)Z+kR*gUwN?M3+@~}2OaSWCJeOt1Km9sU zzjz}4++XSH(c4tc^WXkPBh=<`V5MPhm)a)jS+P!EErp1L*}`h?{sjUSws60Su9KeJ5ZEa0wZo2tW9crr-rrVM8pJ!O=CZO#W-tNJ~MiI=u zEGL)Z-6go+U#vJt6r=kW79YKb^)g|!&oDy*XRz5U)S7Jw={`8>fNWl+fP$h7G#9Pc zbHKAlBg^OTL?orlTZ8zvu)fb0eXe1{ETauPbiDSvZ0(9z(brvJp!Ct(XH^z)sw-_{ z9pcQX4@~tq-ZvD>rRC_P7>{k_X%SurwQsjK}K23jlPCM zQ4i3|iylA(iUC4Yg1*R>{M*ti^Q7us2!2Tv=wx~q@H3sKgv(G{IOuM@v zhdq%vRF9a?X#!3(tq=ZG_pxhau(+yhePe(ab4Gj5hjj 
z)GiTwf^%Df`sK3#94uJkqst`?mI!QV_#G2dNMxCkB&J^FapXmv% zzIiD4lIuM>0cd3U1RLAOrZL=29+#w~96ZgeU7IV5zA0K`eAcNt%@tzN$-a6klw#N@Z=$Uh272Js;$Ypkl&XsS;u{-#(fyQ=B%-i1A zy_}?byh0!_0BUg8ChTl^WMaOL)v_9J+vHMbRA(E34frafwN^Kw^zX_5{Y7A1-X6VS6g)Rm0fQflf$K@jse@4=;d-eqYKm z7J^HR*S{#kzEto%D)I9ABDubJ`CcgwBc%~UWc)b1pv~oF-0=$WJlOJT+R_B>hSkcr zWn7n~gaD$ye&zF`3#=<U7fHe|cA^~4MAjS< zn>>0jaPSwom3yvV(V#gz1icr8p4bAeXbNPN4fBYRe@Xo8LJEB_ zLcOsQ^wy|8Y=K+&e85`Sx52mWVMpg*dO-kYK@dt4F025}krtG`{AelDijwyKMUDGa z-~bYsuJ;&!VEvXsF6auBdDgUun(+$U@B2&|*Z;}i{bd3;=}?LdSg-XR@pr!LKX3W% zyPjTp5`^c*30U-1c=54D{JJAg7H_yV-0abvKB9Jr(Oz$>_wKS|YGF%C7H4bIm!@6hMfIwfzMA1& z4ZQwurV~LlHceGcZui=!&$l>=64Yp2puKSd-D7`-{jMkgqWFbvM4!I5_+T)lGqQsE zAfzKhgv!rbB)Vs#bQ4azI%5{gW)3>;;mheK?wE%M8#fO4DQdMx>v;v^7tf7&>S2~2 zEz;xn)NF`i+cbolwQ$srmqDvUA)RJ(e&^q%w06;xT-XN_TO9l{R>@G4uWjI{oxGxg zTv-dkvajDSlBA))=T;FsZ<3UY+IJ)0Pn!Yji*qZHDfW492-4J89TZ>)W(6J! zsIQ{i6|H|--DJB<@1A=#*pAdjcc-F#PU**DbsHDpA~e+zsSky%AIn`Xx4p|3P|g5ES9FULqz-*vVvYelk)vfdt64xLHId^L5MG1 zx&PW&#pjvI65VPWA_LtVa>5X!@p1`|%=UUipvb3eoHHKt1r(~JPhLP+gH4zArhJ>}p#|tN~1 za<%ksq!!qMYzYl0XYLXJQn+W<)5d*h{YGnW zdn`F`A2;xw=1Xrya)kXF?tAtK!3{0qqZ-MIq*#~lOV1-3j;R{-B1YV9{qd-V>(klH z!YM={yH
9ie%Nb!;zb0(c~>3!4K&!O_O&Q+{A38Iv~tHQHxUd5ueDpn#}d~bEn zz~TkBw6Tw@LnVJ}0hEJgx)7WDYx3(2-_%6bpi@tp^#Hurj*fJJrfib=lE^Ke%{-uD zoYAi>1UoV?ys83-9YmhHY<7Q7`LKBFx8>Bp=$OZXjX^vB(9)de;`si~*8VKPJp%cv zl|2YD-ZQ6X2w$M4Q0vYnjgwQcAAGsoaA_vea`n7gPP;WkeyW_-9tCv-ey`L01fuSAfgP`^J3b%u7Hh-*7ZxRC*DS6>KPC(PM#rEI}Jk!}zLIL<}3&jrm_AJ-ON@_nm|)u>qtiL=vPubq%nDjA>E&|7aK z<`3GXMroB~lk9_rL?;AvRFII^;h5iKMy+2-Uh5B(>zyoVMcWND^6+`?NB=}hAMy_z zmozs?_8mW3Jx>O(+aBxrUVT8kd<=1)>QQXEL*s~c4}yijJ*r;4gu>zkx?ZbG*Zoa_ zUS$nIooH*xe0)vHYD({*SG4h!bn_(um)df!StUZtVtH0nu(Be&={1`D^H0r~m`+Y_ zc32YPyUMPZ4uis%_D?qLBaev}gJr9jSCb@+$#A zrL~Z>jcQI3V5ME2wp_~<;i%E_jI=RTRRNpZ|2j@NP@54bYpu5* zH+n#-vXToNz;QcWV^6#Lab`W*5o&_Dt{8MR6bhyKFb~es?k$JLrqM(amFG(G#%19b zHcerGS&ScB&~T6POF$<0pLTCR-e<%GEw>aUCYz@fzDaW019)&Sckbt@KPgcA3)%OdaKbvF)RF=nn(m28^LXtekvR_ed85EyMbPOO|`UN&Tyr1#~Ix~>q%FoJE0iAUc9c=`(-Os_RoT!Ww%x3*)v1t}m~ zHS@1J6xl>D%od6n$VS+|4bdsXu-ig`{-%4xn zc?sCKO@zONPS&t(^zw?y=1tRL5$SF-gh2ONYxU4Kf%f9EJ>3zC?>TB~*-kvfHb)6v zZf~}^S@PFhg6}@p9Y_Xf9{6jh$&Q8TtaEBWA$fPSHe4GPd95zia&J+ZAfJ3m(9Y#? 
zv+aw6nY=JSN)5)_cimaC-uq<1lNU=om0v?-?XTC(e&mF-d02LIWPV0cGVD-}X4yUJ ziK24V4zH5jllOmt_d&= zP;u-Tb|nACSY|0ISD@Vynq|{Ll|hLwJc^$(f`g{<-oG;f5Y99I8lp#1>1IHWQS@T> zC?9hX2l_Wo1X0nsz;!<(c=yv|Ujz9SX&yf2sC2ERl{kztZ6EhfC!!_C@rMgN2h_d; z5o%!4jnULW-+E$jB6Zrpvd1=iQBQAMZrulEErn|IIjyqWx4s;(MtfC4_^5Qkd{LsZw#ED?W@xtMIm zabLarNY;Ci)dhl5VTN7zW;Ra|@tGH=u%^4NZ7?;^ncoaTeZe+@kD;*>+`DYJb30t z4wf1iy=t3CYycU6ci$H8(6}0XrmM-3Ds0Qw?c2rQiAr5_!Fv>#oB)jtBaC`9%UW_u za$9*P7EivcnD1{r@Vc~hq#sxfCWs;xdClnU(~>crpOL}o%@Dhjf9e}FxQ94zV2KdU zc83vKtZa~IS@cZTfHzEpht)evOKL;PBfL(6*%%E=(UI?Mo6`kjB0{PfDaXnvrf)gZ zAP8to7iI6ST}*3jDKm$TDMnR^Ckn!*!49lkkCbl`tBbF-({8BW%_{LDZ zin=k&u%aWX?2?&*Gjev7fq;-RQcFx-OQ4#kaGzw+L?{l2a*uTnho*JkM!V1ciR2Im z)^t21xur2X?_)9ptY|c&3Nk|sxCt%tvQa-6x_jY1jyz0h+r-du)b= zM9?nXtUm9?|Y*y{z{{RUq?oesgm~#_GdJ<{lPZ z(7#pFu6cvK+m`l!a=8g?RxlI(q0)OJ<=| zV?Amoyv2hTEGwSO;Yno?Dkr1I@Oazp5wwBL^1Wn?LJ}<}%Z<6=ks~yjb-b)*nGH!M zc>KY2{1~9in9CX?(ooyhsixJ9zw1BfEKfBlSNfM(ZM>B+jz+=B69rf2<}n}P?uI44(MO-hBPMw@=(b|edx+kLRj zb@L`!y7k24^80-$w5UWkoce}pNMpbgY zWOR2>(t9uMBc9J1?XDsBrr**YS-Qr^BN&oxc)rF{?ExpPcheB0au@M^g6AeAI)lC` zHD_DLt7+LAd`jQiQ2A+p`G-)Bmm zl$$c)iIA|oa{olPs@#Xi9hNg~zEdz&QTPVqGNLz@;Cup;!LoT@XgnV9K0L9M%Z25X zI#2&#PV9ISuXx+~97p(l3*GdFbY|=Kh%yXxlbk$ihrMY@gk&!w{*bAN2ZoQ^w z@){o^I!CxXSW-T@f4mZ$isOAx!#uXaKoKMoi}~zP*QKc?u8F$2H1QQOtUprIu_?># zTl2Tz=iHOW!#&jY>eLzo^142hxWW~sB$PBD_!E8 zX%scEd_Zr4m}t3XEbvZ$5xMhq)dAPbdV~avGaT?~6(=x@+H@_(!Y(fl7KI?-Y?*>w;%h=tI^AdPP964h-9$P!rPXrOFcHGC=w{Ma}!Cze~6N+=lR~3-+zkO?L+Iw z3|8C5^NK%gTkc@Gs(P53fXx@HoVAmn4D^0jU&-me=mr+oQEG8hpPWv9cknHouLl^h!xJB%u#=u9OY>5`@ zinH36#Y3`NKT?!w_-gKPdC(OaH%6h6F(dk1Ww3u_^(3zC2v@Bu4ihq^*90doig&$s z`}#VmU^UK8bB!{@_tC&GHn!|B?zLY%IRP)4P0!onopIDW^6xWlGHXoYQJi35C&rsj z>gCc|b2A?6bAxjnq@VUz+o3@Z*(E!|O2*u;Di%l33KTl{psa-zrTi@4XM{R|k;asm zR#D)WcmVJOzYy|wWcV7J>3*;9Zrv#|sQ{OY?b*1V@CLOa5`J1kYeI%IijaZa*Kw3#f*MA)A-bIAX=XOZyF6B?* zyN|UKVTT$G4vr$T8}{0*wjAij^>xNi>R9elxH&oQ`@%BUyG=SML?+ymft^nKFWE%m z7p_O5;QFcMfOnK>45ao(jk;^5Yunj(p>J{foft~khQyE!AA5@18By!#=T53)^-uTQ 
zu8tc=G02P*KZ%Q1j7pppeS;$R%u0StX*|h{q^qebEpd?dNSAoSmD$;4gRS=qAT!`l zPr0pqvmX)p>Bmm&`Oss6q4z5Ut+$_*- z@Mqxfz#heD7qq%#+wjO{LWgcniH$I$DYC1Ybmc2`!zy%{b(jNky=l;XOsww6!|*CY zv2)(jW{aP{`RR1>CpGTA@JVtuSQNM2{5wt~sOhOg} zwEvYZx`&OPcLw4J9VLCyHyj1}0Dq5y*a3E5VtfC0)(#cV52GPmT{`kmh2|VB#-;nv zxJ*eQr9XVi|0lWnHQbkhr)k(&-zm*Qcz45j@j3H-8uY+Sq+y~rI7ysts89G$>dWwD znh-Nid$#3yO4ILi0u+OmPiaTEsyO~zH22#R{~umLnOrR9v)0sH(*N74q5rpI)RVxB zv~X^GtjrdJPG$v;+cur=+uLxb|C)kbAEMLNw2u7{OoX9q zuPl%mRjQ~$Ar=%I7OhW+fAx|nj?5`Kq`h^QegD>cgQOid1UooB+We48kEF;>u8n7x zK*BX@0c%S8OR(_J-$&Y?l~U;>`m3k7L$l5tp?%1<47weHn)L;ed$u}8u}Ra{OSjPS zJq(*`cXkUmS_axJ1*YD3?^ye!4EuFAwy~*230;p>clL$Nu7~$wJSyuAW}oa5ngELq zQvLjtfW}xp@8#Z@H4*B00o|zZ9d^;Z-rlXrHnX`M4U{Ylxx?YmPjX4cDW3&u&=tx{ zv=&g1#r}zU{(z&5W;Bk+C1D`PFq$H|V;*-qgYXPv=1(R(fb~kI#UAg1uZJUxOS3cv z*5n%{Zq!)vX`ToGS0mq5x{ZccbZ%!eo)EgjVrcGh+*9S5KNXig8I_n@gZ9z&nvL8u$OgQj&*^{MNNCW%}n5bySQ72aoICN z9OofZqs8@pw<1FJMRs)naZ7D7z8K*$?@J9g+XQcL$=RRS{vq)KWDVM%$=Up{ATe^ z8MiN)lZl48jVRgz8T1yso&)$E9{#O&(CmT>i&_29uadW|g4w*KYLjn)3(djrpgtu= zpau&%rE`mT$TELTsh_keNpIAIB^Nj$hz=N~zmV5>d__mWcS`0O4Z25;2wUPGw&g%J ztlUL@NI9kRVX@X%KNy8O(c^9N#f&mMjf;-E`$5H?X6mzrJrtYV~} z?QATsGcy)EHipmFxi0Sr3}qpqtktKCaKB>3v{ubcyb}{bfA2u}*@zbV?1<@=2kY(Odf-Zl=c6BTVjI zI)H2}>t+Ow2b~m62{S?<$(xsAQ5kZY9e8PQDh1NttZHYwt{@sQly8y0OG$mRYGy$w zE+i;7L}7>KwKa(}TkohZxQeV0k0Cc3h4#kwTeX6nZ}EQMAvdX&FdCkY37&-_vfWv! 
ztD-<$v{W5(0-izfZVj8r>8BD5xejSbNiH~2l9$@#$>4ZwIpdkN?``qh9lNhkOAehi zkXS5fpf+;@_-UnuWZU(=-!i0flZ?8=$Tr4lOGKh4<4roPADH%wvEE3dE#5!3IpNd@ zd}#)6Pfz#a%nGV*;3%9okrAcY-Sm5A*m#HEmu1&l?cdWAouZG(BDbj6T6qSFzc)Mm zk%syG@d(h6%hOT$t%~R9=QE$PJDs!e$og8ehVebJV`n+xwvX%}{w~o&mduS;C}x9b zl|)nclm+=t^-PV>ZErxLu?DZ8tSKkF4vz0Y;O2bY&L#|!+rSj!Qw3`FZ9^%m3@-K` zBs1wou3hX45Wgw)|E_8-j98b_%SUR$k+_+>Hmh3`(yHt5q&W1>(_VSp%X!ogk6i=s z$>!;u4wsYYHuSW%Icq$as|~nZGi5T9d1Q_1KT0TfS;L6{J4D{A20#i7cESEKP50QI zi1M~jc>OI{YPk2A3x0D-(H>V)-+oPwk;i~~9Z+O=Q1HSmBfcbeGQMMdP>|wRjR+Hs zuQx-_cm=L0mUt51BCx=4hoPp*?Nz(}+UiE<5RGxf?imbRLG%u?sMR+jA-Tn)UbkOG z3kQTVpyP_>UVnZcq$zoV4{_$Pv7X0^yOz*v$5K|F@8K#{IMczin%PU&W9(s(bFjXj zcTyO@@$Iasy54`#JjkM;K1*l`W%PahIV#IP&~ufmUJ_2_46@YUOxd#A%3Ki6H; zLT}c`@YteZ;dSTp98wHN_ag}@nH zqD;DhMO25SddkKn&cqob^!*w=AyZxx>4cS}iVw`8RQQSX)Hah|-Dk)x#rl(K6%HD> zvmTjMRnm%L2TAbu2g%tvx%3e0`S5*LQowxfoL(vJDGU z4e}exJm-|)Fid8BEAmG_wK~r>5sru4yF{gbFhwZQL4JxSNv&ThP2_Xk@uwEH+< zy)S**^+QgTA(=x2f=6eyiyoP6{jf-bCKuoA=no1sd-|=tlQa0?xIc4RYE*Xi3#!-o zQ3bDT_%6*#v?x~e5~b)D4NV`6{qg|&i+t&S1{{BfQeKiUru!KhI=VfrZ9tif#LI+| zm5Thw!FG3YrfP;wKQ;Ms{j7|oc&ak}ZBH)%XT0v={?MbP#TEB+Fq1^H>yfFUeCEIns9g`+Z|LXVKva2&JSXtBc=hDCa4A%bd%m{6gzDm(zB4AT2{EEsb0MCu1zoTh zbIE{-br@Q{(z#V+LEZQ4S{i+A2MsAOmp{AX(eFI>+Jm?kW;($M##~LvzRt|}Fc|Hk zNPmIZ{$!z51HiQ>KwCuB$9(O<1$uPj@Fna>!RUp3i1pTc+3@z?t-24zE_oh|uqjPX zm(w{}S=ftp%ErS0g>)aE?d%9&^%HH~#=|zAL{A-Mf84sx-QxOzVny+2Ny-Dx->)vh z7*<{`gzD8llYg^x4(uKe2ZSA44Ol64jvCIrEcjqxjo4I7)TM4YAnj?=9Yy$OFk9yN zt>VAuuno!bg3QCz)Dhi?vieuVe-UTC#&g_*p_^B(i#V-o$z6Vt^2ahwsW=YuSl{)o zjtfFo+Ec-f;hC+^I2d(CV%AsYKe3`GjvLgN5X`onAj{3e`sdG8faAH1l6aqxPNqhz zLfT^eRT#_N;MXd!PJm=izGhGdUJs>h61N|kA1e?30bxT_cvz%9!y}1_ptCf$| zCBT^Ek+h(DsuZd>nzV)?XN0T_iJ=yuP>8#+E+}k0bdYe1Y==G^u;Wr_rn0dilj?3X zJh;|Ir%PsI@jGfnd(7Ubw>QO zvXHhj#q#Qa7G16oEo#%(I9Rm$cA&SFE$@Gws9usI)%AZFP-p=i-``q*zf!tctRqzw zKRSlH`}~#cGheW=!G=`=Z`{=Da9ouF_cJtNehm*!$+3njkG5N$EsYPZ7NlLmy31N? 
zH`Q|^bzrDk%`txW^R5u!mOu0Ri7+4E2^SQ5RYCo@XhKUiydb||_H{J(9#$X(x9E`*jA z&xo%#prM=s;d!LBpWMUfJaRMC_27cW7|H8l)c-BpiN_=$UEuG2?s)q$P9nbGL>OT<=HuwRA zel}m=gBP@=3n7%Z&3a6S^|@NOJJ?QP0u?;1`9zw9pY$JVp>da6YTu?kZ{7yX4*x=D zIRkA`ap&uM2sV%98-(ue@sgT&c!cOK_XW({9QI-%cPjq_f(E)`$Y*M`$iHp%&*K(H zK!2n^u<>rI{^&AK5Tj?5844IjrUj|sAnW=rKZAMYGu(KLDDa_1&&O|d)+k9AN6+&Z zUwe1&>WzmPw=uMJPLXY%GKJ<18)KoXHrB&7-u2JcrdanbShAKU(r>_c2Jen%s*5Yv%{ z0LBwz^S+^6F|SYU%#Z#^^^h$Nny~|(g~^vE`XXIjVuV1%g*rGe1*7)(#SYi`L@@r+ zFk4hhi}rT<9w9_3hvY@GmJ^Ef;^j%Utb-bA+vRfi_(RBP>)J>Fp!P9^L%T8mrg=%i z;ApV*+U8SIQyOl zkZ)5ldtzj>ZX#$#?`mzr6ymU;5IKHI!wlU|JriynSqY*LGs+liio;vIsXl&Q9CQVAupD+_6`gLvsB69nLQ;hKR!TC7@P*^7vtO# zPTu|Y^C|2Mp#R@1uH9^(H>x804WNdK%{-uATzhsRif!TGX)vcysA!=+KqLLPzx~fIN5Rlf{3VO|eY$`D z>HjXm|MM}45?o&kxAc!2zc8va#31bVyv!< zJ?sLkx^V@`^A9k|K*h=2oQ)fwy*NHJ(ofBxoHUL+c5A7&3-^3|bF>R7qHF`IAP@b= zCS_m9JkNlTl%*#PZ=KH`f9r?|8JM5|vNgV&NTJBhiMqqtS`E+{x_>m(NpbwL|yW(EG&K*T>FcKm*{^^u?L72E&fiI_~=4n)5uF z?J!L4O2-x}ll`Y{hcUK6&c-S?WOxfmF_nFN=!h8d|(^<&PTpdZ#?n3@#iya5kH_8!~mVay<1vfUo}ETD0XQ(`l5&e&=GJo0$ZSdKaUd+Bk*A+}gq3v`*QIJ0EAg_J4PF5DeAVmMc=QH&v(wE(M_B+er`8 zr5`o!p@aUrfLYvpe`NK7U;o`qTin0gUP;OpPclK=N1#`m)Ro=(plH4^ZSLSiaVfK zpO5SEwJ%rk7jG1}&X27aVnY$lyXGC4-~A8N*BJP{uF_iCtWd}CPPd0Dy!U3VUL_FU zV7K@y0!+FF?->zxk6QaK!1>YMejhkg(|cy&9#Efr#Q2s zlhM0x7no=%JEjuhWI>yvui>zua4MH`{*&%`r3RRS%?wynl6pf(fu}1MImzz8qhXO} z>bB|9NLg@gH7YTf&b@CbzPVndPPlsJIX4sfiRg??CstSmt%K5ij{Ub=jr=%Xe9UO> z;l9NHoL$d(c}l`Tn;B%R?2(+G3mO_3wP(Oz9!s><(9oPPeZTo1Mb8{km&;x+W(Q#b zpNoNQD^i`i)*;_<`FRTrv`}qD5jWW3GGB{`w)Gy5OG-QGdknZcp28ELoReO^fp=LX z*;Ft>^KYsWLFRH_+i(0(^F821D*IXn+OWr@tF*bdV@$BG^M#!E9t9mWeB$`*`&Dbc zY2PHizCMs$%($O5JvXEM&m)fWhiB7Gna+V1_MAe?x;jp6k8P9J8@ zM?=E;fowD9#WBx`ayReg^Q=XWq`by!9$z&SonJRYOPna!05Sp# zW)>-i!U2QNtM(qV)UK>?vV&@B;Oow#LRUJ4pAgd6{;R@g7hAcw^6%e&$qXT#)M`sT zw4&zqr0P&AQXxtqp0LGS85*P{Z}Y=-kMA(Jp#>J3R(qy2q5Dtt{Mk|GjTlqDS3|`A zqU>?>}r^7rXptar=|f{;9`u zHO#qlm`Zo7ooB{we?ZSqZ^)uc9QOhl(z+iJus 
zvn!8eQZTQx=#*z>hz&##Z|uq|IVLDH1)966a1&bug9XgwmcfEAKM6go8YzQnHtq{R;1q+DFtR9n~Sw}L3v&wknv83*fp96_4$kJ z-Q6k=LWn7PaEB}NRMwyvUT0K#=Z*yn&B(VId^&syJF0^+^vBqUKlX;LzPl$eS=n;;#z4G8BmaweI^C3_*MlY^3j89%0Y_ZzgBZV-#Wg%&qA~_# zAxGbaU%r}?(z|rPVg5$-CXxrsNRHM}J+vlI$cZ@gvpOt-AoI7OQyy;mcncAPvvcQt zmGa?lRQ!qQecJCN>~EI#cJ|))bKQR2zOX@{Rs1IY{?9|I0N38eJ)`Ax!l9j|+=jx9 zK*)EEXU&Yi`ytg6wo8mI>Sk$Ws`R+@YEjI#(S|l%2z7Pv3#N6bQ)6v@NVl)s@m}6` z{rnUG&{aYJuaa$A^1;GMg7|x-R8T{6!fiJ%TMf;cM%`ydpNZ5gd<)e&+XVWb z595akDW=P>1Slz$ovtT^Mn$l5fDWAs%R{K>jFPF-p*5&^%7Mnp&^KrjxHkP<6^pWVPsloM8Z8yhl+s< z=oGQ(5GFRhi~>&J$CJ(Y5vE=4x!xlA#ZS+!!rbOP=o3!uu8FZl33DHm^yy@WJaP1g zZAIyOhTxQ&UkF)QUNOnb8FJ?>Xs0(zP9BD9ALVv|u8F*n^;R5vr-ar6%r6&WK}SdH zqR7y<^Xm1jQB~7uprunxCe-45eGAyAKB$211vmV}RN08Sk0KM}N1HvJMFf>w0trQp0&>o6UxHk({_#m@4N)*0u1t7KXp{?JF@iZ&M(kzFM%g0y_Ta88E#9 zk#GlnKjH*i%vFWq53ZBsq1leds?tb`BJ1oD+&6mx{Fn+YZO9*$l-znSb02#2aaeBm zL@DCfQ=LHSOlVdYu0dncI&EZb1Ky;wnFA#cp0M(!f@6?Oq)>rII56avJ2QR^FN$e# zY+?f{P1wkYtO<5LJq+LVl^I)^29*AEoc3?(F=~&u<{}sYe#B8m%yE#qHx@&v5Vuo^6A zD7r~!qI>MssvI>iLTjAxF+KS$(DxVL`WhgxJ7FS%dOp;D>XvOIR5Jw1ms7x_m2}!d zg1CItLC;;i1Ol6^B${mCF0R|G>1X;^6X+IF^i60qNmVfd+#FHCs_E93^;ah`k&sI; zOnHYOY72@CsIzt!`k_9K3aqMkq=LKpT5vdFXBvyh0PL)GoD6hkmL4-z(IdR}OmhWv zYHW^CO@TUsaQ+;f4k94(zIMtZ{R2?)W``>0h<1YfNCJvSK3IA97 zJNA7*Q$~HCzXKwXd-0rurw~g4It%T*rs!EE_ns>e=Y;HR*cE>(MdWSrLuemll$Bof z=sVDIXRIT!f5q`&bfH_=47dE&`bBVSCz{f=YuaD?>>}M}#><|MVahLT1ebWm=!eH+lOMaJ!^lbj#HNZQ|_|GnzU- zw~V$qxX_oU#e7UK?2=H(&93$N6H6SD+zCjJ-B8I;`s_$^AYV!(NI4Q>R;B<$Irz=6 z-}(m}*MY`()DCa}O7Jy*QEq?t{8e%LJMYCmI+cErMrxGS-9$B`7|kYIK3QF94qUjA zqGfJ7_W2~`3x@dJ@6O0RC-=cs*UHLnqr{BZh>l}k`+!?vkvqziL&~H`R?)b8F z)IuHN2-gZ%Ly`j@?&CVPy7f`V6o*3253 z-R02YRj^uii`v7Tgb9}2c=jIml-uc#Rbx^KX~C~5C>7Cmhfg&Z-q;4r$5<^Zmd!(E@&c{*IMWry`t zw7%#0j%;CKXlL-&TNLtG#m_J|ES8p+Kc?+1$8_6Pkg&W|++Ru>WNIB2t%m1D%FcRX zP14|x`7>9FpIdN)?UbAfld^oS4H`(6`6jLhwVa;$9nwOTh;fn#TB3Qst1y~g2WzPf ztx`s2K4SvTI{HW}}T0DeZp36T;$kmG#vY|j8<_70hd2c6$* z_D*9_avgzyB_YR$aA}K0aQ>Z5g#ohlf@!ze&q}9ghNHz!14@hboA=4^JHjN^0(jpm 
zGmZA%!25W<(cj+ii2_?*a#tGB zBuC&&svBvm>(vCy>r9FMg|zB(eH`TlY`aFaWdjHnN=w>0oW@LSYro=0>jZ$y?AX8L zn8^V~(1o^u@E;4x!GB##I;%@A+-zZY(4@(l%n^%A<3l+w3 z3Xt}QvW_XgAU%0bKoh?PKoCb$6;Ql&p!~~TNd?EO0~p)1i7)xGcxW+_#|4M$f1)S= zq7?V{40BvYwq~476-Cya23yn5_a=)IEe#yscsgEnzC)I5{8WjhYPW}A0w4^Zzs~*X zF9B%Z_qxYQ(z;ENHVe_0m32MISa=0Zt8dkDiyJfsstrediL(Pl3BtI^@&U*K9)CUf1R=q~W1f8F_u007XM zN5_pey@Yl3n$nJ0pZY=s6BH7d|20ys$MA0#pAL2Nw?}Yxqt;U4-+%na zJ^q_Z|5JH@*t@lyQ3U?K{=$|H$eh{olo0}Y{ZC=rKi}t%d#&7J0kd_*W%m2OluQ2j z?7zSKq6NV7Ia+chaFZBNV}9I4lxd1YGzi0Y7kVa7aqY)jZln80g)QQgxb{02{!@pa zAk3)^aE3E`mO74 zHN3eP4&6Ve$C>OoNH%dO3_=kS8QC{A*k9WC-A27CC39vwWZjIAiN08dV$CqreCp$> zt5JA}dEE#Tngt>LOjQHi#N10{E~W`F=l8qE)$<$OxFjP@qLb7?29C`$3oOXiu3o{z z;@~sLPkR!a76#S*6F;5bU!IKYce&>ba5cU}b+Z&9QG!0d%n5B5Y@xA;FjOOE`NiBm ztg>16^l?Pr$u8K&hj1EBxw_U&P5|o{Bg}H0%HPMXqc>PhS6*z!cS)z?G(nhEO;22j z!H;`u)KaNx&ByiH`z$J~o8SIpZkLGUh=jS?*MeM3@-4xrgUL^rB8ygn9EATF3V$T= zPUpnq9%j7)-~I-CrS^ckoQc$jpFfrR)Jz@(vbi`tLWwvCA@%z|1M^N-l$AqSN>U!S zDc0Ia@q!jTpMP0( zHqyg5^x@9XvW>FX@C^9cuw-;}-oVm>N>e{xPNW5Kyh}vmoW^iEN1+mJC~aoZCc4r; zeb-&y9woU&+~6kTC(l*>*RrUG3_LAM1FSj@3*f@-s1=@g5|9dgJ~^Qm?z=;hACcnD z8KNfA^M=|Ij1QSv{Y;x3%xv1}9(S#O|HwqX`N<#1jY;4Q%^znq2LxYXu=A)l-Z zu5pVzaE5whUmgc~Kp*-;6CdD6cIY!do_-R2-tDnvn-WU!94fbGdnA(X5=T7GQvC$Xvk1Sk@~|} z%p;|g`W?NyH;V|Er|C1Q;Oozy_6yjGdRSS;Oe?EKx3@q3*|9K^a+7VS@?bABCYUt# zARniDPlEMHZQXqxp<|S^w;8;Nb$)3GwDYp|-WKGPO$F-^i17Uyd9X9)mBEuv##R!? 
z-_c;V5T5~R_U#n?_9LmzY(lJkmIy6T^`ul(Bp5`F6rH{VNmJw^pls%G&hfd*Z_sCy zKrq;h37x1>&0SL^ue4yTxveqTXWz}O9O24xGC9vI&8z2Hy7`T@+H4mBQ2B2HnIgG= zpn~}y4_}hCLb$HMVpzDQ1-5|n8pY0{t( zHE=lxvy#FcwC~M#TGVpgem|0?*uC*d{+sp5;UTXCb8UX-u{)X68+rmzH?Pkv;O{%H zA)UgN*D=fpyiWXSYG>_EkEF3r5=`0d0oC)xx>xgp*eFcS&{7FhO*NHHX0@2ix))Be z=L$`!ELpd&zi&%~5ro9$dkf=WqJ+75P`1ZONJNnEUQBpJhtxY?GG;_fVa3mP&=Jqc z{)Cts&6bh;=XW{rSHeugG%IJhs)iEspa0zHqvHOSS#AphlNFosbIV}`w|jcW2tspf zFYSB>5uuBJ`GW6^9}41sbymN)aql~Zj`Lfm+E^(WE=e05VmB9ry6xc2p|@p52YXFxVSB6*44@8z3halDlC;cAby^aQ3`%^A=|PrL)d#uImp5nY zN?PbZE6kb5y3$2~h$4{S)?Ha!e}9P8*UF{O8ZBn{1Vyf#L33 zQe)0H?cu-)fHB-%4Ct4z35ky;$r_w2y{5uX-$kcOZ6IcDW}&B}r3Kr%VI=J7YXV4e zi8Z4Z1po359UF!cEcdG30TGb_zLLff{Xjr=Tp%D$NfO}~OvJ>+G+~X4l$A}x`Dj(BMhhS2C#R;f&vUZ#b3tJdB0u=^eIwmXwEkfiwsI36Ucm{Zdi1C^TU`xzA&6aC zz-hrctq)x~J=oB+=hA-k29^%VPwM*(+DYS3*XgqC#x4S&(enK~yZ#ht13BbGCvDHt zHcLcQKyPSoa|>t;kb?6JR2{*_5cpT0<=V4Y$6fgoMY*{=B=B8u0x0&sGsI=VPp`Z# zr`bp=sS;#cXt^r9MZXJ(9_e%O~zc<|}>G7=arT-zsNv*2vX_3P*xeAw*EB(ADP_&)M7M4%1_5t_k)D z2S%rA8e3k-GB3`}{Ws$ZB3WNm;&1W`K{pp>+g00&Qhm!(-S-gMsFbdNnm$gOitier zol94gFr*g<@SBBq<4`^q?x>+i1wEa9Ry2Zu`EPWCMCvR$WeBvfenrzZH< z=^GsO)3)9ut-qFCsXxpCKWX$5mDsonB(R1ErmmASv-~U$X{WF%P@5Cp0Hna zOvm?H+JZ<68ZIo#v+WkM&?9YDF*!WfaDeL=_D%HD(jp&? 
zvo~FO6IR)0LsLo>USs^si8!}X@Pq*87fwPfrx`En6ufWzTCeo>VZVWUco;=Mbw{hX zM#uO<0)IkGy%l~frU;DySPIz%vo!5bd->Mvg-Qj;Vax6^kv)3G2;xxI=fK6CNdxrB z^YVJ`#vcbR3{_KX+N8uh@bM2WK!(f32K(6ATTQu7-P%%eEpR4`kOkYDC?MAN@Mvo) zzc=V;ad%Z3`T))AWKJ?(zr$3ZKkJ*n$QjtKqFn3#%E!!@ZBDbOb4J{^%awXq(keuY zNDZg9`-hYn)6xJBu~y~xu=LDt$G^A@XFjBWqsSwBVf%bvypT$Xalsm|=T+V0B{=Bs zdeNj+znc4%JGvuqWF=`FL;s*aUlMV>#@6s-naNA*#gddz8Kl|XI7713RMjs3F0CtA z?fw3~2I}aORTPK2_7BoCKe#e?LNWXsoNrA9UP&+Ya8ic%AP^-oIL%H8MegJpA)r>b zH`Gtfh-r?#={~Ogp*LsUQg)??A)+OGt^1#|6mTFLU&1b!++K!mg=8NiJed8)k!4_d z(@;2HpRrtihrC?hQGNAR&-bLn3?I)5L_4zH&J`8Mu>{&Bq8uQ+CMOG)&EE2 zOf#t%zbQ9M{h8&1J%*_VG^Ii;7}CTu*TWD2&Erq9f??Uf@av z$FJirIM=KrX7-K!rXSGJjH0B;G~z(Qfo;0{5k=!)$|X;)+B%dJ4#(!QMoUp9D>Cok ztU{4T($M@x4(LAw%dz;RL4_Lz%TOxUjZo^YcK^pd*3=ISsXi6^zbN2xBgllBLw=<~ z*r+*SDy;AxYTR*_uRG*f7z9H|(x*>nV--Blj;dUa=e=)e+$vA2rX{>wp0iFKvTYUl za_bSe=??5OGwGWIX7?BB!mO`{Lvx^WMb2WueJqI6HY1tk$(5HP%xn)aVA*V!eLai* zUe%P%^hyg`MNjhLGxw)sg_K>Y`vg(sDSCu&uQg0!c)Xxg+C|@8B^noKP1o^5F%zb& zJ0Ju4qFZ@(o5VpWuU^xkQhSL}+@!T-=$}upuX1AEkTQS1G}d6c!8BuI<=n#tkZAR+ z7XM>^^|tf-`bk$UG~xeY<9kp(#lOcamJTi^NetzI#@W2ZLxL~uKsfw&3z46vrYk*s z2*f>Mj-yHIesws8G|5M;>@>l9T#f9gblk9X910}UP?HX!JGVvvc=M79qo!Sat<|d_ zAe(c&Y|kD**kIbU{Wbh0cY=LOWc&-xS5^xU8Ig}v%#(ovVRJb#x|1UWZAUJG}?DWOu_U$=q<;NsyI4D^<;&)>r z3U=zc#Lay(xJ-3JqgQ=70`%L&T|AwvIq%p!>FyMFr(}fl*8Tnau2FjPwEsXx_imcO zo$b`4{ZLzCuZx4beM@NLH>yt359edmcdW-nMc{_6%6eXHEjiCk#`n`&4py&HdE$v0 zlDP%rro!-#JZJ|QjQb-je&R5Kgvi5tI<=U}@L*RU)fUG}-9IJ_7TJC)RRbD7N&8*KZAnKB17Z9e{6>y5ncDKdMQdbcz z#Cu@;URMyLb7j2sYQ@|8%p=!Kg_n+2{-xENeVVKFQF=nTwy=pebre2xpa%nDdfe!x zx>Yzl7O2*sfy)}UN{A=^II{OSI&S1}0l&P4jl)hH4G7jq-J4$;o4b~FZ zrY@{^ninwL@>MSl0Fr4o1ncAlC&t>Yyyrzi=hcXwT;V)`P*&2LMawdT`vn7E1qbU}-|5Te**bX{Y&8 zELr%7_l5-2s)plt?#@bIC6Vk2oO}SarwWpZR5bZtwsZbw2zRfc$jYc)myXRiOFb7G zN-xj|C3hEs9Zkew;C3VA2=UtrB6YSDQ`r{HH! 
z>340zv>{H3z=`5Xo#!+rq$l6;T_3evtG}({^T`jQ<$?+g@Qq!EzY|EXyHsz{N7oaL z09<;w)Qw|+(vh!rdn~AnG`d+(Q%(&d^ug{S%53@rhGnxv`?{#9&TQkBesTdDt%l~u z2ka6OcZdyzpE805JCH7DNoP!Vb2!5!y1YAUvBVr;buDhdtFd%rY!mq;DK+x4v^j)p zC@6-#ZPf->Z;^&Oxx6cjJM*mPK9UeciyhTsL2j*wv$PqbW5;kKPI$P-*;Xn-kQ9yU zv^ETX>I%&26H>>MD`~NcSxk}dpgi~ySOeksx27a~($X_7E41~U3A+CUQWMPNesZIKVg~D2>!&A9;S+?w+~kW7zrHE--z7nPV-*jOby|4yKd z1O5mSMS;x>Z;6`C&(YNu8fNXK6$%)F?OAiWFFi3?2>&qx09IK6C1?pbF!s|Cc>uv_ zcXbM)2x+Eg3GCg!4l$sFHx#vBY8JUYTndndMhPeF--tDk70M^d-v3fR%>u{CWVOR? zInxBj;r3gpj76DO$iNFm8}lc$j#aEhaDjejF92`peHQ)#iRv?duqDqNcYanI(V9v2 z^q0+}WPf=taWR8a4{m3w&xL}KtbknjrUIh?;h0@x>uMGNy!$5-$XVx-BMV9R9yrFC znPN?=b30NL;N<$fW4?aVx35a<*MlpW-RJLag=YUNu0Q{9#1pMfkC@0maw*n_P%WrZ zSE17J*&Tx2oY|!KzCZIePRQi^f!$+_hW|h9dY9)DHOY(F9B}(1yhLpJv?4d36(Aja zGerC`u>rzGi#73gVm0yIa4cshf^Py{{slk}R8>~Do1$emmxlkPn*8>5`EP9m)%`38 z6iFfi&mlRl`!m2HW+_a2ih@#o7w+t-bAb(nhl}N4Jif%mTU05^HFWDOUOam~Uik#I z^gmU41VA@xizf7f-vS45dsKUtJVe28+xux>NMO%%XTu;*t4`T2MmLDti4{<>ziHk7 zfG}2YoLOA)*V!eooDFlX_r$l{mV0FM%GDHAITt?uJ#Ve@;uqFeLCsxMmIzOxlefv( zM;-z{i3MNOONZ_m+0D6DNxRku@J=cMw1!F4G;|KiC&9187wAWn`gw@uSFaa)7o|H{ z&^JNi9Iw6CxE7!npL)2Djzsv|znr6%A*>vSr%3JJ!pH`=9B_Xw=^W75>M|?<9}UN@A*L^nd#LBgzd8Fs_{gB!8kmnXjiq@Mwtteb0ZtMvxqa z`#nf9^M|dQwevy4!yHNQH`b@QZGirRhsQlVqjPMHm#y#ev~m-O2LOEkot)P+ajiik zt8C@0^~|2DwJH}19>Y{KfRT3kaxT`FFFz+R${oA>?X}dg9Z}Jwz+0l6-_WP@TA|@z#%sfX}#|$ zns2R4XgM;MMQ-rtXyHsJ@zNLW0#|l$qdl-o%ANXagiDW!;G{glP(AFhg4*? 
z+&+Emn!>S~-D2OFpoyEC)BNOp9OrqToZJS8`0on#Y3c~y zoW8qXpQk=0(|NzpuueBmI2a(mEcNBrLR&1EkWQb-*pl3`>xFoM&j^$l4#U(vO11~0 z4@FM>1wxmaECuD1+{U1GJzDmFYyfDqSUGDj5j&l3;mz$Z<%3h?BFZRf|X z`$hS9rl98|u3KgMJ?Z1BCYUdb_^fBK|TVk>lPzh@c=hQ^3c_xK@epcyfZs= zF!npmXKfShG}~zAQ}4o(A5s)o)Y0yqVyTz4pkg$$sbTFvU+{s^M1sdcBC84mtMfRx ztIn1#@V=xUA2(_QE`KLLH}-uXoU%rWv_@;dPQX|zLKk6qL3PaJk^}eJ*zM!XjKhm9 zJ{31@pXHTwPN2_;+H&EN#p9|mb_D32=mv7FJRha57<-T8E z%kere8(dHuz;|_p-7|ywN)g09{-Y_AVx{PHca!I{hK(L9=QR>223BGQLzW`V8$rH^ zb(&Y-OuyI8<*gd-&y^A1%n7n3{;afgOa~+#q_u5bBB?-{8#$5d+F0Z^b<3IUfXt3t znrx)#pBuaYvvAV`oT+_hDOhwT@=WMPjlVm(p1VIi`v-lh;st#BLuD8H)k9F*tx&2O zM`p5FkHQr=m@d2aBi*}0hvjv6kCUszAIxWYg$fhnqA;bxfs^B?j+pXHZz|gvqTOO_ zaadDqIomrh+>|?Vfo*Q7Sq1t~pH$|RM&YK!u5?^SYiO=sHeP9XJyV}dEAY4V@aX)B z@^r0P;T(DF9>WG>VlLRv`;=@Q2mFx9fJEn>eX}km4o}5c2k{)@<-NWI9!jWxoe6%- zk1Mf)6437jOahr!iE| zOk+RfGPRZqr}c14$^k9zv|%y@p}yBmc1UfCUic6b&%<3QzIC11Cedz-3=QyG=eS2X zFn*}sEbaiSvw6bW^7WrqiaYS5#=DEX_GOpsa$l2W?!4Jv% z7V<}(BLT;1Os~8a%};99Xnoc=7aD{_qD7;X*zQ#^FFM2>dXPyoIFdq4Z|p4vn}gm0 zeU_x9tq9WWIV2qzAyPJqJu6&A*JsZJh>UIotb|sE5V;(5YDqwKiI6Gpu5Bx^H+yxK za9BJnm>_z?qi7H-RYEn+VRe}r@pLqSn6bGLXBp0?zqYt*)u_bFl%%iNXJ!3ub$A}3@`|07%~B)?no|M5hsZE!`iC! 
zk1@x~dwb4H>~Gj74uR}uLIIirR3w;(ThXn{+gK4DM z$RVdA$VO!L)&W5cE>T}P1N4nU6#Jqj+>Az}_cw2I+{fiN+_i4Z*}kfyIn2Tcs6=AG zOTJ|l4yS-Comq?qgnsKZ0G2gu0+`d9qss1spw_jV@%8p|7_D9w-%2QFtH8d=KKnlJ zD-5Fc)(lBH#P=M2T{$=*e-HV$0vVsDWijoD{?!lntYd9tW1z8HvY;SXql8U|Wg_tb z!o$_`$XH{PyO?MY^@J0MH0~fpYNUF4+h@8)ChVY<3tgq>NR}V5d5aFl+Z`nUr03hU z)$-6+P&cmqkjXlej>k$o&(uvO+~FTP^BYptoB4M1tShn?)x~%#BEQ#*aO(Up;XB{Y zU-mluPL6&0jNWrukG5mKN!*P`Tr&HBEuJv=&)kX}rG65--Gv|9bW_ap$byu=aIvyP z3b^=lwA+{mf(K|{*4@D%^%1?XsFB^PJqcO?&&!$SOPlt)c)ppd8LPau=8q}A-BM3g zgfc23CRCh7pJ#^}{5;uE3|J(y{Z>B))9xhe42(4BL)Tnc%W?3TslGAH`3>iar1^~H zSAb1uCd?V?qg7tHQlve?_p0u5TJSMgp3-T!s-V>7^It<;Z&UiH#P=U_;(x%PaD4BL z%UI8PQvh+?|1Ri{*L8Q!VXdpz7fbr?HdmbSs)E??AfD3Q^WdGXuM_X&q2TbL*VsmA z=zjF#sEPuBLDJ`+@@aHNPtSn)VCN-FYX=scsXl^6-Ay7*A6ue-Ohw8wG!yhJ=kdh zdr{MQOqsv65j#@}BAX=2+8Q-kw`aol`(2{F+q8AS)vs~O&=8odg`3yWB*>k zfm@P3e?Blkc0zm(I7+>@=4^-A12eJ74Kt+OTV?+rJV&&HTHBJ4oC)(udoNhzWTXkw zcke+#DUBsk>bk#-Oh?}f1E-q1+LjW2nw*@}n-n+`hNPOEwS=HVeD6u@%`z%$Dc*G> z%FZ{eGDNO=ubN7{7m|2BU$^nmsdt1UTI@>)J&tnQ`XTBTFv|aQn%`PMQ9m5^&i=Z& z&nzIr4`0;ja*7s=V%#P0b>Dv$QC!#BK0XSdOlfhXCLL|T!2#6+9lLY!K$Y_UN>41? 
z*;az0W=baVdJp58&WIkbmROosXiLnq0}UmLJik^Z9Ei^OYZEI$Fg{_MMF!Lxwh^eE zw)WD-o_lg0Nu!A`;%qk_n&;UBOXckTV;~K`pdch@yj)3b&7H`ns(@+F2 zoB0nzLhWB%$9%G|21#YvN|qs+ub@k6n2*NGB*I~EH_uAX-ddJ2w&!s(vo*+JM^f|U z3WwDHg06qSyjs=$MD7eBSI-+S?e3$Tfe3s;F$JGjO?JMYD9v8v z+(^-BHw1@!&32M?clzQfA4HL}D{QQTYTUTAI1kshUrj-LuXQ*=e}z~&stE%|{&Iv} z>VKb#U8wV5&Xa=WO(owqpY$ibmq9FD{jV!yqS(Hf^YHCJ;_*k3B^z6SZ{Fna5J0A#P~OuR%<^i*z7rL7^0rTGxe_Bkc zqdJ7f%S9c?X)?4f94g5>^NA=w2mT|n2QlX_Xn*hkxmPv<)O5d8{zj4kTE%HOqb*lA zEYMd{wmfRP{#4O2d!9VMHVMh>Q|GmxHvh4q03;LpF?z0zZ&q*GUUB9l1O7}w&P?aOseF~I;%0gz ze69x@VHlL@uSBAjhcB(+>)L`?D;?4ivlT(30_B~E&_Jd0)d7~-PtnW;Nhse4=-|t0 zjomH*uW>$pYzAk@-!KzD75*a>W51r-mHfSAONb@F3$`7JpW&R;vco)V0s7cCW?H0d zSOiuh+^ z+Sh1kK3B(qkl4>0Q}jQl_g0mYpP!k{^skq2IrqHGpJ3!D?aM=BkPuZRvym+7IaL3g8USR_5nuT$hSf1+n#B6Y zXY_{O*>8871(+4PDGAX z8O~Q6Pto@SnicvR=niim zB$0Ab$*aC-MA??`0=6|d(!!RAtFbnJx3|Q(Hn#O@KUp{QNU12vp>i!5g|up;O2kQi ziBx-BU*vV3A4G<`H=prlwOKhAfPfC76QM0bD9BPt?E#QtD*{|wa8T$Y5~27RE_(o< zNY%mI0Y9CB1z1{vfaJH~ysW*HK=crBZE{XMi zl6#4}yP`(C>Y(cCy+C_P=r}bIS#z|k@}`4Y-*={VOc0&n92WJ`o35$$%9`FpaCr%k zPI3-`1|wG4+|1V*{zi!ylC-M}$+_DnIW*OBfbcw^WQZ03c;V=8%YPUpPAI0VyVdCJ zUH6Z*ig!ixdZT2znti2ac(KmipO6pM3L1@e@w3uc!;W6Y`^;yyHhaJB@NHY~51$W2~Ufs;DkXk+6g8?L~Addcfg7g{xgj2Boky;^)RAv7na;7qX- zO3oOD4`l7{PI8#9JvE6!P0=%dW}>|Yv-WkrQ3^>z?RPiXI9UrL z!tQOoYbHSHg}v{$x_q+z-?IP3V3Ry4xsur6H32Kn+r14P^N0HJ zLB+58R0#VG2Tg8?u8HoXvu+lK$VMCh)U*OXO-bW}175UHw&=t6`1O$r7ecuZ9%k8; zx5ah0D~PQ7YKn+5vSBu~jg@P2YxG|!7rb>(aeRf&TG&F>Yr=lKaQkwj=Yu0{Db`Kb z;AXF8W3rBlr|08>@$TKqd1Ga?Q_Pfl&k8+5e(fMat(A}8Z}s_Ru-c4xejMShm12*6 zqm)L=IT8T&Kts5+O|X+yVdq-5zg9>{WlGi7sTu1N+hVREyY7`g7mJI*__wMx2Ath?JCS`t@BQ_Vn}m@02?>i(B*eYI1>eL z(VdoPamcFG9n$#76N~R({(5DpGlNgcgZ#nkeK3swvh*sY6RksQA0-`Q3BI-{#0gSw zodKbN7pt{fWWMZLL*&-Wdb=Y%tHOiJPT3diw8Si-ajE=i$u9=1gPQeVORp#XC@5Ke z`^BZG{pvE0JDRahkxE-2sc}2$CPB4)@LQuN_p~-wEjiuE6{_Hz6XJwzI~*Sz5dbWS z!$+C+m`pWLdvV%rD%`%YB_%pX1AIu{?BJxaflbhU%V$@4Cf)2N&{&t zhu7JzyrzKLQ3S8>&)`7vdCjN2S?1I5Z%CmQrR+x^m?%$a47g8evcH;9m(%0rYk+Pl 
zwvH9g-eP~|GyBb`o;NYuCGJ8ri41gM>@x~XYpIEy>$9aa+W5*wGOV2u(vk2 zFrf-LqE@SmmWV6)H2R(rU+6U(I`pA#Ro0iYod}_-w57te{ls~E=gCR+hBuL89)31- z0W^Fm{M^K#x>x|v>fM%9d(+qSFY;O}0t2<6iC<(sMUa9T!D0EbnD)szG7-LH-D{2FU?W*R#58tMbshU%%@rlWNN_oIE5TfZ0O1@ z4hzGQ!9_PqQak^+=QneikNDp87 z*mEadHL1v^jP&3$#IEJ?b49-tM+Jf84+55*tDFZoe-J{RmpN~)0lg=^`M6*Kg@x(+ zke#5XHcJhsP&aseboq$Ej8yh;vqg2iktkynU`MFb+)n$gv3I0*v_Fuy^PttZ%e~h~VN3w)3xEjC8S?9VZ<%R)Y zPpPEVP#ZDa(E5Oa17^}NM=lnAfvD&yyVa9ll2qEHfs6Ynvvo z@=Qj_`^+MZh>F+?97NS6l)Fnj{Ny9<(!qenx$JT2Qc<<+8BY>{+RF(1n(i zW-)q|VZR92Ls6XvzqnhF=S;Ara(8-)=A4U&BHJMDcs*TP!We~28vU6_SRU*`WksEx zb=MBQtALo^5BZ3i#n&ziU4}QbaZE+VyE!nr{XY0sif{i;>6+hY1cFWLJUZ}IX*#azjPF0z`f(Df-vj5dZY7kR&3Q!CV$Tj zjxKwsi(nOM4$z725SuGO3MpbT9{qIBtw-uMsw21#2UWF$SY`Fn*G68Z1xeiKxq$nl zkoY+R(ght!S zSDC~&T+uDEQb@@wq?w_0_yO!4A3vX22L;17P?}YyrL2N1)FEBb8e7zF1S1o=7}Y*; zf5--$o<8|zrl*KnbJ0hQE9x3Q){ozq<<043Dl~bbx9(2m=nZLaK+zh%q&An%SU<0r zOy@rse7I_GUlTIL(9{EMp7U}4pbYUlJBoQ2B;OR|`Bbn)`fG!$Kw0OKr2{Q{2n#E^ zH;DwT7{C;`+E_HtJc{N{P`|BO_;X3h$rfGJg}-BW=(eyau3zZ>s6PAD5@QTb=b1SUCmB@cj$J-r;eTaYzZ5p zm3JKrJXpM-zESMAJZx0PWo=dF3ELZBl?||} zBFte=))`2Z3Fm32=qi8J^iwuV)^WQ_8PZS{Vz>g(?@vivP@^f=`+`ga1riw?lFqg^ zivkD_-7xT;led8oi}+dqVH$@9w`J-VoWZPjgz+Z5zSV?k-sXH}m5~En1wU@oE0{j5 z#4OE}324uA1F89>nD(bZBoqE~H`b`bhsf4juQcEI#giW5rPOO8UtaRB1OZ*?4JM}> z3%v_j__&v??XC*nsjTi{?nvi`bo zY&G!AsAJ!?wepcYS?g7APT05rWTP==N*U= zd-+lf+Pan6G8fzyWLoH+Ybmgh*X!?H1Q|yqVq5SsAB9fJ4N(N$4WvfcCEZ%sRM%#{ zhj=G&&_6Y0)-W>n%i%QxkUKtkAr{=0mQP!xKEzs6?6*gA&;L^r?qBlh1w}}BrBThS zeam2q9|R<$U72!7{f0`M<$pz8eK<4u8?63Dg-hvNIRHfXBBmY)LHus*+CsXV)hZpL zGk@lpdrzADDqE1ejvxxHpJ!S8aQm$?WNDp5hJaXZv791lAHl%WsMMx$P+dd4@3J)Y zJ$#e=qF#&314rHhC$!g{E+>xlFZ)4kTbYnfH8ruN>P#7lmaIl|h9pkb1!`A@7&L5$ zj7H1=$=<$5z!^5oTvA<#920R^qPO(C2_;S){k)2Dx|o&GC5n}AZ=(%LN(?g4ubH2( z>nH{o1p8IflTVLSF3h9-t;FGMg@;3-E&r;jMuw@A8Okx%t#44}`$RI6bJMftWBRH} zdSRO;C(FvXM|)?VI}dBhtA*?zKwcgLS6ESHIOZy)D>)vvzFB?@v0WPrnN5L#qp!8E zX0cH{{K@i&^*&VQ;s9{h_}9fcfx~yIW$I&!>5P?7pO(!WC4buYMUcL8mq4FtPkD9E 
zO>ut@D<06r?}!mlP6#f{S%q0IusxKM`V02u+%;r65QxcR%?&|Dfm?nTmRVBNR*Tn# zA!!_el0!Q^5YzXKtISxu7ablrf*sVbt4kZB8dq6w@3zO^8d7rK(z7WUK}*Jlk=ICC zY1&o;B)IbnL)HEAZ*CGSKtYW^jEoh~)unkCRO;{)X)~kzzfcIl^(7%!6{VfFNYu2n z2oqZ3-Q4g|huY%VeO$W?_wHmBux6(d8fsXdvWpx1z%{$Y2pl?8%f}Qo<Wec%H8E~&Vs!Ye|>zP zfyJa^tua9k7D+^SRRe*W)_#+env(j99gT^QdXCb(@2;aO%2ICD>){o`P|{h~-sIX& zAeXZ`dcwK?-fR&+C*vSmUY`aC$AlPR7Ao;EzVHv;Aa&t@FTbj+b&<1&h|nT(Y{56J z$22rI_ZYb9$4gq%=?+mE3vB0Moey0rW01vQpqY?qWZi|-*+~}zvx53LY(B#^pq4~q z|6%g#0jy`8{K54(23Jq!0viWJpq5QVTgk~f)6%rq;%el!KqKv{?$(sPq{?w_WOzZ; ziJXI-V~B$hf`g5NfxZfryt{Gjm*K_y0zo~D#{EP| zV@T}E&}25Mw0B)HAQTewY&t(^`qYb~Z`qr?-DjCCj z8PL8rnK3}gQ17|&acVI!sFF}ytfBLhESDV87Tc3@j%JM(WLdQ!ruWKRG(mxB-j&yv zq|@WD{_G{vFnY=&Dc9}nn_a)*N!_w0XK5yg6wc^{n_75-nq^-g+9KA7mu2!W9>2ka zwOGhQ?*EPTWs3aXrgaBvtUt^v60c1l^e5s>2$%v)lCuk)i0N2RjD*=Alp;7 z_y1w1lP)#%nn(>rsiB76 zd+3~e_W8bhZ{6Q>o%090zvjA@Ju~Ef4@j2qipoNu>4R<5YC3fGl9%|< z!lQ>SJ)Mg45brt3Z!&k;y|zX0t*a3U5qsCgOf(-aEm541l4@6=xESi_JIV;JBeWz$YkzB*L=Wy*9>rtXOTP`i!Z*Px6?D>T!za!4 z{F0D78mq^jD0en*vwt6zkLxNB=x`Sv^*uCbZCmlU$k@@ zX&LLQzF7omP@7VrV~Q5>8&U-^b@hJb>t?9Txf5Kx_!3^d#=-$k7;bP+oE%Yh_?O#X z+Wpzc@t%?$Q;OvSn8#A%Aw?O!|hA_qNOceTzxZ^sUIz*dbuyZJsw(sth(^7g+A&oGu$ zM$RAS%5$&!x4aDs58w*}2n?{(!V@6ZWy{OD4_n4@dS%;RW1jcUM%yCys(JsJ8OL$k z^*B?acjf9AQ=-S;g;*@qtw+A!BVYt%Palm@@tMsK218lKUpedc{^U2V+Ful40zSwJ zsKQ1kXCkMIUyghh54JRR2x?DjsCE7&JU0F+uw*?XlDgc-_tzf=#QG-eekqOL*(EpA z8|smoW`3d0@ zaCJKG;WxSY9HE<$gh#SVxfkF6wu!6HSTvxkV{QjN@DrI+TtD>-SM(TSMC8r@eEg`b z!g0CaOtlUWOSQYZysk4;FyU>g6liqiak(|8fw_u#Eu}VmOew=(tL7$NB7=>wZT6{9 zCu>qwf3M_VnQk1F6~Qm8#>b5!=&DYArl+2@YS6;Zd@a?H-j}Ntf|SVJiSZ+Y#j@(* z%eb;awzQt*Bvd<-sI-dX0IrjzifltN#pd_V0C3{Hy%=YG%&}RqAOG3MH`@tc_xvJ) zLw8s_w&}8l{V`wMAXBsQuJrBlP2Eb=#7?3)=-@Y3Zf@s80-@L>kB`NCh_#?Vjl61q z-Uuej16a4W$jy!|b5_cWEKcsUOyBsydzs4C4+Cop3yO~L$CaBJpW9sw~ z^R=41$EI509YOB#!Vy0k4x;k2bl=%fQZE3)!scR5op)3nd%LO#e0+DP>enn zaVl>mGh2%lOc;d?0vTvD?-Wak90Fj?S*n-j&PU5trdQV91jSib5&r&J)*mmQGWxT} z1*$^hE&_IMDZZ_OV 
zqsra*Rd&}lt(6Tf{GC0+cdX9f&dybPDiDki-Dwp%<&=C>0P7OK-#nY`>Uc25u)H2SS z-ZIXdrT=bF5oSteIPx=!%Q0wE5#0{>&jWWerm#6Z$ACCFbkF zg?u#Ikcl@KvdnQCQ_goyfktF4q=4lMkW*<{%>M{h1E&Zz^}Gbe2dtIWA3x~n+Ds|g zNRD@}vUzMiR_Gu$6Yi8jE5>-CU-m+%)Om5;YwIl0^Vo^><3EXAqWi=Ql^nmb(NEE1 z=He1T8k52EXsF5|wM-S2ICo)np(Asb8AvSSl!1FZjas7St~ZXGj0XiBu#w;Dc};bi z_+@hKGHbmW{d1G4dH|TUSCLz8NkFe&GSrnNy$5d`TsAPjsGL=xS1R)ezPt!S3_4u6 zQ}jTl$G!&v@uO;Z^~J_~aqD5&U(y;wmmzxYd!B+%U=PyA>9s*EF`rFY=pPjKmuxye zitVVgn`s^Wg&6|!`sKx+*}z#3t}Zdabs+GpErgE*7H`tYz66q5_4m< z65%w2Y;x~Vk<1k;M{-}q_-8j{Cq-H&njtVterWc#6II(*Sqr~EooUb$I=mSle0|km9=-2PD zDU*n`)ihdh8H9L4i2u}@Eya9r0&8~9bZ1E1y=kzO>i^AB+2J9 zdc1#n{@VAC?O7twExm1V)}syXxHR_4phsWhxVg=Knw`@D#Y_>4{fK%~Iy8qBcq_8E zIk;O%)}r%_vDD9+tX|b_D6vHbxzI|X33olSu6UAvQ{gk>edkt?VfEN!V4m@3gK55N z5pXKx_;>XrV`h70bWXG*?auhix}nr4+cR&8(9~Ck;u(9nWYm;QD`!$`!*+?=xYh<{ zN??}>Cuta14>nFD*XO*m0B)$7lCC08WeA)ToY#HWL4l^-Q6w6RlSOS&NS``f_n0cP` z-}@$DQm8j!*aALW2Y07${hrCuCdmK>7gD-!`Nhv^I=u##M~I_n=2?=6MM40r=OU*M zPP;DCgd}DKzihMZksWVQZRoc$w<@;0?|ze)E${mMiN~0x-&XnZ@EUJQx|MHvVC5olKiTFq5s*?aX!C~89~_i!184>tD=x_waYls z169>_4u7_4uNrquU?6?!qneJKiv_#VM=wRhfzy%res*}hk{=}7wj`nlvZ6hPEx;FG zOuj*J;TKX@QKKJ)xjx+lXh;2Vn|RJkQMrri1?(MqAF4EruXg!5u$eOgv@k6Bit02M z&*V?REY_9Z(C(`nY*?MAHD;oj_}k^MurP?THP0$ccCPEDtp$-?pT)txB?yz&$y%;& zymfe^DAgiSkFU(o)qnCt*hd1|!af4HdPj2`%QmLGC-zkaa<3m=7@a|{{ndc>QsP6O zY47piaZ0)iM*a)SIRW_%gL#W&)LyEkUs*}=l5vpf19m-X%u!7nf&eyJ*Q!{mR|OtR z7GN(D`Y`FJ4Z*svHU@O1>rKY zOf>1JHNU75wt>iy+jUN={e5d~puc^>IV5XGaX93UYu??5zx3{M_Yy}x*{{H-d1Oe7 zVnp?JqZzmXLeB=Q`X~H24_ykoQ9RZ25?!cUn;!fa>%%N)*UyV>jb^H2vA{je)F(wg zoERLX*_N=*#&Rn+ME3*Q{n^R7SSh{10fo#%mJL#^SAEC%-5hGH1y?F$Vv*DsI88`^ z5%$)UX#m+`|4Mu;^$G8o-jAv7vqgps=lAjYQ;!ocgCX5U^Rcj0F059aA6iTfY9~5W z3IVSejra>T0H@wx*v@O~tHgyI!{9gUEZ) zouPoZCX=#n;T^B&^)4`n{-&-?$L8{oT5v62}^6OkUn=J~(l+hF^sUc~Y>)M~yK^3shrzoaKIhYQ|qE=zmlG z6f^!HZ=Rv$p&MjikWkA16YhR7^<)xF<6vjij>;5?RQMuqFgKSO=NOX`i5$g5C4I?- zU{>?fBRbi^(yga|ydxj)2k2qZ-KPJH{+1$TK)bvK>T2*4;b%KnhWF!(s5}V~@$$S{ 
zL2tM0`0VZ;OPlXjeMy)4Jm7)Y2Q69{sWluEKnqSV9%L+6cq&soVd^M`-vT82l203N zvUjTLYl4!#pp!g--#aS|Fn%Z4Pl){vx0T@i`^i70D?jIpXQWKdCb$>B={Bj)v{<=P zBfq31^OR$5SxWC$r|pg1`@kW9tjg%VTfiqACscKmk9AM~8J$%*yW~%G-KP7#wWSu) z!2${dlZTW1KrRmd(i*koSD?zmy!NG~O}sj(@d1NK#K-%-LPXdlDbiVG78>8G)D*~l zWV6F_`fiMJcI@5>5#eKOczLk2?q9IMe}D-=)4V1tCB^2+j+cSW`9SboluA;nZBqbg5lr=L=gvEUBG2^48LbMot=lU*gop^+?S##Ru}x$vL)n`A zsYM!aa_*W8O?LIgOCP&9A*LQ7LJ2cU^bhgfitXXa`~-0bW%J=G4+ z+9_C?PH3Ma#MZ_iSyj_$KEK1>cMP{+XMw-AvEgKoBPm#`^jLAjlZ>`_Q_58Q`vk`t zY`h`-y`{CR?+S+SWLfY0%b+$ZpO0S@OUX=xSsOQG!S0He2A=aZJEZ7v1|%IP*K%*cbW`T`CaFqzwwTwE8+7o^uI1~ zm>9mVLdq#s9U(qeP+cKLu2Dj>SNBj#$dmu%TB;X$MjF$+0^eei0dKU^W(L?}-(}Z8 z&dyeSIJB9Oj_sbgBwO-D-41ia9Ja2>-$-1rgDQaz2a?SV2h;)M1dT|+1k7kQ+nweu zPUmWus|7CyaTi+SI1bMy2$8=t$8R!T#C&wW`nB z!`othn4`UxjrU!bF_b=&Q)|BLVu8T*Lq3a>$O(QC zg|!W=JHh&HDO(g&*&>RG2#;Ov}$al z&k7HWu2NjpqBJl}!0LUv)olm7bcomtwt&~5m5-GUJ5hLxw-NMaiYHwLC)RXmZ-xhI zL3I{?>lcgYIjz+1l?En8$?X#}v$p$`&wlNviDHWF$QPD1>6L+ClvTkik=JDfJKSoR zei7xY-w=Q7Ly&ReM@Tgs4HQ6#Z?>;n3E{c2i7^FcqdXxld{X^4c^v&C@}hR? 
zud)S)1c{C!X4A_iJ}Cwb=_0I#tO7rTq7aY|HC-pDEXaft@AAOZRn!DAUX(jIwJttT z+>h%H2PaSW0TAT^D?DK!zJPQ&4Wd+AH_Uh(x+kqQ)-?G9?rXras$KEjVDpqmdP5Yt z3~N3Y<6TYPa1p+y(RC0CGPDrG%lb#eN?_swfr&xOm17H9VrACuE($Hb3o=T|1uzDx zI)vV7f;3l8k&Dv_lq!1vpPGa?5(hnDO>tM{(B@fHafRUk%SX+ znC|xza)_6KfA83M0FK({LrH6(8h%%V;BfA^}QsVsru<@v8-h-&pe(t}HqQ=t`^nX?*i(zhSug|g7zl8n|<-hPV4CGGBQC31I zk(4MzS$|B7$CB;dGSDbt@DGLJ?ItYr*VVRGzP;-AHw<-=09*8Q)5z+8*Ut860KRQr z9%&vwpZFVf4{H2pg+`e!+IcN}`T;|)-)rOD5xk!+f5{8l$^Cf_f5N~2sxo+9MuO4$ zm8CrO_^(;ne?9eIi@vGH&>nB<*L3p!B(MJ7=Ks<)|Dwh42)|N`F)ge9we0`@pZU*E zJ@o(CAHM)$iNE&eufzY(HUIq>|2~bs?DT(_+P{tJ->>-p#U=jRQ~lfF{$C=_zr)|Z zqxgTO9silI{E?UZ?_>m`s`U`M!SR##fVn{Vo)mYDUV6e%F(}-IJ~&H>(4dkvCWFq4 zWIBfqf>mNS+!>19`%S^!{Nv7AYSy>uRkK(xfe#h zG{KHxmrqlniJH;Qs;kwSBuL@!aAAW>>&m9i?4uYb>$NEtUk@h`uhhgMQc9#kx5o>* zc9+kICLw%nNQ*}@eyc&-q2%F$Ic#5y^!QP$(__^AjM1dB*g{7tI*}f^9s=2v& z9SJ@9?V6w~=CMsKlEqIejN4oaK_2HVFKLV=hnLv5E$R6vO;sN8F!;V_h$1g^T+V}} z5YWcH(#%SQZpS#~fBUGp;q$A4HR~X6<|2rLyui_N1SUs*w-q3(G?yC+WXCR?Y`P^s zXY*{n4vv6C<;`g%;BeXB1RpBMx_q@evtLEddoU78N<{+$q_Cj^=3ddQs3I&XCQr&T_M3ZoR2HK&8 zMxSkN44loy-MvOFHuKFo*@awc)q8qyFun?a(1g()9Fwsev^27RWU}`9opesZ!T8~n ziIU#F)0~*FC3FcKNmWy6zeCySd%PN1uSwxwn_sq?px_s=H%XbJcIUHFQa{qR^PsR z_ws0U5Q?7jt0>mMOtofj9gV}+Jw6nwn|ji`QzqqUpQcjQ#K5caFD*dkO(>O>L-w6@ z{^I~eI1W^%`fFB#(! 
z&-z7H77Rx0^BJOZK3|nq$0vgx?xW#jc^|Pg3#!`Acdj<-*q5nv5BSefYnqE%?)G<~ z*7%PfC!5^jRXo(?UDh91AbHgim1SAwJxxF4LEZDs>7-*lk1fWb8pqTUwn%Sr_sA$+ z(Y5nhwfPBdskQ?nyOgwnxhVD{dfn6~T&A~Qy>#Q}GdbWMU1K&A9@Hoq>$)X6(r9B_ zDwR_5B<}^s!)$&&d~QYkUC{aIdu<<&HH4ya8v_WW`o=83vi%bU@uz#-Rv}Lt6O3vP z&jB(XL%|d=AD?g1?C6LQ@%V<&*j7nhPrh;Rq1@+xiL7}*d6qMUQHyjRE0QGHJS7<^;FF5U&9tJ z`047wa;ld%FpaM*z?&d;m&&Ez0De0(+nX)9x3-FFygklC^o?q?Spk`!@TTv$%-zXu zStp40&sHLK29HHWlah>lBLuC7#HItb%IeE^X%+l@ZcZ%8m(WN2=K|w4|WnOwnyKVoi)WoIm8t^<%B2Z`5_B>9;r%+{ zJQtaP&8?BK#IowmvXiBhQfe|LVCf26;(6}n`vwffH8BYdzknKRI}@uf&~K5mWp_QB z>8qp@Rv#NcbSS#CQpPx4yP?`859gl;T3@b2Z@RIwk?Rkkb~JNxyX>$v&*?w%`jg$B zyOWI%pMtk(!or$JE?298D*~s+Hb0XenrC1GLhmtp8*PWhZi(;p5xrB8_H*HK|5=f^O{=B*|DmE!*S)!BR6QbYPSqQ?O+Y6SwH zFx>_R!4z#eDi=8S<4}@_Yus1H2psM4CMeaL!f$F~A&bMBxV zujAz?4bjnWI;8hf&&8(on;q~AOV^+ayU~S81aYwW?oqC>NvhH0S9?d3ueTeZexx&2 zkAo#8lVAg~jj`f%F)lZthu*#!_*(gZ9BOvNl*t@~@_=Q#>5X>ogkpJzK4L`5=I) z(=JAA5>a&zH7VuA*wixPa?6n4pY`F)ZTuyXXhVwMMbhjkDs1N5(3FR2j}W;pbnbfe zaV8>02ugr>v~Ia(aNzU$H4-=6Nj>hX`>8dR<~z5$8k)GlVe{&mfv*e&;}Gh?R)?Qu z7WQT38W7k+H4rRbQTu4#%We0WmV4nOeTHc`xS0(l%SZAMeuqWwCUWnzYD3^S?t9y|&`xp!*|zcC9pivZJ5;RYgaa z4Ve@9w)Iy5FGBc^$ZH2rq?B6CxhWT$TNQ`NR8O@gggJD6 zY<#|RjfrnTzU6u8`I?w>&DNr_yaS)&X?T$k$8dc_ZJ&(9;T=oE+z({2wP}VN)d#rI zj|JN2s}e$e3@ycRS!CaO5a?K{ce#Nrqgt6~J?BVDe7$`~zfa&^h;Zr0FYuTZ30aTk zB6IS(QMUG!<~>15o_nT-B$UV7q6}7v3IZF5 z+IGzw+PnygORTECFSGAz*epu@cKeKmoI0s5hk_H5R^$|gq_osjcaGVU!RJs_qIe|j`_^fnY*73 z#y!c~ZC=9T(m_YPu>MnKKJoNRX6Dd9ir~Tiezsbg2)%4TdKjbcdTJ`Bj8ym_A=988 znN(o9F$cM-sDC8vPMWvWmBX5Wo=*yUQ#Fm8k)UFBAG%y|N(5&pkQR_cn8u(adf^cUPyAegW?^~p&I+OlIk~SuqeC^)cdf4n)dVMmnLVzsMG0&%Nygje15V~ z*1Uz^`uQK!?{hpBda#uU9gtb*|K>;fu%a@xJ)Nr16i5NsHa?SJVi4DeiuT`_k@(bk zTsAQ6{k1i3H^=Ka(L7JaAeH;-Zjh^Y^2-R$={|jxdJ+#5ecd^vP3A_u5F9&=amXnRu-dWbL^KRvA!_Dq`1Y2 zPu-bi?dfVkUV;+vgxZQ&V?4V*hJ%w9-3^ipBRW_NV-oN^wt)wv!t4mtQiY(6iM&nT zPMaTm(O}b+2@aaT+pZcyp*j&{dz)1N0wNmnBcPuPbFrXyECHwNvCi@C{Adu9w4`Oq zH+n3w`rv`5EjY~hJ|R$Bd`X*y(l!$sU7zU8QKY4zB;`;Vxj;3Oxem^ksz1hk3z3K$ 
z<|fiO0wnUzgeqO;NQsF>qqf%g?Nwx?oiwszD?&236J5Fsx!ambs4}Szr!LM#q|8yc zA_*=FM?MbKb!!KHeqZ$fAPylaOgy}p201kW`8(pjqyxOAK39e z%+cpJqW?K75W{6(O?|nAV?(7otxlq1>>s?d=zo6Ho%YnhG6mkLGjFAnXL{xFUjG!4 z(OLSn7fz1`N3YUrdhlNnp)k4X>6C^tHidYg#+FaudCo*Hk_;Zn)FabiVeB{ACl^I#&==EP25S5Ol`5XAw#y0L#5t)^UF_^+>)5F4ZEyp(x;^(-60S>%$U(t z=Kd+d`XVVd_$r_=gzH~p!|nv`6wqR`&v5tv7ZYJ zK6xQ`K9lSzR@W=`Ye27iLHF<&_aTZY+q&xx@-^Q1VV9`hR#y8wOvLo2-`TZ!_EkXE zBYd{0f#k!xPW4jlhC6(`6PwSuuQILYb=8*SV#E`9G1lwlRpHBs3Z87+r;w3A#^0iU z;ey%mJo%PGR&2q6>wxJ84bVhu4@!WLY;F1)6$7j3sI+?&F8{c4PbgIZ9#EI1jq+Fc z9|9DY-&im_0^`7IVZ$a*HV%%kWK+BzGsTonQ?n#D)ZU|>l*z#@3}*W+6T3N*5l8aE^dh3%(L9nL$9VeWYdt5 zN-S+XpwUmN5*keN3-ps61Z|VAteFoX|d>B+%IiHPJ`AmhizDDui2(--}xDIQ`e- z`&WgwNQsRnPSHGzQRq2~vNgz+?K|h@*=H-CD4V4q86@}4;f5Jck@23Gxh)~&^Y=4p z=n!*075s%3{0MNAR{-Me8&uyGwW}i(^h)Na@I8fQnl9jku3z< zB>w&;kSb0xoolST5D3;9u-vZlk!m{TK}&nesx3NotMr~@>;4X$NipqgtzRWW0cS8q^7|6vGUU<5+7Py=Xyg&%?ea{d(w@r4mLnf0 zuAy&oDeZMWox$Ly4hlsHQUb0Tms<4p78gPCm6-HqQXuXw?j1Vf6@>CmdS3IFj!VA5 zZol=u%C#Go>u)MT?16FSK6ALe^;Av)7k9ctD1!_@4}*7w*K8F4a$a7Y~HrP z7bhSJrfy?j++AwA^8x>ZvZxug_XL}0zAI5ChPtur09?jXd=ozQOQere!;aH~83>!G zq4R_>@>!L`us!R8bQP9e8T-x^84;6T*+kB#i_4Ll7Y6#T3`FGtVI*nL(#PCdSeLpwtLUL!NZZGhb_Ra`{Rb)`m{9@I!LGv1b5pUJ@ zDzun8obL3F`HXlJ;psqTr$ML~DQ^;{YMzd^ygl6;99=y^3gEW| zx-pvyA4%3I1_b{#m-vnw5GW2h<1f>%_jGt-TH3h(lO^U&MP}9N2SWPtu#-H-O9mtE zxy3xxh?GyD&T2CTwYz4rXue&$@`$be*ru0St_3Gk8TBvXGXS(xfrEcW@=>a@%ffWZKyt2WexS(Iozli6FaShL;RXwF$_^zUF z{ZT+gaU+MKWHOg>n>Siav+tgH6`$S7`jn@&`uKa~VkCXZJ#86TVj=?TOVO=!Uo;mk zUZ-pkNj>|qrz7I6-C`fp`&hx0;UCEwbLkz$<9R;K#!qfR<}_9HNQ8}f)NoW-HDoXM z!6Ev9B8r-a$8X1@PM$UdpJ7sPk78Au)6CoSJCH53>fi-MB)!A$?q5AT-mbJ$EgVPB z(Jnd~13aK}S$ZcRjs_uTYdl{hnn#n`<=mjI&H?osJ%O74F1^!bikO>C-{0;WYioqQ z4EWR^$^R5KtEhwr;Z-StGWAnBQlF2Onq5XU=D`a76Y$5@ZBJ55eB5;G$ClgQ8*%Ww3)Q&;0F_bxoWM36(HPmf@FyNJ2wvI2*_fM9w_5|dW%S3tpyYCeg`cr3&9^s~^78Uu zQc`-80p>O{bvv~c?Qf=w1rC&=fLrGiO7o-N6!^o4I+y3wnAwF>tPS)>gjEdRSPsxr z*m?EXCoL`Yo7Z8gEu0idx_U*fc1AwC9iV!`I`RP|E}-+R=32=}Sy}}GJ`Ho7U?bJt 
zv30YB-B6rG!k3ePErvuYp`|%}Nz}&Ti;g-AnQ5wyF^%X(jB2Z3_UYOxrs9}F#tZg6 z-<;3HG{GOde6|#ceQt@8S-W>NP+_f;5^ST5DSoVJYCJ#av6E5JcDj3Bc>1OJ=JDHE zrNa_N%Ors^8Eb(jt&AJ?GRtMNFIYWl`1j}}F}Yk&Xi}mn|5qN6tQRd%u+#fY)N3?* zdo*58-}@k#@8PygrZGC&lNsYxI(5v47k08|D z+YS+ybChFMIhS-loUa8wMWlRHR}Z~l4*db#h|@UyRX<5N{CSrUgn^oJ9Q(y+C)%VY zG<|OSRxL_F(nqh+d0UqBO0A213Is~i;N{{d^X9~P9toX4K;|OlyXITrgK46Yk<{Q@ zFfS{uuv<^5u=f*8ti`q3xVMIr{Adqx!^XsaWWq=VGWS^ul7H!7sjY5fZatK?=lZLS zkR|MtoqhNo&`JVo1gHTY6xyH-GWDHSGn?R}{KGiTGe+=W8>PGQwmofIi!~@~M~8vb zi@UZRqAqKWE#dqWUs7z@*q?pwsZcX7^z(P3llfE*VB9vWPu8f*T&(j8kfTByHec+n zoz=9Yd<)2U*x6THYK2VC5$FM*6pbN|r3htd-2KCx{U+=y zdyfaAC-mJPi2!fD!i(jwyWOL^$~tFGhq$$IKaFW0tU)C=JmA-?LMO}Z1r!4}>*r@9byD6k=^i^<(H~~}waqB6Bfq3y z8z0^r?#QE?(v%H5+dZS%_FB4(n)uFlA?IWM^(dVHCL*}*Gd{DT&hqbm*(tKU&Moj4 zZFI?EKV%`QPzT-CRsk3#%&kRNet>HP_{ws|WeXYDps(s>@3vVL=r}kC@q~nrA zmIW)Fbv_}HMO5VKT?LQ>ZhdR>WQyJ8J?GNZ)!4RN=dS0?J2=nU=1bDx7)dAPK62E& zd`F{?gGgV${-DBZf)ped2s^Ql+AyF@p=3%G;qnj8R}6UaS8QH*dY_11ti7MFZTrX}!n>0(u@c+}vVc)yQ+(G+{FT?JU8SaigzvENQ7PuY)3OLSXnJ(Lmvz|3w zPhlU7rg-%C*;*MM0J610&I-RWhZ;gi&t}$D^qHh2Jt$Zh6t*dVSVkaYOD4L8$g6(X zkAJcp<8#jh@$m0v4X~gMts#x;Tyy$?lN@DL>deIVR?XF)w?!hZ7V8?^&LgpZFRM0& z`n>zv6gM%i7d428w$9T(+u5&6Dtluhen40;bdmZo)RB6$4PWgg2#__c(bqV*-H*4B zi31xg&7=yWx=kaFejsSOME&8xhbgGlL;O}mwxKPFTnH%K2dD+`z@Wh`gB%+Htb|N2 z!l=n`M0l;|bd(x=w)dzX1yri4?ifVmY(k|52a;r&TU`A@yF(XOR^(hPG-(x#40aE5 zb$UR9=l520p5IqFL8C1B)ZXiK55uZHt>g~)B1J%)2a7W4k_i#cD6vo6tK{WNXt4U9 zbYZ!g$;N0t^(_tj^Fy-r-z7SbicXW7GUibGG>(ZW>;bQq2>xd>ckEY1o6i;>FgM1a zTIT=_dY-PfDeb&BndS%|m3lKmqMn(S&r3&y-V2$TrM~{O zO)YZ!9-@nTTZ#dmB5xT&U6c?aXHW{)?U@rEU9U%)*Cx%C=3F(yu0Q1)eFFNMvK(M@ zkFl6Al(4~qfz=Zh#v4M%Ye$DH*$lSA*>IxMC*^QX+FejsN|+k*y2+SK|5>(sBRO$P z*29Ar^m>O9dxgSld~I}*^>XD`YkK-r{3rcm@(S3CRI|a#v%!jc1iiS^xu zPTmybS$3rMKxb?svc}CwzAs5BD*Z+*4Yev=Zv8=wdWR2~3Vg^m7Nd144<5V{sT(Fz zr5+D{HPupa~yU& zwxbHUevU1-6=3AQqX~b_kgq80r|~Z>0Jh*Iq+Y>5#Ykdx&xGaXxSPRSTZ*dTcs3Cv ziB_ZhX88Ci&wbG*2r2U5)UkW=VQ@cHV|=>RToV(pTQL0*6PcXTPCL@;DRS@kP#&hZ 
zsx8I!8$d%gb{#XZ%h#LhR@b}oB}wqxU;DU@{`lgRKEn7S8LVQ>jJs=P4WjEk*Y!0; zvGe!;f>s-R@0v3WV)Diqe5z-UE^eoqF2&Neu5MAp<`U7av?vpLv!7aI;{}d1+L3Pw zo3{1TwBM=uH&NHgv*tT;Q6^axdvJ3?GM$?9@#eL}yy7GwY7Y)5xL^zaon?c*jgCY}dy1FGq6T-Zw&c%G|D* zwMu_T;A|xiS*>ritO1;l3#=qDFqKzxMuxcjMY`1`etHuZ2(zhEe}IL zf6-0;Qr0_V0;aaZ2Q+0k`)40ZUjE_$1s5!cctIQ`A|dj z>SD;EQSv1>4Tk~zaH`7Vo{Eei+*JP_Gmq(6^8=q+de(0AvNbOqHW^cM)9v8=EgGLl z)aDZ}GRBp)Ql=_~J1}ElPhwKcRr(uu2KxG_2H-J!Pxf#_>2_Jt*ne|^uuH5mi(PiB z-?`Ci!Ogh$B=K+c^b^yNf3;u%Zy8$rjuzk-{x|ddZpfnanICbJH4QiV<3c{(TRnZQ$>5- zK0_*PjsDOJ{={^xado5H8pd$xc98l;^!q~qWXqIs8nGLUbHMoIOhmmQpD5ajXp?>x zaeB=jZKcL#!R5f$rXFmfx4-DR*8yC|h1(g2);byTz*Rf(*B0ZQ2p>w$Uj33CiZ;C5 zXFM-nQ1anERa6VF$!vhUG)ec19$yu>)p#*uURx%wD4cD(Krr^Hzxt5D=mRj>lx3Gq zWM4JiJtJebI4fva_Y?{g+dgqS)_okC%{Zc#8_`fo36F^vkP7&0D2WE@0c2Js!@s|h2z>kZy&vn_|vM0unKH{SR*n`dfTg_h{7-nNsvwvF60UIEMnU*6Lggq&>luDYeIzL(My3}rUlMQ905M34H3R> z*S75^YjCA@YM@Sap@C>yCwNa3*(5Jej&>I~JTCh{5Gbw7ySlo{VxfMv(|TUo`VH(Y zqhiXY+Kl}oVW6d%Jaw`C8%MlnM*f=4PYOj0E3{&VeUDG$fU(`ZBCY!`_~5ULcsvhO zb^Ug7Y@hV|z9|*4)ySZe-9@bCW9WI;h7+zQ@Q2RVjAd2j9S=pWS0_ZoNn%Mjl*0|jhNL?0g`DgME zs-3ngfKIt2PC`6~%*Y94>zn&_oCGz@%K*z;=rQ+%f%b)?jd`P}gyl!`hZz9hyov2G zX_w^TG)m#S3wZxj8_%I6P(#gYoACPx%!hmKd*i)>`N^dhk`a)`;LsYzgHa4wTRTHM zsZU?;kRvFkh!dLO%5tM6S7(aB63eNN zbC5vT`UxyXu^CFPaU6Sn-sch-cug2bpNF{Yb=Sae7Z7n0fn8QHG2t6v)q;WBcXDt; z4~JO-ns6P@-M+$svh(0&(qu`>tqToq#drLt_Pe2i>4wopa`czH%TEcPqp?2Ceko{T zRcjv_eAepEdmuevKYXC8AjHSfcIW;BkH0e2i%xUc$%vN(d?EEt8gW}Ff8TP&->fVr z+!pH7nNV@-Z@uv9>mi2;6CRh}okeWf6hDnM=nJe)L@F^K6b2PM9;jCZK0kiKoc51L z8?_lG4XCFnjy)h;NYxo)B)As3 zq!Lk4UWo7P>aYuKQH_~i$GSLpq(IYnb#!2ho|U)bq?lvl~o zLVWF(qs@Dt`d^Rfr}Uv-%Ua3GN? 
zhM3Ax{MTcWL-kGjzsCGh6or1E9Z}fB^6e!K{C|y!GUz?1k-~pFo*#lBk^TVS(3w+c z-(4eM)`EX}amDgaQOHoA?9jJHhC|35lm`5!e1S`JxdZJAyKFN5;LGOnnnWmqu0PCY z4{L3&4R0#dH(OQMUls^}+8h3O-HhVZ{0SGn)@bcCVKbaox+|=&dX<9;gY~qY7b_1| z6?CiLtVP_ovk#;B%CS&<51>o=W(g9@Mv2uF2TGL4v2Lz>;Z2iDY}5S90GmuM5ljic z$!+mSx7ea$)`nvcO(Us(iNG8YI`^0j0f`{uJ%erCY&rMA8{s2}R%*m0T2*tlLQs1# zR3SsY5+${|RigpSeFj|iywxKQyh=@J_qJLQq}jyAEHeMX6v~>HZAipd4j>9$i6KZs zobp;apqP^wr^MDNi<(3+WO?pi8(ka@W7%mHE6>J%@$U#G^Ya@*#kvG5dWL)^qI z0bJv7?e5jSP_MNFjH23sr2(Vee6oQ{OLc_B$kvFO>iUtRg=(_CjJ0q0xEezNvbuO*^^S^8?3};}guZO+EQF%(6w}43plV zIlvVmPZk=wRvfpL2fWM_)#JyQ2_8zgTaPgL6V_Ol7My1{J8zD3Qi#Xi`J%!o;Z>0< z-DnxF@7QxiplhnzRI3esIKkZ59X*?^^fT~d_&9#g(RO~>okGSSzzL|$_k6)G z+{Y0ZS{+qK?F(B*Z?tE|ylb6=fDOiYx9*kF8|A@p}L|~wg>O!4wMG#U{ z!X63To+7Wq`Cx(s%N}>+0XvY4uBRu=n_=;swM$IOXeE6)>sl$S!e8)mMTx{7iJbAK zuZa?Ii5Z*S`AtxjmZH&4DVhHnkAsrEtggm@>=e?}t-oVOH{{s#*qq~B82ru_5xX5{ z=?~6shkY5}_V=WD0dI9I$upmit!J;!Ecb9wqoFV?8g|F#h8J0=CAvl*Mx}I3)L{y; zV3nDFTRNlfGxjh9!BWpxS-Z-&Jj2etdzz1u#7`i@6tvRdd!?NHpJek+s#3jHy>DBr zTkymICntB2ZUxW7?nfp%B;J{d_(wk!uxn~DW30knP3b;Q8xDIcY1X5@*9{QYa?IlO|GBTBR#KDRCZIJD!EtcU>1}fQ*K=}&wV~F?W%Pm zE!b6#MqR)_pf)}iD}KH2SM^Axk|cxG3b@|8VfiNe+Z+VJlyI9ci*OhC$XpJfv{i2? zl2S>&jwUes8xKF_EZ#CdFJsOt=d13`A7A`dQUaLXUIZ5%$eDbOKBj)*{u(Q%tqECY z#@pTjf@`<0We>bHd}k<9dt^W}X|Qg>V;9)KnK`~R0)6Z$3Cu}`9aA6eyx1Z`Fw^<& zy*SLG>x5;mUISu!nkg= zW!J*lI!!tE&Pv4s4U@QmG92lvEwf$cun*d+QoZ4?3qJH?Wr=$RaSlYj>LRQB^#O0w z-8-LJ*VU|bG_A!t2OB{?m0IPtoYmHuqVfhyzQ=i>+%7{*vnH+$?96*3oKl1eGR}|~ zR8Q4};5qgnRSiVK5e@0G9PhW$ShbORm6SoNcw6s9esdrcDZJq-kw1!}3QZ68C9;tE zOn6~S7r_v!?UtQwOqS;GEWrgV=@v34?rUqck3i1BY3#&ZYa{VBb2gZZy9HhBFb>yO2{|PBpn41#x)g?_Y#mY|E}i#>?MMmE7#ZZ{ zR&q{D2o`nbe9^?nFU=JD2v(bdFsy+h@e#0}b!S`W-u>E(9%N#t=9KGx8}e6`j6r=T zeOxs17N6XGT~Wjvbc7FS&?r0Ai9PH3eO{!0mJXyU`>!XN< zgkh@MZIjnjL93dZ?=m&FvJ_h_JmF^QXl5;|lxaVqgwqcC+XR#OOR2nD#*GOKdrgx? 
zllM5D$wDvg!suA6yV|Qv_SS^L|3kt%rI+`@h-VB!6uJ|WF;p@|W3|di7}?IF%xj|0 zN{mOaJFzbyO=nAo5b&@)Igfu^b$=~uv z-gRjEBT{>681_xNm|JoOwwAzY8*vC3+oyETjeI?dd+BV-#eyl}G(n?crKJWvHVXSM zPKHsF$W~AYF3*qwSrbWV=T`z@`i_T;udnC6TTJ+uUQ4Z5_Nl-VoD$3CH+R%P>NNn5 zp`Yo}WFDxm8^}>_VqJPDDYl$3dor6M(Dl*OQW!!o@7T&%03fa79L}kv)Y))`)K2G( zNiW$zAdRswNWrls`?X`lr&j`F4VsUdQ zv|qkTdDl-|Egh5;F`#5c18*ICVNb%rqG3Xnz z=kef)C5O{8w7I1>rAg=Ox9RabEYM|QVfv1g8hk8PaN#5-Pv~ZNXN6^l26pV2fOSN( zoX!_}$(u&9c{K~S<+0`OVURPj-lWglu$x!=MbHU+3IO-SS&r6KS0MuxHye~m8Pt*9 zSJ)83IlXOU8Caq3Tzk5^ru4vbN~a$0slW9m736Ky~q;#;rcz?0z$-MYHrH zs>z>UDn6lo6$OKVss4HyQi@I-pvpTaF)CCg5m@1Ex;CmlbWy;(d%EFnc`SDV@O;bj z3KVTYe77r^JRVu^8^OI{yGNd0Sxw|CwrHH`98xQ%jmueKOU^9f2qG>wi5~H1 z-JiWy(CTz2k7qTNU1U|!tNIcZ>x6~({WQ;8XDhk(tb%f7Iw9(ntK=_uZ+N>c++@qGWCc7z*U36Lu)9x z)V-^Hx2Q%OpG5}sfHeoKFj~U!EHvvdCdiYxx74(A2(e8iEu4LHHJOGcreffXPFARuIxz!FAxLM?l{;Pc)KF@Vfhfv8BGu z?940&IxD%8^4KK=kQyvC!ulW!UIJ-BcagbjxN!woIXAs$MpFxEMQT7c% zduIhN6`hi1mcE2W;+ua;*~pSj!)YsZ!@^?PpADgS!=o+e-~_|oT+Ox4lhBRLLu{#t z3l$q)PAHz;iV$dg%$vz)X27go3)55KGMC)Xm&u8%qB&Q+*d~;|@0&^HZx`DXIA}_| zL6RheAo9Wsuit?v{6xHw<=fN`l{5QDk}QWH_VR&m5TIc7!2VrOCVzyjn_Mos0( zyu_*E13zO3(nST)=_dp)UE=))SbS>*3tpmjv;>{)6=|%MY_wm#_nRu@zgS=1lEMOT z#PR*Y)IsmjXkTIs8NIJ59m{456i|hFT&MfzYq#=d`aO%Lesc-wAiW*sTj>1sK7|^> zP&&?#zC^#oGw%NUnFjfvKU2u|n{)QtkNsoWjLL&hhHaR9z<++^A5Z^$saOmGKHg0$ z)V$Q~|M7k6a1hwTA;y9J-?o<$&j3LFOP;myPaZ;H2X$Qk5*rK*&s_*T#NW6Vo$ITf zBh1G)W}oA~eO^nHv|nR2|9ke{%&$R684f=YC~Bv6V$apV6uWgb#c_rQFW0ME7*v76 zYAsf7IQ|j#Yxv%K!W8OxS^k|R z3y&p_KP(0uVgUFMw&<#j@#GPvY$=M~AG`jG!%Ow{0(Dsd4^H~efmf0>YR6+g5^{R(i$+#r$FTo4cpfZHX z9fU(B^ZKJ^a$7oK={Q zL5QG`b0IQ7(9Yy&lNv}XKO4?YM%T8LU$7&V*8+^rB)Batt zq6EC*`QERN-Jr#;eo@qFm!0;f^4lSi87dQ)4-wd0lc!pm{J>F87lCaK<)qk> zHTkJ2q!mdfLuX-pub17+GxXZg&t@z=EnlbrxINQ$#&LY~xtk&_KN+6~*xXZnUHgXE z&(9ByU^$*qVXZ>vk48HSCOgx2xC=;Y>?I^a#Uv+{otXQM<2S**2g?melF2#~WkR=E zS?|~XhYKKDG}|Jjy+q`VLzUs2Cn}TtKWhyHu#HN#_p1+7vtz7U5J*x;^3j&ICAU_1 z6U}!;!!q9tC(G`e^j`=^T0f(8*VU|Qa|a}rjyNAOc8g-0FULvdzmKq%ty5@$Ki*1( 
z_1a2)*s}lh2#(!EQg7V(RW9Y|*1s>WMQqjq>FnWnA&moZ%#|ShijD<$@I1TeYv4JY z6&xuIPs)k56GN^}z&R6TQF%1hAZp`h;I>iT>O8V!bd@5i5Ya;JcQ^ty!e?IuTCS-Q zB_SHIh)R#c58?LG8EymBsZ*gMaKxC_(LbvH#HLc}K4UzNCd;A!X~)_{NOe!1*1ZfA z4y@`+%rtOVUw6TqiHG!}=o*}ykXG67*&|sTD#Oc?GwVDDLZ^HA(aCF1d$l5lbcNG0 zq3UQO?xGp3c-$%Z>$t5U9pv3h_J-c`r(_=!v(5J|j}#?bMn&wFE#gb@s6Kv;!DJIW zwxQyg%( zri~3%r2t)(96N#kACRQ9lirctck&0?_(mEYkpew%lxYRd3O^|SvbBXZpQAd~z1;m~ zfs2wewIe~V&-E;@~OR_-Kn!?-I{law7(wkHHOeCRnTT9tt02VeV$CZgrWZt$T91cwb>S_s# z-LLZ@gaH@p+uub+6HjDRjcSbC67rvz#v#Cy*A~SIadZHf0JjXo<=}`7QFo#Kv~%Bj zf9}cNnCxGNtw8MSgrl(reit~|k%nYPgkp+nizC(Hm4TXsXIK7Wz0bg*wq=6Oro)fU zCHde}W`GI|qoI2VJ4C>G{aomw4FFYWG%3Cwbg6XWbHKju^QZn84&yNdI+NnW zgkcKlg$f5D7AmVniB%)`qaVx?+8Z5F6=|7Nbgt-Rj6B=2Tbq24lH@NDtBeocvQw%= zL3(z@F<*31eLHI3QqQT|m-$+rY6&hl;`}G1ssa^c7Q4)gkWjxlgUlkjRUyt_N2`DX zhPBrd!vO9*^Y&A+iQGw(rJk1)O>0Pe1kVUuT`j`Hn^2(J=ehtMspPLN7oQ9OfDY6< zDl9J}9A8ljgIco#5S9Uy!s%>tZ5bqV6@%VCJrdXNzd069yoNz^;u;OwuTQ%aj*wa% z&9Zp2)a>ZR#5sarTo(Iff45$j+nWsP`DgIsM!pUeL1I%IG6=sE+btKCzJ?Z!1s{fJaPw18B=~I&sH-{VQl?m0wB5Ol@9p zfAbjb{(-^X>0))&ZOxba;!r(hxW2h!822L
6JR9@FUolj58Kp1L(Ss+XX>9 z8&WLKg)t6BTXt0*1FThg&-RfKa4L9jygR90^1QQ1Gm?@;YU|N6W?E0QF^?0t<)k@M z=RZD2ojOGW>zEqvuR+y8qMG#n(O6*IbfwY>gC&e?Qd7G7(VWfeyMy~^mf64XFzC ze|j5ouYPXaKZKQjIWw4k0z_0qx0i(2jzEuUQ}d3P3fP&X=ac@NZBw(k-q4P*Dt1p~ zr#|l4i%~FT^JjXM#rVz`?@+Lng&r^cO&MRSwwn~*UO8Sm~R4c^eFT2_!j{`tP{U_RC0w$kQKMDAM55dWN zs^gNCvq2T&*gd8rJKG}GoT98o^G{445QA&Y8ygpKcE{=YGv+04dgiDk!tkfI4Ftw5YxLz2e;PgJxLXX&>CIGHdcz zQ|$J_@FmqHX-j}hk};YS|1bnO-jKt-g?}aqz4vG{MB4Uv`S())JaZLOKZ78)=w~3k z%l^?aOK7$37XHff(H&vZsO?04!$6w!{_R!(xTZ3DG?YX5X;(CMaTBK>=IdyzvnxZp z_Wizo=6=;1CNlt`aqn@669P;qnO%o!S{46?55Vyw1l_Z_$c`IrIvD^%y1kA5><6d_ zb%DX=#EnM_j)EvzhFdncnACv_kW9qA{DbDe6W$aL1+Y`ZBbd@h5%BtBJ2`&isy{a` z;0Ss(`H_FUu?f{w@uU)N<4mnE2;8$AR%M z05R9){a{FiJ|rA_EeX|oZbr>^D#c$hnH=QLZ3||=`fJ;=3bt3dzPm1M#Ga|&558;a z-0j8{XMpkd=Q}%x4<~@jwrtTfT4awNRlsD(V2Gq)92`bU3BCJ7Q@ZV%#^5+sSP-f@ zlYX0BMs;(Kr)|3|HZw=(Ixob{=nUS(B)on8RG(?!*yM{(SY|j|ynSP6fQXhlu&A2Q zT@D}_OB`s%;|R!F8C2(si!uebX&EmPO@QWd0ibq~aJ@y$c3HvdUx^)hP{eHUhm6MZ zB)ar%fyY;Vs2vQ?J)d24ME1}S`^u?}Pa#hpWf>_D_C}6Jfizz_^>5^Go2Gn=ieh)P zjp?Yd6LY2tYtubQzBC@z?@0SBloT(U?edJx8rVOUSid4$P1kbhZ3Q>lZNtMdBm(S2 zBZPBB=Kuo;t?`IzDj=u0PBUyQD>ZN6NLIDmpbo6qE{Q*R0rhrCgUYC8R?KaiD}K z*(Aa*GaLq4y`vIFA*S_bcPRU=~IrUvtbM2yCnm2--KF6a}2n=sGjIP(aM||yPQRWkf@qyPBRN0XAR6w+b5B= zZ?`;*4meAoj@}xaF+t4c&E+TW!RQU&yk+Fjof%|zxhN|-b!-i})nBVXoozkqCi9nf z=}JgOp1qswwl+R}x+o|55*S&&8e3n$K%JB zObM-un{!oGC&s?J#bE?SNBA)|KCR~9bc$sWGqZ_lgnay3z;)7@@V9hS4sMV`WxSo+ z^tVGLjoGip9Uy=1~>Ucy$TiG(a}#vom;3YO^xHI+BE;k*b#zI?^J zh>fj^$2e=jMiVE{d@CEB{(z~l-6jrQ)G^3uSAOXhNrwo>No{<#14bQ_za$$v(lv^34C4Kk?31e;{rnR8^_vp%VI#wCV# z-xDvKZTae)VDNKQu|ekNoluR>-td^_s88rL*(Fj6(%#$qrjg=>XlX4;4$t)XJ6bL~ zi+ncWFTSP*ReB>_SC5ME4Cw=g((`CeBTBP0AfP8>SB~}90+9Z>0Hi5Im;SuT*1Hh% z#7*t_w(p_q61@+sPh!Ju$J!3Ht*t$67hX%flKE1bscV`=~{Rcwvfz~4lDKJ!bdV$nrW6bz)`&n`?Yh;$RlfiZ`+WMHV zzCc5$)4P35RF}e^5AkHvYIQer-GtqS;2Hw>WX=2|Q7WP{6-&8I{A_`{VV*$s;$;1N zYbwvq%hLJ^u~tK&ba=DC-0U#Ns)%y9*_^3WTkLA0@ymLjo0-1JL-AI_gZF{az+G5)lG z{UR-4bt2$YWOB^WR-R=TY~KjA?685ADv|wIw!@k7)sBRc3UPf9rh 
z|8g^Rpxtuk=Nm`WxuK9QQPk5N8d1#!7_TQjzGq;aYV|Dx$|^ah1DEyj32>^!1_B}) zi(K70_X6gquzd3|AG@xY)XsS6y#Yu4jMQ5fc|y&Yb)WBMX*NvT0^A4F)+hI;TkIQ+ zPfNSNd)If&KRF_-o|BKunpayIHV~Nh?N+XH`vbIl6|{vYwe8?&cX1DkEgLRE>BUiw zStK8hscrW$YRHkp%;S+osoEp>Y^}b8m54*WvVh}O zpqBOZrlyOM6oW)oIf7S6xG-dwd`z*lMn%o8IAt+{N4PoW-SY54$Mk_O#W1LxNd?s+ z0_L*FUvpWLUE7Q_3q;H$v^vtZg`;Q(WJfJwNS(lFd&Vrbq-EU(Rg0m?hsPsN3`>7sk4gvj%4(Ufb!=IKA^Hw9kaM5<`JwCNR{CJ<|7gNWJs z$>Ww!M%ow}*CLY@(uy71=C!VSQx!@(_szx9288c|v?HiX&6SUUnPU#1oTqiEEv7st z?H5hqn1alos6#yjXu~4HqBiT*N5AQ0vw2%|KH zb!1#F^@|L#QD!Co8TiJBgMbXW)P`yCe?1ys`5AC6>2k$-6#{ZghI@FLaFYMj=P#tA z0fYpCGJtehw(2kqf#eE8KM6|Ku&+%fj!{$W5!8MG!=N`P9orx%w1is8Al{5=qD~dR z{|8MfB^LyKj-nm_nmx=c?|L|B!X*Cu9v#Y`@N87nr-WZf;wxCqK@c!Zzd1KEOK$`+ zw3z1ypUnT~Gth{(-(~!St`#`{1}pypEB*rh{)&Zue({|mNDSzM1%v>So9>AM@Eh6N%%MS!< z&>46LXdJoYKJs4FFJa{c^#J--IT(%ph05Y0_6-<@6fs#h@g{g{93tY?t|?1(`Rb{c zFUX=qBta4Qt{wZNk7RwK#lWpabx_h+4BksHg(w;1-eT@K3YMq-^ieV5@8$Dz0^WPX z)_e8KWN&7m1)aFV6?&E_?1A0ujFLS&-fhf2o3iLW(DOZj{1f9XxfC7M0?3dN$3a{4 zk~|Ot52Iz}GSOV)jOzJPWZX@_YA~i3r2ndP7Fy)gmc$P)1*}A@TYi;l>R#T_&1uB7 zgb!(fqc)s!MXshzf2glfws{!4vyZObGhN-2yI-+N`*-z7qkRW*y$*q76 zSB*OHYKx?K84I9~z-Be{_UNduzC>te)avO0>-g~XdKy2kY{17?yLT!C+e`S7H{Iv< zRleKFbqQC?aakChot>~q$DqvPDMgJ2x~xa7<8d|yj}aZ$W|YI-bKmC3{3C>g}jc2fHHk5K%!BH=%m$ zm2#P9sB9&&xaEV-vL?TLTZrce$`~N#e5?cQ@`DjY!54X+Z|1LjuPJzj&KxVM9X!P2 zXS6P;9y}K7;>Y+OktP@sNk}a=4hMBR_d^oz=B2o1-OV-6r~>o>*21D|Lkm4?uwET} zm*_{7u|X>fO;NJXb_rNw83cq)Y@WUQAr{SS=i$1jk9+wk&E+Vr5t6G>1R|1Ty5{Rh z*I|bFn7w)RJG*~e2M0+#Fs21GVdQ*BAebZ{>EXL{IieB|{$^eQr{pz_Nm%)?@(QLc zD(9(W@CU+M#;+j~?7!{XZyjL9f&08gH|cKdr{iBCva&n-mrfDTo+_ihwnI24)$W8)JASj0~0LQw8%Z71@xt{c*W2;c~x>q0aFutd%1IbRVI)kN0Qq$PAwcf1Ai9gw9FlOI8fr!22 ze8Pajkb26Kt!*>{l=sd%k{Fz5b8LLE^4|24+I;l4t=1&PkWNS96sMWAIgLkfz3FD; z9^E+PpCvA_REYpn!8NOXWRkm)(0k^ihs%1w*-LWAJ@oo4K%z;sb{m`c7 z((uT1oRUx(8YMn#h2(}hAvT12mi7N2rC|_@5mNUIn4S6IAuf6T9<84 zU3A&EW@=ey_ElZl)oMACf;V#Zk7$OQIUw3BHBJ#(3rOhh574v6j6XYlnHGef_GVUi2LB- z%rxyLcK-O)IOJ|qn>SY8%#HDO8jAtp%1Wzuu}+%cW{C8Gr_w%uG$dCLu4%?o>Q2_8 
zAybQJqSIi1TL;Z%U0QR$JnB~MT@i1|?(}2f3U+3mF}03m?c}r5j2|i&2ymr;3`O)n zHH~ia_rq0>+W4s_naFp)B^~8_A!Tr9k{g=&&rw>>7RA>Dpb2SJg%_Sk>q%SJsT{Ab zUl0dXQ+8Igz3t-CO;3}Zk9>7briTeS&P02G5}v@pog?7+!6dFt3)Tk!%t3uUo8G&+ z-dP4|-xA5Klkj}%GTHjDe}TdTYxuk8x5G}L-mKv(YZ1HJJz_c{Q5-CYI$Iw#b;Ovv z=djJ3v2LVWlkVx{N6F^JyxkuAia8eJylqs_qS7Vyph4&IZ~-WDXSi2r`NC&dd4O1y zvM0A&-;KuN!RFyJg{lBgUmLxlhI7=RG@s~-?tAVIsF2aFXMPHWLj~O+CY5wb44&@p zeZv;j@fys^2rY3rPvO|-R(e;FDE72F@opn_WMh>K=5o|0 z+tD=!RJ-?R&JOQU8Mkd)*KR>qs#m|iYl1shDVe>t$hcEZrBm?&cSsn{FWG4r-Gv@fS4*#nU0LuJk%ilC*y$h4VRSK+U zNX*~DzS#R1aB+E$eQW#9Lp^r>eFa&x8^Y)Y%STPLkccoCGR9^T!wzP79?lE&=&hFb z6v+d70ms`-IoR+wrfklz@EF<%mbl75jp|bA~-ppi-SPKaZ zyXZ7p(9E{&WhS}^)Qm*FhG^ucN2jGcx3hoDvruxluDuartEJVSq&}W>IEjJ3QNn#) z1WU%4Alq2aX#Un$jF!l7S?cVGE#-SZMS^>>-@vGWD>^x24u4no!7Hgf+}WGS-;ln% z@dg@Mhp4G$UQp(OpaCUSVrM>dxLT2|k4u75U3k#YW)H`e?ClEhN|sMUDOo$nqg+GE zwyqd(TDwJdWf4JJZqen^4RVl%Ca13d;m`hj`6;@6z@{bY6w%9llfhT?DHw~ozRta8 zag6OeKw?b6oNrgR`NU$hq_plIM=9eHS7?SFH!$a zf~WBnVf~E+d}66$GduajJ1g+>c&iN0E`Qa|&XfD_^5@U-cL@7aE!UrY*2!gnv>@mB z@vEu#&j0oo-g!@vF+#kg%1J(1TbA2)Rt?wa^nL578?O*CG4@l?@`ms?HXhw>?3Q1g zEFpdSQ$5aoP2z#0+mALv0|$=K+3~T%wiv8266sW=A;4B3;uh8`p5)ApcaX~u?oNN-Vcm*sA z#i-HUvGI@S%EWg^!qd%!Z9HG&`?sd_`SLQ|jHh=OyLoyWj|dYaq|1HnMs`=zYYtf( zU+N342%?cm=z+_(xOuRN?Y4gMM^_eF?%kxBS5M|+cj!am;hAb@pzUC1vK@=;9$)@c ze!Q}}=84s$R>>5yfA6p!>@Qs&XY=(ND3bDgT_a$BW%TZEKF80%KryzRDjF-4#)yyG z*KmS2(Z-2Kx)>4`9s`#xq+>8~jLAxk#n*UIrjFbX7CzJYJ19k;Qo}~jTmok_{UI%t zF@7gasGhe~Lmtex#|Vxt>)*j_wtzM;3Ha)_V!nOsb4^+NxzIKhcO74tZ2>S=<&}+kKC|1HQ1>KAu8V&c=?Q-t6D7qD47i_Je_Gmb~Z@NG$u zDLO|lZa@18Zdfk2*Ubf#Lm`b_=vhpqE?0#0|3uS3{taZ^9K4nvH)D4k-yRu%%y&p` ztd#FDKE70=vywkI3>k<&{ckqRD|Q7CE}gKJCDuU>{gO!6PPiA+#hEmra=6lg5;M1M zA)Z`>gZ`Xwbi+Fq(HhrMq+_s=j56%%2GOML7Mah#B-Djr0ctjx!g!4L$g_lxthxwu z&^_LV;!JG-CyRtH))aJJzn#?12cGG9Ny#GvxC|j{Yl$g3^cF$l=dypP%%5`pZY;Kq{e=j_s8MgtKZv^ed`;Guyoy58`HoH6B1|r| zLtiHqkkRk?n%QcWr~QjCcqNeS$-n&IuQ}7k{phA6`->-F6k)UCz2J2sE??I98(Xl- zxcUBir40B5bzd~o)|1}tDv`w!RbpUDT9#e$r`CjiMw{#kurHQiMj?b$CA&qgXVY3X 
z!SJGa?a?rI0r<3$g^9x0P+keQ>`}_)Yp&X$&f%re=~TVy{aLW%D`^8<3gCRPbl=LF z$ntgaN!^Y(r9HxBm-30$>h{orUn~2$V7YA?4Vufy0|qP}XZD zYE27$kJTh}1l6D22}#>bKdabpqCNuL4bjFW28!aadWHRbHr^^zLh*K4Qy#U;FWIK% zw`&+PK0(Ta?}NiaySUZHq^{HM1!s%k;)p^4KExa**P>2m;nRLdyWL@)y;$v}{XdF&I(VeE$5C6cY zewq9c5SAh|l2rC#_i%dg;zPkTptM>`u`I;J`Jaf`FHA;}+51ntqiD{cfcy8ESZn`e z?$Pt1|D6!}{gHoEjsAR@k@a)#^3jDaiIyO7{k4gHd+B}t6ZvsDEhztwkNggdp}z&K z=HO^W-v7^F{;r5jiT^3W89IS4&!KTHM9HE_ByO zbSy#X@r-vT`huBm?G)iAQJ>>dnu-|yBwStD4`C=n*Ql!Pqs*bOXL&xbBw9w zg^yXxsaVX9mUy|1+y9;`H=YW7xMf^kK<@=LZ%#wZ^-R}!9$as30!K}EPP25RTryHs zBt-I)=fM^Kb`D*YWp0Yoci(Z)38d ziK;qtthOBKerQ9C<%>v12{-H=AH^Vsll zd%v9HV3vgRbaOM3PY-H2U&qjyNTH(z%=kcw*H#$hO1QTn zW@@4Oq}NU6?x@1}zLiv-EYaaVNH8eT=_O|e)q=X?Emo!1$AFkz$~km7w~>0)HU7{V z!$acw6QwfnhYQWaC?Jqaie%|G1Gtif(SNhgz!&V1c*={L>XO2Th6WcWw-dzA9QHn& zjcI|E4V1e#0x+esSoBRJOyo4%7*C+Q{!cu*0mOgs=#;9sy>|xybMw+Y`i}OQI+)PC zwQq}gzK3~g2|mJjF7FYw>cpc~@O0oKQx$g|2b42BEc+fb@r38J=7Rib{9%oRfeby~ zAeg(`*%Y=2{8ZH4dr+6DnVWBgO^54kdF#mQ$em>E{d(Qj3{b%|XAEQ(z4RRg2HFDh8~t4@Y)3%uI( zi`(Ii_V>baV6Vy^Uq^eW?l(DUKg_gVsUNmIfPV?Od!@Mj+nL}l1o>{JWwiC%k-OO@ z@5V(+UomckC$jFHbaB*W!51RP(pB?BhV;|NL#*5egQpVaBQZCxg2jSTl)H9a(UbRE z@IE4KPx$+&{!B;HuU7vMGJ*5M@S^2A&;y(ELu+@U5QmLo&J< z|9Vn#;}>YpP$c$`^#fgD>2Qn(+nWb~k5&GxQVrO}@AUQFlc^=*w^f6`W^|{Da{TT1 zvzCW@BW-`W)(526ROi>mgD2og5Z=awfCU{TeIa`0#vSSB))!3?Zes2M<8HUC>&)Lq zllqs%(z5oOF&n6O`f@v-o19ppoI*Dr3)-@QJnWf_*kkjip;XxY>vdcmEFATZ4j8Ql zw%3GS9jp@|DwC)(Qquig!*QE~nHSF2=88lK(e>I zzVnm35zU2s4=e*R1N_P-bLcbUn`hRWqrDG;JQh}D)SF+ByPjwb%7VzKTkM3&3J2pp zzF|aGnHdM5&HtuP@s(t9Vyln5Hnp|j?B7pKEf2sY+BoAk!3y}c2kHjwMOdh@jx$FZ-K~+HvjRD$oK3U@>}+d zIoV;fE}U5G;aNH<0}CN=8AYi`j*evO0jCbaN?IcKZZ4B4s)x+BxVPjuzl+X6Nl z$|lykk$rQ04w^|c)v`Oy%>C<58j~YqbCHEemjS8jFY*kL?IOhG+a>N#3Ksb#q@P#k zMxxQ5^;Wcy7}pH!gp{qeZnxoJA=pmu8o>>u-2Fp6N6UqF;1CD~au0DM7@FRNU>+TY z@2U-HW!EurU%L&D)kpAM68o=Vho+gmwR0AOx%<|y(~;y`z*EHmw>==Lg(JcxKxERP zqyNQNlybxlZGAAS$bw(ePI-#^;+2ouz*;jCm*dq({P+*HK4F#3=7rIsQ3eZRLoOOv zU!y`vd6)s8d6VPL)kTmh{qYF_<%-25R?=>jOigST-74DcpS<`rVP7+{3?BZF_{~ez 
zBm(P+(R#DU5ivmV1&fXTnc2?`fvxQp>ONGSr^?x&-iVDlxF2|fV!_SDVS6IP_TcfB zaM>AiN{q}?FGAK4VQiiPo7W54;vx3n-Vx(m$ClNdg^)}Blm&F7RsdtOK72>leZSYG z5+b>*!D;HF3{C=v#^P(n6xso_QGI7exq2J!j(!aLz#4_Bd@P-;kniD)iWX{vX5LTm z$C@M2JcM0Lc+GJdQj^~@Z{k{|ls=Ms;9(3d&D}&Z?P9AuLk34E%~`I=!ZXemswP#% zd8>7W!!nwaE?6i9W=0*A$xy%aIzb6am>aVbXwq_3!68e}VXr67RQ}kAja&&2KH!J| zYm+1X>oG1}#aJea{Dg`r;~0}71jYoUrUu5W$S8dbX8LWl!e@8-xe27x8yM<{CQ;^c zzV7lZM)KoUKdOPuOFrRF|0C* zs6%cN;&%4@&jvec>ZIiAjt_e!3y5_Va-~ zl7=;C2uA|VlP#)>E2;S6#-Hw{me$b0IztfN_&je<^EWq|PQaV~HKQV^c8u5yIeR{X z#R{)xf{0-+xy4P8IdSSx#Bt1tXQO_wd1p;HSOUlIY1Cj#t z997ZEKn1D)qr5{X?V z7Q}b}%H!10Fa$IGJJqN|M5J%_p{MeZhvb<@z@p0dDTnWr^D`bL08qEY<+yNz+)w2G zq76M<1uvZx?-14YDo3Vl%>0$Ksps!4@aA2yeBS9}4l#?ZY~3sAJLEME2wuqy!Dp@f zMq~Vv{VCkO`&mT^2RI{Ppba|Sn7n1Om4k<`U7*UE1`X%G>Iu+Y-%rxkR%=Z8(#o!1 z$GSc#NizGj4#K#8)W47xviPiq;;EgS1~`(Dza;j46lb1-Q>~3Edidf8iLtv-sRPdOaJbt*z1L8?6XzTf~zZ?1uj`9n? za>CA*$u5EJ<&Aw@{^(}VxPSnu1;_-vE>2%N&?Na7Fx7_=X6oFpqup-kp-C1XDhTp} z2h~KCawM*a6Ujt1zCC3G8tzjwk~YO~(l9Acj>rxWSg0HgfO%F z{?FMjyI=Y=Io-d$)V*cTeX5G0e>G(U^5h;TSqYxrvWR9S($p{V75;rTZ`0L#QEBGk#ADJ;yKh zD+41B+MW3p3)`iqk8>?43t!2yfP=+zZ$HD;5QJi8mHyMuwY#zyI?!@)5tU}l5eBaX zn4pl&^NX9OU5NrEK9W_tz6LL#_~sm1H<5AfFw=Hk@t_G|W;~TvMA$phg@js^W3+0+ zhZEfaFTw5S2t^%-VJ&_u85ka7boa0a^F$pH@|0VioQFP&auSrSTic>Ibfve;F-B!erx;lpt(8R|P@=2@$XK@}hQV`96<{p1|v*yozH~Z2rZb~_4 zAF!nW+y0HMszDEt^$^NNm!j*xBPK7wzqMXGI)r*(H{UiH=&G{PWgu zTGQZ}`@Y)p_ixS|4z=bX=g6mryR7VtUowO)no()=dP&lg5^328CzYJGCY@2J)QDiTVilKCf@b)j+DoY^lnXg0WOU#&nLt zsiku`5%t!%mLXk$$(YcT^6R%2~$ZhCn2&~_SHelJ5AWnTa;gQ|Ax8TI3`rP4!t zc)|nlxta4|_h$k1GJn%0f`>#U7sUEhLU#CcMo~v!Ozhne!WDK7r|b2(N>#dS=gJWV z+M&Rgiz}mTLKl1p?sLg(Ok{4sTyme)LQzu@?nLUUk5~MP%0Tm{^5nVr`WkiNoob!9Iq2D9JM^JWR1FTkQ|!1nm}q zi*Mi?YXDswIl|w~xkpR%?dl9lIFI?buYfonI9StR2{l7 zBkGwYTg&&$1G^KaJFc6F-ba<=sGahQI{CBrbdBM-kZm6tsp$J^kykJ@_k~Yc3azzH%5w zH4=82#V6U&lLY!dpq-T$EJc@<*K%9s_q)Ru*4~sH(ZRM#Yn7BIJg_Hd;$L>d>H`=k zT11X>`0ugHa?nbRXp~c)09gO}69it&C{h8dA$3*1U>;9*_|IpAlBOdG==SY3J(bfx 
zivjf479GsT)A+D^PqJQ_s~P!j(4J7KHXQ)bt#lO~-8+}(kR zk+rM(y4o-C+P<4UYkr-p>FvM&Aa!U_nc}>-91S;t{={;j7`Z(kZ(F}W@o+bDT)F<- zFw4T@B#sk?x`gcS0XV^|K1xlIXvuTAaG^SO5@Q62-C7ouIK{JSm#}OAMkh%6- zU|0{F;>3r)&>6Qi+d97rOO|Kk@Gh?Nr&lor&6A6ho{$g|rj7~nRBOFBnYPa?+Ti^f zd8BQkvTcRYgrlK%t69TpM^4o7xjS;OF5jDzY|rYU(KQm?Y3Uj&iGF{WRZ;0iA$Y(T z*O;@|0XsFcsonyyc&>V_vl*();g-%gP`tS|cart+32*KVn4xl;Y{e(TMg8kT2^1Z; zeuwKFzB`PCrD^NCm=GAe+r{ztVoTl2x+VD5LJGCEvw@mXzEzhZAR^<+L*vJ5wL=S; z1|t|)wh1fyTBjxV(#Q>0vWTgAhhBKe`=D02sWhg~(7_M`ZTQTrv?nxIm)GNzU88wT zhBl`JsaG|p`HNx2%FLgI_|}^5JW&(&zSgb}WJ04oy7`LZx{TK9(o7Kx&B)7qBX^gn ze}HR&$8|dJ1ty*WAA=Xiv{Gba zZB9c)h@fp8lg`%od4;#(g&x__>%kZ9dm3v=8ZbFDU3`aE3rks=2T5k%oD%|~#awE_ z2tI-%=Uz}?Hl6e{(d}EKs;jcDeL8M1=u;)>9hu>;?ORz`0e?hiUn zA`}Z2-FS&GSpX@a+Lm)0KRkTz$yw*Bk#AYHi_`d%*$^~^2g7+Am)jNo4Y5z-eYFiR zoE*L5sW!v9$DFCv+sW44Pa%P-32|qzVLj*Xs3AJd z=f3+22Rof%=HZsxEfy4V52HfTh#`t<&=FW)O9}^swJEm1IDYrIRr5rxZi}HHr|YuJQgf0QD6Uo6P;_G>623j0)S|>%6N!T2Z~6u zs!EeQ38aRv&&@mlse|QcdG)$j#D;>EdP{A72{8R}VTKYLPFq;djyj}hYGG%r0q{EbhWIR-JZ1(jdT5ZA*o7?v&mOX zI3XWp#+Z#jC?(Br$X%5wE9~_9$QX^rx@=FXmjMEXTzf zwWgP=yD5_zujx3`bN-~*?TS`cF3RF&y=}DBer&SCGiSY)#9&I za~xk!=+5HUkK;RMm}LzwLVX7(zi(*0U6e{QEMAfl@oA2f#Nb+pnS9bK*9kInTcz*y z67pw0s#C?XEiI}Mn&Gdj6XGc2y#;3MCnYpoenH1=9K9Fn+Nho2nhy_c-ITUlgg|?rvIZd(RSr6ioI@u}~6?`#=H}5B_pCG|%=U`-j z@5F%*hbWNM#Yur)Fg=Z1o*ra=r`;jR-(yM7BC!p0@{|};$-UQ21>j8abWZ`Q@sSH` zuTQTOZ)W6kLgNAsOPHZ zwz@BH6lYgR z(y$~7j-~PYA0m@=j70J-H$-#ZU*GR|nenVsgpJj-_me5A5h|*)oz^-Dp&u{AY|+tP z2O8pEu-4MwVJ%zdV0+pp2MeR|jS*F!_%7$dbfraE#}9uX$g_(ldH+RdrcKpnzvYpb z{A$T>mx^7iPiuB%``SFR*+Bu)*3QW|@U~cI(g}|S(+?QvB_97>=xt4sj~~(tIde*_ zm{Q&oC^qdI3rOBWJ{X&+QNF&uTk#0J9LHXnv*)v-m&{aWJJVFI3L8>W&K!Lw(&BZk zCcl?j{Vi%`dFj>0rnZZEeWS+CIPl@jsh!-eq2J4wz+>6}fXfXlh3kAIrQpv2qb%USMV95_eY zws*2iBbhRQ+IJx;mF$iSl5@*0MjGR59VOA}EV*098t+~G!&aC)K;%1s9j%&1iR~H&hK-24lPk{{~*U|Fc)1lajxt zX;pjOw?2NZVHa=AB?NACFO$q4wm zmL-1m9k?-*f??-4#9YEHQq$;S-Q_3cs|w5dwNq3ZBN$qCwi2$y0UM4&VPNjLW{Af% zZO-QK*ZcOX*~2sTgTuwDPqV)63Abw;lnd})HnxbjqyX@9A7S>&~ zzU=%_?jm~+V0}n 
z)PZB5ZcL#KVLQ`DrNh4@joSk02mcI$bp*;+I^OdDl$KDhEP=jBd;C=qp2MELwS|1J z^yI7NsUN2v9|Bs;zy1wSBc@Xl=)>_Obydc?%!3Xo5EX7-_pkuqh~`Dodi)0<()bAF zeQm0<%e&#?x4`nLhh`B?ha*l>jial~`;{Vni#rKYOT}gdde8Q{s}HYbSSj>P+~0!S%HOlpzW-X`mfXtm*hmKzHENR?`c76a#(Nv*uf{S&*}n>q8mId$syfQllAD({1;t8N+ZX)@=~4a< z(h~*=Ov=)Gw%p?VzNhA;r<{~#6b=xk) zh{D}%l;o%a`)R9jH`s~Sb3??L<{Gy&;_CSMK)aBV# zI~l7R|G=sga6n9X#PW;#{szDY+f8}gJbLp&$JPPB?N`1g|4;`-jisHVjNgQ*2@)o} zq5=$~p_96%^K-z^OFj5~CqE$*$0zpw-#~>nU&8bs(UBzUrXD?AXH1Ms520V;sXWcn zE6G?QZxU;_-Yl?9{ zr5m=fi?*>GJ2l6Xtv1Y^K-gCrgRb}4UiZGr&2X7C^+BleU1m%xSiAfg+CkwGJT&Mw zskEjO0YS=i(Y*^Zoz&E|)@O)N$U)?osnta@ueL3vkY_!?Y$ zq*X&()*tWu5HtAV8?r;pt5e}Lxe`aC4}O(S7tH;_aL+sjk<4F2kTt zcxl|aec5$}s(T!Rv9c8LM&WeVAM*})XCCqV#NwHCv-hf?=u@@xfQNsC$Mc9$8$2p9*JJ3snVZlC4A2XF@w{fE zbVD~6RmhITYfmIr@|O70Sn_NgwdD=N{~X3KJWfvzR{!k=p0|pmi!mt^!&sf5)e7Uq z*sYG)V6NUiAA+*3v2DJu#tTTP*f=3zh!~g96hfk09C}$%1$SoTd|I%w$%J&quHt#;Kw?LerM_KoB5B4>~3h9A^-@oFCZ0DMG^BC{N zLtq?)4l@`|Z^-;i25}XtCp+avcFCUAQcZ2XA7 zqFtvOXxi+X+ULef>|2%11J59R_=yD}sDb09_KL#48#q-O;+VBJFvqqVjR(in3H@@;9kpDX^o<#LA=NY+^}76VD2uGVurYYCIel}8 z10}1ZW3}NGtT%ETP@`8iIJ7#g-I2+^v9Nf`+6$P_(Lo@H^Q~q$3n@(X&z)gGR}hI` zKeeBRh|yHWei`F?r41eG8_mqeo0Qf_Zfgc%0#NGtru>~Ift}&C1GM?3XfHFl4UetN zYo{p*U9rA5c&(E!bK2VvODm5_qZ%KtVM_w}JQTcbNmr>gLmQp=?@JoJVplsB1{xe4 zMu|7k-*Nh#PFGNtgyrylOeME z3BZxP8f0y{B$ERTS@6k2hL0=t5F^`4L# z6maC&1y4S`B*3U?^Dw9f_z_nBpme*hK|XBWuITyvoT*Vx6fOvlzc! zWw*)lcz?Go){6jPy1h5HW;meO(r=%+`I$x5^rh&Ji|gwBg{-=jt(JzR78|!+(Gb& zoeJJt>#gHv-y|V~q`ztPi1s9@b6O+!=EvYsdh`ia4jlQy&0;q^SL_r5yZoL#AAuru zOUGh^!Ot;-(8&q^rnIHMeIt;jrBYL%cp39E2+8oaMX17%{{f6}L%;jDLD=c7 zjG>L{kO=Ut2|vs!F{^T54gZ(diS2|>Q5tO!N|QKIiIv_&;Qw{%g)j{5ym~CCD;i8sr zZF~rKkkc4%>Mdco6-KjQ9RSF0V{-&gUyL-z_9rZZD{1r(xXiZTt{w;(DzsHPdL2X! 
zqAHCtQ0u6}f>>?QR}$MjmlwR3{Y+ z9=-2eEqg-l@D{n=r&U=leKlUFwScbIb)C9z2_jc_95Za;zH4#0z{J?5>^h4Z-5>{==A!$(Q2;g)$jv+ zWpM(H$BIkQ2ME}lxG$GG(65nWn!fNwB>LkSnrV_R;rjC2elug*+B#X}5CvV2C;tZ+=Jm=?Fic;Ap{LOBelZp&knOf6-&4~JemebwAR(-X*#h%d3}kuB2tKkn z{~Yn$(((SV4#NbV`5si~E2Km>?L$lqdHyuXf^o>4z}&As3FE2RkDc`ku`^B?ZlF^? zrs=IL*gi0DTzwS6O!b)<3Q_01Qr(sxOENMjnS6MrIF)`JiA?TsuZ`U}E7uhEB27c& zecMJPoBHnb8I{@8?JjSUjLW!ODHK=Vy!9EJliNACkv`~U)bk3%G2uHLgpZ1Ap{*vm{06KSI=cCihrUH6Y*L4ih$x`70ry^Qc|EpWor95YMV&vKJNByUe%@n6eT4Ul zcbLzUCZ!~ZyTK=8UFgo^p!z_QI~YncKnEatg^W>@u@TxD*<1wYDhK{yGCOO@nxFkD z6dqskE*@0Q)1ZZj*4_RKGbeF0?en(gqn2o+>5T*wPR7C8QI-?)k?oY4UAQA7?d9kE z<>opah#`-oe0=pRv9W(3E-RVD)sLoAO{9#{w~3iA7d2R)giD}4(JTB_NmtZ`ra;ui z*g~$VBHUMu?oEyE^tcUn#9VTbkR~(D_T=`iW0(DfCUIhLhbq4_YZAJCXV!3NTHmEF z_Y$`Hit+*DCBdr28;b;KY8vL|kLLaPE6^AtgjAJ)l}b8$SNVM3RvWyF<5;&NiSf0K zzx%zJOe&fgOFZ((WmPZ*Z%-F)s|}7h>WbjxdHCwgHi7)q0B~@FvHCkyR<>Lsq%rv+ zq|lMy#wS)ih=9gxt0JnaG@89vH-D&CcwdvLnu{s6OjmOhnl4(4;3MkzNLbUNsa)&I zqNp+H)i9Q_w|G?1*pi2Mq@B4K6UTn*Y6Jq2hnejZhGkkm~ zUJB#47IZ(|nkJKi$Q;8c8?zjt%V&6&aTe?A#MR6c;4g-ZrdMIsP)kWv2HqvZ>-+;T z#!3VH^TWNFhH5{6IBjBB1sQJit2z`{7x@?=kGb!!Hs=%gI}oTT~HpECIR9^LI*!iOh(cNqGHrt=mt!gJ%`3(KNkYH-8xF^*hRCP)*nhhf`1x%vl2pLkaR2}M^WyK`fUelAaVDUj9*Tcu9lg>SW&S1Y zeCiVa_`sVe(1J3A7a&=G?lAPPPX~$2_kS{aa}?BeOvebNcJ=y$lcQOdUL%whDE7yw z88^=~USWl6^IP?t>wgfJ+cDs(S!NNrQYgBt9mFt|ij%m?j2(T*S@knVJ1I?lE#Ge$nkQsx?35UR5@4G&R^C5f0im`44-? 
z_-of=!X$7@PWo7J7j=Op#fjD%QQl^5wy?bZch6z~xfeUezaY3Aw9lhF!*P0-OYN+iOt8zhjD&Wm2jqvqi_Ub!c;n&lKBb92%pe@uvjIN18jY_B}>Ahb69< z%xqUm*@|ff^R3F?OSX&`cWf(VDUd5qmy;Z`&M8Z&j2DZE;>w#D1pFLxYHC-H63R0Aifw?-_Tnn-vE4cCVb z%5c`pFHwra$ActaJN%(2sK04TUfD&?@4xV|?7|P{dNOltB^g@oBx_%y1gJ~*LPf~W zbhiIaD88&+a5#&vw>tfQ$dlo8mXbIkdh5x`J)j_4*C{;rX`p-#tm&b)_J30bXHQDs z7(Y>@4KHf}S=g_nge0tB&^z8(clne4{3c?z{J&6^7K^R6H=OI^l{fXSOuY)}TVeVk z$!J57&M!K({YMpA?09U6KsZacm*F8xPc+=diE4@#_UnZQE?7;bdSH0#O5)DAiqeUw zDp1~m!jm@XYe9*cr)=&qOHz;j(dlrBsPIkuMOu=>__+m{r7@|1XQGH5c=GAYz3Mj& zRAB{|LmTXj;sP^DLF5a>J^y$9evWngYM9ZIOF@7gDZ_VE}XwmX+{ifO;N(_&c;eb z6RnhPR4+{0iQ^02m7|hj;yqm4VyoCoW;o`?TS=|U_10XL{8=AH#R6G2w~VOx8N_&7 zRoH*p1%Xb&tDw3L;1*`Mz{#=ix}zLw%2K!3>yJ6bzpA6K#=L=GJ`=UZNau#Sn8lUu zlo(te(TTal=(n=!zR`M11rO7((HZ9b^R4vLz@gGNGiJEg*fmHwz|3h8UK)E2Rsw+dL+ z+|-qAk18_e4V&c`=CM5AgqV#ct^0VWgiixq#>ou@D$(*Q^4cYRoMgXI@W+EYSjx9> zhUS~z1kA)4S_RuDfuGtaSVlexd-k@K=14<3j3pzM)tQ3utPO!1kWqM{R)XoWpzTI~!Al5jkhAJPzsFpGwVJEie; zpdm07(8r3@9ZSUPKF5E{6xB>VRoaKrqn{ng8_d)!JW!4hP~Ki8=@m+;ec0=G8lqX1 zzm#JdV)Y{A#==gty+2tkhWb{t*4odZ&$B zQi|c0G!Wx@`P?++qzmbVmx;nAO(xY?7VwK0N+zwGr&L$PMNE9eV&Ci70N-c$uQrc| z4ZW`);3bOu;@B0?t@>C6goDB#R1UwlKV2h%mo7vBOxk8#FtM}StvZLf28`jO-|Una zI=>aKLgr_PanX;icHm(FA{rmlJ`M?lGuM=&9)-QbbJt_TvOT-D_yICtf;#PVOpHdy zkoo0)ZXHVQ>3IleII8hE^V4XdN~-p6jC8T}JYYLkD9YB7XYEVKuR?I4R8#&2jMHcz zeNYb!%Y$W5Dqb~ak#shD&ngHTcQ%{;%ED@nv58x$zA3PeKUC{2-GjB>jf<+`V615Mi9CF1{!DyHA(k1`HNk!T{puD4 z?Rjc-CFcE@MoEo7B=2YNJ65|rMjsqCc5C~A9vtYKibj0Ah3o{u^{f zwefI3iq5fOOQ@?LrB@z$m5BvBD|gdui|q?`4)f$aCD^wii>j0wwV{&qpgCXsIpWhT z=S>X)nI*)x`uCGZPg(yfYp8jgQXQIUBRK~FxWUGwG>kE>o_5T|Uupge0D<(?JpCWc z4Ff_r$dl==G1qSwaP`K|elMHuO6~i!+}kcmWNbUA&R%$By)(X56b5yxf3yEG)?~Ybns#pF4 z9Yf>&Z*&am#r!2u?aY4g?J*wPoVv4fW~;vfDEZ@)Gx_CUfijtG0fJZWDL^+KbBtRd z^pEyoyz9Zc&z{(JP_2(36^O+k=%PFMPlStMwRAUmwxo4+I3U#z-*u2sD<|}8nnWi7 z$|~uGfdv{*$c#Vo&|@_4yB2r1*I1%vM)v{C3oXOthE9}+f3*ew!V(iXfi1thw|` zcZ5peA(xu}?k(_mIFb_h+OWpd5ttJ`C5(*EUWfjTwcg6lKW+@r`?r;N+X 
z0p6-#5T9iH=i{>d(YfeSsGh7R`bRQYtUkiBP-z>B<-)sPDQRY;Iwu#`oUfWiB99W@ zt8C8^d3MUSuF=O_xCan)=(IB(_lk*&noWfLR{5fNzmZ`nE%6A9`nLj@^O4g@)k5N5 ztZx$03S~l{4}>`u@C{0_Ii$W|u+_BQ>47>qf|gVKO&j={nyxTlDRHl#34KVtKOjMJ zd;lSJGAg0TmI3iR-!;(Eg)+VZ30Spk3xv4U;a}nZ*4`QSJx82GtAcP_pGbyjcb4lj z0c+FEKi0Y+xO*Lo-<(PFKUrAvi~rjRH>Z=>@CHiim>V15GXavg^w%mzU_IpdBD+S4M%tv#OQ+$)AQ|X-8V#tJ2ahd zDh>sVJr)f(oOyYZpA9&bzJC^a;roeVqPqs_gG3dh=&W*VBqqx#DJJSBL3YsduYTZ_ zFAzGvgjv@~*bVh zGTfHeUh^6kn6-$=18_?6qt>b$?JD`WuCoW-q4tPuKa+{?(Qh}nEGBSEE7&@bmCjWV z;bJCaSCPoTZEx*np@Ad4dG`FTm%d{CORRV>Y3%8FZEdQ@6=R9sAG7H3+SpZWR_tO z@{CMFPAgPu$DwfnbMSKpi8R1~Itxw(F5hQh&;+0Ud_nR8`;cN&sc8KD_MN@NB0Ght zMNx7$dm2M}!$mz+742BT`II@bfETbLL78dDk&5?iL876e_y;e5NKGGu+ni#nUlS7REp#C-19Be}wZNyF>bhO-t?D$G4vXD|aZ zB;#tjrG&#ZRl;q0bsWHNF$H+YwCjx@=nTX{_-ogHe>WW3Mu;|tKbjXO5}mrx;+`RT zc32pFRgC2A>Y8EjN~17xtt#vgrL&O!+R()L!)LY0U>4hK!For8h|e0V(Xpoct8mS7 zk-1@@k?Xl5#?%+x2&`g*QyV0v`zA19Lr~lB<>=z@?+m2LJ4ifNObZr zssP+P#=Ly|ZDi2V4u|Yy<-zH&Jr(iW0=hC&{Xv#RP7;asOep!=tt75wHbqkA9>>9p z#?OgJ0*ZO5+DR8^2M;z7kZ?jCyWJm|;?&F9%s*52&uAE9 zuU`NBw!!@L(w0Q)8z-}B`AE@pao}P84dmv$Vp@DCL^|4_E zOr4<8%$n^+0$C@|kqZR2^L8P@FqlmZYs49k*;8U;PEUPc$HrHG`_o<`1-N;Q%0zNk z2Av;Qo6}SCO!g!(+qRYv6fTl5|zF1YX3h%jj-^f@_NQ_GI zR0~9ReH>wz6+nEXu6rw-s>*tqe`kskHCn6E=L-A+3w_os*0LGexLMFJpj}FR)8O## zoG7$KHv|&oCNOC#s!9RQJ z$YN!s%>33S)t5PB&5^8%w32+ev+I$Y`Gpho+qCk-{q_yzX`HWh;wO^}tFbajso`(b z;BQMwA#RWToK@^CMXpF4JxO{$gpVD4jOo@>2F_F-Nv%iH78I&w+=!a1Gy&fFqHE?Q>c;^M3u7Y8qTmEd z{IF>$l`?QVq>Ef-8v&Uv@8A}9GGK3$E}Rb~4o&WYbq2{OF{K7KQSC%U_^T%r^Rnm! zopD8-Ut{Pnup6gTsJ!W~fm6$=FjZDBhn>Spm`)P_7q4g6I$-r7Tum9O|x< z>2!-i=VrYF7k~FOpyfx9kDls>E?rCdn}l}{m|ag$vkD+CG7H`p8{igDP3V>?Ri94! 
zPtwnPO>|uPqN`iHR!nxYfI+EyOPt75V(HY~zGrx-VyjoTraLIZK;bE>8QPbeKB!8T zPn`?!!EBgi#yDo*KmK0I?V{gO7k)cO19RJaJ7ziARyUlDcIS^sHRGCIbh^K?nn@ns zwV?U}=&+2zzZjAV_?t)kA!awp=Z_H|+~+11TpY~4mb{*5Ncjv`%C~go3klzW9CMZPeoTE3sOBX)j>4ZmdLUu)m{Pery znhL?YP4;OxguiY6pD*u&-@FmRzRI)Reg5K4ABnCC%La9dWWXhK;(krctFwpnN-9S$7c62YI1C@31*L59A)=qtIZ zu05ev?kJ=NpDeu6$L2AL_d^IeY@z=6UeXtn@+ZCg^ac@$plkF+&^M$fb`P|&J7~-Y z16)oIoNpR&d5%T$1`fU){17X2Pfi)H#wR3!aC*iU@1HK{NwoIkp9D%2%atuPP8d93iVvw zlkc()d*c){Nb;jXhjo-&=eG3r#3B)B`jf^3f_Oj%6mOAV?pw?0JLTv5{JTQzr03}o zjIVxnDP92Ll`&Jv=5$pQ_vO&=4V=q-c}i;u-OHLD`^N_&5B0bC>{2XDL&DvxCQpCutoT8#I@Kc{s* zS?7QJMGC)6WU;s7Kwh_< z%(HnU6*)eLD{LO|7BV$4*~h?X-+FO-w;w!lmBedfAxY9TIww0~dg%kGFN`zpftoJ7ju19UX}}+CO4j_=;$r@L5x_RrB&U7pbn=06 zzsjN9Z@Jdpv81#RqFct~s~V4NX?A!-C=4FplJuf4`@YaR%0_YNm&*R)lXbE@NuzM7 z&djkZlbDDb-Rc(DmlRq|h1sjL#mm+ZpdFA?d=h1xzkZ&^wz<)-R;RHmoB{2f^``l> z^7US*44-a&^_u_h}gr~m->zsh544iWDck%r~ZTIX(u&>D=LD2%j?mbvHk zo1KG7M9cCYX#ER#I$10_Vpe(I!H@7YE8=7h;)in@_epeCite+q?1p&`NSSdvW&*BeYU<<*Fc1qQYu_9btYR5iwbuI_~sF!k| zd>t*1KF${SY;#74vgdVBJEn{0;eJr%w()zlZGxr?eH(xtcc6uw!c$=qcnMHd@uy4E z$58OryCZ_fZOtoE9;p&SUR}N$qG(be?KZ}pC-qa*JRX@i4FRt&z%bqt3AQPz(!`XnDGAsmWB5^}ixyC|K`(?youWc|mt z3iNue!|FX0pCRk)z)UimRkn0w&;m$8KUUP#XfaJ3R2#eXVD7$J_4z$>rSwJW#0s+g zIV%6uw)+y(W_VEHfO+5ER0nwa9KOG{l+T&e?-oU$US#4{9+msyOqJocKj*5s)5T{FHHv5mxeLO?6P)&zvC~{4Sh}e4np;xlLF!lnbL4v( z<~DNseoZ06NCHOs-RzHPbeJq6Q9>GYrdR5AYfbq!#7{htEye$(gcW;^F5MIX|G1%qgtEkUl;8z=K z#E(sNdZ9GS!igctm)T-}FQ^g2os4Y-Yy}0B9$tDiRKo_G`k?Goy7=Uf&`;`}80$yODjy*cHl_J#kxxEEDyJ2wAd?p|R5-hM{aBON@O_ z_88gCSl+9<`|f#1J`UOnJx#sDDa#vNNj$AC(hzP4MjphmM30=>%d6Hs*$XC&}IPs`)ac5+Ecj}(8UMiFGvn=RFX3|YU1+h5b zUL2cUyM>^A^HUIB!DFMTu^MqOF$Sq~CxA6)lW@%}pB#XCbv(LXj!7}Oa0-wN@$Xn@y zxxVNbBb{TY&3+F5%KFiq2+Vd@FOj{#M<=bGBl~v${(pfeU`rZS_bsa7s7`IsH8v5nhOT*|9&aaFg5rW|Zx4sV~}dWHV2u2QHA)ABlx!XDZ!|Xjm&#e~|r@R0Hzf_AHpI zfK%|~_vcz%Z1y-eB2qhTVBc_e*qtP2q#2cyt#iR*M+H{@z}%aP4cH-NSvS6-3H~U5 zuFFGQrL7bLcShQK`sOwi01s_K`zXh0zcLfvIY;ZrVkCRc#7=dfH0&vCfuF{`i{utd zFsK-y&y 
zJ;jN3&`L5kuqbq$e^<4I2pJ9$yjv9F5YV)(*(9D0#=jg2Bh(_2RZqEG84)ws- zsoSD{(r4WRC7t6l@{=l9Eak2-y(zapJLcRoj}mB@=wmp~%*tzl^(WirJYern8BgNHXLE3lXNSG}?lO|gPrg7ZN`=l>*MQo2 z8W%oG+Qs>A$n@6nx>Xaf7rO2{fR`yXWTAnXvT8a+S%)EBo(an|X~OEJy=fo4)zc+OHRbpLT7UTz-2jCH3RPbQwaM zH|70%HUJwFMb)Q(LqvV15a&X_k`v}{Q~YHp7a}D%g3DBlGuBH$P|$ap8$V$m*R2pxEIz#$6VFZZGx>PwyFu&Kpn8+NFJCl{l5*>_85p+i_S04@!0Vq`H^W+V(K+0+ z?OTK8luof2b@Ad?^a~D;j{eP)eiHHTBon(<>sHEU@w&jCt@mWhhq{*1?00>YfvrTZ z$_n`JwR2afZOqb;-!5gU!^iW7jhEhVmC$3=YweW`qNVk<75xW=cc<>yZaC0kZeM$p zU*Y`>yqlqB#{@>9VVE|UXXVmKqMtq~KvOclRZ@Ewrl=%cqQQ1p;;t~kH5^!Bo6?l* zIlsXqLA9;mwFz3|>4Qy8BuLUXSw5KqaSzD96C*_ucpk}FASc25d{Plo1ATeLz2}Vm zI+8`YW=emdwD;qkrtXKN>K)2jlt4tAt`g}EDx5oYD$}^C)GcVyd^!EMMvZ*Y73sZ| z!PS|*(zk)*y8VGA55+fQ7Bv>)B@i7CA4;ce^q_jG+#(7=?#EZQc!||VYRT0mT$w_Z zp!hj>*X6m{hNjk&ysgL)iwo-y~DH)a;w;z^KkgvS^ zpdE@-Z%1+M#zmC0pPrplOW-2t+fBj&M;A+ac*H;NbCJgDRG==ui#+7f1Dbypi|$AIVbCBffpExa@a+WI^RVulT>@%p;8vBl>wsv;LjSA4oCGR#AcQnAVo} zht|8jz3=z}Pb(3U({FKh#ERIy_%wcJ;hjld`2^NI^mW!SDrR65+!Or1!tw5WaZ-M> z-U8vGVe$@7b@$l&=%)iR63*ZyG!9o-joY%Wx<_B+z;#k!b#u?+I3Jm-x$II8ebHI- z{`$FU2QAM~cS97k-S725SMhx;6%+a9nVct03qD*si}sjF<43KFb(B6O7=uE4^aqn>>xjacXRKs>OSYb@naaBG5v2~ zw06rI@rEB^rrzEJv6O={M@}QlFlf6Bx31`qd84PM*X4%)X#BmtG>h>~F9vb^-Jw$3 z;m7diCT>nf0jh)W1vmEjj^o(Q2X$y%Um7B;KOxDQq0DSvD5@zr>uB!vKX4-Z9b1T5 zE<=TMkZVmZtTS5Gfhm~r2edj4rF~0@=Il>nhy3jV5K$XqoW}}h|Z_5 zYvztQ<32;j{-v${g;6eLVj(u&c68j|le^IjNtCRbld=%@QE*k+La5Wb=b0448xt`r0`26Xf`Y0oK7fDv z-JN>yOY^d`r3D2YslKGSXqe>-aozRwD?k~g$Vvc#SoRgA15)JiQgF^zxKd{zrq1Q~ zC}G{+reD&LXDK*#S86S3ZF5NGBQ&H|*t7F+NHu??wPeC%$z#2SzAMkUwU+Fok;byY z28NgNPXm192(@J(mltDl6i9=u{_3uYHkFXuLus|PLa=qK*k~2{HGwT-*1cB-A=6Xi z7uF24N-0}RROwBo`?|dd1u?OQYhNprr8s5T&5=ive>$y@yASX-0AyMRU*a~IZd(=QB7ye@Hu5f#!sgu z>8EpQh7OU9FqH9McU_MqI~FT#+pw`Iv5u(o-~D75i3~5R%C$M$P?q0(;~l-T=zF*n z~GF^eC}cW0XyIph>N6&CIItNaG1$p+c8;rzn{; zNEM`&Lf3$=#b3Q@pHhMSQj9}z618$b`4@=(1tayf*8Z(QGLRYOsuL?eUn6Td8l@?_m{j0a&*XUh%N^?sNoLaVxSJrR{(gfC)rs zMb`JGO4B(=t;KnQUgI-h#Z%dnP1907rp1>$Vu+KKsAi*bE!p)8fRuQd;9eqg8e@&( 
zPszEwSCXN8a^$>r&Z6e5dC=mFrZTqWA!fROMfz4VTd|Q!mrn})BhhU_2Q3{|?^8lg zk!COq5aV{jv+QKasKbhyz6yKFr2f8OiOafN|0NG&;;OF^yx1^embA zyyaG%lWSD(U3??0LBIq8D_2>G8^CxC2hob+bfjCvHrfq9r~A)xB1{>ijr9suWVh1| zH!@36By7zSW>t>V9at+qu^E7QO^NK7T_3z+a)cAO#B@4#BT?}3vjC@(&yVc z`&DKV#CPT{o)_DWq}m4afQis~f+)v)6kWvZv+^<`)etddxvFBZ0d(u7AuBx%+hH$g z#g_i9$xP34gMZ)<&HG*7yEI_$cO=-+-igQh&qi(O^R)5qMiQ8 zL1LMHR1`e&n;d4#c?-PZQ$fV$PMDvH_$?S8Kl+AKmx0FY8AuqId>PO_F!}3{nHr$`^whWXN6C`J z4*(gs)cxOqt}*iwXnMqtzlIMXqS}?qkY928Yts1@x5?7j0m@$~@|PO%QyHj9}>?Ee3;`+1VKFP1#)) z}+j)!oF zU}A#1?HBj}*{i92(CWLjm*naGPl1$rf^OTNo2nU>wHyLD0KC+$YF)`!xe@q3JcQ>4 literal 0 HcmV?d00001 diff --git a/test/packages/parallel/system/img/system.svg b/test/packages/parallel/system/img/system.svg new file mode 100644 index 000000000..0aba96275 --- /dev/null +++ b/test/packages/parallel/system/img/system.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/test/packages/parallel/system/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json new file mode 100644 index 000000000..7219b7bd7 --- /dev/null +++ b/test/packages/parallel/system/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json 
@@ -0,0 +1,894 @@ +{ + "attributes": { + "description": "New users and groups dashboard for the System integration in Logs", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": {} + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "[Syslog](#/dashboard/system-Logs-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)" + }, + "title": "Dashboards [Logs System]", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 4, + "i": "7", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "7", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Host", + "field": "host.hostname", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "User", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": 
"UID", + "field": "user.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "GID", + "field": "group.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "Home", + "field": "system.auth.useradd.home", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "7", + "params": { + "customLabel": "Shell", + "field": "system.auth.useradd.shell", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "searchSource": { + "filter": [] + } + }, + "description": "", + "params": { + "autoFitRowToContent": false, + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"system.auth\"" + }, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": true, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "type": "table", + "uiState": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + } + }, + "type": "visualization" + }, + "gridData": { + "h": 12, + "i": "b9f97626-14a8-42d6-8bc4-2f37b06b9e6d", + "w": 24, + "x": 0, + "y": 4 + }, + "panelIndex": "b9f97626-14a8-42d6-8bc4-2f37b06b9e6d", + "title": 
"New users [Logs System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-15m", + "to": "now" + }, + "useNormalizedEsInterval": true, + "used_interval": "30s" + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "searchSource": { + "filter": [] + } + }, + "description": "", + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "defaultYExtents": false, + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "bottom", + "legendSize": "auto", + "maxLegendLines": 1, + "mode": "stacked", + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "scale": "linear", + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "setYExtents": false, + 
"thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "type": "histogram", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 12, + "i": "eb0fbea1-6c85-41e0-b52c-b0db0c895432", + "w": 24, + "x": 24, + "y": 4 + }, + "panelIndex": "eb0fbea1-6c85-41e0-b52c-b0db0c895432", + "title": "New users over time [Logs System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "system.auth.useradd.shell", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "searchSource": { + "filter": [] + } + }, + "description": "", + "params": { + "addLegend": true, + "addTooltip": true, + "distinctColors": true, + "emptySizeRatio": 0.3, + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"system.auth\"" + }, + "isDonut": false, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": 
"default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "legendSize": "auto", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "type": "pie", + "uiState": { + "vis": { + "colors": { + "/bin/bash": "#E24D42", + "/bin/false": "#508642", + "/sbin/nologin": "#7EB26D" + }, + "legendOpen": true + } + } + }, + "type": "visualization" + }, + "gridData": { + "h": 12, + "i": "2e5bb345-992a-4cf4-9b8b-8d68a6b26f3c", + "w": 24, + "x": 0, + "y": 16 + }, + "panelIndex": "2e5bb345-992a-4cf4-9b8b-8d68a6b26f3c", + "title": "New users by shell [Logs System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "system.auth.useradd.home", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "searchSource": { + "filter": [] + } + }, + "description": "", + "params": { + "addLegend": true, + "addTooltip": true, + "distinctColors": true, + "emptySizeRatio": 0.3, + "isDonut": false, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "legendSize": "auto", + 
"maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "type": "pie", + "uiState": { + "vis": { + "colors": { + "/bin/bash": "#E24D42", + "/bin/false": "#508642", + "/nonexistent": "#629E51", + "/sbin/nologin": "#7EB26D" + }, + "legendOpen": true + } + } + }, + "type": "visualization" + }, + "gridData": { + "h": 12, + "i": "26b1fdeb-77e8-4eaa-8d09-140485154c1a", + "w": 24, + "x": 24, + "y": 16 + }, + "panelIndex": "26b1fdeb-77e8-4eaa-8d09-140485154c1a", + "title": "New users by home directory [Logs System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "group.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "group.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "searchSource": { + "filter": [] + } + }, + "description": "", + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": true, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "type": "table", + "uiState": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + } + }, + "type": "visualization" + }, + "gridData": { + "h": 12, + "i": 
"c6ff6af0-7172-4e98-8f0e-7b3a6c37217e", + "w": 24, + "x": 0, + "y": 28 + }, + "panelIndex": "c6ff6af0-7172-4e98-8f0e-7b3a6c37217e", + "title": "New groups [Logs System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-15m", + "to": "now" + }, + "useNormalizedEsInterval": true, + "used_interval": "30s" + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "group.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "searchSource": { + "filter": [] + } + }, + "description": "", + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "defaultYExtents": false, + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "bottom", + "legendSize": "auto", + "maxLegendLines": 1, + "mode": "stacked", + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "scale": "linear", + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + 
"mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "setYExtents": false, + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "type": "histogram", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 12, + "i": "edc0a4ad-a2f9-4ae8-93ca-cfd7d0ed40fe", + "w": 24, + "x": 24, + "y": 28 + }, + "panelIndex": "edc0a4ad-a2f9-4ae8-93ca-cfd7d0ed40fe", + "title": "New groups over time [Logs System]", + "type": "visualization", + "version": "8.6.0" + } + ], + "timeRestore": false, + "title": "[Logs System] New users and groups", + "version": 1 + }, + "coreMigrationVersion": "8.6.1", + "created_at": "2023-03-23T04:03:56.987Z", + "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", + "name": "b9f97626-14a8-42d6-8bc4-2f37b06b9e6d:search_0", + "type": "search" + }, + { + "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", + "name": "eb0fbea1-6c85-41e0-b52c-b0db0c895432:search_0", + "type": "search" + }, + { + "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", + "name": "2e5bb345-992a-4cf4-9b8b-8d68a6b26f3c:search_0", + "type": "search" + }, + { + "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", + "name": "26b1fdeb-77e8-4eaa-8d09-140485154c1a:search_0", + "type": "search" + }, + { + "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", + "name": "c6ff6af0-7172-4e98-8f0e-7b3a6c37217e:search_0", + "type": "search" + }, 
+ { + "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", + "name": "edc0a4ad-a2f9-4ae8-93ca-cfd7d0ed40fe:search_0", + "type": "search" + }, + { + "id": "system-fleet-pkg-system-default", + "name": "tag-ref-fleet-pkg-system-default", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/test/packages/parallel/system/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json new file mode 100644 index 000000000..cf1d2557d --- /dev/null +++ b/test/packages/parallel/system/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json 
@@ -0,0 +1,513 @@ +{ + "attributes": { + "description": "Sudo commands dashboard from the Logs System integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": {} + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "[Syslog](#/dashboard/system-Logs-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)" + }, + "title": "Dashboards [Logs System]", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 4, + "i": "4", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "4", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "system.auth.sudo.command", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "searchSource": { + "filter": [] + } + }, + "description": "", + "params": { + "autoFitRowToContent": false, + 
"filter": { + "language": "kuery", + "query": "data_stream.dataset : \"system.auth\"" + }, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": true, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "type": "table", + "uiState": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + } + }, + "type": "visualization" + }, + "gridData": { + "h": 16, + "i": "9176826e-b47b-405c-9fed-7928177e627b", + "w": 48, + "x": 0, + "y": 4 + }, + "panelIndex": "9176826e-b47b-405c-9fed-7928177e627b", + "title": "Top sudo commands [Logs System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-15m", + "to": "now" + }, + "useNormalizedEsInterval": true, + "used_interval": "30s" + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "searchSource": { + "filter": [] + } + }, + "description": "", + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": 
"category" + } + ], + "defaultYExtents": false, + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "legendSize": "auto", + "maxLegendLines": 1, + "mode": "stacked", + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "scale": "linear", + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "setYExtents": false, + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "type": "histogram", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 16, + "i": "f3e4b05c-4eab-4e12-98ac-5e5a7ae4fac7", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "f3e4b05c-4eab-4e12-98ac-5e5a7ae4fac7", + "title": "Sudo commands by user [Logs System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-15m", + "to": "now" + }, + "useNormalizedEsInterval": true, + 
"used_interval": "30s" + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "system.auth.sudo.error", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "searchSource": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "system.auth.sudo.error:*" + } + } + }, + "description": "", + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "defaultYExtents": false, + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "legendSize": "auto", + "maxLegendLines": 1, + "mode": "stacked", + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "scale": "linear", + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "setYExtents": false, + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + 
"type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "type": "histogram", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 12, + "i": "fd4d0b9e-760d-4d7a-90e9-62aca0609b9e", + "w": 48, + "x": 0, + "y": 36 + }, + "panelIndex": "fd4d0b9e-760d-4d7a-90e9-62aca0609b9e", + "title": "Sudo errors [Logs System]", + "type": "visualization", + "version": "8.6.0" + } + ], + "timeRestore": false, + "title": "[Logs System] Sudo commands", + "version": 1 + }, + "coreMigrationVersion": "8.6.1", + "created_at": "2023-03-23T04:03:56.987Z", + "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", + "name": "9176826e-b47b-405c-9fed-7928177e627b:search_0", + "type": "search" + }, + { + "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", + "name": "f3e4b05c-4eab-4e12-98ac-5e5a7ae4fac7:search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "fd4d0b9e-760d-4d7a-90e9-62aca0609b9e:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "system-fleet-pkg-system-default", + "name": "tag-ref-fleet-pkg-system-default", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json b/test/packages/parallel/system/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json new file mode 100644 index 000000000..f06eb87c0 --- /dev/null +++ b/test/packages/parallel/system/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json 
@@ -0,0 +1,582 @@ +{ + "attributes": { + "description": "SSH dashboard for the System integration in Logs", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "columns": [ + "system.auth.ssh.event", + "system.auth.ssh.method", + "user.name", + "source.ip", + "source.geo.country_iso_code" + ], + "enhancements": {}, + "sort": [ + "@timestamp", + "desc" + ] + }, + "gridData": { + "h": 12, + "i": "5", + "w": 48, + "x": 0, + "y": 44 + }, + "panelIndex": "5", + "panelRefName": "panel_5", + "type": "search", + "version": "8.1.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": {} + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "[Syslog](#/dashboard/system-Logs-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)" + }, + "title": "Dashboards [Logs System]", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 4, + "i": "6", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "6", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "layerListJSON": 
"[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"id\":\"985e7399-20df-464b-b6d5-880922106ffe\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"includeInFitToBounds\":true,\"type\":\"EMS_VECTOR_TILE\"},{\"alpha\":0.75,\"id\":\"05b729fa-80a9-4215-aaed-4a8d9476e87d\",\"includeInFitToBounds\":true,\"joins\":[],\"label\":\"SSH failed login attempts source locations [Logs System]\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"80bac1cc-d19d-415d-93ad-f776fd099f24\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"point\",\"resolution\":\"MOST_FINE\",\"type\":\"ES_GEO_GRID\",\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"Yellow to Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"type\":\"ORDINAL\"},\"type\":\"DYNAMIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#3d3d3d\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"GEOJSON_VECTOR\",\"visible\":true}]", + "mapStateJSON": 
"{\"zoom\":1.58,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "references": [], + "title": "SSH failed login attempts source locations [Logs System]", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "enhancements": {}, + "hiddenLayers": [], + "isLayerTOCOpen": true, + "mapBuffer": { + "maxLat": 66.51326, + "maxLon": 180, + "minLat": -66.51326, + "minLon": -180 + }, + "mapCenter": { + "lat": 19.94277, + "lon": 0, + "zoom": 1.58 + }, + "openTOCDetails": [], + "type": "map" + }, + "gridData": { + "h": 16, + "i": "9cef48b8-7995-45f6-9420-1d0b3dbbefe5", + "w": 24, + "x": 24, + "y": 28 + }, + "panelIndex": "9cef48b8-7995-45f6-9420-1d0b3dbbefe5", + "type": "map", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-15m", + "to": "now" + }, + "useNormalizedEsInterval": 
true, + "used_interval": "30s" + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "system.auth.ssh.event", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "searchSource": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "description": "", + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "defaultYExtents": false, + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "legendSize": "auto", + "maxLegendLines": 1, + "mode": "stacked", + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "scale": "linear", + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "setYExtents": false, + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + 
"text": "" + }, + "type": "value" + } + ] + }, + "type": "histogram", + "uiState": { + "vis": { + "colors": { + "Accepted": "#3F6833", + "Failed": "#F9934E", + "Invalid": "#447EBC" + } + } + } + }, + "type": "visualization" + }, + "gridData": { + "h": 12, + "i": "ea2ece08-f34b-47e9-99af-4242fd5450d3", + "w": 48, + "x": 0, + "y": 4 + }, + "panelIndex": "ea2ece08-f34b-47e9-99af-4242fd5450d3", + "title": "SSH login attempts [Logs System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-15m", + "to": "now" + }, + "useNormalizedEsInterval": true, + "used_interval": "30s" + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "system.auth.ssh.method", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "searchSource": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "system.auth.ssh.event:Accepted" + } + } + }, + "description": "", + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "defaultYExtents": false, + "detailedTooltip": true, 
+ "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "legendSize": "auto", + "maxLegendLines": 1, + "mode": "stacked", + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "scale": "linear", + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "setYExtents": false, + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "type": "histogram", + "uiState": { + "vis": { + "colors": { + "Accepted": "#3F6833", + "Failed": "#F9934E", + "Invalid": "#447EBC", + "password": "#BF1B00", + "publickey": "#629E51" + } + } + } + }, + "type": "visualization" + }, + "gridData": { + "h": 12, + "i": "782d75bd-ba9d-47c1-a022-073565c79953", + "w": 48, + "x": 0, + "y": 16 + }, + "panelIndex": "782d75bd-ba9d-47c1-a022-073565c79953", + "title": "Successful SSH logins [Logs System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + 
"otherBucketLabel": "Other", + "size": 50 + }, + "schema": "segment", + "type": "terms" + } + ], + "searchSource": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid" + } + } + }, + "description": "", + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "scale": "linear", + "showLabel": true + }, + "type": "tagcloud", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 16, + "i": "305f2fa8-f09c-4018-bdbd-a4d901689514", + "w": 24, + "x": 0, + "y": 28 + }, + "panelIndex": "305f2fa8-f09c-4018-bdbd-a4d901689514", + "title": "SSH users of failed login attempts [Logs System]", + "type": "visualization", + "version": "8.6.0" + } + ], + "timeRestore": false, + "title": "[Logs System] SSH login attempts", + "version": 1 + }, + "coreMigrationVersion": "8.6.1", + "created_at": "2023-03-23T04:03:56.987Z", + "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", + "name": "5:panel_5", + "type": "search" + }, + { + "id": "logs-*", + "name": "9cef48b8-7995-45f6-9420-1d0b3dbbefe5:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ea2ece08-f34b-47e9-99af-4242fd5450d3:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "782d75bd-ba9d-47c1-a022-073565c79953:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "305f2fa8-f09c-4018-bdbd-a4d901689514:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "system-fleet-pkg-system-default", + "name": "tag-ref-fleet-pkg-system-default", + 
"type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json b/test/packages/parallel/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json new file mode 100644 index 000000000..c024ef02f --- /dev/null +++ b/test/packages/parallel/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json 
@@ -0,0 +1,4493 @@ +{ + "attributes": { + "description": "User management activity.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "system.security", + "windows.forwarded", + "windows.security" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "system.security" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.forwarded" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.security" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "# **User Management Events**\n\n#### This dashboard shows information about User Management Events collected by winlogbeat\n", + "openLinksInNewTab": false + }, + "title": "User Management Events - Description [Windows System Security]", + "type": "markdown", + "uiState": {} + 
} + }, + "gridData": { + "h": 8, + "i": "1", + "w": 17, + "x": 0, + "y": 0 + }, + "panelIndex": "1", + "title": "", + "type": "visualization", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2d2094c7-e57e-4a12-88ad-50291d81a64b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ee7f0132-6cba-4ea8-80ea-50bddb3c588e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2d2094c7-e57e-4a12-88ad-50291d81a64b": { + "columnOrder": [ + "bc1e93e0-12cf-4730-8736-4a2bb261ee4d", + "7dc6af71-b4db-4262-b6a2-05d40c06c17d", + "636e03a9-9b87-4c7a-a04b-402ad5c78483", + "b621a299-9e1c-46fc-8876-98a3b2933237" + ], + "columns": { + "636e03a9-9b87-4c7a-a04b-402ad5c78483": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performer LogonID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b621a299-9e1c-46fc-8876-98a3b2933237", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + }, + "7dc6af71-b4db-4262-b6a2-05d40c06c17d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "b621a299-9e1c-46fc-8876-98a3b2933237", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + }, + 
"b621a299-9e1c-46fc-8876-98a3b2933237": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "bc1e93e0-12cf-4730-8736-4a2bb261ee4d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Created User", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b621a299-9e1c-46fc-8876-98a3b2933237", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.TargetUserName" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "ee7f0132-6cba-4ea8-80ea-50bddb3c588e", + "key": "event.code", + "negate": false, + "params": { + "query": "4720" + }, + "type": "phrase", + "value": "4720" + }, + "query": { + "match": { + "event.code": { + "query": "4720", + "type": "phrase" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "b621a299-9e1c-46fc-8876-98a3b2933237" + }, + { + "alignment": "left", + "columnId": "bc1e93e0-12cf-4730-8736-4a2bb261ee4d" + }, + { + "alignment": "left", + "columnId": "7dc6af71-b4db-4262-b6a2-05d40c06c17d" + }, + { + "alignment": "left", + "columnId": "636e03a9-9b87-4c7a-a04b-402ad5c78483" + } + ], + "headerRowHeight": "single", + "layerId": "2d2094c7-e57e-4a12-88ad-50291d81a64b", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "Users Created - Table 
[Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "3", + "w": 9, + "x": 0, + "y": 56 + }, + "panelIndex": "3", + "title": "Users Created - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-95473519-9e23-4ab1-acb8-3212f69ea3b5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f8e3cf39-b76f-4658-af4f-c9c915ba6ba6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "95473519-9e23-4ab1-acb8-3212f69ea3b5": { + "columnOrder": [ + "2e2024e2-e599-4fb0-a7ab-1a24dd30b919", + "f6598c5a-cb6f-4bbf-9534-525c3573fa75", + "7b527c70-07d2-46ec-816d-775b472c2af9", + "900f2a97-5fda-45dd-826e-3b992e50cec7" + ], + "columns": { + "2e2024e2-e599-4fb0-a7ab-1a24dd30b919": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Enabled User", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "900f2a97-5fda-45dd-826e-3b992e50cec7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.TargetUserName" + }, + "7b527c70-07d2-46ec-816d-775b472c2af9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performer LogonId", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "900f2a97-5fda-45dd-826e-3b992e50cec7", + "type": "column" + }, + "orderDirection": "desc", + 
"otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + }, + "900f2a97-5fda-45dd-826e-3b992e50cec7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f6598c5a-cb6f-4bbf-9534-525c3573fa75": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "900f2a97-5fda-45dd-826e-3b992e50cec7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "f8e3cf39-b76f-4658-af4f-c9c915ba6ba6", + "key": "event.code", + "negate": false, + "params": { + "query": "4722" + }, + "type": "phrase", + "value": "4722" + }, + "query": { + "match": { + "event.code": { + "query": "4722", + "type": "phrase" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security " + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "900f2a97-5fda-45dd-826e-3b992e50cec7" + }, + { + "alignment": "left", + "columnId": "2e2024e2-e599-4fb0-a7ab-1a24dd30b919" + }, + { + "alignment": "left", + "columnId": "f6598c5a-cb6f-4bbf-9534-525c3573fa75" + }, + { + "alignment": "left", + "columnId": "7b527c70-07d2-46ec-816d-775b472c2af9" + } + ], + 
"headerRowHeight": "single", + "layerId": "95473519-9e23-4ab1-acb8-3212f69ea3b5", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "Users Enabled - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "5", + "w": 9, + "x": 9, + "y": 56 + }, + "panelIndex": "5", + "title": "Users Enabled - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-dc37e882-6f66-420e-a41d-17176340e1fc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "87383246-3af7-4da7-bf25-da8b92485bf4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "dc37e882-6f66-420e-a41d-17176340e1fc": { + "columnOrder": [ + "0ead95a2-6c9c-49f4-bff5-4f376b8754f8", + "c5b66e5a-f608-46d0-91e1-e8740430d275", + "02bbb586-1441-43d5-8cc1-777ff1e18b41", + "36336253-a60b-4de5-ba0a-366d7867ef1d" + ], + "columns": { + "02bbb586-1441-43d5-8cc1-777ff1e18b41": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performer LogonId", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "36336253-a60b-4de5-ba0a-366d7867ef1d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + }, + "0ead95a2-6c9c-49f4-bff5-4f376b8754f8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Disabled User", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": 
false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "36336253-a60b-4de5-ba0a-366d7867ef1d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.TargetUserName" + }, + "36336253-a60b-4de5-ba0a-366d7867ef1d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c5b66e5a-f608-46d0-91e1-e8740430d275": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "36336253-a60b-4de5-ba0a-366d7867ef1d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "87383246-3af7-4da7-bf25-da8b92485bf4", + "key": "event.code", + "negate": false, + "params": { + "query": "4725" + }, + "type": "phrase", + "value": "4725" + }, + "query": { + "match": { + "event.code": { + "query": "4725", + "type": "phrase" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "36336253-a60b-4de5-ba0a-366d7867ef1d" + }, + { + "alignment": "left", + "columnId": "0ead95a2-6c9c-49f4-bff5-4f376b8754f8" + }, + { + "alignment": "left", + "columnId": 
"c5b66e5a-f608-46d0-91e1-e8740430d275" + }, + { + "alignment": "left", + "columnId": "02bbb586-1441-43d5-8cc1-777ff1e18b41" + } + ], + "headerRowHeight": "single", + "layerId": "dc37e882-6f66-420e-a41d-17176340e1fc", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "Users Disabled - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "6", + "w": 9, + "x": 0, + "y": 79 + }, + "panelIndex": "6", + "title": "Users Disabled - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5ef7cf84-7e34-4c90-afe6-2a3bc54f9e62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2974422c-1f81-4077-9f55-a01a8b045f56", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5ef7cf84-7e34-4c90-afe6-2a3bc54f9e62": { + "columnOrder": [ + "881c3fbc-6d02-4e9b-a683-dcfaa9148d25", + "2dfe6335-d29c-478f-986b-eb228db115ea", + "f9fb320f-2485-437e-9c05-3a0f4ecf7d83", + "7fe58e26-2c9d-4c54-ad14-a7b8ef9e4b8a" + ], + "columns": { + "2dfe6335-d29c-478f-986b-eb228db115ea": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "7fe58e26-2c9d-4c54-ad14-a7b8ef9e4b8a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + }, + "7fe58e26-2c9d-4c54-ad14-a7b8ef9e4b8a": { + "customLabel": true, + 
"dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "881c3fbc-6d02-4e9b-a683-dcfaa9148d25": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Deleted User", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7fe58e26-2c9d-4c54-ad14-a7b8ef9e4b8a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.TargetUserName" + }, + "f9fb320f-2485-437e-9c05-3a0f4ecf7d83": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed LogonId", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7fe58e26-2c9d-4c54-ad14-a7b8ef9e4b8a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "2974422c-1f81-4077-9f55-a01a8b045f56", + "key": "event.code", + "negate": false, + "params": { + "query": "4726" + }, + "type": "phrase", + "value": "4726" + }, + "query": { + "match": { + "event.code": { + "query": "4726", + "type": "phrase" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": 
"7fe58e26-2c9d-4c54-ad14-a7b8ef9e4b8a" + }, + { + "alignment": "left", + "columnId": "881c3fbc-6d02-4e9b-a683-dcfaa9148d25" + }, + { + "alignment": "left", + "columnId": "2dfe6335-d29c-478f-986b-eb228db115ea" + }, + { + "alignment": "left", + "columnId": "f9fb320f-2485-437e-9c05-3a0f4ecf7d83" + } + ], + "headerRowHeight": "single", + "layerId": "5ef7cf84-7e34-4c90-afe6-2a3bc54f9e62", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "Users Deleted - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "7", + "w": 9, + "x": 18, + "y": 56 + }, + "panelIndex": "7", + "title": "Users Deleted - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f8300e3b-29eb-46f6-a509-9bd4b4b2f8ec", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8726b1f3-6de9-4d3f-8ac6-c47b378bdcb2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f8300e3b-29eb-46f6-a509-9bd4b4b2f8ec": { + "columnOrder": [ + "f37acc2c-0fae-4670-a434-0c939124f9d3", + "16cddd4c-69d4-479a-9f57-81916e475839", + "fdfaf51d-5ab4-4259-bed8-3453117d62d2", + "c5a8f9ae-5f3a-446e-bfa8-9ed3a003e806" + ], + "columns": { + "16cddd4c-69d4-479a-9f57-81916e475839": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "c5a8f9ae-5f3a-446e-bfa8-9ed3a003e806", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, 
+ "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + }, + "c5a8f9ae-5f3a-446e-bfa8-9ed3a003e806": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f37acc2c-0fae-4670-a434-0c939124f9d3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Password Change to", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c5a8f9ae-5f3a-446e-bfa8-9ed3a003e806", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.TargetUserName" + }, + "fdfaf51d-5ab4-4259-bed8-3453117d62d2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performer LogonId", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c5a8f9ae-5f3a-446e-bfa8-9ed3a003e806", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "8726b1f3-6de9-4d3f-8ac6-c47b378bdcb2", + "key": "event.code", + "negate": false, + "params": [ + "4723", + "4724" + ], + "type": "phrases", + "value": "4723, 4724" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4723" 
+ } + }, + { + "match_phrase": { + "event.code": "4724" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "c5a8f9ae-5f3a-446e-bfa8-9ed3a003e806" + }, + { + "alignment": "left", + "columnId": "f37acc2c-0fae-4670-a434-0c939124f9d3" + }, + { + "alignment": "left", + "columnId": "16cddd4c-69d4-479a-9f57-81916e475839" + }, + { + "alignment": "left", + "columnId": "fdfaf51d-5ab4-4259-bed8-3453117d62d2" + } + ], + "headerRowHeight": "single", + "layerId": "f8300e3b-29eb-46f6-a509-9bd4b4b2f8ec", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "Users Password Changes - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "9", + "w": 9, + "x": 18, + "y": 79 + }, + "panelIndex": "9", + "title": "Users Password Changes - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8ee3da48-29cf-4b5a-b9be-ede6e7f10f54", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6d7d0e01-edd7-4907-a80b-65abcdd357ca", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8ee3da48-29cf-4b5a-b9be-ede6e7f10f54": { + "columnOrder": [ + "26403b58-b2fb-4a4a-b3dc-8f139025201f", + "ee0bc81c-2c6e-4b5a-852f-9fe72e955c8e", + "66edd873-c5e9-4ef2-86d2-eccb01b242fe", + "1a82fe58-0eee-4ebc-844d-8e2360ec9564" + ], + "columns": { + "1a82fe58-0eee-4ebc-844d-8e2360ec9564": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": 
"ratio", + "sourceField": "___records___" + }, + "26403b58-b2fb-4a4a-b3dc-8f139025201f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Unlocked User", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1a82fe58-0eee-4ebc-844d-8e2360ec9564", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.TargetUserName" + }, + "66edd873-c5e9-4ef2-86d2-eccb01b242fe": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performer Logonid", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1a82fe58-0eee-4ebc-844d-8e2360ec9564", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + }, + "ee0bc81c-2c6e-4b5a-852f-9fe72e955c8e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "1a82fe58-0eee-4ebc-844d-8e2360ec9564", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": 
"6d7d0e01-edd7-4907-a80b-65abcdd357ca", + "key": "event.code", + "negate": false, + "params": { + "query": "4767" + }, + "type": "phrase", + "value": "4767" + }, + "query": { + "match": { + "event.code": { + "query": "4767", + "type": "phrase" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "1a82fe58-0eee-4ebc-844d-8e2360ec9564" + }, + { + "alignment": "left", + "columnId": "26403b58-b2fb-4a4a-b3dc-8f139025201f" + }, + { + "alignment": "left", + "columnId": "ee0bc81c-2c6e-4b5a-852f-9fe72e955c8e" + }, + { + "alignment": "left", + "columnId": "66edd873-c5e9-4ef2-86d2-eccb01b242fe" + } + ], + "headerRowHeight": "single", + "layerId": "8ee3da48-29cf-4b5a-b9be-ede6e7f10f54", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "Unlocked Users - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "15", + "w": 9, + "x": 9, + "y": 79 + }, + "panelIndex": "15", + "title": "Unlocked Users - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5ffb434e-0578-45fe-bbc8-01893ae2f867", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d72b2685-a2ee-4c6d-bf7f-70cdfad9817e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5ffb434e-0578-45fe-bbc8-01893ae2f867": { + "columnOrder": [ + "b940e43a-bfed-494b-aae4-9740335da997", + "0ba64458-1a5b-4ecb-a4b6-254ea4b1549d", + "0b36b00a-d3af-48ae-a9d8-3099d1de0808", + "084148b6-cc9b-4a3c-9609-d4c109703dab" + ], + "columns": { + "084148b6-cc9b-4a3c-9609-d4c109703dab": { + 
"customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "0b36b00a-d3af-48ae-a9d8-3099d1de0808": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performer LogonId", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "084148b6-cc9b-4a3c-9609-d4c109703dab", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + }, + "0ba64458-1a5b-4ecb-a4b6-254ea4b1549d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "084148b6-cc9b-4a3c-9609-d4c109703dab", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + }, + "b940e43a-bfed-494b-aae4-9740335da997": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Changed User", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "084148b6-cc9b-4a3c-9609-d4c109703dab", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.TargetUserName" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { 
+ "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d72b2685-a2ee-4c6d-bf7f-70cdfad9817e", + "key": "event.code", + "negate": false, + "params": { + "query": "4738" + }, + "type": "phrase", + "value": "4738" + }, + "query": { + "match": { + "event.code": { + "query": "4738", + "type": "phrase" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "084148b6-cc9b-4a3c-9609-d4c109703dab" + }, + { + "alignment": "left", + "columnId": "b940e43a-bfed-494b-aae4-9740335da997" + }, + { + "alignment": "left", + "columnId": "0ba64458-1a5b-4ecb-a4b6-254ea4b1549d" + }, + { + "alignment": "left", + "columnId": "0b36b00a-d3af-48ae-a9d8-3099d1de0808" + } + ], + "headerRowHeight": "single", + "layerId": "5ffb434e-0578-45fe-bbc8-01893ae2f867", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "Users Changes Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "16", + "w": 9, + "x": 18, + "y": 102 + }, + "panelIndex": "16", + "title": "Users Changes Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7868e85e-6ff2-4087-8bd9-7d22da031e24", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "84460bff-f94b-4d8b-a166-5ab188df891c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7868e85e-6ff2-4087-8bd9-7d22da031e24": { + "columnOrder": [ + "f86a3e5c-b673-412a-8120-5c018f5d9d53", + "5a4bcb3b-926f-4881-8390-ce37adfbe392", + 
"a5cf5fe1-7ab1-4be7-83d3-0639e59f6594", + "c2fd7b5a-2f4c-4d52-93af-1c56873b255b" + ], + "columns": { + "5a4bcb3b-926f-4881-8390-ce37adfbe392": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "c2fd7b5a-2f4c-4d52-93af-1c56873b255b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + }, + "a5cf5fe1-7ab1-4be7-83d3-0639e59f6594": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performer LogonId", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c2fd7b5a-2f4c-4d52-93af-1c56873b255b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + }, + "c2fd7b5a-2f4c-4d52-93af-1c56873b255b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f86a3e5c-b673-412a-8120-5c018f5d9d53": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Locked User", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c2fd7b5a-2f4c-4d52-93af-1c56873b255b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 
100 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.TargetUserName" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "84460bff-f94b-4d8b-a166-5ab188df891c", + "key": "event.code", + "negate": false, + "params": { + "query": "4740" + }, + "type": "phrase", + "value": "4740" + }, + "query": { + "match": { + "event.code": { + "query": "4740", + "type": "phrase" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "c2fd7b5a-2f4c-4d52-93af-1c56873b255b" + }, + { + "alignment": "left", + "columnId": "f86a3e5c-b673-412a-8120-5c018f5d9d53" + }, + { + "alignment": "left", + "columnId": "5a4bcb3b-926f-4881-8390-ce37adfbe392" + }, + { + "alignment": "left", + "columnId": "a5cf5fe1-7ab1-4be7-83d3-0639e59f6594" + } + ], + "headerRowHeight": "single", + "layerId": "7868e85e-6ff2-4087-8bd9-7d22da031e24", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "Users Locked Out - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "20", + "w": 9, + "x": 0, + "y": 102 + }, + "panelIndex": "20", + "title": "Users Locked Out - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 46, + "i": "22", + "w": 21, + "x": 27, + "y": 72 + }, + "panelIndex": "22", + "panelRefName": "panel_22", + "type": "search", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 19, + "i": "23", + "w": 48, + "x": 0, + "y": 118 + }, + "panelIndex": "23", + "panelRefName": 
"panel_23", + "type": "search", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c613d393-dc99-42e4-a4f0-afb124b56634", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "642679d4-cdd9-44fe-9723-862f94ee2256", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c613d393-dc99-42e4-a4f0-afb124b56634": { + "columnOrder": [ + "1d812881-c1ba-4b91-825c-8dc3d2fe9ad2", + "b6315fb5-2e5c-42f1-bfe6-92404796792e", + "82c2bda9-7f77-4546-a167-2c008532e954", + "0485c61c-fd61-463a-9b15-bacb6243a85a" + ], + "columns": { + "0485c61c-fd61-463a-9b15-bacb6243a85a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "1d812881-c1ba-4b91-825c-8dc3d2fe9ad2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Old User Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "0485c61c-fd61-463a-9b15-bacb6243a85a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.OldTargetUserName" + }, + "82c2bda9-7f77-4546-a167-2c008532e954": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performer LogonId", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "0485c61c-fd61-463a-9b15-bacb6243a85a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + 
"parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + }, + "b6315fb5-2e5c-42f1-bfe6-92404796792e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "0485c61c-fd61-463a-9b15-bacb6243a85a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "642679d4-cdd9-44fe-9723-862f94ee2256", + "key": "event.code", + "negate": false, + "params": { + "query": "4781" + }, + "type": "phrase", + "value": "4781" + }, + "query": { + "match": { + "event.code": { + "query": "4781", + "type": "phrase" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "0485c61c-fd61-463a-9b15-bacb6243a85a" + }, + { + "alignment": "left", + "columnId": "1d812881-c1ba-4b91-825c-8dc3d2fe9ad2" + }, + { + "alignment": "left", + "columnId": "b6315fb5-2e5c-42f1-bfe6-92404796792e" + }, + { + "alignment": "left", + "columnId": "82c2bda9-7f77-4546-a167-2c008532e954" + } + ], + "headerRowHeight": "single", + "layerId": "c613d393-dc99-42e4-a4f0-afb124b56634", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "Users Renamed - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + 
"gridData": { + "h": 16, + "i": "33", + "w": 9, + "x": 9, + "y": 102 + }, + "panelIndex": "33", + "title": "Users Renamed - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "[Windows Overview](#/dashboard/system-Windows-Dashboard) | [User Logon Information](#/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da) | **User Management Events** | [Group Management Events](#/dashboard/system-bb858830-f412-11e9-8405-516218e3d268)", + "openLinksInNewTab": false + }, + "title": "Dashboard links [Windows System Security]", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "cf0adfac-7cf2-479d-8ddb-1edeee62d37c", + "w": 31, + "x": 17, + "y": 0 + }, + "panelIndex": "cf0adfac-7cf2-479d-8ddb-1edeee62d37c", + "title": "", + "type": "visualization", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5cfa8804-5c32-451e-a9ef-ab4f2f5ea013", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1cdd7bfd-1207-485b-9fbc-a80cafd98b00", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5cfa8804-5c32-451e-a9ef-ab4f2f5ea013": { + "columnOrder": [ + "ee354f1a-af8f-47d5-9e55-7500ff35589a", + "e66adfc6-a434-4665-93ad-34ccded647c7" + ], + "columns": { + "e66adfc6-a434-4665-93ad-34ccded647c7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" 
+ }, + "ee354f1a-af8f-47d5-9e55-7500ff35589a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "event.action: Descending", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e66adfc6-a434-4665-93ad-34ccded647c7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1cdd7bfd-1207-485b-9fbc-a80cafd98b00", + "key": "event.code", + "negate": false, + "params": [ + "4720", + "4722", + "4723", + "4724", + "4725", + "4726", + "4738", + "4740", + "4767", + "4781", + "4798" + ], + "type": "phrases", + "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4720" + } + }, + { + "match_phrase": { + "event.code": "4722" + } + }, + { + "match_phrase": { + "event.code": "4723" + } + }, + { + "match_phrase": { + "event.code": "4724" + } + }, + { + "match_phrase": { + "event.code": "4725" + } + }, + { + "match_phrase": { + "event.code": "4726" + } + }, + { + "match_phrase": { + "event.code": "4738" + } + }, + { + "match_phrase": { + "event.code": "4740" + } + }, + { + "match_phrase": { + "event.code": "4767" + } + }, + { + "match_phrase": { + "event.code": "4781" + } + }, + { + "match_phrase": { + "event.code": "4798" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "visualization": { + "layers": [ + { + 
"categoryDisplay": "hide", + "emptySizeRatio": 0.3, + "layerId": "5cfa8804-5c32-451e-a9ef-ab4f2f5ea013", + "layerType": "data", + "legendDisplay": "hide", + "legendMaxLines": 1, + "legendPosition": "right", + "legendSize": "auto", + "metrics": [ + "e66adfc6-a434-4665-93ad-34ccded647c7" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "percentDecimals": 2, + "primaryGroups": [ + "ee354f1a-af8f-47d5-9e55-7500ff35589a" + ], + "secondaryGroups": [], + "showValuesInLegend": true, + "truncateLegend": true + } + ], + "shape": "pie" + } + }, + "title": "User Management Actions [Windows System Security]", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "a2871661-98a8-489b-b615-e66ebe3b971a", + "w": 17, + "x": 0, + "y": 8 + }, + "panelIndex": "a2871661-98a8-489b-b615-e66ebe3b971a", + "title": "User Management Actions [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-49665402-a64a-44e2-b251-976e50a5c030", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7e29a9cf-64d5-426d-b6aa-8808264a7496", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "49665402-a64a-44e2-b251-976e50a5c030": { + "columnOrder": [ + "03dfb72e-e140-48d0-8b6b-0dd7253a1f61", + "fb36a279-27ac-4814-ae98-a5864704ff3a", + "050b0eae-08cf-44a4-be0e-fd22d216cdff" + ], + "columns": { + "03dfb72e-e140-48d0-8b6b-0dd7253a1f61": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "event.action", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "050b0eae-08cf-44a4-be0e-fd22d216cdff", + "type": "column" + }, + 
"orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "event.action" + }, + "050b0eae-08cf-44a4-be0e-fd22d216cdff": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "fb36a279-27ac-4814-ae98-a5864704ff3a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "event.code", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "050b0eae-08cf-44a4-be0e-fd22d216cdff", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.code" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "7e29a9cf-64d5-426d-b6aa-8808264a7496", + "key": "event.code", + "negate": false, + "params": [ + "4720", + "4722", + "4723", + "4724", + "4725", + "4726", + "4738", + "4740", + "4767", + "4781", + "4798" + ], + "type": "phrases", + "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4720" + } + }, + { + "match_phrase": { + "event.code": "4722" + } + }, + { + "match_phrase": { + "event.code": "4723" + } + }, + { + "match_phrase": { + "event.code": "4724" + } + }, + { + "match_phrase": { + "event.code": "4725" + } + }, + { + "match_phrase": { + "event.code": "4726" + } + }, + { + "match_phrase": { + "event.code": "4738" + } + }, + { + "match_phrase": { + 
"event.code": "4740" + } + }, + { + "match_phrase": { + "event.code": "4767" + } + }, + { + "match_phrase": { + "event.code": "4781" + } + }, + { + "match_phrase": { + "event.code": "4798" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "050b0eae-08cf-44a4-be0e-fd22d216cdff" + }, + { + "alignment": "left", + "columnId": "03dfb72e-e140-48d0-8b6b-0dd7253a1f61" + }, + { + "alignment": "left", + "columnId": "fb36a279-27ac-4814-ae98-a5864704ff3a" + } + ], + "headerRowHeight": "single", + "layerId": "49665402-a64a-44e2-b251-976e50a5c030", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "User Event Actions - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6", + "w": 13, + "x": 17, + "y": 8 + }, + "panelIndex": "dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6", + "title": "User Event Actions - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e1805dcb-7ae9-4b50-b201-34f1337a8c57", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e1805dcb-7ae9-4b50-b201-34f1337a8c57": { + "columnOrder": [ + "d5bb0346-b16f-44ab-b12a-78b0e2c2758d", + "8571440b-0b36-4565-9f37-e06df2d69b01" + ], + "columns": { + "8571440b-0b36-4565-9f37-e06df2d69b01": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + 
"sourceField": "___records___" + }, + "d5bb0346-b16f-44ab-b12a-78b0e2c2758d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Target Users", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8571440b-0b36-4565-9f37-e06df2d69b01", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.TargetUserName" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "8571440b-0b36-4565-9f37-e06df2d69b01" + ], + "layerId": "e1805dcb-7ae9-4b50-b201-34f1337a8c57", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "d5bb0346-b16f-44ab-b12a-78b0e2c2758d" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "44697eb7-bb8e-4994-9e1b-95599f1b994a", + "w": 18, + "x": 30, + "y": 8 + }, + "panelIndex": "44697eb7-bb8e-4994-9e1b-95599f1b994a", + "title": "Target Users [Windows System Security]", + "type": "lens", + 
"version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-81502bd7-7787-49aa-a890-24912feb1796", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2434c52c-2206-4a9f-9d0c-c4d6ec7b7854", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "81502bd7-7787-49aa-a890-24912feb1796": { + "columnOrder": [ + "15718d57-7630-4e2e-95c2-e54ed6194206", + "bcc8b6f9-e162-4212-a450-0767191d1022", + "cbf854c1-cf1f-42b9-a300-45c58996aadb" + ], + "columns": { + "15718d57-7630-4e2e-95c2-e54ed6194206": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Target User", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "cbf854c1-cf1f-42b9-a300-45c58996aadb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.TargetUserName" + }, + "bcc8b6f9-e162-4212-a450-0767191d1022": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "event.action: Descending", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "cbf854c1-cf1f-42b9-a300-45c58996aadb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.action" + }, + "cbf854c1-cf1f-42b9-a300-45c58996aadb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", 
+ "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "2434c52c-2206-4a9f-9d0c-c4d6ec7b7854", + "key": "event.code", + "negate": false, + "params": [ + "4720", + "4722", + "4723", + "4724", + "4725", + "4726", + "4738", + "4740", + "4767", + "4781", + "4798" + ], + "type": "phrases", + "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4720" + } + }, + { + "match_phrase": { + "event.code": "4722" + } + }, + { + "match_phrase": { + "event.code": "4723" + } + }, + { + "match_phrase": { + "event.code": "4724" + } + }, + { + "match_phrase": { + "event.code": "4725" + } + }, + { + "match_phrase": { + "event.code": "4726" + } + }, + { + "match_phrase": { + "event.code": "4738" + } + }, + { + "match_phrase": { + "event.code": "4740" + } + }, + { + "match_phrase": { + "event.code": "4767" + } + }, + { + "match_phrase": { + "event.code": "4781" + } + }, + { + "match_phrase": { + "event.code": "4798" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "visualization": { + "gridConfig": { + "isCellLabelVisible": true, + "isXAxisLabelVisible": true, + "isXAxisTitleVisible": true, + "isYAxisLabelVisible": true, + "isYAxisTitleVisible": true, + "type": "heatmap_grid" + }, + "layerId": "81502bd7-7787-49aa-a890-24912feb1796", + "layerType": "data", + "legend": { + "position": "right", + "type": "heatmap_legend" + }, + "palette": { + "accessor": "cbf854c1-cf1f-42b9-a300-45c58996aadb", + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#F7FBFF", + "stop": 0 + }, + { + "color": "#C3DBEE", + "stop": 25 + }, + { 
+ "color": "#6DAED5", + "stop": 50 + }, + { + "color": "#2271B3", + "stop": 75 + } + ], + "continuity": "none", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": 100, + "rangeMin": 0, + "rangeType": "percent", + "reverse": false, + "stops": [ + { + "color": "#F7FBFF", + "stop": 25 + }, + { + "color": "#C3DBEE", + "stop": 50 + }, + { + "color": "#6DAED5", + "stop": 75 + }, + { + "color": "#2271B3", + "stop": 100 + } + ] + }, + "type": "palette" + }, + "shape": "heatmap", + "valueAccessor": "cbf854c1-cf1f-42b9-a300-45c58996aadb", + "xAccessor": "15718d57-7630-4e2e-95c2-e54ed6194206", + "yAccessor": "bcc8b6f9-e162-4212-a450-0767191d1022" + } + }, + "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]", + "type": "lens", + "visualizationType": "lnsHeatmap" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 25, + "i": "29f54335-78db-4c49-a3e0-a641fd0099f6", + "w": 48, + "x": 0, + "y": 24 + }, + "panelIndex": "29f54335-78db-4c49-a3e0-a641fd0099f6", + "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "d62110e5-9d90-412a-833a-3bb5da7f6693": { + "columnOrder": [ + "f6c30a0d-83b4-4139-a669-5041c87cc19a" + ], + "columns": { + "f6c30a0d-83b4-4139-a669-5041c87cc19a": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.code: \"4720\"" + }, + "isBucketed": false, + "label": "Users Created", + "operationType": 
"count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-d62110e5-9d90-412a-833a-3bb5da7f6693", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f6c30a0d-83b4-4139-a669-5041c87cc19a", + "colorMode": "Background", + "layerId": "d62110e5-9d90-412a-833a-3bb5da7f6693", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#cc5642", + "stop": 0 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 0 + }, + { + "color": "#cc5642", + "stop": 1 + } + ] + }, + "type": "palette" + } + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "a6f12dd2-11fb-4039-8a8c-56b742a96e30", + "w": 9, + "x": 0, + "y": 49 + }, + "panelIndex": "a6f12dd2-11fb-4039-8a8c-56b742a96e30", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "d62110e5-9d90-412a-833a-3bb5da7f6693": { + "columnOrder": [ + 
"f6c30a0d-83b4-4139-a669-5041c87cc19a" + ], + "columns": { + "f6c30a0d-83b4-4139-a669-5041c87cc19a": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.code: \"4722\"" + }, + "isBucketed": false, + "label": "Users Enabled", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-d62110e5-9d90-412a-833a-3bb5da7f6693", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f6c30a0d-83b4-4139-a669-5041c87cc19a", + "colorMode": "Background", + "layerId": "d62110e5-9d90-412a-833a-3bb5da7f6693", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#cc5642", + "stop": 1 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 1 + }, + { + "color": "#cc5642", + "stop": 2 + } + ] + }, + "type": "palette" + } + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "39724444-251e-480d-b5f2-642362f8929e", + "w": 9, + "x": 9, + "y": 49 + }, + "panelIndex": "39724444-251e-480d-b5f2-642362f8929e", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": 
"tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "53b82494-6fb7-47b6-8d8d-dd3fcb3b89ed": { + "columnOrder": [ + "b54a4942-5808-4c83-b3ea-50406c4199ef" + ], + "columns": { + "b54a4942-5808-4c83-b3ea-50406c4199ef": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.code: \"4726\"" + }, + "isBucketed": false, + "label": "Users Deleted", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-53b82494-6fb7-47b6-8d8d-dd3fcb3b89ed", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b54a4942-5808-4c83-b3ea-50406c4199ef", + "colorMode": "Background", + "layerId": "53b82494-6fb7-47b6-8d8d-dd3fcb3b89ed", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#DA8B45", + "stop": 1 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 1 + }, + { + "color": "#DA8B45", + "stop": 2 + } + ] + }, + "type": "palette" + } + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "9fdcbd20-59e6-4fd2-bc0a-72b0daaee79e", + "w": 9, + "x": 18, + "y": 49 + }, + "panelIndex": 
"9fdcbd20-59e6-4fd2-bc0a-72b0daaee79e", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f948c2c2-e83b-4f32-aaab-acb740cf74e3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9863d407-89f7-419e-ac97-2dd548e76e0b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f948c2c2-e83b-4f32-aaab-acb740cf74e3": { + "columnOrder": [ + "11ccc892-90c4-4cfa-9c5e-821d584dabcc", + "d8077715-92a4-46cb-8baa-471f429e0fd4", + "2915bf68-6254-470e-b565-bf1597c1d345" + ], + "columns": { + "11ccc892-90c4-4cfa-9c5e-821d584dabcc": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "2915bf68-6254-470e-b565-bf1597c1d345": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d8077715-92a4-46cb-8baa-471f429e0fd4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "event.action: Descending", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2915bf68-6254-470e-b565-bf1597c1d345", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" 
+ }, + "meta": { + "alias": null, + "disabled": false, + "index": "9863d407-89f7-419e-ac97-2dd548e76e0b", + "key": "event.code", + "negate": false, + "params": [ + "4720", + "4722", + "4723", + "4724", + "4725", + "4726", + "4738", + "4740", + "4767", + "4781", + "4798" + ], + "type": "phrases", + "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4720" + } + }, + { + "match_phrase": { + "event.code": "4722" + } + }, + { + "match_phrase": { + "event.code": "4723" + } + }, + { + "match_phrase": { + "event.code": "4724" + } + }, + { + "match_phrase": { + "event.code": "4725" + } + }, + { + "match_phrase": { + "event.code": "4726" + } + }, + { + "match_phrase": { + "event.code": "4738" + } + }, + { + "match_phrase": { + "event.code": "4740" + } + }, + { + "match_phrase": { + "event.code": "4767" + } + }, + { + "match_phrase": { + "event.code": "4781" + } + }, + { + "match_phrase": { + "event.code": "4798" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "curveType": "LINEAR", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": -90 + }, + "layers": [ + { + "accessors": [ + "2915bf68-6254-470e-b565-bf1597c1d345" + ], + "isHistogram": true, + "layerId": "f948c2c2-e83b-4f32-aaab-acb740cf74e3", + "layerType": "data", + "seriesType": "bar_stacked", + "simpleView": false, + "splitAccessor": "d8077715-92a4-46cb-8baa-471f429e0fd4", + "xAccessor": "11ccc892-90c4-4cfa-9c5e-821d584dabcc", + "xScaleType": "time", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": 
"2915bf68-6254-470e-b565-bf1597c1d345" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "showCurrentTimeMarker": false, + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": false, + "yLeftExtent": { + "enforce": true, + "mode": "full" + }, + "yLeftScale": "linear", + "yRightScale": "linear", + "yTitle": "Count" + } + }, + "title": "Event Distribution in time [Windows System Security]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 23, + "i": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa", + "w": 21, + "x": 27, + "y": 49 + }, + "panelIndex": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa", + "title": "Event Distribution in time [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "4a1f13e9-c9c4-44b2-b9dc-ce205372ca10": { + "columnOrder": [ + "64cc5931-61bd-44b8-b16c-5054d276ae0e" + ], + "columns": { + "64cc5931-61bd-44b8-b16c-5054d276ae0e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \"4725\")" + }, + "isBucketed": false, + "label": "Users Disabled", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": 
"___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-4a1f13e9-c9c4-44b2-b9dc-ce205372ca10", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "64cc5931-61bd-44b8-b16c-5054d276ae0e", + "colorMode": "Background", + "layerId": "4a1f13e9-c9c4-44b2-b9dc-ce205372ca10", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#209280", + "stop": 1 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 1 + }, + { + "color": "#209280", + "stop": 2 + } + ] + }, + "type": "palette" + } + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "bd1b0e6a-ed99-423d-8a51-29456ec74e0e", + "w": 9, + "x": 0, + "y": 72 + }, + "panelIndex": "bd1b0e6a-ed99-423d-8a51-29456ec74e0e", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "f0a07f86-9bd8-4a78-a711-4a9e7addd049": { + "columnOrder": [ + "f98f0911-786f-45d8-a808-8c2f20f07313" + ], + "columns": { + "f98f0911-786f-45d8-a808-8c2f20f07313": 
{ + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.code: \"4767\"" + }, + "isBucketed": false, + "label": "Users Unlocks", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-f0a07f86-9bd8-4a78-a711-4a9e7addd049", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f98f0911-786f-45d8-a808-8c2f20f07313", + "colorMode": "Background", + "layerId": "f0a07f86-9bd8-4a78-a711-4a9e7addd049", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#209280", + "stop": 1 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 1 + }, + { + "color": "#209280", + "stop": 2 + } + ] + }, + "type": "palette" + } + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "16030d60-0638-4c98-8bc5-0d8c4bf43a0c", + "w": 9, + "x": 9, + "y": 72 + }, + "panelIndex": "16030d60-0638-4c98-8bc5-0d8c4bf43a0c", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + 
"timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "71d71f2b-1120-4e6e-b3cf-c5dc99a1860f": { + "columnOrder": [ + "101426f1-a447-42fb-8a21-203065dd42c5" + ], + "columns": { + "101426f1-a447-42fb-8a21-203065dd42c5": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.code: \"4723\" OR event.code: \"4724\"" + }, + "isBucketed": false, + "label": "Password Changes/Reset", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-71d71f2b-1120-4e6e-b3cf-c5dc99a1860f", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "101426f1-a447-42fb-8a21-203065dd42c5", + "colorMode": "Background", + "layerId": "71d71f2b-1120-4e6e-b3cf-c5dc99a1860f", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#d6bf57", + "stop": 1 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 1 + }, + { + "color": "#d6bf57", + "stop": 2 + } + ] + }, + "type": "palette" + } + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "9c593d0d-c730-4277-ae74-ac3134055800", + "w": 9, + "x": 18, + "y": 72 + }, + "panelIndex": "9c593d0d-c730-4277-ae74-ac3134055800", + "title": "", + "type": "lens", + "version": "8.7.0" + }, 
+ { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "afbadb03-16b7-407f-af63-f2e4a851e785": { + "columnOrder": [ + "1094c3d6-772d-435d-b002-698f1320d162" + ], + "columns": { + "1094c3d6-772d-435d-b002-698f1320d162": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \"4740\")" + }, + "isBucketed": false, + "label": "Users Locked Out", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-afbadb03-16b7-407f-af63-f2e4a851e785", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "1094c3d6-772d-435d-b002-698f1320d162", + "colorMode": "Background", + "layerId": "afbadb03-16b7-407f-af63-f2e4a851e785", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#808080", + "stop": 0 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 0 + }, + { + "color": "#808080", + "stop": 1 + } + ] + }, + "type": "palette" + } + } + }, + 
"title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "0f1cf1e8-0798-464b-b18a-0dd1ae19d36f", + "w": 9, + "x": 0, + "y": 95 + }, + "panelIndex": "0f1cf1e8-0798-464b-b18a-0dd1ae19d36f", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "92862cde-d2fe-4d8a-87ba-d2e86f3751c7": { + "columnOrder": [ + "2a0b322c-fbee-472a-aea7-86cc0bb9a3e6" + ], + "columns": { + "2a0b322c-fbee-472a-aea7-86cc0bb9a3e6": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.code: \"4781\"" + }, + "isBucketed": false, + "label": "Users Renamed", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-92862cde-d2fe-4d8a-87ba-d2e86f3751c7", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "2a0b322c-fbee-472a-aea7-86cc0bb9a3e6", + "colorMode": "Background", + "layerId": "92862cde-d2fe-4d8a-87ba-d2e86f3751c7", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#808080", + "stop": 1 + } + ], + "continuity": "all", + "maxSteps": 5, + 
"name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 1 + }, + { + "color": "#808080", + "stop": 2 + } + ] + }, + "type": "palette" + } + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "ca7947ea-7c33-4ef7-acfb-51df31226ea0", + "w": 9, + "x": 9, + "y": 95 + }, + "panelIndex": "ca7947ea-7c33-4ef7-acfb-51df31226ea0", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "f3ab0f05-2e4c-4794-a430-81d0f4f2585c": { + "columnOrder": [ + "2c0aee5b-6685-49c3-8a07-4b4858303bdf" + ], + "columns": { + "2c0aee5b-6685-49c3-8a07-4b4858303bdf": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.code: \"4738\"" + }, + "isBucketed": false, + "label": "Users Changes", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-f3ab0f05-2e4c-4794-a430-81d0f4f2585c", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "2c0aee5b-6685-49c3-8a07-4b4858303bdf", + "colorMode": 
"Background", + "layerId": "f3ab0f05-2e4c-4794-a430-81d0f4f2585c", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#d6bf57", + "stop": 1 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 1 + }, + { + "color": "#d6bf57", + "stop": 2 + } + ] + }, + "type": "palette" + } + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "38e91c86-1d3e-4342-b8cc-e95031dbf1b7", + "w": 9, + "x": 18, + "y": 95 + }, + "panelIndex": "38e91c86-1d3e-4342-b8cc-e95031dbf1b7", + "title": "", + "type": "lens", + "version": "8.7.0" + } + ], + "timeRestore": false, + "title": "[System Windows Security] User Management Events", + "version": 1 + }, + "coreMigrationVersion": "8.7.1", + "created_at": "2023-05-04T21:59:59.346Z", + "id": "system-71f720f0-ff18-11e9-8405-516218e3d268", + "migrationVersion": { + "dashboard": "8.7.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3:indexpattern-datasource-layer-2d2094c7-e57e-4a12-88ad-50291d81a64b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3:ee7f0132-6cba-4ea8-80ea-50bddb3c588e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5:indexpattern-datasource-layer-95473519-9e23-4ab1-acb8-3212f69ea3b5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5:f8e3cf39-b76f-4658-af4f-c9c915ba6ba6", + "type": "index-pattern" + }, + 
{ + "id": "logs-*", + "name": "6:indexpattern-datasource-layer-dc37e882-6f66-420e-a41d-17176340e1fc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6:87383246-3af7-4da7-bf25-da8b92485bf4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7:indexpattern-datasource-layer-5ef7cf84-7e34-4c90-afe6-2a3bc54f9e62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7:2974422c-1f81-4077-9f55-a01a8b045f56", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9:indexpattern-datasource-layer-f8300e3b-29eb-46f6-a509-9bd4b4b2f8ec", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9:8726b1f3-6de9-4d3f-8ac6-c47b378bdcb2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "15:indexpattern-datasource-layer-8ee3da48-29cf-4b5a-b9be-ede6e7f10f54", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "15:6d7d0e01-edd7-4907-a80b-65abcdd357ca", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "16:indexpattern-datasource-layer-5ffb434e-0578-45fe-bbc8-01893ae2f867", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "16:d72b2685-a2ee-4c6d-bf7f-70cdfad9817e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "20:indexpattern-datasource-layer-7868e85e-6ff2-4087-8bd9-7d22da031e24", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "20:84460bff-f94b-4d8b-a166-5ab188df891c", + "type": "index-pattern" + }, + { + "id": "system-7e178c80-fee1-11e9-8405-516218e3d268", + "name": "22:panel_22", + "type": "search" + }, + { + "id": "system-324686c0-fefb-11e9-8405-516218e3d268", + "name": "23:panel_23", + "type": "search" + }, + { + "id": "logs-*", + "name": "33:indexpattern-datasource-layer-c613d393-dc99-42e4-a4f0-afb124b56634", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "33:642679d4-cdd9-44fe-9723-862f94ee2256", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"a2871661-98a8-489b-b615-e66ebe3b971a:indexpattern-datasource-layer-5cfa8804-5c32-451e-a9ef-ab4f2f5ea013", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a2871661-98a8-489b-b615-e66ebe3b971a:1cdd7bfd-1207-485b-9fbc-a80cafd98b00", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6:indexpattern-datasource-layer-49665402-a64a-44e2-b251-976e50a5c030", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6:7e29a9cf-64d5-426d-b6aa-8808264a7496", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "44697eb7-bb8e-4994-9e1b-95599f1b994a:indexpattern-datasource-layer-e1805dcb-7ae9-4b50-b201-34f1337a8c57", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "29f54335-78db-4c49-a3e0-a641fd0099f6:indexpattern-datasource-layer-81502bd7-7787-49aa-a890-24912feb1796", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "29f54335-78db-4c49-a3e0-a641fd0099f6:2434c52c-2206-4a9f-9d0c-c4d6ec7b7854", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa:indexpattern-datasource-layer-f948c2c2-e83b-4f32-aaab-acb740cf74e3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa:9863d407-89f7-419e-ac97-2dd548e76e0b", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json b/test/packages/parallel/system/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json new file mode 100644 index 000000000..cde4f402c --- /dev/null +++ b/test/packages/parallel/system/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json 
@@ -0,0 +1,4616 @@ +{ + "attributes": { + "description": "Overview of host metrics", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "## Host overview\n\nTo select another host, either go back to [System Overview](#/dashboard/system-Metrics-system-overview) or select a host from the dropdown at the top below the search bar", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 5, + "i": "fcb53f5b-0e6b-41c8-ae1c-e2aafdeaff5a", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "fcb53f5b-0e6b-41c8-ae1c-e2aafdeaff5a", + "title": "System Navigation [Metrics System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.network" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.network" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": 
"0e346760-1b92-11e7-bec4-a5e9ec5cab8b" + } + ], + "drop_last_bucket": 1, + "filter": { + "language": "lucene", + "query": "-system.network.name:l*" + }, + "hide_last_value_indicator": true, + "id": "0c761590-1b92-11e7-bec4-a5e9ec5cab8b", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "bytes", + "id": "0c761591-1b92-11e7-bec4-a5e9ec5cab8b", + "label": "Outbound Traffic", + "line_width": 1, + "metrics": [ + { + "field": "system.network.out.bytes", + "id": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "max" + }, + { + "field": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "derivative", + "unit": "1s" + }, + { + "field": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "f2074f70-1b92-11e7-a416-41f5ccdba2e6", + "type": "positive_only", + "unit": "" + }, + { + "function": "sum", + "id": "a1737470-2c55-11e7-a0ad-277ce466684d", + "type": "series_agg" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "system.network.name", + "time_range_mode": "entire_time_range", + "value_template": "{{value}}/s" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "bytes", + "id": "37f70440-1b92-11e7-bec4-a5e9ec5cab8b", + "label": "Total Transferred", + "line_width": 1, + "metrics": [ + { + "field": "system.network.out.bytes", + "id": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "max" + }, + { + "field": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "derivative", + "unit": "" + }, + { + "field": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6", + "type": "positive_only", + "unit": "" + }, + { + "field": 
"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6", + "function": "overall_sum", + "id": "3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b", + "sigma": "", + "type": "series_agg" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "system.network.name", + "time_range_mode": "entire_time_range", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "last_value", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "metric", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 9, + "i": "6fd34c50-53a3-4919-b7c5-aba460f0fe6d", + "w": 12, + "x": 36, + "y": 5 + }, + "panelIndex": "6fd34c50-53a3-4919-b7c5-aba460f0fe6d", + "title": "Outbound Traffic [Metrics System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.cpu" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.cpu" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"system.cpu\"" + }, + "gauge_color_rules": [ + { + "gauge": "rgba(32,146,128,1)", + "id": "4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b", + "operator": "gte", + "value": 0 + }, + { + "gauge": "rgba(214,191,87,1)", + 
"id": "e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b", + "operator": "gte", + "value": 0.7 + }, + { + "gauge": "rgba(204,86,66,1)", + "id": "ec655040-1b91-11e7-bec4-a5e9ec5cab8b", + "operator": "gte", + "value": 0.85 + }, + { + "gauge": "rgba(32,146,128,1)", + "id": "860f8db7-6191-4519-8d2a-c51f2a95c2bc", + "operator": "empty", + "value": null + } + ], + "gauge_inner_width": 10, + "gauge_max": "1", + "gauge_style": "half", + "gauge_width": 10, + "hide_last_value_indicator": true, + "id": "4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "percent", + "id": "4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b", + "label": "CPU Usage", + "line_width": 1, + "metrics": [ + { + "field": "system.cpu.total.norm.pct", + "id": "4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b", + "type": "avg" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "last_value", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "gauge", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 9, + "i": "d0a6fc45-278c-427e-a440-eec3ec3ce367", + "w": 12, + "x": 0, + "y": 5 + }, + "panelIndex": "d0a6fc45-278c-427e-a440-eec3ec3ce367", + "title": "CPU Usage Gauge [Metrics System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.memory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.memory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"system.memory\"" + }, + "gauge_color_rules": [ + { + "gauge": "rgba(32,146,128,1)", + "id": "a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b", + "operator": "gte", + "value": 0 + }, + { + "gauge": "rgba(214,191,87,1)", + "id": "b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b", + "operator": "gte", + "value": 0.7 + }, + { + "gauge": "rgba(204,86,66,1)", + "id": "c06e9550-1b91-11e7-bec4-a5e9ec5cab8b", + "operator": "gte", + "value": 0.85 + }, + { + "gauge": "rgba(32,146,128,1)", + "id": "4bbf6453-9bd4-4ab7-aa12-5a7ed6306651", + "operator": "empty", + "value": null + } + ], + "gauge_inner_width": 10, + "gauge_max": "1", + "gauge_style": "half", + "gauge_width": 10, + "hide_last_value_indicator": true, + "id": "9f51b730-1b91-11e7-bec4-a5e9ec5cab8b", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "percent", + "id": "9f51b731-1b91-11e7-bec4-a5e9ec5cab8b", + "label": "Memory Usage", + "line_width": 1, + "metrics": [ + { + "field": "system.memory.actual.used.pct", + "id": "9f51b732-1b91-11e7-bec4-a5e9ec5cab8b", + "type": "avg" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": 
"@timestamp", + "time_range_mode": "last_value", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "gauge", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 9, + "i": "e50a72f5-160a-4694-8f44-2e6da666b90b", + "w": 12, + "x": 12, + "y": 5 + }, + "panelIndex": "e50a72f5-160a-4694-8f44-2e6da666b90b", + "title": "Memory Usage Gauge [Metrics System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.load" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.load" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "feefabd0-1b90-11e7-bec4-a5e9ec5cab8b" + } + ], + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "" + }, + "gauge_color_rules": [ + { + "id": "ffd94880-1b90-11e7-bec4-a5e9ec5cab8b" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "hide_last_value_indicator": true, + "id": "fdcc6180-1b90-11e7-bec4-a5e9ec5cab8b", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(32,146,128,1)", + "fill": 0.5, + "formatter": "number", + "id": "fdcc6181-1b90-11e7-bec4-a5e9ec5cab8b", + "label": "5m Load", + "line_width": 1, + "metrics": [ + 
{ + "field": "system.load.5", + "id": "fdcc6182-1b90-11e7-bec4-a5e9ec5cab8b", + "type": "avg" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "last_value", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "gauge", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 9, + "i": "baca3f6a-498a-4752-8882-1d8906d06405", + "w": 12, + "x": 24, + "y": 5 + }, + "panelIndex": "baca3f6a-498a-4752-8882-1d8906d06405", + "title": "Load Gauge [Metrics System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.network" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.network" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "0e346760-1b92-11e7-bec4-a5e9ec5cab8b" + } + ], + "drop_last_bucket": 1, + "filter": { + "language": "lucene", + "query": "-system.network.name:l*" + }, + "hide_last_value_indicator": true, + "id": "0c761590-1b92-11e7-bec4-a5e9ec5cab8b", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + 
"chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "bytes", + "id": "0c761591-1b92-11e7-bec4-a5e9ec5cab8b", + "label": "Inbound Traffic", + "line_width": 1, + "metrics": [ + { + "field": "system.network.in.bytes", + "id": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "max" + }, + { + "field": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "derivative", + "unit": "1s" + }, + { + "field": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "f2074f70-1b92-11e7-a416-41f5ccdba2e6", + "type": "positive_only", + "unit": "" + }, + { + "function": "sum", + "id": "c40e18f0-2c55-11e7-a0ad-277ce466684d", + "type": "series_agg" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "system.network.name", + "time_range_mode": "entire_time_range", + "value_template": "{{value}}/s" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "bytes", + "id": "37f70440-1b92-11e7-bec4-a5e9ec5cab8b", + "label": "Total Transferred", + "line_width": 1, + "metrics": [ + { + "field": "system.network.in.bytes", + "id": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "max" + }, + { + "field": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "derivative", + "unit": "" + }, + { + "field": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6", + "type": "positive_only", + "unit": "" + }, + { + "field": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6", + "function": "overall_sum", + "id": "3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b", + "sigma": "", + "type": "series_agg" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "system.network.name", + "time_range_mode": "entire_time_range", + "value_template": "{{value}}" + 
} + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "last_value", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "metric", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 8, + "i": "02993ece-9e84-4957-9780-a89d1cfef103", + "w": 12, + "x": 36, + "y": 14 + }, + "panelIndex": "02993ece-9e84-4957-9780-a89d1cfef103", + "title": "Inbound Traffic [Metrics System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-9f6d8570-52c1-4af2-a105-b9993b2e8b5c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "04b54a98-baa0-43a7-aaa8-ace6b600ff4b", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "9f6d8570-52c1-4af2-a105-b9993b2e8b5c": { + "columnOrder": [ + "314b8c49-2a3b-464b-bc85-ab7e098fd510", + "314b8c49-2a3b-464b-bc85-ab7e098fd510X0" + ], + "columns": { + "314b8c49-2a3b-464b-bc85-ab7e098fd510": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Processes", + "operationType": "formula", + "params": { + "formula": "unique_count(process.pid)", + "isFormulaBroken": false + }, + "references": [ + "314b8c49-2a3b-464b-bc85-ab7e098fd510X0" + ], + "scale": "ratio" + }, + "314b8c49-2a3b-464b-bc85-ab7e098fd510X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Processes", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "process.pid" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": 
"04b54a98-baa0-43a7-aaa8-ace6b600ff4b", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.process" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.process" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "314b8c49-2a3b-464b-bc85-ab7e098fd510", + "layerId": "9f6d8570-52c1-4af2-a105-b9993b2e8b5c", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "type": "lens" + }, + "gridData": { + "h": 8, + "i": "17f54fe4-ae84-4319-97fd-069225d0a8fb", + "w": 12, + "x": 0, + "y": 14 + }, + "panelIndex": "17f54fe4-ae84-4319-97fd-069225d0a8fb", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.memory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.memory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "6f7618b0-4d5c-11e7-aa29-87a97a796de6" + } + ], + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"system.memory\"" + }, + "hide_last_value_indicator": true, + "id": "6bc65720-4d5c-11e7-aa29-87a97a796de6", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + 
"series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "bytes", + "id": "6bc65721-4d5c-11e7-aa29-87a97a796de6", + "label": "Memory usage", + "line_width": 1, + "metrics": [ + { + "field": "system.memory.actual.used.bytes", + "id": "6bc65722-4d5c-11e7-aa29-87a97a796de6", + "type": "avg" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "bytes", + "id": "b8fe6820-4d5c-11e7-aa29-87a97a796de6", + "label": "Total Memory", + "line_width": 1, + "metrics": [ + { + "field": "system.memory.total", + "id": "b8fe6821-4d5c-11e7-aa29-87a97a796de6", + "type": "avg" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "last_value", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "metric", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 8, + "i": "79d36896-445a-4904-ad18-e0234fd9ca3f", + "w": 12, + "x": 12, + "y": 14 + }, + "panelIndex": "79d36896-445a-4904-ad18-e0234fd9ca3f", + "title": "Memory usage vs total [Metrics System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + 
"params": { + "query": "system.fsstat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.fsstat" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"system.fsstat\"" + }, + "gauge_color_rules": [ + { + "gauge": "rgba(32,146,128,1)", + "id": "51921d10-4d1d-11e7-b5f2-2b7c1895bf32", + "operator": "gte", + "value": 0 + }, + { + "gauge": "rgba(214,191,87,1)", + "id": "f26de750-4d54-11e7-b5f2-2b7c1895bf32", + "operator": "gte", + "value": 0.7 + }, + { + "gauge": "rgba(204,86,66,1)", + "id": "fa31d190-4d54-11e7-b5f2-2b7c1895bf32", + "operator": "gte", + "value": 0.85 + }, + { + "gauge": "rgba(32,146,128,1)", + "id": "79158349-1f03-4701-8ecc-c882c2b13ff3", + "operator": "empty", + "value": null + } + ], + "gauge_inner_width": 10, + "gauge_max": "1", + "gauge_style": "half", + "gauge_width": 10, + "hide_last_value_indicator": true, + "id": "4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "percent", + "id": "4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32", + "label": "Disk used", + "line_width": 1, + "metrics": [ + { + "agg_with": "avg", + "field": "system.fsstat.total_size.used", + "id": "4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32", + "order": "desc", + "order_by": "@timestamp", + "size": 1, + "type": "top_hit" + }, + { + "agg_with": "avg", + "field": "system.fsstat.total_size.total", + "id": "57c96ee0-4d54-11e7-b5f2-2b7c1895bf32", + "order": "desc", + "order_by": "@timestamp", + "size": 1, + "type": "top_hit" + }, + { + "id": "6304cca0-4d54-11e7-b5f2-2b7c1895bf32", + "script": 
"params.used/params.total ", + "type": "math", + "variables": [ + { + "field": "4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32", + "id": "6da10430-4d54-11e7-b5f2-2b7c1895bf32", + "name": "used" + }, + { + "field": "57c96ee0-4d54-11e7-b5f2-2b7c1895bf32", + "id": "73b8c510-4d54-11e7-b5f2-2b7c1895bf32", + "name": "total" + } + ] + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "last_value", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "gauge", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 8, + "i": "81d645ce-9d97-499f-9117-b3e662caee53", + "w": 12, + "x": 24, + "y": 14 + }, + "panelIndex": "81d645ce-9d97-499f-9117-b3e662caee53", + "title": "Disk Used [Metrics System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "### CPU", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 3, + "i": "958f18a3-3163-4d3b-a9ba-b917c5528f79", + "w": 48, + "x": 0, + "y": 22 + }, + "panelIndex": "958f18a3-3163-4d3b-a9ba-b917c5528f79", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7e73c5a0-687d-49a1-9431-d445b9698b64", + "type": "index-pattern" + }, + 
{ + "id": "metrics-*", + "name": "4a1e24c8-23cf-41d6-805c-b73aac7e9531", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "7e73c5a0-687d-49a1-9431-d445b9698b64": { + "columnOrder": [ + "f4b209b5-853c-44ef-9bb2-abbbaa5612ef", + "c9120817-6c14-43d9-9cc7-14aa03a27634", + "09875540-a6e2-4509-a801-eca27e129cf5" + ], + "columns": { + "09875540-a6e2-4509-a801-eca27e129cf5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Last value", + "operationType": "last_value", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "process.cpu.pct" + }, + "c9120817-6c14-43d9-9cc7-14aa03a27634": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Average", + "operationType": "average", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "process.cpu.pct" + }, + "f4b209b5-853c-44ef-9bb2-abbbaa5612ef": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Process", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c9120817-6c14-43d9-9cc7-14aa03a27634", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "process.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4a1e24c8-23cf-41d6-805c-b73aac7e9531", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.process" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.process" + } + } + } + ], + "query": { + "language": 
"kuery", + "query": "process.cpu.pct: *" + }, + "visualization": { + "columns": [ + { + "columnId": "f4b209b5-853c-44ef-9bb2-abbbaa5612ef" + }, + { + "colorMode": "cell", + "columnId": "c9120817-6c14-43d9-9cc7-14aa03a27634", + "palette": { + "name": "positive", + "params": { + "continuity": "above", + "name": "positive", + "rangeMax": null, + "rangeMin": 0, + "reverse": false, + "stops": [ + { + "color": "#d6e9e4", + "stop": 0 + }, + { + "color": "#aed3ca", + "stop": 20 + }, + { + "color": "#85bdb1", + "stop": 40 + }, + { + "color": "#5aa898", + "stop": 60 + }, + { + "color": "#209280", + "stop": 80 + } + ] + }, + "type": "palette" + }, + "width": 88 + }, + { + "colorMode": "cell", + "columnId": "09875540-a6e2-4509-a801-eca27e129cf5", + "isTransposed": false, + "palette": { + "name": "positive", + "params": { + "stops": [ + { + "color": "#d6e9e4", + "stop": 20 + }, + { + "color": "#aed3ca", + "stop": 40 + }, + { + "color": "#85bdb1", + "stop": 60 + }, + { + "color": "#5aa898", + "stop": 80 + }, + { + "color": "#209280", + "stop": 100 + } + ] + }, + "type": "palette" + }, + "width": 102.5 + } + ], + "layerId": "7e73c5a0-687d-49a1-9431-d445b9698b64", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "type": "lens" + }, + "gridData": { + "h": 15, + "i": "b479c652-8d38-47ed-8599-be33592ebffe", + "w": 11, + "x": 0, + "y": 25 + }, + "panelIndex": "b479c652-8d38-47ed-8599-be33592ebffe", + "title": "Top Processes by CPU Usage", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-8da587a6-a617-4bd4-9ae5-dffb9c6343f8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"497fbd26-58ef-4073-ac3f-024ba1789d9a", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "8da587a6-a617-4bd4-9ae5-dffb9c6343f8": { + "columnOrder": [ + "75bae7c5-d933-4999-ab28-05ccff25a382", + "5572d1db-8760-4518-aaeb-33e6843a17c6", + "f0a4086c-3976-47bb-b67a-2f73c8ed1f03", + "ca53d73b-1fbb-4864-8c6a-c71cc6e64aba", + "11e92f7e-a84a-4ce7-a97a-a31729fa5835", + "0eb945ae-3601-40ce-8951-3aeed0555712", + "b17f720c-5d06-4ba6-8390-8ffbd8b3d4bd", + "5572d1db-8760-4518-aaeb-33e6843a17c6X0", + "f0a4086c-3976-47bb-b67a-2f73c8ed1f03X0", + "ca53d73b-1fbb-4864-8c6a-c71cc6e64abaX0", + "11e92f7e-a84a-4ce7-a97a-a31729fa5835X0", + "0eb945ae-3601-40ce-8951-3aeed0555712X0", + "b17f720c-5d06-4ba6-8390-8ffbd8b3d4bdX0" + ], + "columns": { + "0eb945ae-3601-40ce-8951-3aeed0555712": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "softirq", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + }, + "formula": "average(system.cpu.softirq.norm.pct)", + "isFormulaBroken": false + }, + "references": [ + "0eb945ae-3601-40ce-8951-3aeed0555712X0" + ], + "scale": "ratio" + }, + "0eb945ae-3601-40ce-8951-3aeed0555712X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of softirq", + "operationType": "average", + "scale": "ratio", + "sourceField": "system.cpu.softirq.norm.pct" + }, + "11e92f7e-a84a-4ce7-a97a-a31729fa5835": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "irq", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + }, + "formula": "average(system.cpu.irq.norm.pct)", + "isFormulaBroken": false + }, + "references": [ + "11e92f7e-a84a-4ce7-a97a-a31729fa5835X0" + ], + "scale": "ratio" + }, + "11e92f7e-a84a-4ce7-a97a-a31729fa5835X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + 
"label": "Part of irq", + "operationType": "average", + "scale": "ratio", + "sourceField": "system.cpu.irq.norm.pct" + }, + "5572d1db-8760-4518-aaeb-33e6843a17c6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "user", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + }, + "formula": "average(system.cpu.user.norm.pct)", + "isFormulaBroken": false + }, + "references": [ + "5572d1db-8760-4518-aaeb-33e6843a17c6X0" + ], + "scale": "ratio" + }, + "5572d1db-8760-4518-aaeb-33e6843a17c6X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of user", + "operationType": "average", + "scale": "ratio", + "sourceField": "system.cpu.user.norm.pct" + }, + "75bae7c5-d933-4999-ab28-05ccff25a382": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "b17f720c-5d06-4ba6-8390-8ffbd8b3d4bd": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "iowait", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + }, + "formula": "average(system.cpu.iowait.norm.pct)", + "isFormulaBroken": false + }, + "references": [ + "b17f720c-5d06-4ba6-8390-8ffbd8b3d4bdX0" + ], + "scale": "ratio" + }, + "b17f720c-5d06-4ba6-8390-8ffbd8b3d4bdX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of iowait", + "operationType": "average", + "scale": "ratio", + "sourceField": "system.cpu.iowait.norm.pct" + }, + "ca53d73b-1fbb-4864-8c6a-c71cc6e64aba": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "nice", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + }, + "formula": 
"average(system.cpu.nice.norm.pct)", + "isFormulaBroken": false + }, + "references": [ + "ca53d73b-1fbb-4864-8c6a-c71cc6e64abaX0" + ], + "scale": "ratio" + }, + "ca53d73b-1fbb-4864-8c6a-c71cc6e64abaX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of nice", + "operationType": "average", + "scale": "ratio", + "sourceField": "system.cpu.nice.norm.pct" + }, + "f0a4086c-3976-47bb-b67a-2f73c8ed1f03": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "system", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + }, + "formula": "average(system.cpu.system.norm.pct)", + "isFormulaBroken": false + }, + "references": [ + "f0a4086c-3976-47bb-b67a-2f73c8ed1f03X0" + ], + "scale": "ratio" + }, + "f0a4086c-3976-47bb-b67a-2f73c8ed1f03X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of system", + "operationType": "average", + "scale": "ratio", + "sourceField": "system.cpu.system.norm.pct" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "497fbd26-58ef-4073-ac3f-024ba1789d9a", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.cpu" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.cpu" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "hideEndzones": true, + "layers": [ + { + "accessors": [ + "5572d1db-8760-4518-aaeb-33e6843a17c6", + "f0a4086c-3976-47bb-b67a-2f73c8ed1f03", + "ca53d73b-1fbb-4864-8c6a-c71cc6e64aba", + "11e92f7e-a84a-4ce7-a97a-a31729fa5835", + "0eb945ae-3601-40ce-8951-3aeed0555712", + "b17f720c-5d06-4ba6-8390-8ffbd8b3d4bd" + ], + "layerId": 
"8da587a6-a617-4bd4-9ae5-dffb9c6343f8", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "75bae7c5-d933-4999-ab28-05ccff25a382" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "type": "lens" + }, + "gridData": { + "h": 15, + "i": "43ee6ea2-797b-4ef6-83da-c81b9594f694", + "w": 19, + "x": 11, + "y": 25 + }, + "panelIndex": "43ee6ea2-797b-4ef6-83da-c81b9594f694", + "title": "CPU Usage", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-60c0e8b2-20ab-4451-87a6-5a7d2241ccb0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d251cb14-5566-4617-b12d-9d587f9c11a8", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "60c0e8b2-20ab-4451-87a6-5a7d2241ccb0": { + "columnOrder": [ + "ddc223d8-7456-4545-957d-3cad10a34329", + "c4d344af-62bd-4678-baf6-542cc91acb73", + "9935f59e-9e3b-4ae1-b2c7-1c303403def8", + "da273a36-6477-4984-a0e9-e71cf17c561c", + "c4d344af-62bd-4678-baf6-542cc91acb73X0", + "9935f59e-9e3b-4ae1-b2c7-1c303403def8X0", + "da273a36-6477-4984-a0e9-e71cf17c561cX0" + ], + "columns": { + "9935f59e-9e3b-4ae1-b2c7-1c303403def8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "5m", + "operationType": "formula", + "params": { + "formula": "average(system.load.5)", + "isFormulaBroken": false + }, + "references": [ + 
"9935f59e-9e3b-4ae1-b2c7-1c303403def8X0" + ], + "scale": "ratio" + }, + "9935f59e-9e3b-4ae1-b2c7-1c303403def8X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of 5m", + "operationType": "average", + "scale": "ratio", + "sourceField": "system.load.5" + }, + "c4d344af-62bd-4678-baf6-542cc91acb73": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "1m", + "operationType": "formula", + "params": { + "formula": "average(system.load.1)", + "isFormulaBroken": false + }, + "references": [ + "c4d344af-62bd-4678-baf6-542cc91acb73X0" + ], + "scale": "ratio" + }, + "c4d344af-62bd-4678-baf6-542cc91acb73X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of 1m", + "operationType": "average", + "scale": "ratio", + "sourceField": "system.load.1" + }, + "da273a36-6477-4984-a0e9-e71cf17c561c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "15m", + "operationType": "formula", + "params": { + "formula": "average(system.load.15)", + "isFormulaBroken": false + }, + "references": [ + "da273a36-6477-4984-a0e9-e71cf17c561cX0" + ], + "scale": "ratio" + }, + "da273a36-6477-4984-a0e9-e71cf17c561cX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of 15m", + "operationType": "average", + "scale": "ratio", + "sourceField": "system.load.15" + }, + "ddc223d8-7456-4545-957d-3cad10a34329": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d251cb14-5566-4617-b12d-9d587f9c11a8", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": 
"system.load" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.load" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "c4d344af-62bd-4678-baf6-542cc91acb73", + "9935f59e-9e3b-4ae1-b2c7-1c303403def8", + "da273a36-6477-4984-a0e9-e71cf17c561c" + ], + "layerId": "60c0e8b2-20ab-4451-87a6-5a7d2241ccb0", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "ddc223d8-7456-4545-957d-3cad10a34329", + "yConfig": [ + { + "color": "#209280", + "forAccessor": "c4d344af-62bd-4678-baf6-542cc91acb73" + }, + { + "color": "#77b6a8", + "forAccessor": "9935f59e-9e3b-4ae1-b2c7-1c303403def8" + }, + { + "color": "#bbdad3", + "forAccessor": "da273a36-6477-4984-a0e9-e71cf17c561c" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "type": "lens" + }, + "gridData": { + "h": 15, + "i": "dcf35812-283d-4cc7-b7bb-76419f5231fc", + "w": 18, + "x": 30, + "y": 25 + }, + "panelIndex": "dcf35812-283d-4cc7-b7bb-76419f5231fc", + "title": "System load", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + 
}, + "description": "", + "params": { + "fontSize": 12, + "markdown": "### Memory", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 3, + "i": "0aa7a83d-82f4-46d2-9e9e-10f2e63c7575", + "w": 48, + "x": 0, + "y": 40 + }, + "panelIndex": "0aa7a83d-82f4-46d2-9e9e-10f2e63c7575", + "title": "", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7e73c5a0-687d-49a1-9431-d445b9698b64", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "45f7e45b-a19f-471f-9437-d2cdb13e836d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "7e73c5a0-687d-49a1-9431-d445b9698b64": { + "columnOrder": [ + "f4b209b5-853c-44ef-9bb2-abbbaa5612ef", + "c9120817-6c14-43d9-9cc7-14aa03a27634", + "1e8576bb-67d1-458a-973f-144560cc3cfd" + ], + "columns": { + "1e8576bb-67d1-458a-973f-144560cc3cfd": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Last value", + "operationType": "last_value", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "system.process.memory.rss.pct" + }, + "c9120817-6c14-43d9-9cc7-14aa03a27634": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Average", + "operationType": "average", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "system.process.memory.rss.pct" + }, + "f4b209b5-853c-44ef-9bb2-abbbaa5612ef": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Process", + 
"operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c9120817-6c14-43d9-9cc7-14aa03a27634", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "process.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "45f7e45b-a19f-471f-9437-d2cdb13e836d", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.process" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.process" + } + } + } + ], + "query": { + "language": "kuery", + "query": "system.process.memory.rss.pct: *" + }, + "visualization": { + "columns": [ + { + "columnId": "f4b209b5-853c-44ef-9bb2-abbbaa5612ef" + }, + { + "colorMode": "cell", + "columnId": "c9120817-6c14-43d9-9cc7-14aa03a27634", + "palette": { + "name": "positive", + "params": { + "stops": [ + { + "color": "#d6e9e4", + "stop": 20 + }, + { + "color": "#aed3ca", + "stop": 40 + }, + { + "color": "#85bdb1", + "stop": 60 + }, + { + "color": "#5aa898", + "stop": 80 + }, + { + "color": "#209280", + "stop": 100 + } + ] + }, + "type": "palette" + }, + "width": 85 + }, + { + "colorMode": "cell", + "columnId": "1e8576bb-67d1-458a-973f-144560cc3cfd", + "isTransposed": false, + "palette": { + "name": "positive", + "params": { + "stops": [ + { + "color": "#d6e9e4", + "stop": 20 + }, + { + "color": "#aed3ca", + "stop": 40 + }, + { + "color": "#85bdb1", + "stop": 60 + }, + { + "color": "#5aa898", + "stop": 80 + }, + { + "color": "#209280", + "stop": 100 + } + ] + }, + "type": "palette" + }, + "width": 97.5 + } + ], + "layerId": "7e73c5a0-687d-49a1-9431-d445b9698b64", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "", + "type": "lens", + "visualizationType": 
"lnsDatatable" + }, + "enhancements": {}, + "type": "lens" + }, + "gridData": { + "h": 12, + "i": "5be13ea6-48db-4fc3-8213-20e4736be04e", + "w": 11, + "x": 0, + "y": 43 + }, + "panelIndex": "5be13ea6-48db-4fc3-8213-20e4736be04e", + "title": "Top Processes by Memory Usage", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-b517c683-82f8-48e6-bfce-ee0568c45958", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2044f8ca-61ce-4e33-8768-0c31694a5c76", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "b517c683-82f8-48e6-bfce-ee0568c45958": { + "columnOrder": [ + "37a9160d-30f4-4aee-80b0-4fba3b047938", + "ac2bf785-8ec5-4d8c-b83d-7aaeac97c8f1", + "807db5e3-119b-46e9-8361-b97d04e78d09", + "807db5e3-119b-46e9-8361-b97d04e78d09X0", + "807db5e3-119b-46e9-8361-b97d04e78d09X1", + "807db5e3-119b-46e9-8361-b97d04e78d09X2", + "6731f7a3-a13c-40ad-9552-74b2789297df", + "6731f7a3-a13c-40ad-9552-74b2789297dfX0" + ], + "columns": { + "37a9160d-30f4-4aee-80b0-4fba3b047938": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "6731f7a3-a13c-40ad-9552-74b2789297df": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Free", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "formula": "average(system.memory.free)", + "isFormulaBroken": false + }, + "references": [ + "6731f7a3-a13c-40ad-9552-74b2789297dfX0" + ], + "scale": "ratio" + }, + "6731f7a3-a13c-40ad-9552-74b2789297dfX0": { + "customLabel": true, + 
"dataType": "number", + "isBucketed": false, + "label": "Part of Free", + "operationType": "average", + "scale": "ratio", + "sourceField": "system.memory.free" + }, + "807db5e3-119b-46e9-8361-b97d04e78d09": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Cache", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "formula": "average(system.memory.used.bytes) - average(system.memory.actual.used.bytes)", + "isFormulaBroken": false + }, + "references": [ + "807db5e3-119b-46e9-8361-b97d04e78d09X2" + ], + "scale": "ratio" + }, + "807db5e3-119b-46e9-8361-b97d04e78d09X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Cache", + "operationType": "average", + "scale": "ratio", + "sourceField": "system.memory.used.bytes" + }, + "807db5e3-119b-46e9-8361-b97d04e78d09X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Cache", + "operationType": "average", + "scale": "ratio", + "sourceField": "system.memory.actual.used.bytes" + }, + "807db5e3-119b-46e9-8361-b97d04e78d09X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Cache", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "807db5e3-119b-46e9-8361-b97d04e78d09X0", + "807db5e3-119b-46e9-8361-b97d04e78d09X1" + ], + "location": { + "max": 76, + "min": 0 + }, + "name": "subtract", + "text": "average(system.memory.used.bytes) - average(system.memory.actual.used.bytes)", + "type": "function" + } + }, + "references": [ + "807db5e3-119b-46e9-8361-b97d04e78d09X0", + "807db5e3-119b-46e9-8361-b97d04e78d09X1" + ], + "scale": "ratio" + }, + "ac2bf785-8ec5-4d8c-b83d-7aaeac97c8f1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Used", + "operationType": "average", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + 
}, + "scale": "ratio", + "sourceField": "system.memory.actual.used.bytes" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "2044f8ca-61ce-4e33-8768-0c31694a5c76", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.memory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.memory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "hideEndzones": true, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "ac2bf785-8ec5-4d8c-b83d-7aaeac97c8f1", + "807db5e3-119b-46e9-8361-b97d04e78d09", + "6731f7a3-a13c-40ad-9552-74b2789297df" + ], + "layerId": "b517c683-82f8-48e6-bfce-ee0568c45958", + "layerType": "data", + "position": "top", + "seriesType": "area_stacked", + "showGridlines": false, + "xAccessor": "37a9160d-30f4-4aee-80b0-4fba3b047938" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "area_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "type": "lens" + }, + "gridData": { + "h": 12, + "i": "7138d681-0dc7-4055-a4c5-8395db1aa1e8", + "w": 30, + "x": 11, + "y": 43 + }, + "panelIndex": "7138d681-0dc7-4055-a4c5-8395db1aa1e8", + "title": "Memory usage", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + 
"hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.memory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.memory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"system.memory\"" + }, + "gauge_color_rules": [ + { + "gauge": "rgba(32,146,128,1)", + "id": "d17c1e90-4d59-11e7-aee5-fdc812cc3bec", + "operator": "gte", + "value": 0 + }, + { + "gauge": "rgba(214,191,87,1)", + "id": "fc1d3490-4d59-11e7-aee5-fdc812cc3bec", + "operator": "gte", + "value": 0.7 + }, + { + "gauge": "rgba(204,86,66,1)", + "id": "0e204240-4d5a-11e7-aee5-fdc812cc3bec", + "operator": "gte", + "value": 0.85 + }, + { + "gauge": "rgba(32,146,128,1)", + "id": "466e9835-712f-469c-8f00-edda88559776", + "operator": "empty", + "value": null + } + ], + "gauge_inner_width": 10, + "gauge_max": "", + "gauge_style": "half", + "gauge_width": 10, + "hide_last_value_indicator": true, + "id": "cee2fd20-4d59-11e7-aee5-fdc812cc3bec", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "percent", + "id": "cee2fd21-4d59-11e7-aee5-fdc812cc3bec", + "label": "Swap usage", + "line_width": 1, + "metrics": [ + { + "field": "system.memory.swap.used.pct", + "id": "cee2fd22-4d59-11e7-aee5-fdc812cc3bec", + "type": "avg" + } + ], + "point_size": 1, + 
"seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "gauge", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 12, + "i": "c2428ef6-13fa-4254-9ab0-6be1c80a82d4", + "w": 7, + "x": 41, + "y": 43 + }, + "panelIndex": "c2428ef6-13fa-4254-9ab0-6be1c80a82d4", + "title": "Swap usage [Metrics System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "### Disk", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 3, + "i": "a41333eb-ba79-4557-9819-820de64abdf6", + "w": 48, + "x": 0, + "y": 55 + }, + "panelIndex": "a41333eb-ba79-4557-9819-820de64abdf6", + "title": "", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7e73c5a0-687d-49a1-9431-d445b9698b64", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "4319b26f-d004-4331-bda3-3d2771c47381", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "7e73c5a0-687d-49a1-9431-d445b9698b64": { + "columnOrder": [ + "f4b209b5-853c-44ef-9bb2-abbbaa5612ef", + "c9120817-6c14-43d9-9cc7-14aa03a27634", + 
"a7e79c34-8ff8-4705-ae1b-5122ca2d2863" + ], + "columns": { + "a7e79c34-8ff8-4705-ae1b-5122ca2d2863": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Last value", + "operationType": "last_value", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "system.filesystem.used.pct" + }, + "c9120817-6c14-43d9-9cc7-14aa03a27634": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Average", + "operationType": "average", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "system.filesystem.used.pct" + }, + "f4b209b5-853c-44ef-9bb2-abbbaa5612ef": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Mountpoint", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c9120817-6c14-43d9-9cc7-14aa03a27634", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "system.filesystem.mount_point" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4319b26f-d004-4331-bda3-3d2771c47381", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.filesystem" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.filesystem" + } + } + } + ], + "query": { + "language": "kuery", + "query": "system.filesystem.used.pct: *" + }, + "visualization": { + "columns": [ + { + "columnId": "f4b209b5-853c-44ef-9bb2-abbbaa5612ef" + }, + { + "colorMode": "cell", + "columnId": "c9120817-6c14-43d9-9cc7-14aa03a27634", + "palette": { + "name": "positive", + "params": 
{ + "stops": [ + { + "color": "#d6e9e4", + "stop": 20 + }, + { + "color": "#aed3ca", + "stop": 40 + }, + { + "color": "#85bdb1", + "stop": 60 + }, + { + "color": "#5aa898", + "stop": 80 + }, + { + "color": "#209280", + "stop": 100 + } + ] + }, + "type": "palette" + }, + "width": 88 + }, + { + "colorMode": "cell", + "columnId": "a7e79c34-8ff8-4705-ae1b-5122ca2d2863", + "isTransposed": false, + "palette": { + "name": "positive", + "params": { + "stops": [ + { + "color": "#d6e9e4", + "stop": 20 + }, + { + "color": "#aed3ca", + "stop": 40 + }, + { + "color": "#85bdb1", + "stop": 60 + }, + { + "color": "#5aa898", + "stop": 80 + }, + { + "color": "#209280", + "stop": 100 + } + ] + }, + "type": "palette" + }, + "width": 101 + } + ], + "layerId": "7e73c5a0-687d-49a1-9431-d445b9698b64", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "type": "lens" + }, + "gridData": { + "h": 10, + "i": "40c809d8-2728-4ead-a85a-02ac2c3c346e", + "w": 11, + "x": 0, + "y": 58 + }, + "panelIndex": "40c809d8-2728-4ead-a85a-02ac2c3c346e", + "title": "Top mountpoints by disk usage", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.diskio" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.diskio" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", 
+ "query": "data_stream.dataset : \"system.diskio\"" + }, + "id": "d3c67db0-1b1a-11e7-b09e-037021c4f8df", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(84,179,153,1)", + "fill": "00.5", + "formatter": "bytes", + "id": "d3c67db1-1b1a-11e7-b09e-037021c4f8df", + "label": "reads", + "line_width": 1, + "metrics": [ + { + "field": "system.diskio.read.bytes", + "id": "d3c67db2-1b1a-11e7-b09e-037021c4f8df", + "type": "max" + }, + { + "field": "d3c67db2-1b1a-11e7-b09e-037021c4f8df", + "id": "f55b9910-1b1a-11e7-b09e-037021c4f8df", + "type": "derivative", + "unit": "1s" + }, + { + "field": "f55b9910-1b1a-11e7-b09e-037021c4f8df", + "id": "dcbbb100-1b93-11e7-8ada-3df93aab833e", + "type": "positive_only", + "unit": "" + } + ], + "palette": { + "name": "positive", + "type": "palette" + }, + "point_size": "0", + "seperate_axis": 0, + "split_color_mode": null, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range", + "value_template": "{{value}}/s" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(96,146,192,1)", + "fill": "00.5", + "formatter": "bytes", + "id": "144124d0-1b1b-11e7-b09e-037021c4f8df", + "label": "writes", + "line_width": 1, + "metrics": [ + { + "field": "system.diskio.write.bytes", + "id": "144124d1-1b1b-11e7-b09e-037021c4f8df", + "type": "max" + }, + { + "field": "144124d1-1b1b-11e7-b09e-037021c4f8df", + "id": "144124d2-1b1b-11e7-b09e-037021c4f8df", + "type": "derivative", + "unit": "1s" + }, + { + "id": "144124d4-1b1b-11e7-b09e-037021c4f8df", + "script": "params.rate \u003e 0 ? 
params.rate * -1 : 0", + "type": "calculation", + "variables": [ + { + "field": "144124d2-1b1b-11e7-b09e-037021c4f8df", + "id": "144124d3-1b1b-11e7-b09e-037021c4f8df", + "name": "rate" + } + ] + } + ], + "palette": { + "name": "temperature", + "type": "palette" + }, + "point_size": "0", + "seperate_axis": 0, + "split_color_mode": null, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range", + "value_template": "{{value}}/s" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 10, + "i": "4e2ec836-0e0c-4125-9a0b-be26183c524f", + "w": 30, + "x": 11, + "y": 58 + }, + "panelIndex": "4e2ec836-0e0c-4125-9a0b-be26183c524f", + "title": "Disk IO", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.fsstat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.fsstat" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"system.fsstat\"" + }, + "gauge_color_rules": [ + { + "gauge": "rgba(32,146,128,1)", + "id": "51921d10-4d1d-11e7-b5f2-2b7c1895bf32", + "operator": "gte", 
+ "value": 0 + }, + { + "gauge": "rgba(214,191,87,1)", + "id": "f26de750-4d54-11e7-b5f2-2b7c1895bf32", + "operator": "gte", + "value": 0.7 + }, + { + "gauge": "rgba(204,86,66,1)", + "id": "fa31d190-4d54-11e7-b5f2-2b7c1895bf32", + "operator": "gte", + "value": 0.85 + }, + { + "gauge": "rgba(32,146,128,1)", + "id": "79158349-1f03-4701-8ecc-c882c2b13ff3", + "operator": "empty", + "value": null + } + ], + "gauge_inner_width": 10, + "gauge_max": "1", + "gauge_style": "half", + "gauge_width": 10, + "hide_last_value_indicator": true, + "id": "4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "percent", + "id": "4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32", + "label": "Disk used", + "line_width": 1, + "metrics": [ + { + "agg_with": "avg", + "field": "system.fsstat.total_size.used", + "id": "4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32", + "order": "desc", + "order_by": "@timestamp", + "size": 1, + "type": "top_hit" + }, + { + "agg_with": "avg", + "field": "system.fsstat.total_size.total", + "id": "57c96ee0-4d54-11e7-b5f2-2b7c1895bf32", + "order": "desc", + "order_by": "@timestamp", + "size": 1, + "type": "top_hit" + }, + { + "id": "6304cca0-4d54-11e7-b5f2-2b7c1895bf32", + "script": "params.used/params.total ", + "type": "math", + "variables": [ + { + "field": "4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32", + "id": "6da10430-4d54-11e7-b5f2-2b7c1895bf32", + "name": "used" + }, + { + "field": "57c96ee0-4d54-11e7-b5f2-2b7c1895bf32", + "id": "73b8c510-4d54-11e7-b5f2-2b7c1895bf32", + "name": "total" + } + ] + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": 
"entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "gauge", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 10, + "i": "fbbc5c65-b8a4-4604-b5bd-072c3c99e4c3", + "w": 7, + "x": 41, + "y": 58 + }, + "panelIndex": "fbbc5c65-b8a4-4604-b5bd-072c3c99e4c3", + "title": "Disk Used [Metrics System] (copy)", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "### Network", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 3, + "i": "4340cff4-224d-43c0-8e98-8257782236f3", + "w": 48, + "x": 0, + "y": 68 + }, + "panelIndex": "4340cff4-224d-43c0-8e98-8257782236f3", + "title": "", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.network" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.network" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "0e346760-1b92-11e7-bec4-a5e9ec5cab8b" + } + ], + "drop_last_bucket": 1, + "filter": { + "language": "lucene", + 
"query": "-system.network.name:l*" + }, + "hide_last_value_indicator": true, + "id": "0c761590-1b92-11e7-bec4-a5e9ec5cab8b", + "index_pattern": "metrics-*", + "interval": "auto", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "bytes", + "id": "0c761591-1b92-11e7-bec4-a5e9ec5cab8b", + "label": "Inbound Traffic", + "line_width": 1, + "metrics": [ + { + "field": "system.network.in.bytes", + "id": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "max" + }, + { + "field": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "derivative", + "unit": "1s" + }, + { + "field": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "f2074f70-1b92-11e7-a416-41f5ccdba2e6", + "type": "positive_only", + "unit": "" + }, + { + "function": "sum", + "id": "c40e18f0-2c55-11e7-a0ad-277ce466684d", + "type": "series_agg" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "system.network.name", + "value_template": "{{value}}/s" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "bytes", + "id": "37f70440-1b92-11e7-bec4-a5e9ec5cab8b", + "label": "Total Transferred", + "line_width": 1, + "metrics": [ + { + "field": "system.network.in.bytes", + "id": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "max" + }, + { + "field": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "derivative", + "unit": "" + }, + { + "field": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6", + "type": "positive_only", + "unit": "" + }, + { + "field": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6", + "function": "overall_sum", + "id": "3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b", + "sigma": "", + "type": "series_agg" + } + ], + "point_size": 1, + 
"seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "system.network.name", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "metric", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 8, + "i": "00a52be5-9be0-452a-974f-15c2eb08e5a5", + "w": 6, + "x": 0, + "y": 71 + }, + "panelIndex": "00a52be5-9be0-452a-974f-15c2eb08e5a5", + "title": "Inbound Traffic [Metrics System] (copy)", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.network" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.network" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "6ba9b1f0-4d5d-11e7-aa29-87a97a796de6" + } + ], + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"system.network\"" + }, + "hide_last_value_indicator": true, + "id": "6984af10-4d5d-11e7-aa29-87a97a796de6", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": 
"6984af11-4d5d-11e7-aa29-87a97a796de6", + "label": "In Packetloss", + "line_width": 1, + "metrics": [ + { + "field": "system.network.in.dropped", + "id": "6984af12-4d5d-11e7-aa29-87a97a796de6", + "type": "max" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "metric", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 8, + "i": "8fd9ee13-c94c-44c6-9871-da172760e777", + "w": 6, + "x": 6, + "y": 71 + }, + "panelIndex": "8fd9ee13-c94c-44c6-9871-da172760e777", + "title": "Packetloss [Metrics System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.network" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.network" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "0e346760-1b92-11e7-bec4-a5e9ec5cab8b" + } + ], + "drop_last_bucket": 1, + "filter": { + "language": "lucene", + "query": "-system.network.name:l*" + }, + "hide_last_value_indicator": true, + "id": "0c761590-1b92-11e7-bec4-a5e9ec5cab8b", + "index_pattern": "metrics-*", + 
"interval": "auto", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "bytes", + "id": "0c761591-1b92-11e7-bec4-a5e9ec5cab8b", + "label": "Outbound Traffic", + "line_width": 1, + "metrics": [ + { + "field": "system.network.out.bytes", + "id": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "max" + }, + { + "field": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "derivative", + "unit": "1s" + }, + { + "field": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "f2074f70-1b92-11e7-a416-41f5ccdba2e6", + "type": "positive_only", + "unit": "" + }, + { + "function": "sum", + "id": "a1737470-2c55-11e7-a0ad-277ce466684d", + "type": "series_agg" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "system.network.name", + "value_template": "{{value}}/s" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "bytes", + "id": "37f70440-1b92-11e7-bec4-a5e9ec5cab8b", + "label": "Total Transferred", + "line_width": 1, + "metrics": [ + { + "field": "system.network.out.bytes", + "id": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "max" + }, + { + "field": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b", + "type": "derivative", + "unit": "" + }, + { + "field": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b", + "id": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6", + "type": "positive_only", + "unit": "" + }, + { + "field": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6", + "function": "overall_sum", + "id": "3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b", + "sigma": "", + "type": "series_agg" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "system.network.name", + "value_template": 
"{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "metric", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 8, + "i": "40931ebc-38d8-4032-949d-246c8b381743", + "w": 6, + "x": 12, + "y": 71 + }, + "panelIndex": "40931ebc-38d8-4032-949d-246c8b381743", + "title": "Outbound Traffic [Metrics System] (copy)", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.network" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.network" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "6ba9b1f0-4d5d-11e7-aa29-87a97a796de6" + } + ], + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"system.network\"" + }, + "hide_last_value_indicator": true, + "id": "6984af10-4d5d-11e7-aa29-87a97a796de6", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "ac2e6b30-4d5d-11e7-aa29-87a97a796de6", + "label": "Out Packetloss", + "line_width": 1, + "metrics": [ + { + "field": "system.network.out.dropped", + "id": 
"ac2e6b31-4d5d-11e7-aa29-87a97a796de6", + "type": "max" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "metric", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 8, + "i": "42625329-6a7b-496e-89e3-2459675bf904", + "w": 6, + "x": 18, + "y": 71 + }, + "panelIndex": "42625329-6a7b-496e-89e3-2459675bf904", + "title": "Packetloss [Metrics System] (copy)", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 1, + "filter": { + "language": "lucene", + "query": "-system.network.name:l*" + }, + "id": "da1046f0-faa0-11e6-86b1-cd7735ff7e23", + "index_pattern": "*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(111,220,190,1)", + "fill": "0.5", + "formatter": "0.[00]a", + "id": "da1046f1-faa0-11e6-86b1-cd7735ff7e23", + "label": "Inbound", + "line_width": "01", + "metrics": [ + { + "field": "system.network.in.packets", + "id": "da1046f2-faa0-11e6-86b1-cd7735ff7e23", + "type": "max" + }, + { + "field": "da1046f2-faa0-11e6-86b1-cd7735ff7e23", + "id": "f41f9280-faa0-11e6-86b1-cd7735ff7e23", + "type": "derivative", + "unit": "1s" + }, + { + "field": "f41f9280-faa0-11e6-86b1-cd7735ff7e23", + "id": "c0da3d80-1b93-11e7-8ada-3df93aab833e", + 
"type": "positive_only", + "unit": "" + }, + { + "function": "sum", + "id": "ecaad010-2c2c-11e7-be71-3162da85303f", + "type": "series_agg" + } + ], + "palette": { + "name": "positive", + "type": "palette" + }, + "point_size": "0", + "seperate_axis": 0, + "split_color_mode": null, + "split_mode": "terms", + "stacked": "none", + "terms_field": "system.network.name", + "time_range_mode": "entire_time_range", + "value_template": "{{value}}/s" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(96,146,192,1)", + "fill": "00.5", + "formatter": "0.[00]a", + "id": "fbbd5720-faa0-11e6-86b1-cd7735ff7e23", + "label": "Outbound", + "line_width": "01", + "metrics": [ + { + "field": "system.network.out.packets", + "id": "fbbd7e30-faa0-11e6-86b1-cd7735ff7e23", + "type": "max" + }, + { + "field": "fbbd7e30-faa0-11e6-86b1-cd7735ff7e23", + "id": "fbbd7e31-faa0-11e6-86b1-cd7735ff7e23", + "type": "derivative", + "unit": "1s" + }, + { + "id": "17e597a0-faa1-11e6-86b1-cd7735ff7e23", + "script": "params.rate != null \u0026\u0026 params.rate \u003e 0 ? 
params.rate * -1 : null", + "type": "calculation", + "variables": [ + { + "field": "fbbd7e31-faa0-11e6-86b1-cd7735ff7e23", + "id": "1940bad0-faa1-11e6-86b1-cd7735ff7e23", + "name": "rate" + } + ] + }, + { + "function": "sum", + "id": "fe5fbdc0-2c2c-11e7-be71-3162da85303f", + "type": "series_agg" + } + ], + "palette": { + "name": "complimentary", + "type": "palette" + }, + "point_size": "0", + "seperate_axis": 0, + "split_color_mode": null, + "split_mode": "terms", + "stacked": "none", + "terms_field": "system.network.name", + "time_range_mode": "entire_time_range", + "value_template": "{{value}}/s" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 11, + "i": "83789cc1-735e-426f-af14-7feceeb1e3ec", + "w": 24, + "x": 24, + "y": 71 + }, + "panelIndex": "83789cc1-735e-426f-af14-7feceeb1e3ec", + "title": "Network Traffic (Packets)", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-a9aa67d3-6d5c-40f9-a45d-69410b2a90bb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "0edd5ba7-5679-4903-8b1a-9b52a84763e4", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "a9aa67d3-6d5c-40f9-a45d-69410b2a90bb": { + "columnOrder": [ + "69b78cd3-0694-49cd-92cd-23c27f675523", + "bdb2f885-054b-490d-91b8-2685ce22a5f5", + "30b47015-4e96-48da-997b-9e9d41984945" + ], + "columns": { + "30b47015-4e96-48da-997b-9e9d41984945": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, 
+ "label": "Outgoing Traffic", + "operationType": "max", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "system.network.out.bytes" + }, + "69b78cd3-0694-49cd-92cd-23c27f675523": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Interface", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "bdb2f885-054b-490d-91b8-2685ce22a5f5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "system.network.name" + }, + "bdb2f885-054b-490d-91b8-2685ce22a5f5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Incoming Traffic", + "operationType": "max", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "system.network.in.bytes" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "0edd5ba7-5679-4903-8b1a-9b52a84763e4", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.network" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.network" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "69b78cd3-0694-49cd-92cd-23c27f675523", + "isTransposed": false + }, + { + "colorMode": "cell", + "columnId": "bdb2f885-054b-490d-91b8-2685ce22a5f5", + "isTransposed": false, + "palette": { + "name": "positive", + "params": { + "stops": [ + { + "color": "#d6e9e4", + "stop": 20 + }, + { + "color": "#aed3ca", + "stop": 40 + }, + { + "color": "#85bdb1", + "stop": 60 + }, + { + "color": "#5aa898", + "stop": 80 + }, + { + "color": "#209280", + "stop": 
100 + } + ] + }, + "type": "palette" + }, + "width": 139 + }, + { + "colorMode": "cell", + "columnId": "30b47015-4e96-48da-997b-9e9d41984945", + "isTransposed": false, + "palette": { + "name": "positive", + "params": { + "stops": [ + { + "color": "#d6e9e4", + "stop": 20 + }, + { + "color": "#aed3ca", + "stop": 40 + }, + { + "color": "#85bdb1", + "stop": 60 + }, + { + "color": "#5aa898", + "stop": 80 + }, + { + "color": "#209280", + "stop": 100 + } + ] + }, + "type": "palette" + }, + "width": 143.5 + } + ], + "layerId": "a9aa67d3-6d5c-40f9-a45d-69410b2a90bb", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "type": "lens" + }, + "gridData": { + "h": 14, + "i": "5eae5b45-6bce-4bbd-9db2-275b45d7d329", + "w": 24, + "x": 0, + "y": 79 + }, + "panelIndex": "5eae5b45-6bce-4bbd-9db2-275b45d7d329", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 1, + "filter": { + "language": "lucene", + "query": "-system.network.name:l*" + }, + "id": "da1046f0-faa0-11e6-86b1-cd7735ff7e23", + "index_pattern": "*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(84,179,153,1)", + "fill": "00.5", + "formatter": "bytes", + "id": "da1046f1-faa0-11e6-86b1-cd7735ff7e23", + "label": "Inbound ", + "line_width": "01", + "metrics": [ + { + "field": "system.network.in.bytes", + "id": "da1046f2-faa0-11e6-86b1-cd7735ff7e23", + "type": "max" + }, + { + "field": "da1046f2-faa0-11e6-86b1-cd7735ff7e23", + "id": 
"f41f9280-faa0-11e6-86b1-cd7735ff7e23", + "type": "derivative", + "unit": "1s" + }, + { + "field": "f41f9280-faa0-11e6-86b1-cd7735ff7e23", + "id": "a87398e0-1b93-11e7-8ada-3df93aab833e", + "type": "positive_only", + "unit": "" + }, + { + "function": "sum", + "id": "2d533df0-2c2d-11e7-be71-3162da85303f", + "type": "series_agg" + } + ], + "palette": { + "name": "positive", + "type": "palette" + }, + "point_size": "0", + "seperate_axis": 0, + "split_color_mode": null, + "split_mode": "terms", + "stacked": "none", + "terms_field": "system.network.name", + "time_range_mode": "entire_time_range", + "value_template": "{{value}}/s" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(96,146,192,1)", + "fill": "00.5", + "formatter": "bytes", + "id": "fbbd5720-faa0-11e6-86b1-cd7735ff7e23", + "label": "Outbound ", + "line_width": "01", + "metrics": [ + { + "field": "system.network.out.bytes", + "id": "fbbd7e30-faa0-11e6-86b1-cd7735ff7e23", + "type": "max" + }, + { + "field": "fbbd7e30-faa0-11e6-86b1-cd7735ff7e23", + "id": "fbbd7e31-faa0-11e6-86b1-cd7735ff7e23", + "type": "derivative", + "unit": "1s" + }, + { + "id": "17e597a0-faa1-11e6-86b1-cd7735ff7e23", + "script": "params.rate != null \u0026\u0026 params.rate \u003e 0 ? 
params.rate * -1 : null", + "type": "calculation", + "variables": [ + { + "field": "fbbd7e31-faa0-11e6-86b1-cd7735ff7e23", + "id": "1940bad0-faa1-11e6-86b1-cd7735ff7e23", + "name": "rate" + } + ] + }, + { + "function": "sum", + "id": "533da9b0-2c2d-11e7-be71-3162da85303f", + "type": "series_agg" + } + ], + "palette": { + "name": "complimentary", + "type": "palette" + }, + "point_size": "0", + "seperate_axis": 0, + "split_color_mode": null, + "split_mode": "terms", + "stacked": "none", + "terms_field": "system.network.name", + "time_range_mode": "entire_time_range", + "value_template": "{{value}}/s" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 11, + "i": "701fed8c-da9b-41aa-adab-09f793c3c84f", + "w": 24, + "x": 24, + "y": 82 + }, + "panelIndex": "701fed8c-da9b-41aa-adab-09f793c3c84f", + "title": "Network Traffic (Bytes)", + "type": "visualization", + "version": "8.6.0" + } + ], + "timeRestore": false, + "title": "[Metrics System] Host overview", + "version": 1 + }, + "coreMigrationVersion": "8.6.1", + "created_at": "2023-03-23T04:03:56.987Z", + "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "metrics-*", + "name": "6fd34c50-53a3-4919-b7c5-aba460f0fe6d:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d0a6fc45-278c-427e-a440-eec3ec3ce367:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e50a72f5-160a-4694-8f44-2e6da666b90b:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": 
"metrics-*", + "name": "baca3f6a-498a-4752-8882-1d8906d06405:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "02993ece-9e84-4957-9780-a89d1cfef103:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "17f54fe4-ae84-4319-97fd-069225d0a8fb:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "17f54fe4-ae84-4319-97fd-069225d0a8fb:indexpattern-datasource-layer-9f6d8570-52c1-4af2-a105-b9993b2e8b5c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "17f54fe4-ae84-4319-97fd-069225d0a8fb:04b54a98-baa0-43a7-aaa8-ace6b600ff4b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "79d36896-445a-4904-ad18-e0234fd9ca3f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "81d645ce-9d97-499f-9117-b3e662caee53:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b479c652-8d38-47ed-8599-be33592ebffe:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b479c652-8d38-47ed-8599-be33592ebffe:indexpattern-datasource-layer-7e73c5a0-687d-49a1-9431-d445b9698b64", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b479c652-8d38-47ed-8599-be33592ebffe:4a1e24c8-23cf-41d6-805c-b73aac7e9531", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "43ee6ea2-797b-4ef6-83da-c81b9594f694:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "43ee6ea2-797b-4ef6-83da-c81b9594f694:indexpattern-datasource-layer-8da587a6-a617-4bd4-9ae5-dffb9c6343f8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"43ee6ea2-797b-4ef6-83da-c81b9594f694:497fbd26-58ef-4073-ac3f-024ba1789d9a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "dcf35812-283d-4cc7-b7bb-76419f5231fc:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "dcf35812-283d-4cc7-b7bb-76419f5231fc:indexpattern-datasource-layer-60c0e8b2-20ab-4451-87a6-5a7d2241ccb0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "dcf35812-283d-4cc7-b7bb-76419f5231fc:d251cb14-5566-4617-b12d-9d587f9c11a8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5be13ea6-48db-4fc3-8213-20e4736be04e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5be13ea6-48db-4fc3-8213-20e4736be04e:indexpattern-datasource-layer-7e73c5a0-687d-49a1-9431-d445b9698b64", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5be13ea6-48db-4fc3-8213-20e4736be04e:45f7e45b-a19f-471f-9437-d2cdb13e836d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7138d681-0dc7-4055-a4c5-8395db1aa1e8:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7138d681-0dc7-4055-a4c5-8395db1aa1e8:indexpattern-datasource-layer-b517c683-82f8-48e6-bfce-ee0568c45958", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7138d681-0dc7-4055-a4c5-8395db1aa1e8:2044f8ca-61ce-4e33-8768-0c31694a5c76", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c2428ef6-13fa-4254-9ab0-6be1c80a82d4:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "40c809d8-2728-4ead-a85a-02ac2c3c346e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "40c809d8-2728-4ead-a85a-02ac2c3c346e:indexpattern-datasource-layer-7e73c5a0-687d-49a1-9431-d445b9698b64", + "type": "index-pattern" + }, 
+ { + "id": "metrics-*", + "name": "40c809d8-2728-4ead-a85a-02ac2c3c346e:4319b26f-d004-4331-bda3-3d2771c47381", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "4e2ec836-0e0c-4125-9a0b-be26183c524f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "fbbc5c65-b8a4-4604-b5bd-072c3c99e4c3:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "00a52be5-9be0-452a-974f-15c2eb08e5a5:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8fd9ee13-c94c-44c6-9871-da172760e777:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "40931ebc-38d8-4032-949d-246c8b381743:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "42625329-6a7b-496e-89e3-2459675bf904:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5eae5b45-6bce-4bbd-9db2-275b45d7d329:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5eae5b45-6bce-4bbd-9db2-275b45d7d329:indexpattern-datasource-layer-a9aa67d3-6d5c-40f9-a45d-69410b2a90bb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5eae5b45-6bce-4bbd-9db2-275b45d7d329:0edd5ba7-5679-4903-8b1a-9b52a84763e4", + "type": "index-pattern" + }, + { + "id": "system-fleet-pkg-system-default", + "name": "tag-ref-fleet-pkg-system-default", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/kibana/dashboard/system-Logs-syslog-dashboard.json b/test/packages/parallel/system/kibana/dashboard/system-Logs-syslog-dashboard.json new file mode 100644 index 000000000..7e4004c87 --- /dev/null +++ b/test/packages/parallel/system/kibana/dashboard/system-Logs-syslog-dashboard.json 
@@ -0,0 +1,370 @@ +{ + "attributes": { + "description": "Syslog dashboard from the Logs System integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "columns": [ + "host.hostname", + "process.name", + "message" + ], + "enhancements": {}, + "sort": [ + "@timestamp", + "desc" + ] + }, + "gridData": { + "h": 28, + "i": "3", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "3", + "panelRefName": "panel_3", + "type": "search", + "version": "8.1.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": {} + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "[Syslog](#/dashboard/system-Logs-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)" + }, + "title": "Dashboards [Logs System]", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 4, + "i": "4", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "4", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-15m", + "to": "now" + }, + "useNormalizedEsInterval": true, + "used_interval": "30s" + }, + "schema": "segment", + "type": "date_histogram" + }, + { + 
"enabled": true, + "id": "3", + "params": { + "field": "host.hostname", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "searchSource": { + "filter": [] + } + }, + "description": "", + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "defaultYExtents": false, + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "legendSize": "auto", + "maxLegendLines": 1, + "mode": "stacked", + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "scale": "linear", + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "setYExtents": false, + "shareYAxis": true, + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ], + "yAxis": {} + }, + "type": "histogram", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 16, + "i": 
"1c0a80d4-cd4d-488a-a06d-e9b816e733a8", + "w": 32, + "x": 0, + "y": 4 + }, + "panelIndex": "1c0a80d4-cd4d-488a-a06d-e9b816e733a8", + "title": "Syslog events by hostname [Logs System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "host.hostname", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "process.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "searchSource": { + "filter": [] + } + }, + "description": "", + "params": { + "addLegend": true, + "addTooltip": true, + "distinctColors": true, + "emptySizeRatio": 0.3, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "bottom", + "legendSize": "auto", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "shareYAxis": true, + "truncateLegend": true, + "type": "pie" + }, + "type": "pie", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 16, + "i": "30ce1a8d-6460-45b6-be1a-841db5ca7c8b", + "w": 16, + "x": 32, + "y": 4 + }, + "panelIndex": "30ce1a8d-6460-45b6-be1a-841db5ca7c8b", + "title": "Syslog hostnames and processes [Logs System]", + "type": "visualization", + "version": "8.6.0" + } + ], + "timeRestore": false, + 
"title": "[Logs System] Syslog dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.6.1", + "created_at": "2023-03-23T04:03:56.987Z", + "id": "system-Logs-syslog-dashboard", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "system-Syslog-system-logs", + "name": "3:panel_3", + "type": "search" + }, + { + "id": "system-Syslog-system-logs", + "name": "1c0a80d4-cd4d-488a-a06d-e9b816e733a8:search_0", + "type": "search" + }, + { + "id": "system-Syslog-system-logs", + "name": "30ce1a8d-6460-45b6-be1a-841db5ca7c8b:search_0", + "type": "search" + }, + { + "id": "system-fleet-pkg-system-default", + "name": "tag-ref-fleet-pkg-system-default", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/dashboard/system-Metrics-system-overview.json b/test/packages/parallel/system/kibana/dashboard/system-Metrics-system-overview.json new file mode 100644 index 000000000..dfef489de --- /dev/null +++ b/test/packages/parallel/system/kibana/dashboard/system-Metrics-system-overview.json 
@@ -0,0 +1,1406 @@ +{ + "attributes": { + "description": "Overview of system metrics", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "# System overview\n\nTo view host details, select a host from the list below by clicking the respective label.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 6, + "i": "471f7546-e704-4a38-a041-d8b11869d7cc", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "471f7546-e704-4a38-a041-d8b11869d7cc", + "title": "System Navigation [Metrics System]", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.memory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.memory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "" + }, + "gauge_color_rules": [ + { + "gauge": "rgba(32,146,128,1)", + "id": 
"a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b", + "operator": "gte", + "value": 0 + }, + { + "gauge": "rgba(214,191,87,1)", + "id": "b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b", + "operator": "gte", + "value": 0.7 + }, + { + "gauge": "rgba(204,86,66,1)", + "id": "c06e9550-1b91-11e7-bec4-a5e9ec5cab8b", + "operator": "gte", + "value": 0.85 + }, + { + "gauge": "rgba(32,146,128,1)", + "id": "4bbf6453-9bd4-4ab7-aa12-5a7ed6306651", + "operator": "empty", + "value": null + } + ], + "gauge_inner_width": 10, + "gauge_max": "1", + "gauge_style": "half", + "gauge_width": 10, + "hide_last_value_indicator": true, + "id": "9f51b730-1b91-11e7-bec4-a5e9ec5cab8b", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(84,179,153,1)", + "fill": 0.5, + "formatter": "percent", + "id": "9f51b731-1b91-11e7-bec4-a5e9ec5cab8b", + "label": "Memory Usage", + "line_width": 1, + "metrics": [ + { + "field": "system.memory.actual.used.pct", + "id": "9f51b732-1b91-11e7-bec4-a5e9ec5cab8b", + "type": "avg" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "last_value", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "gauge", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 13, + "i": "aa7fddcf-8146-4d85-b3d7-d37a99a5ff32", + "w": 9, + "x": 0, + "y": 6 + }, + "panelIndex": "aa7fddcf-8146-4d85-b3d7-d37a99a5ff32", + "title": "", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, 
+ "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.cpu" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.cpu" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "" + }, + "gauge_color_rules": [ + { + "gauge": "rgba(32,146,128,1)", + "id": "4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b", + "operator": "gte", + "value": 0 + }, + { + "gauge": "rgba(214,191,87,1)", + "id": "e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b", + "operator": "gte", + "value": 0.7 + }, + { + "gauge": "rgba(204,86,66,1)", + "id": "ec655040-1b91-11e7-bec4-a5e9ec5cab8b", + "operator": "gte", + "value": 0.85 + }, + { + "gauge": "rgba(32,146,128,1)", + "id": "860f8db7-6191-4519-8d2a-c51f2a95c2bc", + "operator": "empty", + "value": null + } + ], + "gauge_inner_width": 10, + "gauge_max": "1", + "gauge_style": "half", + "gauge_width": 10, + "hide_last_value_indicator": true, + "id": "4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "percent", + "id": "4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b", + "label": "CPU Usage", + "line_width": 1, + "metrics": [ + { + "field": "system.cpu.total.norm.pct", + "id": "4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b", + "type": "avg" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + 
"time_field": "@timestamp", + "time_range_mode": "last_value", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "gauge", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 13, + "i": "9fc7a050-de1b-495b-8ca7-2a852ed5a28c", + "w": 9, + "x": 9, + "y": 6 + }, + "panelIndex": "9fc7a050-de1b-495b-8ca7-2a852ed5a28c", + "title": "", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.cpu" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.cpu" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "bar_color_rules": [ + { + "bar_color": "rgba(32,146,128,1)", + "id": "6131bb70-2938-11ed-a1c4-3f04ff5e1036", + "operator": "gte", + "value": 0 + }, + { + "bar_color": "rgba(214,191,87,1)", + "id": "b048c5a0-2938-11ed-a1c4-3f04ff5e1036", + "operator": "gte", + "value": 0.7 + }, + { + "bar_color": "rgba(204,86,66,1)", + "id": "b84aa340-2938-11ed-a1c4-3f04ff5e1036", + "operator": "gte", + "value": 0.85 + }, + { + "bar_color": "rgba(32,146,128,1)", + "id": "c0f1c190-2938-11ed-a1c4-3f04ff5e1036", + "operator": "empty", + "value": null + } + ], + "drilldown_url": "../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\"{{key}}\"'))", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "" + }, + "id": 
"f85dd7f0-6f50-4ca3-b431-a8332b12f516", + "index_pattern_ref_name": "metrics_d85621b3-cf7e-4019-83ae-3a1e06d9933f_0_index_pattern", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "percent", + "id": "0fa4599f-6d53-4f7e-a508-b10debeae3a7", + "line_width": 1, + "metrics": [ + { + "field": "system.cpu.user.norm.pct", + "id": "20916733-fe1d-4854-8f60-7da167023e8a", + "type": "avg" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "terms", + "stacked": "none", + "terms_field": "host.name", + "terms_order_by": "20916733-fe1d-4854-8f60-7da167023e8a", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "last_value", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "top_n", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 13, + "i": "d85621b3-cf7e-4019-83ae-3a1e06d9933f", + "w": 30, + "x": 18, + "y": 6 + }, + "panelIndex": "d85621b3-cf7e-4019-83ae-3a1e06d9933f", + "title": "Top Hosts by CPU", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6a26e3ad-990f-42a2-82fd-f147b1ede3b0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "6a26e3ad-990f-42a2-82fd-f147b1ede3b0": { + "columnOrder": [ + "6702f512-7df6-4b95-892c-200bafa8bd0e", + "6702f512-7df6-4b95-892c-200bafa8bd0eX0" + ], + "columns": { + 
"6702f512-7df6-4b95-892c-200bafa8bd0e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Hosts", + "operationType": "formula", + "params": { + "formula": "unique_count(host.name)", + "isFormulaBroken": false + }, + "references": [ + "6702f512-7df6-4b95-892c-200bafa8bd0eX0" + ], + "scale": "ratio" + }, + "6702f512-7df6-4b95-892c-200bafa8bd0eX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Hosts", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "host.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "6702f512-7df6-4b95-892c-200bafa8bd0e", + "layerId": "6a26e3ad-990f-42a2-82fd-f147b1ede3b0", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "type": "lens" + }, + "gridData": { + "h": 12, + "i": "f95d2a8f-0ec2-4252-b3e8-8771b9165241", + "w": 9, + "x": 0, + "y": 19 + }, + "panelIndex": "f95d2a8f-0ec2-4252-b3e8-8771b9165241", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.fsstat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.fsstat" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 1, + "filter": { + "language": 
"kuery", + "query": "" + }, + "gauge_color_rules": [ + { + "gauge": "rgba(32,146,128,1)", + "id": "51921d10-4d1d-11e7-b5f2-2b7c1895bf32", + "operator": "gte", + "value": 0 + }, + { + "gauge": "rgba(214,191,87,1)", + "id": "f26de750-4d54-11e7-b5f2-2b7c1895bf32", + "operator": "gte", + "value": 0.7 + }, + { + "gauge": "rgba(204,86,66,1)", + "id": "fa31d190-4d54-11e7-b5f2-2b7c1895bf32", + "operator": "gte", + "value": 0.85 + }, + { + "gauge": "rgba(32,146,128,1)", + "id": "79158349-1f03-4701-8ecc-c882c2b13ff3", + "operator": "empty", + "value": null + } + ], + "gauge_inner_width": 10, + "gauge_max": "1", + "gauge_style": "half", + "gauge_width": 10, + "hide_last_value_indicator": true, + "id": "4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32", + "index_pattern": "metrics-*", + "interval": "auto", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "percent", + "id": "4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32", + "label": "Disk usage", + "line_width": 1, + "metrics": [ + { + "agg_with": "avg", + "field": "system.fsstat.total_size.used", + "id": "4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32", + "order": "desc", + "order_by": "@timestamp", + "size": 1, + "type": "top_hit" + }, + { + "agg_with": "avg", + "field": "system.fsstat.total_size.total", + "id": "57c96ee0-4d54-11e7-b5f2-2b7c1895bf32", + "order": "desc", + "order_by": "@timestamp", + "size": 1, + "type": "top_hit" + }, + { + "id": "6304cca0-4d54-11e7-b5f2-2b7c1895bf32", + "script": "params.used/params.total ", + "type": "math", + "variables": [ + { + "field": "4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32", + "id": "6da10430-4d54-11e7-b5f2-2b7c1895bf32", + "name": "used" + }, + { + "field": "57c96ee0-4d54-11e7-b5f2-2b7c1895bf32", + "id": "73b8c510-4d54-11e7-b5f2-2b7c1895bf32", + "name": "total" + } + ] + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": 
"none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "last_value", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "gauge", + "use_kibana_indexes": false + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 12, + "i": "4a59a56e-e5fd-4ff3-b2f0-8a1c07be572b", + "w": 9, + "x": 9, + "y": 19 + }, + "panelIndex": "4a59a56e-e5fd-4ff3-b2f0-8a1c07be572b", + "title": "", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.memory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.memory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "bar_color_rules": [ + { + "bar_color": "rgba(32,146,128,1)", + "id": "6131bb70-2938-11ed-a1c4-3f04ff5e1036", + "operator": "gte", + "value": 0 + }, + { + "bar_color": "rgba(214,191,87,1)", + "id": "b048c5a0-2938-11ed-a1c4-3f04ff5e1036", + "operator": "gte", + "value": 0.7 + }, + { + "bar_color": "rgba(204,86,66,1)", + "id": "b84aa340-2938-11ed-a1c4-3f04ff5e1036", + "operator": "gte", + "value": 0.85 + }, + { + "bar_color": "rgba(32,146,128,1)", + "id": "c0f1c190-2938-11ed-a1c4-3f04ff5e1036", + "operator": "empty", + "value": null + } + ], + "drilldown_url": "../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\"{{key}}\"'))", + 
"drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "" + }, + "id": "f85dd7f0-6f50-4ca3-b431-a8332b12f516", + "index_pattern_ref_name": "metrics_72f0915f-db77-4d67-b92b-ed8cdd97e1aa_0_index_pattern", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "percent", + "id": "0fa4599f-6d53-4f7e-a508-b10debeae3a7", + "line_width": 1, + "metrics": [ + { + "field": "system.memory.actual.used.pct", + "id": "20916733-fe1d-4854-8f60-7da167023e8a", + "type": "avg" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "terms", + "stacked": "none", + "terms_field": "host.name", + "terms_order_by": "20916733-fe1d-4854-8f60-7da167023e8a", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "last_value", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "top_n", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 12, + "i": "72f0915f-db77-4d67-b92b-ed8cdd97e1aa", + "w": 30, + "x": 18, + "y": 19 + }, + "panelIndex": "72f0915f-db77-4d67-b92b-ed8cdd97e1aa", + "title": "Top Hosts by Memory", + "type": "visualization", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-13084d12-8f45-4ff7-84ff-1aa82f6e91d4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "6a4289ad-9ff1-40c9-aeff-f102d2251bba", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + 
"layers": { + "13084d12-8f45-4ff7-84ff-1aa82f6e91d4": { + "columnOrder": [ + "3a15aec4-8bda-4361-8807-6f4cf5d2246b", + "9f4265d2-4b84-419e-a1b6-58cfcb6f6ffc", + "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb" + ], + "columns": { + "3a15aec4-8bda-4361-8807-6f4cf5d2246b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Hosts", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "host.name" + }, + "9f4265d2-4b84-419e-a1b6-58cfcb6f6ffc": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "CPU Usage", + "operationType": "average", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "system.cpu.user.norm.pct" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "6a4289ad-9ff1-40c9-aeff-f102d2251bba", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.cpu" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.cpu" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "gridConfig": { + "isCellLabelVisible": false, + "isXAxisLabelVisible": true, + "isXAxisTitleVisible": false, + "isYAxisLabelVisible": true, + "isYAxisTitleVisible": false, + "type": "heatmap_grid" + }, + "layerId": 
"13084d12-8f45-4ff7-84ff-1aa82f6e91d4", + "layerType": "data", + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right", + "type": "heatmap_legend" + }, + "palette": { + "accessor": "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb", + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#d9dada", + "stop": 0 + }, + { + "color": "#d6bf57", + "stop": 0.7 + }, + { + "color": "#cc5642", + "stop": 0.85 + } + ], + "continuity": "above", + "name": "custom", + "rangeMax": null, + "rangeMin": 0, + "rangeType": "number", + "reverse": false, + "steps": 5, + "stops": [ + { + "color": "#d9dada", + "stop": 0.7 + }, + { + "color": "#d6bf57", + "stop": 0.85 + }, + { + "color": "#cc5642", + "stop": 1.85 + } + ] + }, + "type": "palette" + }, + "shape": "heatmap", + "valueAccessor": "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb", + "xAccessor": "9f4265d2-4b84-419e-a1b6-58cfcb6f6ffc", + "yAccessor": "3a15aec4-8bda-4361-8807-6f4cf5d2246b" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsHeatmap" + }, + "enhancements": { + "dynamicActions": { + "events": [ + { + "action": { + "config": { + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "factoryId": "DASHBOARD_TO_DASHBOARD_DRILLDOWN", + "name": "Host Overview" + }, + "eventId": "19bf22c3-97f5-4a71-8752-74cd3d5ec6f9", + "triggers": [ + "FILTER_TRIGGER" + ] + } + ] + } + }, + "type": "lens" + }, + "gridData": { + "h": 15, + "i": "e6f8fdab-5f7e-42b1-9093-36c017e0d26d", + "w": 48, + "x": 0, + "y": 31 + }, + "panelIndex": "e6f8fdab-5f7e-42b1-9093-36c017e0d26d", + "title": "Top Hosts by CPU Usage over time", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-13084d12-8f45-4ff7-84ff-1aa82f6e91d4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + 
"name": "33b2f4d6-9337-4d77-a45b-8debb9604323", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "13084d12-8f45-4ff7-84ff-1aa82f6e91d4": { + "columnOrder": [ + "3a15aec4-8bda-4361-8807-6f4cf5d2246b", + "9f4265d2-4b84-419e-a1b6-58cfcb6f6ffc", + "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb", + "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bbX0" + ], + "columns": { + "3a15aec4-8bda-4361-8807-6f4cf5d2246b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Hosts", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "host.name" + }, + "9f4265d2-4b84-419e-a1b6-58cfcb6f6ffc": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Memory Usage", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 0 + } + }, + "formula": "average(system.memory.actual.used.pct)", + "isFormulaBroken": false + }, + "references": [ + "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bbX0" + ], + "scale": "ratio" + }, + "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bbX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Memory Usage", + "operationType": "average", + "scale": "ratio", + "sourceField": "system.memory.actual.used.pct" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": 
"33b2f4d6-9337-4d77-a45b-8debb9604323", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "system.memory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "system.memory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "gridConfig": { + "isCellLabelVisible": false, + "isXAxisLabelVisible": true, + "isXAxisTitleVisible": false, + "isYAxisLabelVisible": true, + "isYAxisTitleVisible": false, + "type": "heatmap_grid" + }, + "layerId": "13084d12-8f45-4ff7-84ff-1aa82f6e91d4", + "layerType": "data", + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right", + "type": "heatmap_legend" + }, + "palette": { + "accessor": "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb", + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#d9dada", + "stop": 0 + }, + { + "color": "#d6bf57", + "stop": 0.7 + }, + { + "color": "#cc5642", + "stop": 0.85 + } + ], + "continuity": "above", + "name": "custom", + "rangeMax": null, + "rangeMin": 0, + "rangeType": "number", + "reverse": false, + "steps": 5, + "stops": [ + { + "color": "#d9dada", + "stop": 0.7 + }, + { + "color": "#d6bf57", + "stop": 0.85 + }, + { + "color": "#cc5642", + "stop": 1.85 + } + ] + }, + "type": "palette" + }, + "shape": "heatmap", + "valueAccessor": "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb", + "xAccessor": "9f4265d2-4b84-419e-a1b6-58cfcb6f6ffc", + "yAccessor": "3a15aec4-8bda-4361-8807-6f4cf5d2246b" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsHeatmap" + }, + "enhancements": { + "dynamicActions": { + "events": [ + { + "action": { + "config": { + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "factoryId": "DASHBOARD_TO_DASHBOARD_DRILLDOWN", + "name": "Host Overview" + }, + "eventId": "cb4db4a1-91ee-41e3-9f16-4b373cb189ad", + "triggers": [ + "FILTER_TRIGGER" + ] + } + ] + } + }, + "type": "lens" + }, + "gridData": { + "h": 16, + "i": 
"e6f6cabf-ecec-482f-b7b5-634e323e9a15", + "w": 48, + "x": 0, + "y": 46 + }, + "panelIndex": "e6f6cabf-ecec-482f-b7b5-634e323e9a15", + "title": "Top Hosts by Memory Usage over time", + "type": "lens", + "version": "8.6.0" + } + ], + "timeRestore": false, + "title": "[Metrics System] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.6.1", + "created_at": "2023-03-23T04:03:56.987Z", + "id": "system-Metrics-system-overview", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "metrics-*", + "name": "aa7fddcf-8146-4d85-b3d7-d37a99a5ff32:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9fc7a050-de1b-495b-8ca7-2a852ed5a28c:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d85621b3-cf7e-4019-83ae-3a1e06d9933f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d85621b3-cf7e-4019-83ae-3a1e06d9933f:metrics_d85621b3-cf7e-4019-83ae-3a1e06d9933f_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f95d2a8f-0ec2-4252-b3e8-8771b9165241:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f95d2a8f-0ec2-4252-b3e8-8771b9165241:indexpattern-datasource-layer-6a26e3ad-990f-42a2-82fd-f147b1ede3b0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "4a59a56e-e5fd-4ff3-b2f0-8a1c07be572b:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "72f0915f-db77-4d67-b92b-ed8cdd97e1aa:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "72f0915f-db77-4d67-b92b-ed8cdd97e1aa:metrics_72f0915f-db77-4d67-b92b-ed8cdd97e1aa_0_index_pattern", + "type": "index-pattern" + }, + { + 
"id": "metrics-*", + "name": "e6f8fdab-5f7e-42b1-9093-36c017e0d26d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e6f8fdab-5f7e-42b1-9093-36c017e0d26d:indexpattern-datasource-layer-13084d12-8f45-4ff7-84ff-1aa82f6e91d4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e6f8fdab-5f7e-42b1-9093-36c017e0d26d:6a4289ad-9ff1-40c9-aeff-f102d2251bba", + "type": "index-pattern" + }, + { + "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", + "name": "e6f8fdab-5f7e-42b1-9093-36c017e0d26d:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:19bf22c3-97f5-4a71-8752-74cd3d5ec6f9:dashboardId", + "type": "dashboard" + }, + { + "id": "metrics-*", + "name": "e6f6cabf-ecec-482f-b7b5-634e323e9a15:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e6f6cabf-ecec-482f-b7b5-634e323e9a15:indexpattern-datasource-layer-13084d12-8f45-4ff7-84ff-1aa82f6e91d4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e6f6cabf-ecec-482f-b7b5-634e323e9a15:33b2f4d6-9337-4d77-a45b-8debb9604323", + "type": "index-pattern" + }, + { + "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", + "name": "e6f6cabf-ecec-482f-b7b5-634e323e9a15:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:cb4db4a1-91ee-41e3-9f16-4b373cb189ad:dashboardId", + "type": "dashboard" + }, + { + "id": "system-fleet-pkg-system-default", + "name": "tag-ref-fleet-pkg-system-default", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/dashboard/system-Windows-Dashboard.json b/test/packages/parallel/system/kibana/dashboard/system-Windows-Dashboard.json new file mode 100644 index 000000000..b9772f6f9 --- /dev/null +++ b/test/packages/parallel/system/kibana/dashboard/system-Windows-Dashboard.json 
@@ -0,0 +1,815 @@ +{ + "attributes": { + "description": "Overview of all Windows Event Logs.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "system.application", + "system.security", + "system.system", + "windows.application", + "windows.forwarded", + "windows.powershell", + "windows.powershell_operational", + "windows.security", + "windows.sysmon_operational", + "windows.system", + "winlog.winlog" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "system.application" + } + }, + { + "match_phrase": { + "data_stream.dataset": "system.security" + } + }, + { + "match_phrase": { + "data_stream.dataset": "system.system" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.application" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.forwarded" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.powershell" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.powershell_operational" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.security" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.sysmon_operational" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.system" + } + }, + { + "match_phrase": { + "data_stream.dataset": "winlog.winlog" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + 
"filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "## **Windows Overview**", + "openLinksInNewTab": false + }, + "title": "User Logon Dashboard [Windows System Security]", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 5, + "i": "a631db29-cb48-4bfb-b9c9-77ea2baff486", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "a631db29-cb48-4bfb-b9c9-77ea2baff486", + "title": "", + "type": "visualization", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b8e30995-8308-4085-bebc-b744255d4471", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b8e30995-8308-4085-bebc-b744255d4471": { + "columnOrder": [ + "b76296f1-254e-44be-885c-dab598a5769a" + ], + "columns": { + "b76296f1-254e-44be-885c-dab598a5769a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b76296f1-254e-44be-885c-dab598a5769a", + "layerId": "b8e30995-8308-4085-bebc-b744255d4471", + "layerType": "data" + } + }, + "title": "Number of Events [Windows Overview]", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 20, + "i": "f1073adc-88c7-4213-947d-72d05705e81a", + "w": 12, + "x": 0, + "y": 5 + }, + "panelIndex": "f1073adc-88c7-4213-947d-72d05705e81a", + "title": "Number of Events [Windows Overview]", + "type": "lens", + "version": "8.7.0" + }, + { + 
"embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "**Windows Overview** | [User Logon Information](#/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/system-bb858830-f412-11e9-8405-516218e3d268)", + "openLinksInNewTab": false + }, + "title": "Dashboard links [Windows System Security]", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 5, + "i": "dadfa90b-35df-4cdb-8b7f-80b75ef8cb9b", + "w": 36, + "x": 12, + "y": 0 + }, + "panelIndex": "dadfa90b-35df-4cdb-8b7f-80b75ef8cb9b", + "title": "", + "type": "visualization", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5e87aee1-99b0-42aa-8b38-30ad57feda11", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5e87aee1-99b0-42aa-8b38-30ad57feda11": { + "columnOrder": [ + "c3110bfa-477d-4c3d-9483-a63044c42900", + "b3737588-4175-4ab0-b9da-23267d72fe70", + "b1b1cc91-e400-414c-90b7-912cd62a404a" + ], + "columns": { + "b1b1cc91-e400-414c-90b7-912cd62a404a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "b3737588-4175-4ab0-b9da-23267d72fe70": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Channel", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + 
"includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b1b1cc91-e400-414c-90b7-912cd62a404a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 6 + }, + "scale": "ordinal", + "sourceField": "winlog.channel" + }, + "c3110bfa-477d-4c3d-9483-a63044c42900": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "curveType": "LINEAR", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": -90 + }, + "layers": [ + { + "accessors": [ + "b1b1cc91-e400-414c-90b7-912cd62a404a" + ], + "isHistogram": true, + "layerId": "5e87aee1-99b0-42aa-8b38-30ad57feda11", + "layerType": "data", + "seriesType": "bar_stacked", + "simpleView": false, + "splitAccessor": "b3737588-4175-4ab0-b9da-23267d72fe70", + "xAccessor": "c3110bfa-477d-4c3d-9483-a63044c42900", + "xScaleType": "time", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "b1b1cc91-e400-414c-90b7-912cd62a404a" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "showCurrentTimeMarker": false, + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": false, + "yLeftExtent": { + 
"enforce": true, + "mode": "full" + }, + "yLeftScale": "linear", + "yRightScale": "linear", + "yTitle": "Count" + } + }, + "title": "Number of Events Over Time By Channel [Windows Overview]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 20, + "i": "57c36a54-2c5c-4ca5-ae9a-b2a9b71423cc", + "w": 36, + "x": 12, + "y": 5 + }, + "panelIndex": "57c36a54-2c5c-4ca5-ae9a-b2a9b71423cc", + "title": "Number of Events Over Time By Channel [Windows Overview]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f91444b8-f989-4d50-9791-659f63b410a6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f91444b8-f989-4d50-9791-659f63b410a6": { + "columnOrder": [ + "d79151d8-0464-460f-985d-7710afd65951", + "f823b376-2c3e-4893-befa-3d99b5e4b54d" + ], + "columns": { + "d79151d8-0464-460f-985d-7710afd65951": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "winlog.provider_name: Descending", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f823b376-2c3e-4893-befa-3d99b5e4b54d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 7 + }, + "scale": "ordinal", + "sourceField": "winlog.provider_name" + }, + "f823b376-2c3e-4893-befa-3d99b5e4b54d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + 
"internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "hide", + "emptySizeRatio": 0.3, + "layerId": "f91444b8-f989-4d50-9791-659f63b410a6", + "layerType": "data", + "legendDisplay": "hide", + "legendMaxLines": 1, + "legendPosition": "right", + "legendSize": "auto", + "metrics": [ + "f823b376-2c3e-4893-befa-3d99b5e4b54d" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "percentDecimals": 2, + "primaryGroups": [ + "d79151d8-0464-460f-985d-7710afd65951" + ], + "secondaryGroups": [], + "showValuesInLegend": true, + "truncateLegend": true + } + ], + "shape": "pie" + } + }, + "title": "Sources (Provider Names) [Windows Overview]", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 20, + "i": "49364a81-aad0-4123-9b41-e29cc0d20211", + "w": 16, + "x": 0, + "y": 25 + }, + "panelIndex": "49364a81-aad0-4123-9b41-e29cc0d20211", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-92b81c04-c009-42b2-a123-cbb40bacb21b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "92b81c04-c009-42b2-a123-cbb40bacb21b": { + "columnOrder": [ + "59206405-b932-4821-894f-0e7df0c64c49", + "72e6c0f0-dd8b-4557-a0a1-282c3a527bff" + ], + "columns": { + "59206405-b932-4821-894f-0e7df0c64c49": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event IDs", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "72e6c0f0-dd8b-4557-a0a1-282c3a527bff", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": 
"ordinal", + "sourceField": "winlog.event_id" + }, + "72e6c0f0-dd8b-4557-a0a1-282c3a527bff": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "72e6c0f0-dd8b-4557-a0a1-282c3a527bff" + }, + { + "alignment": "left", + "columnId": "59206405-b932-4821-894f-0e7df0c64c49" + } + ], + "headerRowHeight": "single", + "layerId": "92b81c04-c009-42b2-a123-cbb40bacb21b", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "Top Event IDs [Windows Overview]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 20, + "i": "24dc70bf-961d-43d5-bbaf-b596523308d8", + "w": 16, + "x": 16, + "y": 25 + }, + "panelIndex": "24dc70bf-961d-43d5-bbaf-b596523308d8", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-948e4465-d614-4c5c-845c-e2cc11f14b14", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "948e4465-d614-4c5c-845c-e2cc11f14b14": { + "columnOrder": [ + "a86889ec-ce6a-4b72-90f2-73cdcdf5af59", + "3c6aceef-e72a-484a-a9b4-c9ccabad0da8" + ], + "columns": { + "3c6aceef-e72a-484a-a9b4-c9ccabad0da8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + 
"a86889ec-ce6a-4b72-90f2-73cdcdf5af59": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Log Levels", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3c6aceef-e72a-484a-a9b4-c9ccabad0da8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "log.level" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "3c6aceef-e72a-484a-a9b4-c9ccabad0da8" + }, + { + "alignment": "left", + "columnId": "a86889ec-ce6a-4b72-90f2-73cdcdf5af59" + } + ], + "headerRowHeight": "single", + "layerId": "948e4465-d614-4c5c-845c-e2cc11f14b14", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "Event Levels [Windows Overview]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 20, + "i": "8f939618-5923-43d4-9b23-57f7d21b4908", + "w": 16, + "x": 32, + "y": 25 + }, + "panelIndex": "8f939618-5923-43d4-9b23-57f7d21b4908", + "type": "lens", + "version": "8.7.0" + } + ], + "timeRestore": false, + "title": "[System] Windows Overview", + "version": 1 + }, + "coreMigrationVersion": "8.7.1", + "created_at": "2023-05-04T21:59:59.346Z", + "id": "system-Windows-Dashboard", + "migrationVersion": { + "dashboard": "8.7.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"f1073adc-88c7-4213-947d-72d05705e81a:indexpattern-datasource-layer-b8e30995-8308-4085-bebc-b744255d4471", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "57c36a54-2c5c-4ca5-ae9a-b2a9b71423cc:indexpattern-datasource-layer-5e87aee1-99b0-42aa-8b38-30ad57feda11", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "49364a81-aad0-4123-9b41-e29cc0d20211:indexpattern-datasource-layer-f91444b8-f989-4d50-9791-659f63b410a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "24dc70bf-961d-43d5-bbaf-b596523308d8:indexpattern-datasource-layer-92b81c04-c009-42b2-a123-cbb40bacb21b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8f939618-5923-43d4-9b23-57f7d21b4908:indexpattern-datasource-layer-948e4465-d614-4c5c-845c-e2cc11f14b14", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json b/test/packages/parallel/system/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json new file mode 100644 index 000000000..8cd88e122 --- /dev/null +++ b/test/packages/parallel/system/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json 
@@ -0,0 +1,1592 @@ +{ + "attributes": { + "description": "User logon activity dashboard.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "system.security", + "windows.forwarded", + "windows.security" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "system.security" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.forwarded" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.security" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0eeae7e3-4be6-439a-8d11-e248d89729c7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6c0aae98-74e3-48f0-bfe4-01114857e9ea", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0eeae7e3-4be6-439a-8d11-e248d89729c7": { + "columnOrder": [ + "6c20c34d-d053-4d81-9dc7-015ef4065cc8", + 
"011f8ab2-fbac-408d-b01a-100820072975", + "865f73fe-058f-468a-b4dc-e67be53b290b", + "bcb7b474-2877-4665-a58e-58279b2a85a0", + "a2383fe5-f58b-45bd-bc84-7750f113121e" + ], + "columns": { + "011f8ab2-fbac-408d-b01a-100820072975": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a2383fe5-f58b-45bd-bc84-7750f113121e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "6c20c34d-d053-4d81-9dc7-015ef4065cc8": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Date", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "865f73fe-058f-468a-b4dc-e67be53b290b": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "# Thread", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a2383fe5-f58b-45bd-bc84-7750f113121e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.process.thread.id" + }, + "a2383fe5-f58b-45bd-bc84-7750f113121e": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "bcb7b474-2877-4665-a58e-58279b2a85a0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": 
"LogonID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a2383fe5-f58b-45bd-bc84-7750f113121e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "6c0aae98-74e3-48f0-bfe4-01114857e9ea", + "key": "event.code", + "negate": false, + "params": [ + "4672" + ], + "type": "phrases", + "value": "4672" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4672" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "a2383fe5-f58b-45bd-bc84-7750f113121e" + }, + { + "alignment": "left", + "columnId": "6c20c34d-d053-4d81-9dc7-015ef4065cc8" + }, + { + "alignment": "left", + "columnId": "011f8ab2-fbac-408d-b01a-100820072975" + }, + { + "alignment": "left", + "columnId": "865f73fe-058f-468a-b4dc-e67be53b290b" + }, + { + "alignment": "left", + "columnId": "bcb7b474-2877-4665-a58e-58279b2a85a0" + } + ], + "headerRowHeight": "single", + "layerId": "0eeae7e3-4be6-439a-8d11-e248d89729c7", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "Logged on Administrators [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 28, + "i": "1", + "w": 18, + "x": 0, + "y": 34 + }, + "panelIndex": "1", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + 
"attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7a52b543-0c01-4543-9ed6-a89dfbdd8b87", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c92cd2bc-c3a2-40cf-8932-aa33cee31978", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7a52b543-0c01-4543-9ed6-a89dfbdd8b87": { + "columnOrder": [ + "c1fa9bb2-329d-452b-9aea-8019bbedf069", + "6d33622e-b154-4aee-91af-31f692da9922" + ], + "columns": { + "6d33622e-b154-4aee-91af-31f692da9922": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique count of winlog.logon.id", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "winlog.logon.id" + }, + "c1fa9bb2-329d-452b-9aea-8019bbedf069": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user.name: Descending", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6d33622e-b154-4aee-91af-31f692da9922", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "c92cd2bc-c3a2-40cf-8932-aa33cee31978", + "key": "event.code", + "negate": false, + "params": { + "query": "4672" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4672", + "type": "phrase" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "hide", + 
"emptySizeRatio": 0.3, + "layerId": "7a52b543-0c01-4543-9ed6-a89dfbdd8b87", + "layerType": "data", + "legendDisplay": "show", + "legendMaxLines": 1, + "legendPosition": "bottom", + "legendSize": "auto", + "metrics": [ + "6d33622e-b154-4aee-91af-31f692da9922" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "percentDecimals": 2, + "primaryGroups": [ + "c1fa9bb2-329d-452b-9aea-8019bbedf069" + ], + "secondaryGroups": [], + "showValuesInLegend": true, + "truncateLegend": true + } + ], + "shape": "pie" + } + }, + "title": "Administrator Users [Windows System Security]", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 18, + "i": "3", + "w": 18, + "x": 0, + "y": 16 + }, + "panelIndex": "3", + "title": "Administrator Users [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "## **Logon Information Dashboard**", + "openLinksInNewTab": false + }, + "title": "User Logon Dashboard [Windows System Security]", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 6, + "i": "4", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "4", + "title": "", + "type": "visualization", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 46, + "i": "10", + "w": 23, + "x": 0, + "y": 62 + }, + "panelIndex": "10", + "panelRefName": "panel_10", + "title": "Logon Details", + "type": "search", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + 
"markdown": "[Windows Overview](#/dashboard/system-Windows-Dashboard) | **User Logon Information** | [Logon Failed and Account Lockout](#/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/system-bb858830-f412-11e9-8405-516218e3d268)", + "openLinksInNewTab": false + }, + "title": "Dashboard links [Windows System Security]", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 6, + "i": "34fc9633-8a7c-444d-8d19-06095b55fb43", + "w": 36, + "x": 12, + "y": 0 + }, + "panelIndex": "34fc9633-8a7c-444d-8d19-06095b55fb43", + "title": "", + "type": "visualization", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "3dfd861c-68d7-44e0-9755-de21ecd15ba1": { + "columnOrder": [ + "a278011b-444a-4e01-af26-6395f2f54bf1" + ], + "columns": { + "a278011b-444a-4e01-af26-6395f2f54bf1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \"4672\")" + }, + "isBucketed": false, + "label": "Administrator Logons", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-3dfd861c-68d7-44e0-9755-de21ecd15ba1", + "type": 
"index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "a278011b-444a-4e01-af26-6395f2f54bf1", + "layerId": "3dfd861c-68d7-44e0-9755-de21ecd15ba1", + "layerType": "data" + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 10, + "i": "f2925b5d-a820-428f-83dc-a547186bcbe6", + "w": 9, + "x": 0, + "y": 6 + }, + "panelIndex": "f2925b5d-a820-428f-83dc-a547186bcbe6", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "83d20141-1b90-44a1-ac90-a024a460e2f7": { + "columnOrder": [ + "f6e7fa4a-d41d-41e3-b8cb-112a3d34d3be" + ], + "columns": { + "f6e7fa4a-d41d-41e3-b8cb-112a3d34d3be": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \"4624\")" + }, + "isBucketed": false, + "label": "Logons ", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-83d20141-1b90-44a1-ac90-a024a460e2f7", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": 
"f6e7fa4a-d41d-41e3-b8cb-112a3d34d3be", + "layerId": "83d20141-1b90-44a1-ac90-a024a460e2f7", + "layerType": "data" + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 10, + "i": "b6b45344-9881-4adf-ae69-4b892d976e63", + "w": 9, + "x": 9, + "y": 6 + }, + "panelIndex": "b6b45344-9881-4adf-ae69-4b892d976e63", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "e6fef655-e731-4662-95d5-1d528e81aa31": { + "columnOrder": [ + "d2c3177a-a480-4200-9cd1-e40f87f81192", + "23784821-7b5a-4a62-ba6f-000d1600ac1f", + "c496f94a-303f-4786-a5cf-16ffbda12881" + ], + "columns": { + "23784821-7b5a-4a62-ba6f-000d1600ac1f": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "event.code: \"4672\"" + }, + "label": "Admin logons" + }, + { + "input": { + "language": "kuery", + "query": "event.code: \"4624\"" + }, + "label": "Logon Events" + } + ] + }, + "scale": "ordinal" + }, + "c496f94a-303f-4786-a5cf-16ffbda12881": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d2c3177a-a480-4200-9cd1-e40f87f81192": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, 
+ "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-e6fef655-e731-4662-95d5-1d528e81aa31", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fillOpacity": 0.5, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "c496f94a-303f-4786-a5cf-16ffbda12881" + ], + "layerId": "e6fef655-e731-4662-95d5-1d528e81aa31", + "layerType": "data", + "seriesType": "line", + "splitAccessor": "23784821-7b5a-4a62-ba6f-000d1600ac1f", + "xAccessor": "d2c3177a-a480-4200-9cd1-e40f87f81192", + "yConfig": [ + { + "axisMode": "left", + "color": "#68BC00", + "forAccessor": "c496f94a-303f-4786-a5cf-16ffbda12881" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear" + } + }, + "title": "Logon Events Timeline", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "e6bde0c0-6365-4c2a-b6d1-232e936d592e", + "w": 30, + "x": 18, + "y": 6 + }, + "panelIndex": "e6bde0c0-6365-4c2a-b6d1-232e936d592e", + "title": "Logon Events Timeline", + "type": "lens", + "version": 
"8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-674fcc58-08d6-4ab5-b6cb-671d86391a1f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0b35b218-725a-492d-8a26-fc07ece4cefa", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "674fcc58-08d6-4ab5-b6cb-671d86391a1f": { + "columnOrder": [ + "d3920133-e719-4f21-96b0-de104644c62d", + "c5eeb90d-c93c-45c6-a105-cd6dd7de45c9" + ], + "columns": { + "c5eeb90d-c93c-45c6-a105-cd6dd7de45c9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique count of winlog.logon.id", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "winlog.logon.id" + }, + "d3920133-e719-4f21-96b0-de104644c62d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "winlog.logon.type: Descending", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c5eeb90d-c93c-45c6-a105-cd6dd7de45c9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.type" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "0b35b218-725a-492d-8a26-fc07ece4cefa", + "key": "event.code", + "negate": false, + "params": { + "query": "4624" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.code": "4624" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + 
"categoryDisplay": "hide", + "emptySizeRatio": 0.3, + "layerId": "674fcc58-08d6-4ab5-b6cb-671d86391a1f", + "layerType": "data", + "legendDisplay": "show", + "legendMaxLines": 1, + "legendPosition": "right", + "legendSize": "auto", + "metrics": [ + "c5eeb90d-c93c-45c6-a105-cd6dd7de45c9" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "percentDecimals": 2, + "primaryGroups": [ + "d3920133-e719-4f21-96b0-de104644c62d" + ], + "secondaryGroups": [], + "showValuesInLegend": true, + "truncateLegend": true + } + ], + "shape": "pie" + } + }, + "title": "Logon Types [Windows System Security]", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0", + "w": 15, + "x": 18, + "y": 19 + }, + "panelIndex": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0", + "title": "Logon Types [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-00652829-18f8-4bed-9423-c1b08879fa96", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b48f02eb-a573-4758-a23f-ab02a2379751", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "00652829-18f8-4bed-9423-c1b08879fa96": { + "columnOrder": [ + "028821e7-2e7e-4604-ac9d-25e9d90bbb0d", + "0d65d110-92d0-42b0-a150-f5d7c154122c" + ], + "columns": { + "028821e7-2e7e-4604-ac9d-25e9d90bbb0d": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Logon Source IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "0d65d110-92d0-42b0-a150-f5d7c154122c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + 
"id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "0d65d110-92d0-42b0-a150-f5d7c154122c": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "b48f02eb-a573-4758-a23f-ab02a2379751", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "windows.security", + "system.security" + ], + "type": "phrases", + "value": [ + "windows.security", + "system.security" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "windows.security" + } + }, + { + "match_phrase": { + "data_stream.dataset": "system.security" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "0d65d110-92d0-42b0-a150-f5d7c154122c" + ], + "layerId": "00652829-18f8-4bed-9423-c1b08879fa96", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "028821e7-2e7e-4604-ac9d-25e9d90bbb0d" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + 
"type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "2ccb4f49-c9ee-48a0-b602-f86fa0e21504", + "w": 15, + "x": 33, + "y": 19 + }, + "panelIndex": "2ccb4f49-c9ee-48a0-b602-f86fa0e21504", + "title": "Logon Sources [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 28, + "i": "454bb008-9720-455e-8ab9-b2f47d25aa4f", + "w": 18, + "x": 18, + "y": 34 + }, + "panelIndex": "454bb008-9720-455e-8ab9-b2f47d25aa4f", + "panelRefName": "panel_454bb008-9720-455e-8ab9-b2f47d25aa4f", + "title": "RDP Reconnections and Desconnections", + "type": "search", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4a1aa374-6802-4ad3-aaa8-5178d0944859", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d5b55106-1b94-4e5d-af4a-30edbe70102e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4a1aa374-6802-4ad3-aaa8-5178d0944859": { + "columnOrder": [ + "8bb80378-dfd5-4dbc-bc6c-6a311530b1f0", + "71ed13d3-5581-4cb5-a9fd-c2137e961d1e", + "c46bc820-0dbe-4560-8250-1c4c414bbfc0", + "8602e508-3dc5-4e7e-a87e-8fd9ddf7b1d9", + "c8f202eb-e9fe-469f-8a65-72c55a8755f9" + ], + "columns": { + "71ed13d3-5581-4cb5-a9fd-c2137e961d1e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "subjectUserName", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c8f202eb-e9fe-469f-8a65-72c55a8755f9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": 
"winlog.event_data.SubjectUserName" + }, + "8602e508-3dc5-4e7e-a87e-8fd9ddf7b1d9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "LogonID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c8f202eb-e9fe-469f-8a65-72c55a8755f9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + }, + "8bb80378-dfd5-4dbc-bc6c-6a311530b1f0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c8f202eb-e9fe-469f-8a65-72c55a8755f9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 200 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "c46bc820-0dbe-4560-8250-1c4c414bbfc0": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "source.ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c8f202eb-e9fe-469f-8a65-72c55a8755f9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "c8f202eb-e9fe-469f-8a65-72c55a8755f9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + 
}, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d5b55106-1b94-4e5d-af4a-30edbe70102e", + "key": "event.code", + "negate": false, + "params": { + "query": "4648" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.code": "4648" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "c8f202eb-e9fe-469f-8a65-72c55a8755f9" + }, + { + "alignment": "left", + "columnId": "8bb80378-dfd5-4dbc-bc6c-6a311530b1f0" + }, + { + "alignment": "left", + "columnId": "71ed13d3-5581-4cb5-a9fd-c2137e961d1e" + }, + { + "alignment": "left", + "columnId": "c46bc820-0dbe-4560-8250-1c4c414bbfc0" + }, + { + "alignment": "left", + "columnId": "8602e508-3dc5-4e7e-a87e-8fd9ddf7b1d9" + } + ], + "headerRowHeight": "single", + "layerId": "4a1aa374-6802-4ad3-aaa8-5178d0944859", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "Logon with Explicit Credentials [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 28, + "i": "29a0e70a-ab23-4d48-8d4e-9a39c5af47ad", + "w": 12, + "x": 36, + "y": 34 + }, + "panelIndex": "29a0e70a-ab23-4d48-8d4e-9a39c5af47ad", + "title": "Logon with Explicit Credentials [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 46, + "i": "28115147-8399-4fcd-95ce-ed0a4f4239e3", + "w": 25, + "x": 23, + "y": 62 + }, + "panelIndex": "28115147-8399-4fcd-95ce-ed0a4f4239e3", + "panelRefName": "panel_28115147-8399-4fcd-95ce-ed0a4f4239e3", + "title": "Logout Details", + "type": "search", + "version": "8.7.0" + } + ], + "timeRestore": false, + "title": "[System 
Windows Security] User Logons", + "version": 1 + }, + "coreMigrationVersion": "8.7.1", + "created_at": "2023-05-04T21:59:59.346Z", + "id": "system-bae11b00-9bfc-11ea-87e4-49f31ec44891", + "migrationVersion": { + "dashboard": "8.7.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1:indexpattern-datasource-layer-0eeae7e3-4be6-439a-8d11-e248d89729c7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1:6c0aae98-74e3-48f0-bfe4-01114857e9ea", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3:indexpattern-datasource-layer-7a52b543-0c01-4543-9ed6-a89dfbdd8b87", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3:c92cd2bc-c3a2-40cf-8932-aa33cee31978", + "type": "index-pattern" + }, + { + "id": "system-ce71c9a0-a25e-11e9-a422-d144027429da", + "name": "10:panel_10", + "type": "search" + }, + { + "id": "logs-*", + "name": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0:indexpattern-datasource-layer-674fcc58-08d6-4ab5-b6cb-671d86391a1f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0:0b35b218-725a-492d-8a26-fc07ece4cefa", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2ccb4f49-c9ee-48a0-b602-f86fa0e21504:indexpattern-datasource-layer-00652829-18f8-4bed-9423-c1b08879fa96", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2ccb4f49-c9ee-48a0-b602-f86fa0e21504:b48f02eb-a573-4758-a23f-ab02a2379751", + "type": "index-pattern" + }, + { + "id": "system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", + "name": "454bb008-9720-455e-8ab9-b2f47d25aa4f:panel_454bb008-9720-455e-8ab9-b2f47d25aa4f", + "type": "search" + }, + { + "id": "logs-*", + "name": 
"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad:indexpattern-datasource-layer-4a1aa374-6802-4ad3-aaa8-5178d0944859", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "29a0e70a-ab23-4d48-8d4e-9a39c5af47ad:d5b55106-1b94-4e5d-af4a-30edbe70102e", + "type": "index-pattern" + }, + { + "id": "system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", + "name": "28115147-8399-4fcd-95ce-ed0a4f4239e3:panel_28115147-8399-4fcd-95ce-ed0a4f4239e3", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json b/test/packages/parallel/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json new file mode 100644 index 000000000..9146a205b --- /dev/null +++ b/test/packages/parallel/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json 
@@ -0,0 +1,4431 @@ +{ + "attributes": { + "description": "Group management activity.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "system.security", + "windows.forwarded", + "windows.security" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "system.security" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.forwarded" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.security" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "# **Group Management Events**\n\n#### This dashboard shows information about Group Management Events collected by the Elastic Agent Windows integrations (System, Windows, Custom Windows Event Logs).\n", + "openLinksInNewTab": false + }, + "title": "Group Management Events - 
Description [Windows System Security]", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 7, + "i": "22", + "w": 16, + "x": 0, + "y": 0 + }, + "panelIndex": "22", + "title": "", + "type": "visualization", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bd7f857d-8824-4cfa-b6a9-85f4efdc2623", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a19c4278-5416-4446-99a1-0c0b841ad56b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "bd7f857d-8824-4cfa-b6a9-85f4efdc2623": { + "columnOrder": [ + "7f1d902e-af5f-4b65-a519-9ef6003f7e44", + "941899f1-1b0a-4ca2-9fd4-ec751ecd6ca3", + "6aa544a5-ecf4-4401-989d-bf738652c121", + "2d5bc858-8374-44e4-a40f-0182d750e7c9", + "7c3baf0b-0f49-4022-b50a-c7d4f6280003" + ], + "columns": { + "2d5bc858-8374-44e4-a40f-0182d750e7c9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performer LogonID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7c3baf0b-0f49-4022-b50a-c7d4f6280003", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + }, + "6aa544a5-ecf4-4401-989d-bf738652c121": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7c3baf0b-0f49-4022-b50a-c7d4f6280003", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 
+ }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + }, + "7c3baf0b-0f49-4022-b50a-c7d4f6280003": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "7f1d902e-af5f-4b65-a519-9ef6003f7e44": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Group", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7c3baf0b-0f49-4022-b50a-c7d4f6280003", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "group.name" + }, + "941899f1-1b0a-4ca2-9fd4-ec751ecd6ca3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Domain", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7c3baf0b-0f49-4022-b50a-c7d4f6280003", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "group.domain" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "a19c4278-5416-4446-99a1-0c0b841ad56b", + "key": "event.code", + "negate": false, + "params": [ + "4731", + "4727", + "4754", + "4744", + "4759", + "4779", + "4790", + "4783" + ], + "type": "phrases", + "value": "4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + 
"match_phrase": { + "event.code": "4731" + } + }, + { + "match_phrase": { + "event.code": "4727" + } + }, + { + "match_phrase": { + "event.code": "4754" + } + }, + { + "match_phrase": { + "event.code": "4744" + } + }, + { + "match_phrase": { + "event.code": "4759" + } + }, + { + "match_phrase": { + "event.code": "4779" + } + }, + { + "match_phrase": { + "event.code": "4790" + } + }, + { + "match_phrase": { + "event.code": "4783" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "7c3baf0b-0f49-4022-b50a-c7d4f6280003" + }, + { + "alignment": "left", + "columnId": "7f1d902e-af5f-4b65-a519-9ef6003f7e44" + }, + { + "alignment": "left", + "columnId": "941899f1-1b0a-4ca2-9fd4-ec751ecd6ca3" + }, + { + "alignment": "left", + "columnId": "6aa544a5-ecf4-4401-989d-bf738652c121" + }, + { + "alignment": "left", + "columnId": "2d5bc858-8374-44e4-a40f-0182d750e7c9" + } + ], + "headerRowHeight": "single", + "layerId": "bd7f857d-8824-4cfa-b6a9-85f4efdc2623", + "layerType": "data", + "paging": { + "enabled": true, + "size": 5 + }, + "rowHeight": "single" + } + }, + "title": "Groups Created - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "36", + "w": 9, + "x": 0, + "y": 55 + }, + "panelIndex": "36", + "title": "Groups Created - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b600888f-707d-4333-b65c-64ccd1512086", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c1e670c6-0a4d-4954-82f9-51dc32e07139", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + 
"b600888f-707d-4333-b65c-64ccd1512086": { + "columnOrder": [ + "c56afdf2-4288-4388-804c-a8d44425a564", + "bb1a6287-e2d3-4136-9e1c-773f5b041afb", + "054a5d8e-b121-4790-bd89-f497705b33e4", + "8e115107-32e4-4af6-b61c-2f8d5442286d", + "0ae4bc48-8f3e-4bbb-8a14-a47cfa5983f7" + ], + "columns": { + "054a5d8e-b121-4790-bd89-f497705b33e4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "0ae4bc48-8f3e-4bbb-8a14-a47cfa5983f7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + }, + "0ae4bc48-8f3e-4bbb-8a14-a47cfa5983f7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "8e115107-32e4-4af6-b61c-2f8d5442286d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performer LogonID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "0ae4bc48-8f3e-4bbb-8a14-a47cfa5983f7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + }, + "bb1a6287-e2d3-4136-9e1c-773f5b041afb": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Domain", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": 
{ + "columnId": "0ae4bc48-8f3e-4bbb-8a14-a47cfa5983f7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "group.domain" + }, + "c56afdf2-4288-4388-804c-a8d44425a564": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Group", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "0ae4bc48-8f3e-4bbb-8a14-a47cfa5983f7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "group.name" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "c1e670c6-0a4d-4954-82f9-51dc32e07139", + "key": "event.code", + "negate": false, + "params": [ + "4735", + "4737", + "4755", + "4750", + "4760", + "4745", + "4791", + "4784", + "4764" + ], + "type": "phrases", + "value": "4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4735" + } + }, + { + "match_phrase": { + "event.code": "4737" + } + }, + { + "match_phrase": { + "event.code": "4755" + } + }, + { + "match_phrase": { + "event.code": "4750" + } + }, + { + "match_phrase": { + "event.code": "4760" + } + }, + { + "match_phrase": { + "event.code": "4745" + } + }, + { + "match_phrase": { + "event.code": "4791" + } + }, + { + "match_phrase": { + "event.code": "4784" + } + }, + { + "match_phrase": { + "event.code": "4764" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + 
{ + "alignment": "left", + "columnId": "0ae4bc48-8f3e-4bbb-8a14-a47cfa5983f7" + }, + { + "alignment": "left", + "columnId": "c56afdf2-4288-4388-804c-a8d44425a564" + }, + { + "alignment": "left", + "columnId": "bb1a6287-e2d3-4136-9e1c-773f5b041afb" + }, + { + "alignment": "left", + "columnId": "054a5d8e-b121-4790-bd89-f497705b33e4" + }, + { + "alignment": "left", + "columnId": "8e115107-32e4-4af6-b61c-2f8d5442286d" + } + ], + "headerRowHeight": "single", + "layerId": "b600888f-707d-4333-b65c-64ccd1512086", + "layerType": "data", + "paging": { + "enabled": true, + "size": 5 + }, + "rowHeight": "single" + } + }, + "title": "Group Changes - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "37", + "w": 9, + "x": 9, + "y": 55 + }, + "panelIndex": "37", + "title": "Group Changes - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4f4fa0d5-5ea9-45ba-9214-d1fe2310876f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3d460e27-249d-4c99-831f-193ccd17f8f4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4f4fa0d5-5ea9-45ba-9214-d1fe2310876f": { + "columnOrder": [ + "f91ab9f5-c2a5-4590-875c-fabf6d047e37", + "1afb18ce-62b9-4585-9dea-0e4310a67c50", + "6d13ad70-08bd-44d9-963f-1f8872cc7d79", + "29662a4b-5326-4531-8996-2b95afb69ed3", + "9b24429a-7651-4972-aed9-83971847531b" + ], + "columns": { + "1afb18ce-62b9-4585-9dea-0e4310a67c50": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Domain", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + 
"columnId": "9b24429a-7651-4972-aed9-83971847531b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "group.domain" + }, + "29662a4b-5326-4531-8996-2b95afb69ed3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performer LogonID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9b24429a-7651-4972-aed9-83971847531b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + }, + "6d13ad70-08bd-44d9-963f-1f8872cc7d79": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9b24429a-7651-4972-aed9-83971847531b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + }, + "9b24429a-7651-4972-aed9-83971847531b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f91ab9f5-c2a5-4590-875c-fabf6d047e37": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Group", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": 
"9b24429a-7651-4972-aed9-83971847531b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "group.name" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "3d460e27-249d-4c99-831f-193ccd17f8f4", + "key": "event.code", + "negate": false, + "params": [ + "4734", + "4730", + "4758", + "4748", + "4763", + "4753", + "4792", + "4789" + ], + "type": "phrases", + "value": "4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4734" + } + }, + { + "match_phrase": { + "event.code": "4730" + } + }, + { + "match_phrase": { + "event.code": "4758" + } + }, + { + "match_phrase": { + "event.code": "4748" + } + }, + { + "match_phrase": { + "event.code": "4763" + } + }, + { + "match_phrase": { + "event.code": "4753" + } + }, + { + "match_phrase": { + "event.code": "4792" + } + }, + { + "match_phrase": { + "event.code": "4789" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "9b24429a-7651-4972-aed9-83971847531b" + }, + { + "alignment": "left", + "columnId": "f91ab9f5-c2a5-4590-875c-fabf6d047e37" + }, + { + "alignment": "left", + "columnId": "1afb18ce-62b9-4585-9dea-0e4310a67c50" + }, + { + "alignment": "left", + "columnId": "6d13ad70-08bd-44d9-963f-1f8872cc7d79" + }, + { + "alignment": "left", + "columnId": "29662a4b-5326-4531-8996-2b95afb69ed3" + } + ], + "headerRowHeight": "single", + "layerId": "4f4fa0d5-5ea9-45ba-9214-d1fe2310876f", + "layerType": "data", + "paging": { + "enabled": true, + "size": 5 + }, + "rowHeight": "single" + } + }, + "title": "Groups 
Deleted - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "38", + "w": 9, + "x": 18, + "y": 55 + }, + "panelIndex": "38", + "title": "Groups Deleted - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ec211cdc-aeae-4682-9cc8-deec18aee3d1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dcdfe597-2586-47d7-a08a-d204f5caebbb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ec211cdc-aeae-4682-9cc8-deec18aee3d1": { + "columnOrder": [ + "2cef85a9-ce4b-4803-a11a-fb8d474d54b5", + "a9cfc671-e843-46b8-a08b-173da51037a9", + "e42f2fdf-510a-4da6-9839-a5678ca093e4", + "4938a319-1510-4931-8d5f-fd64137d7bda", + "305d7edd-b815-4333-b542-dd82ceee2ea7", + "f6418ff7-7f4c-4b47-ada1-effc9abc019e" + ], + "columns": { + "2cef85a9-ce4b-4803-a11a-fb8d474d54b5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f6418ff7-7f4c-4b47-ada1-effc9abc019e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.MemberName" + }, + "305d7edd-b815-4333-b542-dd82ceee2ea7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by Logon ID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": 
"f6418ff7-7f4c-4b47-ada1-effc9abc019e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + }, + "4938a319-1510-4931-8d5f-fd64137d7bda": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f6418ff7-7f4c-4b47-ada1-effc9abc019e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "a9cfc671-e843-46b8-a08b-173da51037a9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Group", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f6418ff7-7f4c-4b47-ada1-effc9abc019e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "group.name" + }, + "e42f2fdf-510a-4da6-9839-a5678ca093e4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Domain", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f6418ff7-7f4c-4b47-ada1-effc9abc019e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "group.domain" + }, + "f6418ff7-7f4c-4b47-ada1-effc9abc019e": { + "customLabel": true, + "dataType": "number", + "isBucketed": 
false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "dcdfe597-2586-47d7-a08a-d204f5caebbb", + "key": "event.code", + "negate": false, + "params": [ + "4732", + "4728", + "4756", + "4751", + "4761", + "4746", + "4785", + "4787" + ], + "type": "phrases", + "value": "4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4732" + } + }, + { + "match_phrase": { + "event.code": "4728" + } + }, + { + "match_phrase": { + "event.code": "4756" + } + }, + { + "match_phrase": { + "event.code": "4751" + } + }, + { + "match_phrase": { + "event.code": "4761" + } + }, + { + "match_phrase": { + "event.code": "4746" + } + }, + { + "match_phrase": { + "event.code": "4785" + } + }, + { + "match_phrase": { + "event.code": "4787" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "f6418ff7-7f4c-4b47-ada1-effc9abc019e" + }, + { + "alignment": "left", + "columnId": "2cef85a9-ce4b-4803-a11a-fb8d474d54b5" + }, + { + "alignment": "left", + "columnId": "a9cfc671-e843-46b8-a08b-173da51037a9" + }, + { + "alignment": "left", + "columnId": "e42f2fdf-510a-4da6-9839-a5678ca093e4" + }, + { + "alignment": "left", + "columnId": "4938a319-1510-4931-8d5f-fd64137d7bda" + }, + { + "alignment": "left", + "columnId": "305d7edd-b815-4333-b542-dd82ceee2ea7" + } + ], + "headerRowHeight": "single", + "layerId": "ec211cdc-aeae-4682-9cc8-deec18aee3d1", + "layerType": "data", + "paging": { + "enabled": true, + "size": 5 + }, + "rowHeight": "single" + } + }, + "title": 
"Users Added - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "39", + "w": 16, + "x": 0, + "y": 75 + }, + "panelIndex": "39", + "title": "Users Added - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ac94b4e8-791d-42c3-923b-d871496199d8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ba9b962b-bc66-4c05-89c7-bbcfea69b19d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ac94b4e8-791d-42c3-923b-d871496199d8": { + "columnOrder": [ + "5567fdee-554a-47ce-857f-67d88d8d0525", + "0bbbe141-f2c1-4d1c-8c97-cdccce1645c4", + "742898ba-a8f4-4374-8f8e-89e8c8e1d895", + "48ce407b-3a27-45b2-81a2-c2a7777d5b6b", + "916dfdf0-0aac-4720-ae54-fae544299b7d", + "8270757b-487a-4232-a473-2392e043ece1" + ], + "columns": { + "0bbbe141-f2c1-4d1c-8c97-cdccce1645c4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Group", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8270757b-487a-4232-a473-2392e043ece1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "group.name" + }, + "48ce407b-3a27-45b2-81a2-c2a7777d5b6b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": 
"8270757b-487a-4232-a473-2392e043ece1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + }, + "5567fdee-554a-47ce-857f-67d88d8d0525": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8270757b-487a-4232-a473-2392e043ece1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.MemberName" + }, + "742898ba-a8f4-4374-8f8e-89e8c8e1d895": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Domain", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8270757b-487a-4232-a473-2392e043ece1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "group.domain" + }, + "8270757b-487a-4232-a473-2392e043ece1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "916dfdf0-0aac-4720-ae54-fae544299b7d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Performed by Logon ID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": 
"8270757b-487a-4232-a473-2392e043ece1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "ba9b962b-bc66-4c05-89c7-bbcfea69b19d", + "key": "event.code", + "negate": false, + "params": [ + "4733", + "4729", + "4757", + "4786", + "4788", + "4752", + "4762", + "4747" + ], + "type": "phrases", + "value": "4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4733" + } + }, + { + "match_phrase": { + "event.code": "4729" + } + }, + { + "match_phrase": { + "event.code": "4757" + } + }, + { + "match_phrase": { + "event.code": "4786" + } + }, + { + "match_phrase": { + "event.code": "4788" + } + }, + { + "match_phrase": { + "event.code": "4752" + } + }, + { + "match_phrase": { + "event.code": "4762" + } + }, + { + "match_phrase": { + "event.code": "4747" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "8270757b-487a-4232-a473-2392e043ece1" + }, + { + "alignment": "left", + "columnId": "5567fdee-554a-47ce-857f-67d88d8d0525" + }, + { + "alignment": "left", + "columnId": "0bbbe141-f2c1-4d1c-8c97-cdccce1645c4" + }, + { + "alignment": "left", + "columnId": "742898ba-a8f4-4374-8f8e-89e8c8e1d895" + }, + { + "alignment": "left", + "columnId": "48ce407b-3a27-45b2-81a2-c2a7777d5b6b" + }, + { + "alignment": "left", + "columnId": "916dfdf0-0aac-4720-ae54-fae544299b7d" + } + ], + "headerRowHeight": "single", + "layerId": "ac94b4e8-791d-42c3-923b-d871496199d8", + "layerType": "data", + "paging": { + 
"enabled": true, + "size": 5 + }, + "rowHeight": "single" + } + }, + "title": "Users Removed from Group - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "40", + "w": 17, + "x": 16, + "y": 75 + }, + "panelIndex": "40", + "title": "Users Removed from Group - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1b283aa0-01f0-4d69-9338-1d312aa7409a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5fd25934-f4ed-4561-8e83-22d8642198fe", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1b283aa0-01f0-4d69-9338-1d312aa7409a": { + "columnOrder": [ + "bf39160d-a5ee-43ec-8231-c228b273d0db", + "281b8735-ca43-45ad-b6db-bd7bcfc36ba3", + "aeac3302-fabf-4396-973b-e3129d83f10b", + "7e13870d-43ba-4c46-a8d2-fafd4d61636e", + "32cabe3d-6f07-4dcd-9f86-29a535239e11" + ], + "columns": { + "281b8735-ca43-45ad-b6db-bd7bcfc36ba3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Domain", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "32cabe3d-6f07-4dcd-9f86-29a535239e11", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "group.domain" + }, + "32cabe3d-6f07-4dcd-9f86-29a535239e11": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + 
"7e13870d-43ba-4c46-a8d2-fafd4d61636e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Creator LogonID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "32cabe3d-6f07-4dcd-9f86-29a535239e11", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.logon.id" + }, + "aeac3302-fabf-4396-973b-e3129d83f10b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Creator", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "32cabe3d-6f07-4dcd-9f86-29a535239e11", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + }, + "bf39160d-a5ee-43ec-8231-c228b273d0db": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Group", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "32cabe3d-6f07-4dcd-9f86-29a535239e11", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "group.name" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "5fd25934-f4ed-4561-8e83-22d8642198fe", + "key": "event.code", + "negate": false, + "params": [ + "4799" + 
], + "type": "phrases", + "value": "4799" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4799" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "32cabe3d-6f07-4dcd-9f86-29a535239e11" + }, + { + "alignment": "left", + "columnId": "bf39160d-a5ee-43ec-8231-c228b273d0db" + }, + { + "alignment": "left", + "columnId": "281b8735-ca43-45ad-b6db-bd7bcfc36ba3" + }, + { + "alignment": "left", + "columnId": "aeac3302-fabf-4396-973b-e3129d83f10b" + }, + { + "alignment": "left", + "columnId": "7e13870d-43ba-4c46-a8d2-fafd4d61636e" + } + ], + "headerRowHeight": "single", + "layerId": "1b283aa0-01f0-4d69-9338-1d312aa7409a", + "layerType": "data", + "paging": { + "enabled": true, + "size": 5 + }, + "rowHeight": "single" + } + }, + "title": "Group Enumeration - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "42", + "w": 15, + "x": 33, + "y": 75 + }, + "panelIndex": "42", + "title": "Group Enumeration - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 20, + "i": "43", + "w": 21, + "x": 27, + "y": 48 + }, + "panelIndex": "43", + "panelRefName": "panel_43", + "title": "Logon Details [Windows System Security]", + "type": "search", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 22, + "i": "45", + "w": 48, + "x": 0, + "y": 89 + }, + "panelIndex": "45", + "panelRefName": "panel_45", + "title": "Group Management Operations Details [Windows System Security]", + "type": "search", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + 
"searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "[Windows Overview](#/dashboard/system-Windows-Dashboard) | [User Logon Information](#/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268) | **Group Management Events**", + "openLinksInNewTab": false + }, + "title": "Dashboard links [Windows System Security]", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 7, + "i": "663e0493-2070-407b-9d00-079915cce7e7", + "w": 32, + "x": 16, + "y": 0 + }, + "panelIndex": "663e0493-2070-407b-9d00-079915cce7e7", + "title": "", + "type": "visualization", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d498ce52-e422-4548-869e-12b54ca2a5de", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "042819ba-9576-492a-9bad-c3febb27fd0d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d498ce52-e422-4548-869e-12b54ca2a5de": { + "columnOrder": [ + "f2f50bd0-9beb-4ed3-a1d1-39970db0d880", + "a30cd9e9-b0dc-4aa8-871c-57b0e2bce3f5" + ], + "columns": { + "a30cd9e9-b0dc-4aa8-871c-57b0e2bce3f5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f2f50bd0-9beb-4ed3-a1d1-39970db0d880": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "event.action: Descending", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + 
"missingBucket": false, + "orderBy": { + "columnId": "a30cd9e9-b0dc-4aa8-871c-57b0e2bce3f5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "042819ba-9576-492a-9bad-c3febb27fd0d", + "key": "event.code", + "negate": false, + "params": [ + "4731", + "4732", + "4733", + "4734", + "4735", + "4737", + "4764", + "4727", + "4728", + "4729", + "4730", + "4754", + "4755", + "4756", + "4757", + "4758", + "4799", + "4749", + "4750", + "4751", + "4752", + "4753", + "4759", + "4760", + "4761", + "4762", + "4763", + "4744", + "4745", + "4746", + "4748" + ], + "type": "phrases", + "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4731" + } + }, + { + "match_phrase": { + "event.code": "4732" + } + }, + { + "match_phrase": { + "event.code": "4733" + } + }, + { + "match_phrase": { + "event.code": "4734" + } + }, + { + "match_phrase": { + "event.code": "4735" + } + }, + { + "match_phrase": { + "event.code": "4737" + } + }, + { + "match_phrase": { + "event.code": "4764" + } + }, + { + "match_phrase": { + "event.code": "4727" + } + }, + { + "match_phrase": { + "event.code": "4728" + } + }, + { + "match_phrase": { + "event.code": "4729" + } + }, + { + "match_phrase": { + "event.code": "4730" + } + }, + { + "match_phrase": { + "event.code": "4754" + } + }, + { + "match_phrase": { + "event.code": "4755" + } + }, + { + "match_phrase": { + "event.code": "4756" + } + }, + { + "match_phrase": 
{ + "event.code": "4757" + } + }, + { + "match_phrase": { + "event.code": "4758" + } + }, + { + "match_phrase": { + "event.code": "4799" + } + }, + { + "match_phrase": { + "event.code": "4749" + } + }, + { + "match_phrase": { + "event.code": "4750" + } + }, + { + "match_phrase": { + "event.code": "4751" + } + }, + { + "match_phrase": { + "event.code": "4752" + } + }, + { + "match_phrase": { + "event.code": "4753" + } + }, + { + "match_phrase": { + "event.code": "4759" + } + }, + { + "match_phrase": { + "event.code": "4760" + } + }, + { + "match_phrase": { + "event.code": "4761" + } + }, + { + "match_phrase": { + "event.code": "4762" + } + }, + { + "match_phrase": { + "event.code": "4763" + } + }, + { + "match_phrase": { + "event.code": "4744" + } + }, + { + "match_phrase": { + "event.code": "4745" + } + }, + { + "match_phrase": { + "event.code": "4746" + } + }, + { + "match_phrase": { + "event.code": "4748" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "hide", + "emptySizeRatio": 0.3, + "layerId": "d498ce52-e422-4548-869e-12b54ca2a5de", + "layerType": "data", + "legendDisplay": "hide", + "legendMaxLines": 1, + "legendPosition": "right", + "legendSize": "auto", + "metrics": [ + "a30cd9e9-b0dc-4aa8-871c-57b0e2bce3f5" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "percentDecimals": 2, + "primaryGroups": [ + "f2f50bd0-9beb-4ed3-a1d1-39970db0d880" + ], + "secondaryGroups": [], + "showValuesInLegend": true, + "truncateLegend": true + } + ], + "shape": "pie" + } + }, + "title": "Group Management Events - Event Actions [Windows System Security]", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 20, + "i": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290", + "w": 20, + "x": 0, + "y": 7 + }, 
+ "panelIndex": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290", + "title": "Group Management Events - Event Actions [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b1157a10-8ee7-4ce0-8fa3-3088007e12a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "25cdfdc0-53d7-4cf7-b982-a59694f34875", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b1157a10-8ee7-4ce0-8fa3-3088007e12a6": { + "columnOrder": [ + "db99025d-1f2b-4d05-8d3d-ad15bbcf252d", + "9caf1c5b-9f00-47e7-b27e-a2b631145b7f", + "a5c04a37-1867-4051-8eb5-848d6499a8eb" + ], + "columns": { + "9caf1c5b-9f00-47e7-b27e-a2b631145b7f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "event.code", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a5c04a37-1867-4051-8eb5-848d6499a8eb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.code" + }, + "a5c04a37-1867-4051-8eb5-848d6499a8eb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "db99025d-1f2b-4d05-8d3d-ad15bbcf252d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "event.action", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a5c04a37-1867-4051-8eb5-848d6499a8eb", + "type": "column" + }, + 
"orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 50 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "25cdfdc0-53d7-4cf7-b982-a59694f34875", + "key": "event.code", + "negate": false, + "params": [ + "4731", + "4732", + "4733", + "4734", + "4735", + "4737", + "4764", + "4727", + "4728", + "4729", + "4730", + "4754", + "4755", + "4756", + "4757", + "4758", + "4799", + "4749", + "4750", + "4751", + "4752", + "4753", + "4759", + "4760", + "4761", + "4762", + "4763", + "4744", + "4745", + "4746", + "4748" + ], + "type": "phrases", + "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4731" + } + }, + { + "match_phrase": { + "event.code": "4732" + } + }, + { + "match_phrase": { + "event.code": "4733" + } + }, + { + "match_phrase": { + "event.code": "4734" + } + }, + { + "match_phrase": { + "event.code": "4735" + } + }, + { + "match_phrase": { + "event.code": "4737" + } + }, + { + "match_phrase": { + "event.code": "4764" + } + }, + { + "match_phrase": { + "event.code": "4727" + } + }, + { + "match_phrase": { + "event.code": "4728" + } + }, + { + "match_phrase": { + "event.code": "4729" + } + }, + { + "match_phrase": { + "event.code": "4730" + } + }, + { + "match_phrase": { + "event.code": "4754" + } + }, + { + "match_phrase": { + "event.code": "4755" + } + }, + { + "match_phrase": { + "event.code": "4756" + } + }, + { + "match_phrase": { + "event.code": "4757" + } + }, + { + "match_phrase": { + "event.code": "4758" + } + }, + { + "match_phrase": { + 
"event.code": "4799" + } + }, + { + "match_phrase": { + "event.code": "4749" + } + }, + { + "match_phrase": { + "event.code": "4750" + } + }, + { + "match_phrase": { + "event.code": "4751" + } + }, + { + "match_phrase": { + "event.code": "4752" + } + }, + { + "match_phrase": { + "event.code": "4753" + } + }, + { + "match_phrase": { + "event.code": "4759" + } + }, + { + "match_phrase": { + "event.code": "4760" + } + }, + { + "match_phrase": { + "event.code": "4761" + } + }, + { + "match_phrase": { + "event.code": "4762" + } + }, + { + "match_phrase": { + "event.code": "4763" + } + }, + { + "match_phrase": { + "event.code": "4744" + } + }, + { + "match_phrase": { + "event.code": "4745" + } + }, + { + "match_phrase": { + "event.code": "4746" + } + }, + { + "match_phrase": { + "event.code": "4748" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "a5c04a37-1867-4051-8eb5-848d6499a8eb" + }, + { + "alignment": "left", + "columnId": "db99025d-1f2b-4d05-8d3d-ad15bbcf252d" + }, + { + "alignment": "left", + "columnId": "9caf1c5b-9f00-47e7-b27e-a2b631145b7f" + } + ], + "headerRowHeight": "single", + "layerId": "b1157a10-8ee7-4ce0-8fa3-3088007e12a6", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single" + } + }, + "title": "Group Management Events - Event Actions - Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 20, + "i": "74edddd5-2dc5-41b8-b4f2-bf9c95218f1b", + "w": 12, + "x": 20, + "y": 7 + }, + "panelIndex": "74edddd5-2dc5-41b8-b4f2-bf9c95218f1b", + "title": "Group Management Events - Event Actions - Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + 
"embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-066e9369-184c-4225-b244-7e8d029e52c1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "066e9369-184c-4225-b244-7e8d029e52c1": { + "columnOrder": [ + "08302e5a-7a5e-4352-9ff3-2ce5b44cbed8", + "603e57fe-6201-45e9-940c-860540f0c65d" + ], + "columns": { + "08302e5a-7a5e-4352-9ff3-2ce5b44cbed8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Target Groups", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "603e57fe-6201-45e9-940c-860540f0c65d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "group.name" + }, + "603e57fe-6201-45e9-940c-860540f0c65d": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "603e57fe-6201-45e9-940c-860540f0c65d" + ], + "layerId": "066e9369-184c-4225-b244-7e8d029e52c1", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + 
"showGridlines": false, + "xAccessor": "08302e5a-7a5e-4352-9ff3-2ce5b44cbed8" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 20, + "i": "3016efc8-187d-4630-892d-af2160a584d7", + "w": 16, + "x": 32, + "y": 7 + }, + "panelIndex": "3016efc8-187d-4630-892d-af2160a584d7", + "title": "Group Management Events - Target Groups [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d80f3769-ceeb-46ac-888d-8177bbbfa43c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5e7b0749-4021-4e07-a255-71965ec7f574", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d80f3769-ceeb-46ac-888d-8177bbbfa43c": { + "columnOrder": [ + "be908dc7-f6ac-4c18-aa16-9f95629da6f4", + "24b9ffd8-1bb0-4c0b-a1d4-f2f8ef4083c0", + "3189a302-09f6-44a0-9a0a-049c578c4b18" + ], + "columns": { + "24b9ffd8-1bb0-4c0b-a1d4-f2f8ef4083c0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Actions", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3189a302-09f6-44a0-9a0a-049c578c4b18", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.action" + }, + "3189a302-09f6-44a0-9a0a-049c578c4b18": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + 
"label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "be908dc7-f6ac-4c18-aa16-9f95629da6f4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Target Groups", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3189a302-09f6-44a0-9a0a-049c578c4b18", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "group.name" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "5e7b0749-4021-4e07-a255-71965ec7f574", + "key": "event.code", + "negate": false, + "params": [ + "4731", + "4732", + "4733", + "4734", + "4735", + "4737", + "4764", + "4727", + "4728", + "4729", + "4730", + "4754", + "4755", + "4756", + "4757", + "4758", + "4799", + "4749", + "4750", + "4751", + "4752", + "4753", + "4759", + "4760", + "4761", + "4762", + "4763", + "4744", + "4745", + "4746", + "4748" + ], + "type": "phrases", + "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4731" + } + }, + { + "match_phrase": { + "event.code": "4732" + } + }, + { + "match_phrase": { + "event.code": "4733" + } + }, + { + "match_phrase": { + "event.code": "4734" + } + }, + { + "match_phrase": { + "event.code": "4735" + } + }, + { + "match_phrase": { + "event.code": "4737" + } + }, + { + "match_phrase": { + "event.code": "4764" + } + 
}, + { + "match_phrase": { + "event.code": "4727" + } + }, + { + "match_phrase": { + "event.code": "4728" + } + }, + { + "match_phrase": { + "event.code": "4729" + } + }, + { + "match_phrase": { + "event.code": "4730" + } + }, + { + "match_phrase": { + "event.code": "4754" + } + }, + { + "match_phrase": { + "event.code": "4755" + } + }, + { + "match_phrase": { + "event.code": "4756" + } + }, + { + "match_phrase": { + "event.code": "4757" + } + }, + { + "match_phrase": { + "event.code": "4758" + } + }, + { + "match_phrase": { + "event.code": "4799" + } + }, + { + "match_phrase": { + "event.code": "4749" + } + }, + { + "match_phrase": { + "event.code": "4750" + } + }, + { + "match_phrase": { + "event.code": "4751" + } + }, + { + "match_phrase": { + "event.code": "4752" + } + }, + { + "match_phrase": { + "event.code": "4753" + } + }, + { + "match_phrase": { + "event.code": "4759" + } + }, + { + "match_phrase": { + "event.code": "4760" + } + }, + { + "match_phrase": { + "event.code": "4761" + } + }, + { + "match_phrase": { + "event.code": "4762" + } + }, + { + "match_phrase": { + "event.code": "4763" + } + }, + { + "match_phrase": { + "event.code": "4744" + } + }, + { + "match_phrase": { + "event.code": "4745" + } + }, + { + "match_phrase": { + "event.code": "4746" + } + }, + { + "match_phrase": { + "event.code": "4748" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "visualization": { + "gridConfig": { + "isCellLabelVisible": true, + "isXAxisLabelVisible": true, + "isXAxisTitleVisible": true, + "isYAxisLabelVisible": true, + "isYAxisTitleVisible": true, + "type": "heatmap_grid" + }, + "layerId": "d80f3769-ceeb-46ac-888d-8177bbbfa43c", + "layerType": "data", + "legend": { + "position": "right", + "type": "heatmap_legend" + }, + "palette": { + "accessor": "3189a302-09f6-44a0-9a0a-049c578c4b18", + "name": "custom", + "params": { + 
"colorStops": [ + { + "color": "#F7FBFF", + "stop": 0 + }, + { + "color": "#C3DBEE", + "stop": 25 + }, + { + "color": "#6DAED5", + "stop": 50 + }, + { + "color": "#2271B3", + "stop": 75 + } + ], + "continuity": "none", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": 100, + "rangeMin": 0, + "rangeType": "percent", + "reverse": false, + "stops": [ + { + "color": "#F7FBFF", + "stop": 25 + }, + { + "color": "#C3DBEE", + "stop": 50 + }, + { + "color": "#6DAED5", + "stop": 75 + }, + { + "color": "#2271B3", + "stop": 100 + } + ] + }, + "type": "palette" + }, + "shape": "heatmap", + "valueAccessor": "3189a302-09f6-44a0-9a0a-049c578c4b18", + "xAccessor": "be908dc7-f6ac-4c18-aa16-9f95629da6f4", + "yAccessor": "24b9ffd8-1bb0-4c0b-a1d4-f2f8ef4083c0" + } + }, + "title": "Group Management Events - Groups vs Actions - Heatmap [Windows System Security]", + "type": "lens", + "visualizationType": "lnsHeatmap" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 21, + "i": "33cef054-615a-49cb-bb2e-eb55fab96ae5", + "w": 27, + "x": 0, + "y": 27 + }, + "panelIndex": "33cef054-615a-49cb-bb2e-eb55fab96ae5", + "title": "Group Management Events - Groups vs Actions - Heatmap [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f3ae7a76-3702-4e40-aa81-849598fa2b3c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b7ec06e9-b2f3-4ec6-813b-e8cc45150c28", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f3ae7a76-3702-4e40-aa81-849598fa2b3c": { + "columnOrder": [ + "04168b99-2dd3-40c8-b444-bc949803664e", + "f7b7059a-8e4d-4538-b28f-35d597944976", + "27e21c84-c884-4a36-8e48-88d42cdc286d" + ], + "columns": { + "04168b99-2dd3-40c8-b444-bc949803664e": { + "customLabel": true, + "dataType": "date", + 
"isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "27e21c84-c884-4a36-8e48-88d42cdc286d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f7b7059a-8e4d-4538-b28f-35d597944976": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "event.action: Descending", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "27e21c84-c884-4a36-8e48-88d42cdc286d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 25 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b7ec06e9-b2f3-4ec6-813b-e8cc45150c28", + "key": "event.code", + "negate": false, + "params": [ + "4731", + "4732", + "4733", + "4734", + "4735", + "4737", + "4764", + "4727", + "4728", + "4729", + "4730", + "4754", + "4755", + "4756", + "4757", + "4758", + "4799", + "4749", + "4750", + "4751", + "4752", + "4753", + "4759", + "4760", + "4761", + "4762", + "4763", + "4744", + "4745", + "4746", + "4748" + ], + "type": "phrases", + "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + 
"event.code": "4731" + } + }, + { + "match_phrase": { + "event.code": "4732" + } + }, + { + "match_phrase": { + "event.code": "4733" + } + }, + { + "match_phrase": { + "event.code": "4734" + } + }, + { + "match_phrase": { + "event.code": "4735" + } + }, + { + "match_phrase": { + "event.code": "4737" + } + }, + { + "match_phrase": { + "event.code": "4764" + } + }, + { + "match_phrase": { + "event.code": "4727" + } + }, + { + "match_phrase": { + "event.code": "4728" + } + }, + { + "match_phrase": { + "event.code": "4729" + } + }, + { + "match_phrase": { + "event.code": "4730" + } + }, + { + "match_phrase": { + "event.code": "4754" + } + }, + { + "match_phrase": { + "event.code": "4755" + } + }, + { + "match_phrase": { + "event.code": "4756" + } + }, + { + "match_phrase": { + "event.code": "4757" + } + }, + { + "match_phrase": { + "event.code": "4758" + } + }, + { + "match_phrase": { + "event.code": "4799" + } + }, + { + "match_phrase": { + "event.code": "4749" + } + }, + { + "match_phrase": { + "event.code": "4750" + } + }, + { + "match_phrase": { + "event.code": "4751" + } + }, + { + "match_phrase": { + "event.code": "4752" + } + }, + { + "match_phrase": { + "event.code": "4753" + } + }, + { + "match_phrase": { + "event.code": "4759" + } + }, + { + "match_phrase": { + "event.code": "4760" + } + }, + { + "match_phrase": { + "event.code": "4761" + } + }, + { + "match_phrase": { + "event.code": "4762" + } + }, + { + "match_phrase": { + "event.code": "4763" + } + }, + { + "match_phrase": { + "event.code": "4744" + } + }, + { + "match_phrase": { + "event.code": "4745" + } + }, + { + "match_phrase": { + "event.code": "4746" + } + }, + { + "match_phrase": { + "event.code": "4748" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + 
"curveType": "LINEAR", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": false + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": -90 + }, + "layers": [ + { + "accessors": [ + "27e21c84-c884-4a36-8e48-88d42cdc286d" + ], + "isHistogram": true, + "layerId": "f3ae7a76-3702-4e40-aa81-849598fa2b3c", + "layerType": "data", + "seriesType": "bar_stacked", + "simpleView": false, + "splitAccessor": "f7b7059a-8e4d-4538-b28f-35d597944976", + "xAccessor": "04168b99-2dd3-40c8-b444-bc949803664e", + "xScaleType": "time", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "27e21c84-c884-4a36-8e48-88d42cdc286d" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "showCurrentTimeMarker": false, + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": false, + "yLeftExtent": { + "enforce": true, + "mode": "full" + }, + "yLeftScale": "linear", + "yRightScale": "linear", + "yTitle": "Count" + } + }, + "title": "Group Management Action Distribution over Time [Windows System Security]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 21, + "i": "e0d495aa-f897-403f-815b-6116fae330b7", + "w": 21, + "x": 27, + "y": 27 + }, + "panelIndex": "e0d495aa-f897-403f-815b-6116fae330b7", + "title": "Group Management Action Distribution over Time [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + 
"timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "acb39e04-812e-47cc-b982-fabce6e6ec94": { + "columnOrder": [ + "628ee1fd-9f6f-4c72-b373-49fccf7806ba" + ], + "columns": { + "628ee1fd-9f6f-4c72-b373-49fccf7806ba": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.code:4731 OR event.code:4727 OR event.code:\"4754\" OR event.code:\"4749\" OR event.code:\"4759\" OR event.code:\"4744\" OR event.code:\"4783\" OR event.code:\"4790\"" + }, + "isBucketed": false, + "label": "Groups Created", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-acb39e04-812e-47cc-b982-fabce6e6ec94", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "628ee1fd-9f6f-4c72-b373-49fccf7806ba", + "colorMode": "Background", + "layerId": "acb39e04-812e-47cc-b982-fabce6e6ec94", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#cc5642", + "stop": 1 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 1 + }, + { + "color": "#cc5642", + "stop": 2 + } + ] + }, + "type": "palette" + } + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "e861343c-a5c9-4a8f-aacf-175a2d697587", + "w": 9, + "x": 0, + "y": 48 + 
}, + "panelIndex": "e861343c-a5c9-4a8f-aacf-175a2d697587", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "87aea4f8-5513-4348-b6e3-3f15ef52448f": { + "columnOrder": [ + "442cce25-7692-4749-9adb-c342d5fcdecd" + ], + "columns": { + "442cce25-7692-4749-9adb-c342d5fcdecd": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.code:4735 OR event.code:4737 OR event.code:\"4755\" OR event.code:\"4764\" OR event.code:\"4750\" OR event.code:\"4760\" OR event.code:\"4745\" OR event.code:\"4784\" OR event.code:\"4791\"" + }, + "isBucketed": false, + "label": "Groups Changed", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-87aea4f8-5513-4348-b6e3-3f15ef52448f", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "442cce25-7692-4749-9adb-c342d5fcdecd", + "colorMode": "Background", + "layerId": "87aea4f8-5513-4348-b6e3-3f15ef52448f", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#d6bf57", + "stop": 1 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": 
null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 1 + }, + { + "color": "#d6bf57", + "stop": 104 + } + ] + }, + "type": "palette" + } + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "36142fad-01b3-43eb-a7c5-1b71fa6aa3bc", + "w": 9, + "x": 9, + "y": 48 + }, + "panelIndex": "36142fad-01b3-43eb-a7c5-1b71fa6aa3bc", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "52b8f6c3-23ba-42d7-94b3-b28380016e21": { + "columnOrder": [ + "e9922ed6-8940-4348-975a-39c8a936a46c" + ], + "columns": { + "e9922ed6-8940-4348-975a-39c8a936a46c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.code:4734 OR event.code:4730 OR event.code:4758 OR event.code:4753 OR event.code:4763 OR event.code:4748 OR event.code:4789 OR event.code:4792" + }, + "isBucketed": false, + "label": "Groups Deleted", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-52b8f6c3-23ba-42d7-94b3-b28380016e21", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": 
"e9922ed6-8940-4348-975a-39c8a936a46c", + "colorMode": "Background", + "layerId": "52b8f6c3-23ba-42d7-94b3-b28380016e21", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#DA8B45", + "stop": 1 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 1 + }, + { + "color": "#DA8B45", + "stop": 2 + } + ] + }, + "type": "palette" + } + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "b03662fb-926d-49e0-b543-18ae6f526395", + "w": 9, + "x": 18, + "y": 48 + }, + "panelIndex": "b03662fb-926d-49e0-b543-18ae6f526395", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "914f2ede-b9f6-4cb5-8b54-f4bcd6be6466": { + "columnOrder": [ + "f8c7d2ef-cd6e-4aa7-a912-7bebc89579f4" + ], + "columns": { + "f8c7d2ef-cd6e-4aa7-a912-7bebc89579f4": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.code:4731 OR event.code:4727 OR event.code:\"4754\" OR event.code:\"4749\" OR event.code:\"4759\" OR event.code:\"4744\" OR event.code:\"4783\" OR event.code:\"4790\"" + }, + "isBucketed": false, + "label": "Users Added to Group", + "operationType": "count", + "params": { + "emptyAsNull": 
true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-914f2ede-b9f6-4cb5-8b54-f4bcd6be6466", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f8c7d2ef-cd6e-4aa7-a912-7bebc89579f4", + "colorMode": "Background", + "layerId": "914f2ede-b9f6-4cb5-8b54-f4bcd6be6466", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#AA6556", + "stop": 0 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 0 + }, + { + "color": "#AA6556", + "stop": 1 + } + ] + }, + "type": "palette" + } + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "744ba653-cbed-4af4-8114-ebe20b7ce075", + "w": 16, + "x": 0, + "y": 68 + }, + "panelIndex": "744ba653-cbed-4af4-8114-ebe20b7ce075", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "b646c7ff-6c54-479c-af9a-882661bac81d": { + "columnOrder": [ + "2ecb3e68-af02-4281-9a6d-f4ca2a460626" + ], + 
"columns": { + "2ecb3e68-af02-4281-9a6d-f4ca2a460626": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.code:4733 OR event.code:4729 OR event.code:4788 OR event.code:4786 OR event.code:4752 OR event.code:4762 OR event.code:4747" + }, + "isBucketed": false, + "label": "Users Removed from Group", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-b646c7ff-6c54-479c-af9a-882661bac81d", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "2ecb3e68-af02-4281-9a6d-f4ca2a460626", + "colorMode": "Background", + "layerId": "b646c7ff-6c54-479c-af9a-882661bac81d", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#DA8B45", + "stop": 1 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 1 + }, + { + "color": "#DA8B45", + "stop": 2 + } + ] + }, + "type": "palette" + } + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "81b505b6-9694-40ed-8800-dfc5f41af3c8", + "w": 17, + "x": 16, + "y": 68 + }, + "panelIndex": "81b505b6-9694-40ed-8800-dfc5f41af3c8", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { 
+ "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "92834d49-5d90-4296-a0e8-331ac3426c63": { + "columnOrder": [ + "e4ff5d2c-bdd4-4c47-ada1-129834297614" + ], + "columns": { + "e4ff5d2c-bdd4-4c47-ada1-129834297614": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.code:4799" + }, + "isBucketed": false, + "label": "Group Membership Enumeration", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-92834d49-5d90-4296-a0e8-331ac3426c63", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "e4ff5d2c-bdd4-4c47-ada1-129834297614", + "colorMode": "Background", + "layerId": "92834d49-5d90-4296-a0e8-331ac3426c63", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D0D0D0", + "stop": null + }, + { + "color": "#808080", + "stop": 1 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D0D0D0", + "stop": 1 + }, + { + "color": "#808080", + "stop": 71658 + } + ] + }, + "type": "palette" + } + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": 
"2c3d475b-54d9-472a-b97a-03a37d7c944b", + "w": 15, + "x": 33, + "y": 68 + }, + "panelIndex": "2c3d475b-54d9-472a-b97a-03a37d7c944b", + "title": "", + "type": "lens", + "version": "8.7.0" + } + ], + "timeRestore": false, + "title": "[System Windows Security] Group Management Events", + "version": 1 + }, + "coreMigrationVersion": "8.7.1", + "created_at": "2023-05-04T21:59:59.346Z", + "id": "system-bb858830-f412-11e9-8405-516218e3d268", + "migrationVersion": { + "dashboard": "8.7.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "36:indexpattern-datasource-layer-bd7f857d-8824-4cfa-b6a9-85f4efdc2623", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "36:a19c4278-5416-4446-99a1-0c0b841ad56b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "37:indexpattern-datasource-layer-b600888f-707d-4333-b65c-64ccd1512086", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "37:c1e670c6-0a4d-4954-82f9-51dc32e07139", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "38:indexpattern-datasource-layer-4f4fa0d5-5ea9-45ba-9214-d1fe2310876f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "38:3d460e27-249d-4c99-831f-193ccd17f8f4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "39:indexpattern-datasource-layer-ec211cdc-aeae-4682-9cc8-deec18aee3d1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "39:dcdfe597-2586-47d7-a08a-d204f5caebbb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "40:indexpattern-datasource-layer-ac94b4e8-791d-42c3-923b-d871496199d8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "40:ba9b962b-bc66-4c05-89c7-bbcfea69b19d", + "type": "index-pattern" + }, + { + "id": "logs-*", + 
"name": "42:indexpattern-datasource-layer-1b283aa0-01f0-4d69-9338-1d312aa7409a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "42:5fd25934-f4ed-4561-8e83-22d8642198fe", + "type": "index-pattern" + }, + { + "id": "system-7e178c80-fee1-11e9-8405-516218e3d268", + "name": "43:panel_43", + "type": "search" + }, + { + "id": "system-9066d5b0-fef2-11e9-8405-516218e3d268", + "name": "45:panel_45", + "type": "search" + }, + { + "id": "logs-*", + "name": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290:indexpattern-datasource-layer-d498ce52-e422-4548-869e-12b54ca2a5de", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290:042819ba-9576-492a-9bad-c3febb27fd0d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "74edddd5-2dc5-41b8-b4f2-bf9c95218f1b:indexpattern-datasource-layer-b1157a10-8ee7-4ce0-8fa3-3088007e12a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "74edddd5-2dc5-41b8-b4f2-bf9c95218f1b:25cdfdc0-53d7-4cf7-b982-a59694f34875", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3016efc8-187d-4630-892d-af2160a584d7:indexpattern-datasource-layer-066e9369-184c-4225-b244-7e8d029e52c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "33cef054-615a-49cb-bb2e-eb55fab96ae5:indexpattern-datasource-layer-d80f3769-ceeb-46ac-888d-8177bbbfa43c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "33cef054-615a-49cb-bb2e-eb55fab96ae5:5e7b0749-4021-4e07-a255-71965ec7f574", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e0d495aa-f897-403f-815b-6116fae330b7:indexpattern-datasource-layer-f3ae7a76-3702-4e40-aa81-849598fa2b3c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e0d495aa-f897-403f-815b-6116fae330b7:b7ec06e9-b2f3-4ec6-813b-e8cc45150c28", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json b/test/packages/parallel/system/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json
new file mode 100644
index 000000000..09439c5f0
--- /dev/null
+++ b/test/packages/parallel/system/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json
@@ -0,0 +1,1832 @@ +{ + "attributes": { + "description": "Failed and blocked accounts.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "system.security", + "windows.forwarded", + "windows.security" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "system.security" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.forwarded" + } + }, + { + "match_phrase": { + "data_stream.dataset": "windows.security" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "### **Failed Logons and Account Lockouts**", + "openLinksInNewTab": false + }, + "title": "Failed Logon and Account Lockout [Windows System Security]", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 7, + "i": "1", + "w": 14, + "x": 0, + "y": 0 + }, + 
"panelIndex": "1", + "title": "", + "type": "visualization", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-51928276-cada-4ce4-8054-672e298c095f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c5560265-9668-4020-acf5-2f125a50e192", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "51928276-cada-4ce4-8054-672e298c095f": { + "columnOrder": [ + "07d2d99e-f8e9-4d2c-9361-637a3e327459", + "1e7f30e1-cab2-4099-a7c1-6debb680be54" + ], + "columns": { + "07d2d99e-f8e9-4d2c-9361-637a3e327459": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "lucene", + "query": "event.code: 4624" + }, + "label": "Successful Logon" + }, + { + "input": { + "language": "lucene", + "query": "event.code: 4625" + }, + "label": "Failed Logons" + } + ] + }, + "scale": "ordinal" + }, + "1e7f30e1-cab2-4099-a7c1-6debb680be54": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "c5560265-9668-4020-acf5-2f125a50e192", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "hide", + 
"emptySizeRatio": 0.3, + "layerId": "51928276-cada-4ce4-8054-672e298c095f", + "layerType": "data", + "legendDisplay": "show", + "legendMaxLines": 1, + "legendPosition": "bottom", + "legendSize": "auto", + "metrics": [ + "1e7f30e1-cab2-4099-a7c1-6debb680be54" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "percentDecimals": 2, + "primaryGroups": [ + "07d2d99e-f8e9-4d2c-9361-637a3e327459" + ], + "secondaryGroups": [], + "showValuesInLegend": true, + "truncateLegend": true + } + ], + "shape": "pie" + } + }, + "title": "Logon Successful vs Failed [Windows System Security]", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 18, + "i": "2", + "w": 12, + "x": 0, + "y": 7 + }, + "panelIndex": "2", + "title": "Logon Successful vs Failed [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "winlog.event_data.TargetUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4740" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4740", + "type": "phrase" + } + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR 
data_stream.dataset:system.security " + } + } + }, + "description": "", + "params": { + "bucket": { + "accessor": 0, + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "type": "vis_dimension" + }, + "maxFontSize": 53, + "metric": { + "accessor": 1, + "format": { + "id": "string", + "params": {} + }, + "type": "vis_dimension" + }, + "minFontSize": 18, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Blocked Accounts Tag [Windows System Security]", + "type": "tagcloud", + "uiState": {} + } + }, + "gridData": { + "h": 21, + "i": "3", + "w": 12, + "x": 12, + "y": 35 + }, + "panelIndex": "3", + "title": "Blocked Acoounts", + "type": "visualization", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-892d74e5-47d2-4c42-80d9-4bc979530ef2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "14b89fc0-8a6c-47a7-b5e3-516699233c61", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "892d74e5-47d2-4c42-80d9-4bc979530ef2": { + "columnOrder": [ + "8b1cbfde-e270-446d-a789-2a1d26f4480a", + "37216882-b7d2-4179-af7f-9bd64d35e0bd", + "50c2ab55-2ea4-4bd9-a7fd-3037baaea103" + ], + "columns": { + "37216882-b7d2-4179-af7f-9bd64d35e0bd": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "lucene", + "query": "event.code: 4624" + }, + "label": "Logon Successful" + }, + { + "input": { + "language": "lucene", + "query": "event.code: 4625" + }, + "label": "Logon Failed" + } + ] + }, + "scale": "ordinal" + }, + "50c2ab55-2ea4-4bd9-a7fd-3037baaea103": { + 
"customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "8b1cbfde-e270-446d-a789-2a1d26f4480a": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "14b89fc0-8a6c-47a7-b5e3-516699233c61", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "curveType": "LINEAR", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": -90 + }, + "layers": [ + { + "accessors": [ + "50c2ab55-2ea4-4bd9-a7fd-3037baaea103" + ], + "isHistogram": true, + "layerId": "892d74e5-47d2-4c42-80d9-4bc979530ef2", + "layerType": "data", + "seriesType": "bar_stacked", + "simpleView": false, + "splitAccessor": "37216882-b7d2-4179-af7f-9bd64d35e0bd", + "xAccessor": "8b1cbfde-e270-446d-a789-2a1d26f4480a", + "xScaleType": "time", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "50c2ab55-2ea4-4bd9-a7fd-3037baaea103" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "maxLines": 1, + "position": 
"bottom", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "showCurrentTimeMarker": false, + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": false, + "yLeftExtent": { + "enforce": true, + "mode": "full" + }, + "yLeftScale": "linear", + "yRightScale": "linear", + "yTitle": "Count" + } + }, + "title": "Logon Successful - Logon Failed Timeline [Windows System Security]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 18, + "i": "4", + "w": 23, + "x": 12, + "y": 7 + }, + "panelIndex": "4", + "title": "Logon Successful - Logon Failed Timeline [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4625", + "4771" + ], + "type": "phrases", + "value": "4625, 4771" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4625" + } + }, + { + "match_phrase": { + "event.code": "4771" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + 
"description": "", + "params": { + "bucket": { + "accessor": 0, + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "type": "vis_dimension" + }, + "maxFontSize": 37, + "metric": { + "accessor": 1, + "format": { + "id": "string", + "params": {} + }, + "type": "vis_dimension" + }, + "minFontSize": 15, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Logon Failed Acconts [Windows System Security]", + "type": "tagcloud", + "uiState": {} + } + }, + "gridData": { + "h": 21, + "i": "5", + "w": 12, + "x": 0, + "y": 35 + }, + "panelIndex": "5", + "type": "visualization", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0ca1181c-9c17-4b68-9da9-e90032ba66a0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4a5e2651-5d45-4b6b-a761-c8cb22fb8a70", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "662ad73f-d904-4d2c-86b0-d677879a602c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0ca1181c-9c17-4b68-9da9-e90032ba66a0": { + "columnOrder": [ + "891a49e8-cd86-401a-8901-911327320374", + "176619c3-a6a7-4793-b36f-2e24a88de891", + "ccbc2e70-16e1-45e0-841e-1b9349badf37" + ], + "columns": { + "176619c3-a6a7-4793-b36f-2e24a88de891": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "h" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "891a49e8-cd86-401a-8901-911327320374": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": 
"user.name: Descending", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ccbc2e70-16e1-45e0-841e-1b9349badf37", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "ccbc2e70-16e1-45e0-841e-1b9349badf37": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4a5e2651-5d45-4b6b-a761-c8cb22fb8a70", + "key": "event.code", + "negate": false, + "params": [ + "4625" + ], + "type": "phrases", + "value": "4625" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4625" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "662ad73f-d904-4d2c-86b0-d677879a602c", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "gridConfig": { + "isCellLabelVisible": true, + "isXAxisLabelVisible": true, + "isXAxisTitleVisible": true, + "isYAxisLabelVisible": true, + "isYAxisTitleVisible": true, + "type": "heatmap_grid" + }, + "layerId": "0ca1181c-9c17-4b68-9da9-e90032ba66a0", + "layerType": "data", + "legend": 
{ + "isVisible": false, + "position": "bottom", + "type": "heatmap_legend" + }, + "palette": { + "accessor": "ccbc2e70-16e1-45e0-841e-1b9349badf37", + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#FFFFCC", + "stop": 0 + }, + { + "color": "#FEE187", + "stop": 20 + }, + { + "color": "#FEAB4C", + "stop": 40 + }, + { + "color": "#F95C2E", + "stop": 60 + }, + { + "color": "#D31020", + "stop": 80 + } + ], + "continuity": "none", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": 100, + "rangeMin": 0, + "rangeType": "percent", + "reverse": false, + "stops": [ + { + "color": "#FFFFCC", + "stop": 20 + }, + { + "color": "#FEE187", + "stop": 40 + }, + { + "color": "#FEAB4C", + "stop": 60 + }, + { + "color": "#F95C2E", + "stop": 80 + }, + { + "color": "#D31020", + "stop": 100 + } + ] + }, + "type": "palette" + }, + "shape": "heatmap", + "valueAccessor": "ccbc2e70-16e1-45e0-841e-1b9349badf37", + "xAccessor": "891a49e8-cd86-401a-8901-911327320374", + "yAccessor": "176619c3-a6a7-4793-b36f-2e24a88de891" + } + }, + "title": "Failed Logon HeatMap [Windows System Security]", + "type": "lens", + "visualizationType": "lnsHeatmap" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 30, + "i": "6", + "w": 48, + "x": 0, + "y": 56 + }, + "panelIndex": "6", + "title": "Failed Logon HeatMap [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 20, + "i": "8", + "w": 48, + "x": 0, + "y": 86 + }, + "panelIndex": "8", + "panelRefName": "panel_8", + "title": "Logon Failed and Account Lockouts", + "type": "search", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b205119a-3d44-424a-b471-3adc7b233437", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d0cc9cbc-3f24-4f1d-a33f-d6161d3e1323", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "d16c0ea3-8535-405e-a080-314609ff2eb9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b205119a-3d44-424a-b471-3adc7b233437": { + "columnOrder": [ + "6c00efd4-5d72-4cb3-bd7f-805f413d6368", + "5a76cdff-8d92-4431-967b-ead53ef7c47e", + "6035bb34-7f8b-43b6-9a35-a286b0e42b68", + "c6126afa-c771-4709-a1e8-ce1598a07d96", + "b95d6baa-4b3d-4f61-ae4f-8981aed9a448", + "d0645d98-f6dd-4f10-811e-7fef21a41c3e", + "f0f3ac3f-402d-41e8-87b4-e3416b3b4e31", + "6034755d-4e5f-46e8-8700-7397eca1b2c7" + ], + "columns": { + "5a76cdff-8d92-4431-967b-ead53ef7c47e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6034755d-4e5f-46e8-8700-7397eca1b2c7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 1000 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "6034755d-4e5f-46e8-8700-7397eca1b2c7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "6035bb34-7f8b-43b6-9a35-a286b0e42b68": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "source workstation", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6034755d-4e5f-46e8-8700-7397eca1b2c7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": 
"source.domain" + }, + "6c00efd4-5d72-4cb3-bd7f-805f413d6368": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Time Bucket", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "h" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "b95d6baa-4b3d-4f61-ae4f-8981aed9a448": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "event.action", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6034755d-4e5f-46e8-8700-7397eca1b2c7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.action" + }, + "c6126afa-c771-4709-a1e8-ce1598a07d96": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "source.ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6034755d-4e5f-46e8-8700-7397eca1b2c7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "d0645d98-f6dd-4f10-811e-7fef21a41c3e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "winlog.logon.type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6034755d-4e5f-46e8-8700-7397eca1b2c7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": 
"winlog.logon.type" + }, + "f0f3ac3f-402d-41e8-87b4-e3416b3b4e31": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "winlog.event_data.SubjectUserName", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6034755d-4e5f-46e8-8700-7397eca1b2c7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "winlog.event_data.SubjectUserName" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d0cc9cbc-3f24-4f1d-a33f-d6161d3e1323", + "key": "event.code", + "negate": false, + "params": { + "query": "4625" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4625", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d16c0ea3-8535-405e-a080-314609ff2eb9", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "6034755d-4e5f-46e8-8700-7397eca1b2c7" + }, + { + "alignment": "left", + "columnId": "6c00efd4-5d72-4cb3-bd7f-805f413d6368" + }, + { + "alignment": "left", + "columnId": "5a76cdff-8d92-4431-967b-ead53ef7c47e" + }, + { + "alignment": "left", + "columnId": "6035bb34-7f8b-43b6-9a35-a286b0e42b68" + }, + { + "alignment": "left", + "columnId": 
"c6126afa-c771-4709-a1e8-ce1598a07d96" + }, + { + "alignment": "left", + "columnId": "b95d6baa-4b3d-4f61-ae4f-8981aed9a448" + }, + { + "alignment": "left", + "columnId": "d0645d98-f6dd-4f10-811e-7fef21a41c3e" + }, + { + "alignment": "left", + "columnId": "f0f3ac3f-402d-41e8-87b4-e3416b3b4e31" + } + ], + "headerRowHeight": "single", + "layerId": "b205119a-3d44-424a-b471-3adc7b233437", + "layerType": "data", + "paging": { + "enabled": true, + "size": 15 + }, + "rowHeight": "single" + } + }, + "title": "Logon Failed Table [Windows System Security]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 31, + "i": "11", + "w": 24, + "x": 24, + "y": 25 + }, + "panelIndex": "11", + "title": "Logon Failed Table [Windows System Security]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "[Windows Overview](#/dashboard/system-Windows-Dashboard) | [User Logon Information](#/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891) | **Logon Failed and Account Lockout** | [User Management Events](#/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/system-bb858830-f412-11e9-8405-516218e3d268)", + "openLinksInNewTab": false + }, + "title": "Dashboard links [Windows System Security]", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 7, + "i": "628de26f-7b7b-457c-b811-e06161e4e7b4", + "w": 34, + "x": 14, + "y": 0 + }, + "panelIndex": "628de26f-7b7b-457c-b811-e06161e4e7b4", + "title": "", + "type": "visualization", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-2f8af088-1452-476f-9b74-7854a8e9d8a3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d192bb2b-0add-406e-8fa5-d749aa93cd68", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9ba1595f-e9a3-4987-9eb0-21d2714752ef", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2f8af088-1452-476f-9b74-7854a8e9d8a3": { + "columnOrder": [ + "70837b96-3c24-4578-9988-3e91c976bf09", + "b2c05801-5cfa-40a5-9988-1aa4056ba903" + ], + "columns": { + "70837b96-3c24-4578-9988-3e91c976bf09": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Logon Source IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b2c05801-5cfa-40a5-9988-1aa4056ba903", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "b2c05801-5cfa-40a5-9988-1aa4056ba903": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.code", + "index": "d192bb2b-0add-406e-8fa5-d749aa93cd68", + "key": "event.code", + "negate": false, + "params": { + "query": "4625" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.code": "4625" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "winlog.provider_name", + "index": 
"9ba1595f-e9a3-4987-9eb0-21d2714752ef", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "b2c05801-5cfa-40a5-9988-1aa4056ba903" + ], + "layerId": "2f8af088-1452-476f-9b74-7854a8e9d8a3", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "70837b96-3c24-4578-9988-3e91c976bf09" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 18, + "i": "13f5fdc0-b503-4e37-a39e-a2365be6356d", + "w": 13, + "x": 35, + "y": 7 + }, + "panelIndex": "13f5fdc0-b503-4e37-a39e-a2365be6356d", + "title": "Logon Failed Source IPs", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + 
"layers": { + "f29083db-60ee-4050-a6fd-3c8ec6f2b86c": { + "columnOrder": [ + "e4afb6fa-36ce-46cc-bea2-175b29605d8a" + ], + "columns": { + "e4afb6fa-36ce-46cc-bea2-175b29605d8a": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \"4625\")" + }, + "isBucketed": false, + "label": "Failed Logon", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-f29083db-60ee-4050-a6fd-3c8ec6f2b86c", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "e4afb6fa-36ce-46cc-bea2-175b29605d8a", + "layerId": "f29083db-60ee-4050-a6fd-3c8ec6f2b86c", + "layerType": "data" + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 10, + "i": "af0b27cf-3a49-4180-bd15-a399f7b349b3", + "w": 12, + "x": 0, + "y": 25 + }, + "panelIndex": "af0b27cf-3a49-4180-bd15-a399f7b349b3", + "title": "", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "7b50ca11-6492-47c9-bb57-5d2e88f51719": { + "columnOrder": [ + "46e6f211-0dc7-4f4f-963d-033c09854126" + ], + "columns": { + 
"46e6f211-0dc7-4f4f-963d-033c09854126": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.code: \"4740\"" + }, + "isBucketed": false, + "label": "Blocked Accounts", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "user.name" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-7b50ca11-6492-47c9-bb57-5d2e88f51719", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "46e6f211-0dc7-4f4f-963d-033c09854126", + "layerId": "7b50ca11-6492-47c9-bb57-5d2e88f51719", + "layerType": "data" + } + }, + "title": "TSVB visualization", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 10, + "i": "d69a5e0c-274d-4515-8f31-737b9ecbddba", + "w": 12, + "x": 12, + "y": 25 + }, + "panelIndex": "d69a5e0c-274d-4515-8f31-737b9ecbddba", + "title": "", + "type": "lens", + "version": "8.7.0" + } + ], + "timeRestore": false, + "title": "[System Windows Security] Failed and Blocked Accounts", + "version": 1 + }, + "coreMigrationVersion": "8.7.1", + "created_at": "2023-05-04T21:59:59.346Z", + "id": "system-d401ef40-a7d5-11e9-a422-d144027429da", + "migrationVersion": { + "dashboard": "8.7.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2:indexpattern-datasource-layer-51928276-cada-4ce4-8054-672e298c095f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"2:c5560265-9668-4020-acf5-2f125a50e192", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4:indexpattern-datasource-layer-892d74e5-47d2-4c42-80d9-4bc979530ef2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4:14b89fc0-8a6c-47a7-b5e3-516699233c61", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6:indexpattern-datasource-layer-0ca1181c-9c17-4b68-9da9-e90032ba66a0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6:4a5e2651-5d45-4b6b-a761-c8cb22fb8a70", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6:662ad73f-d904-4d2c-86b0-d677879a602c", + "type": "index-pattern" + }, + { + "id": "system-757510b0-a87f-11e9-a422-d144027429da", + "name": "8:panel_8", + "type": "search" + }, + { + "id": "logs-*", + "name": "11:indexpattern-datasource-layer-b205119a-3d44-424a-b471-3adc7b233437", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "11:d0cc9cbc-3f24-4f1d-a33f-d6161d3e1323", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "11:d16c0ea3-8535-405e-a080-314609ff2eb9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "13f5fdc0-b503-4e37-a39e-a2365be6356d:indexpattern-datasource-layer-2f8af088-1452-476f-9b74-7854a8e9d8a3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "13f5fdc0-b503-4e37-a39e-a2365be6356d:d192bb2b-0add-406e-8fa5-d749aa93cd68", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"13f5fdc0-b503-4e37-a39e-a2365be6356d:9ba1595f-e9a3-4987-9eb0-21d2714752ef", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json b/test/packages/parallel/system/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json new file mode 100644 index 000000000..82486ae0c --- /dev/null +++ b/test/packages/parallel/system/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "columns": [ + "user.name", + "user.domain", + "winlog.logon.id", + "event.action", + "winlog.logon.type", + "winlog.event_data.SubjectUserName" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4625" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.code": "4625" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "User Logouts [Windows System Security]", + "version": 1 + }, + "coreMigrationVersion": "8.7.1", + "created_at": "2023-05-04T21:59:59.346Z", + "id": "system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": 
"index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json b/test/packages/parallel/system/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json new file mode 100644 index 000000000..2927c111b --- /dev/null +++ b/test/packages/parallel/system/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json 
@@ -0,0 +1,144 @@ +{ + "attributes": { + "columns": [ + "event.action", + "winlog.event_data.TargetUserName", + "user.domain", + "user.name", + "winlog.event_data.SubjectDomainName", + "winlog.logon.id", + "related.user" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4720", + "4722", + "4723", + "4724", + "4725", + "4726", + "4738", + "4740", + "4767", + "4781", + "4798" + ], + "type": "phrases", + "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4720" + } + }, + { + "match_phrase": { + "event.code": "4722" + } + }, + { + "match_phrase": { + "event.code": "4723" + } + }, + { + "match_phrase": { + "event.code": "4724" + } + }, + { + "match_phrase": { + "event.code": "4725" + } + }, + { + "match_phrase": { + "event.code": "4726" + } + }, + { + "match_phrase": { + "event.code": "4738" + } + }, + { + "match_phrase": { + "event.code": "4740" + } + }, + { + "match_phrase": { + "event.code": "4767" + } + }, + { + "match_phrase": { + "event.code": "4781" + } + }, + { + "match_phrase": { + "event.code": "4798" + } + } + ] + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "User management Details - Search [Windows System Security]", + "version": 1 + }, + "coreMigrationVersion": "8.7.1", + "created_at": "2023-05-04T21:59:59.346Z", + "id": 
"system-324686c0-fefb-11e9-8405-516218e3d268", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json b/test/packages/parallel/system/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json new file mode 100644 index 000000000..97614d9a9 --- /dev/null +++ b/test/packages/parallel/system/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json @@ -0,0 +1,51 @@ +{ + "attributes": { + "columns": [ + "system.auth.ssh.event", + "system.auth.ssh.method", + "user.name", + "source.ip", + "source.geo.country_iso_code" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset:system.auth AND system.auth.ssh.event:*" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "SSH login attempts [Logs System]", + "version": 1 + }, + "coreMigrationVersion": "8.6.1", + "created_at": "2023-03-23T04:03:56.987Z", + "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "system-fleet-pkg-system-default", + "name": "tag-ref-fleet-pkg-system-default", + "type": "tag" + } + ], + "type": "search" +} \ No newline at end of file 
diff --git a/test/packages/parallel/system/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json b/test/packages/parallel/system/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json new file mode 100644 index 000000000..a4db9fdd6 --- /dev/null +++ b/test/packages/parallel/system/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "columns": [ + "user.name", + "source.domain", + "source.ip", + "winlog.logon.id", + "event.action" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4778", + "4779" + ], + "type": "phrases", + "value": "4778, 4779" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4778" + } + }, + { + "match_phrase": { + "event.code": "4779" + } + } + ] + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Remote Interactive Connections and Disconnections [Windows System Security]", + "version": 1 + }, + "coreMigrationVersion": "8.7.1", + "created_at": "2023-05-04T21:59:59.346Z", + "id": "system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json b/test/packages/parallel/system/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json new file mode 100644 index 000000000..e1efc40d0 --- /dev/null 
+++ b/test/packages/parallel/system/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json 
@@ -0,0 +1,116 @@ +{ + "attributes": { + "columns": [ + "event.action", + "user.name", + "related.user", + "user.domain", + "source.domain", + "source.ip", + "winlog.event_data.SubjectUserName" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4625", + "4740" + ], + "type": "phrases", + "value": "4625, 4740" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4625" + } + }, + { + "match_phrase": { + "event.code": "4740" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "3. 
Login Failed Details", + "version": 1 + }, + "coreMigrationVersion": "8.7.1", + "created_at": "2023-05-04T21:59:59.346Z", + "id": "system-757510b0-a87f-11e9-a422-d144027429da", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json b/test/packages/parallel/system/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json new file mode 100644 index 000000000..728ec1dc1 --- /dev/null +++ b/test/packages/parallel/system/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json 
@@ -0,0 +1,82 @@ +{ + "attributes": { + "columns": [ + "user.name", + "source.domain", + "source.ip", + "winlog.logon.id", + "winlog.logon.type" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4624" + ], + "type": "phrases", + "value": "4624" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4624" + } + } + ] + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Logon Details [Windows System Security]", + "version": 1 + }, + "coreMigrationVersion": "8.7.1", + "created_at": "2023-05-04T21:59:59.346Z", + "id": "system-7e178c80-fee1-11e9-8405-516218e3d268", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/test/packages/parallel/system/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json new file mode 100644 index 000000000..1f4d2568e --- /dev/null +++ b/test/packages/parallel/system/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json 
@@ -0,0 +1,51 @@ +{ + "attributes": { + "columns": [ + "user.name", + "user.id", + "group.id", + "system.auth.useradd.home", + "system.auth.useradd.shell" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "system.auth.useradd:*" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "useradd logs [Logs System]", + "version": 1 + }, + "coreMigrationVersion": "8.6.1", + "created_at": "2023-03-23T04:03:56.987Z", + "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "system-fleet-pkg-system-default", + "name": "tag-ref-fleet-pkg-system-default", + "type": "tag" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json b/test/packages/parallel/system/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json new file mode 100644 index 000000000..85ebf3746 --- /dev/null +++ b/test/packages/parallel/system/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json 
@@ -0,0 +1,263 @@ +{ + "attributes": { + "columns": [ + "event.action", + "group.name", + "group.domain", + "user.name", + "user.domain", + "host.name" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4731", + "4732", + "4733", + "4734", + "4735", + "4737", + "4764", + "4727", + "4728", + "4729", + "4730", + "4754", + "4755", + "4756", + "4757", + "4758", + "4799", + "4749", + "4750", + "4751", + "4752", + "4753", + "4759", + "4760", + "4761", + "4762", + "4763", + "4744", + "4745", + "4746", + "4748" + ], + "type": "phrases", + "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4731" + } + }, + { + "match_phrase": { + "event.code": "4732" + } + }, + { + "match_phrase": { + "event.code": "4733" + } + }, + { + "match_phrase": { + "event.code": "4734" + } + }, + { + "match_phrase": { + "event.code": "4735" + } + }, + { + "match_phrase": { + "event.code": "4737" + } + }, + { + "match_phrase": { + "event.code": "4764" + } + }, + { + "match_phrase": { + "event.code": "4727" + } + }, + { + "match_phrase": { + "event.code": "4728" + } + }, + { + "match_phrase": { + "event.code": "4729" + } + }, + { + "match_phrase": { + "event.code": "4730" + } + }, + { + "match_phrase": { + "event.code": "4754" + } + }, + { + "match_phrase": { + "event.code": "4755" + } + }, + { + "match_phrase": { + "event.code": "4756" + } + }, + { + "match_phrase": { + "event.code": "4757" + } + }, + { + "match_phrase": { + "event.code": "4758" + } + }, + { + 
"match_phrase": { + "event.code": "4799" + } + }, + { + "match_phrase": { + "event.code": "4749" + } + }, + { + "match_phrase": { + "event.code": "4750" + } + }, + { + "match_phrase": { + "event.code": "4751" + } + }, + { + "match_phrase": { + "event.code": "4752" + } + }, + { + "match_phrase": { + "event.code": "4753" + } + }, + { + "match_phrase": { + "event.code": "4759" + } + }, + { + "match_phrase": { + "event.code": "4760" + } + }, + { + "match_phrase": { + "event.code": "4761" + } + }, + { + "match_phrase": { + "event.code": "4762" + } + }, + { + "match_phrase": { + "event.code": "4763" + } + }, + { + "match_phrase": { + "event.code": "4744" + } + }, + { + "match_phrase": { + "event.code": "4745" + } + }, + { + "match_phrase": { + "event.code": "4746" + } + }, + { + "match_phrase": { + "event.code": "4748" + } + } + ] + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Group Management Details - Search View [Windows System Security]", + "version": 1 + }, + "coreMigrationVersion": "8.7.1", + "created_at": "2023-05-04T21:59:59.346Z", + "id": "system-9066d5b0-fef2-11e9-8405-516218e3d268", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/search/system-Syslog-system-logs.json b/test/packages/parallel/system/kibana/search/system-Syslog-system-logs.json new file mode 100644 index 000000000..5619eb7db --- /dev/null 
+++ b/test/packages/parallel/system/kibana/search/system-Syslog-system-logs.json @@ -0,0 +1,62 @@ +{ + "attributes": { + "columns": [ + "host.hostname", + "process.name", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlight": { + "fields": { + "*": {} + }, + "fragment_size": 2147483647, + "post_tags": [ + "@/kibana-highlighted-field@" + ], + "pre_tags": [ + "@kibana-highlighted-field@" + ], + "require_field_match": false + }, + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset:system.syslog" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Syslog logs [Logs System]", + "version": 1 + }, + "coreMigrationVersion": "8.6.1", + "created_at": "2023-03-23T04:03:56.987Z", + "id": "system-Syslog-system-logs", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "system-fleet-pkg-system-default", + "name": "tag-ref-fleet-pkg-system-default", + "type": "tag" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/test/packages/parallel/system/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json new file mode 100644 index 000000000..f8e0c8787 --- /dev/null +++ b/test/packages/parallel/system/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json 
@@ -0,0 +1,50 @@ +{ + "attributes": { + "columns": [ + "user.name", + "system.auth.sudo.user", + "system.auth.sudo.pwd", + "system.auth.sudo.command" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "system.auth.sudo:*" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Sudo commands [Logs System]", + "version": 1 + }, + "coreMigrationVersion": "8.6.1", + "created_at": "2023-03-23T04:03:56.987Z", + "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "system-fleet-pkg-system-default", + "name": "tag-ref-fleet-pkg-system-default", + "type": "tag" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json b/test/packages/parallel/system/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json new file mode 100644 index 000000000..cee2784d8 --- /dev/null +++ b/test/packages/parallel/system/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json 
@@ -0,0 +1,77 @@ +{ + "attributes": { + "columns": [ + "user.name", + "winlog.logon.type", + "source.domain", + "source.ip", + "winlog.logon.id" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4624" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4624", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "User Logons [Windows System Security]", + "version": 1 + }, + "coreMigrationVersion": "8.7.1", + "created_at": "2023-05-04T21:59:59.346Z", + "id": "system-ce71c9a0-a25e-11e9-a422-d144027429da", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/test/packages/parallel/system/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/test/packages/parallel/system/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json new file mode 100644 index 000000000..410853e5d --- /dev/null +++ b/test/packages/parallel/system/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json 
@@ -0,0 +1,48 @@ +{ + "attributes": { + "columns": [ + "group.name", + "group.id" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "system.auth.groupadd:*" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "groupadd logs [Logs System]", + "version": 1 + }, + "coreMigrationVersion": "8.6.1", + "created_at": "2023-03-23T04:03:56.987Z", + "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "system-fleet-pkg-system-default", + "name": "tag-ref-fleet-pkg-system-default", + "type": "tag" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/test/packages/parallel/system/manifest.yml b/test/packages/parallel/system/manifest.yml new file mode 100644 index 000000000..5525fdd27 --- /dev/null +++ b/test/packages/parallel/system/manifest.yml 
@@ -0,0 +1,124 @@
+format_version: 1.0.0
+name: system
+title: System
+version: 1.33.0
+license: basic
+description: Collect system logs and metrics from your servers with Elastic Agent (TSDB Beta).
+type: integration
+categories:
+ - os_system
+release: ga
+conditions:
+ kibana.version: '^8.8.0'
+screenshots:
+ - src: /img/kibana-system.png
+ title: kibana system
+ size: 1220x852
+ type: image/png
+ - src: /img/metricbeat_system_dashboard.png
+ title: metricbeat system dashboard
+ size: 2097x1933
+ type: image/png
+icons:
+ - src: /img/system.svg
+ title: system
+ size: 1000x1000
+ type: image/svg+xml
+policy_templates:
+ - name: system
+ title: System logs and metrics
+ description: Collect logs and metrics from System instances
+ inputs:
+ - type: logfile
+ title: Collect logs from System instances
+ description: Collecting System auth and syslog logs
+ - type: winlog
+ title: 'Collect events from the Windows event log'
+ description: 'Collecting events from Windows event log'
+ - type: system/metrics
+ title: Collect metrics from System instances
+ description: Collecting System core, CPU, diskio, entropy, filesystem, fsstat, load, memory, network, Network Summary, process, Process Summary, raid, service, socket, Socket Summary, uptime and users metrics
+ vars:
+ - name: system.hostfs
+ type: text
+ title: Proc Filesystem Directory
+ multi: false
+ required: false
+ show_user: true
+ description: The proc filesystem base directory.
+ - type: httpjson
+ title: Collect logs from third-party REST API (experimental)
+ description: Collect logs from third-party REST API (experimental)
+ vars:
+ - name: url
+ type: text
+ title: URL of Splunk Enterprise Server
+ description: i.e. scheme://host:port, path is automatic
+ show_user: true
+ required: true
+ default: https://server.example.com:8089
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. The logs are part of agent's diagnostics dump under `logs/httpjson/http-request-trace-.ndjson`. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+ - name: username
+ type: text
+ title: Splunk REST API Username
+ show_user: true
+ required: false
+ - name: password
+ type: password
+ title: Splunk REST API Password
+ show_user: true
+ required: false
+ - name: token
+ type: password
+ title: Splunk Authorization Token
+ description: |
+ Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..."
+ or "Splunk 192fd3e...". Cannot be used with username
+ and password.
+ show_user: true
+ required: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+owner:
+ github: elastic/obs-infraobs-integrations
diff --git a/test/packages/parallel/system/script.py b/test/packages/parallel/system/script.py new file mode 100644
index 000000000..178eb89fc
--- /dev/null
+++ b/test/packages/parallel/system/script.py
@@ -0,0 +1,50 @@
+import argparse
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument("--list", required=True)
+ parser.add_argument("--reference", required=False)
+ parser.add_argument("--dashboard", required=False)
+ parser.add_argument("--all_dashboards", action="store_true", required=False)
+
+ args = parser.parse_args()
+
+ lines = []
+ with open(args.list, "r") as f:
+ lines = f.readlines()
+ dashboards_references = {}
+ references_dashboards = {}
+
+ for line in lines:
+ fields = line.split(":")
+ dashboard = fields[0]
+
+ references = [r.strip() for r in fields[1].split(",")]
+
+ dashboards_references[dashboard] = references
+
+ for r in references:
+ if r in references_dashboards:
+ references_dashboards[r].append(dashboard)
+ else:
+ references_dashboards[r] = [dashboard]
+
+ if args.reference:
+ print(references_dashboards[args.reference])
+
+ if args.dashboard:
+ print(dashboards_references[args.dashboard])
+ for ref in dashboards_references[args.dashboard]:
+ number = len(references_dashboards[ref])
+ print(f" - {ref}: {number}")
+
+ print("")
+
+ if args.all_dashboards:
+ for dashboard in dashboards_references:
+ print(f"Dashboard {dashboard}:")
+ for ref in dashboards_references[dashboard]:
+ number = len(references_dashboards[ref])
+ print(f" - {ref}: {number}")
+ print("")
From 78b628a3ce72260e53593370a4d82e47ab999cf7 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 20 Jun 2023 10:28:30 +0200 Subject: [PATCH 5/9] Fix lint in system package
---
 .../parallel/system/data_stream/network/fields/agent.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/test/packages/parallel/system/data_stream/network/fields/agent.yml b/test/packages/parallel/system/data_stream/network/fields/agent.yml
index c20bbf2c7..da7e7451a 100644
--- a/test/packages/parallel/system/data_stream/network/fields/agent.yml
+++ b/test/packages/parallel/system/data_stream/network/fields/agent.yml
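Review bot: The parsing loop in the new script.py indexes `fields[1]` after `line.split(":")`, so a blank line or a line without a colon in the `--list` file raises IndexError, and a reference name that itself contains a colon is silently cut at that colon. Splitting once and skipping lines with no separator avoids both: `dashboard, sep, refs = line.strip().partition(":")` followed by `if not sep: continue`. The `--reference` and `--dashboard` branches index the dicts directly, so an unknown name ends in a KeyError traceback; `references_dashboards.get(args.reference, [])` would print an empty list instead. The file also has no docstring or usage comment stating the input format, which the parser appears to assume is one `dashboard: ref1, ref2` entry per line.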
@@ -195,3 +195,4 @@ example: "stretch" description: > OS codename, if any. + From ded80262c2bd52bae7560ca07eac0c9847d95e8a Mon Sep 17 00:00:00 2001 
From: Mario Rodriguez Molins Date: Tue, 20 Jun 2023 10:43:36 +0200 Subject: [PATCH 6/9] Remove some datastreams and config from system package --- .../application/agent/stream/httpjson.yml.hbs | 107 - .../application/agent/stream/winlog.yml.hbs | 24 - .../elasticsearch/ingest_pipeline/default.yml | 13 - .../data_stream/application/fields/agent.yml | 198 - .../application/fields/base-fields.yml | 20 - .../data_stream/application/fields/ecs.yml | 12 - .../data_stream/application/fields/winlog.yml | 357 -- .../data_stream/application/manifest.yml | 80 - .../_dev/test/pipeline/test-auth-rhel79.log | 3 - .../test-auth-rhel79.log-expected.json | 121 - .../test/pipeline/test-auth-ubuntu1204.log | 122 - .../test-auth-ubuntu1204.log-config.yml | 5 - .../test-auth-ubuntu1204.log-expected.json | 4348 ----------------- .../_dev/test/pipeline/test-multiline.log | 3 - .../pipeline/test-multiline.log-config.yml | 7 - .../pipeline/test-multiline.log-expected.json | 56 - .../_dev/test/pipeline/test-secure-rhel7.log | 7 - .../pipeline/test-secure-rhel7.log-config.yml | 5 - .../test-secure-rhel7.log-expected.json | 251 - .../core/agent/stream/stream.yml.hbs | 18 - .../system/data_stream/core/fields/agent.yml | 198 - .../data_stream/core/fields/base-fields.yml | 20 - .../system/data_stream/core/fields/ecs.yml | 24 - .../system/data_stream/core/fields/fields.yml | 103 - .../system/data_stream/core/manifest.yml | 39 - .../cpu/agent/stream/stream.yml.hbs | 19 - .../system/data_stream/cpu/fields/agent.yml | 205 - .../data_stream/cpu/fields/base-fields.yml | 20 - .../system/data_stream/cpu/fields/ecs.yml | 27 - .../system/data_stream/cpu/fields/fields.yml | 183 - .../system/data_stream/cpu/manifest.yml | 41 - .../diskio/agent/stream/stream.yml.hbs | 19 - .../data_stream/diskio/fields/agent.yml | 205 - .../data_stream/diskio/fields/base-fields.yml | 20 - .../system/data_stream/diskio/fields/ecs.yml | 29 - .../data_stream/diskio/fields/fields.yml | 137 - 
.../system/data_stream/diskio/manifest.yml | 38 - .../filesystem/agent/stream/stream.yml.hbs | 15 - .../data_stream/filesystem/fields/agent.yml | 205 - .../filesystem/fields/base-fields.yml | 20 - .../data_stream/filesystem/fields/ecs.yml | 3 - .../data_stream/filesystem/fields/fields.yml | 62 - .../data_stream/filesystem/manifest.yml | 43 - .../fsstat/agent/stream/stream.yml.hbs | 12 - .../data_stream/fsstat/fields/agent.yml | 205 - .../data_stream/fsstat/fields/base-fields.yml | 20 - .../system/data_stream/fsstat/fields/ecs.yml | 27 - .../data_stream/fsstat/fields/fields.yml | 36 - .../system/data_stream/fsstat/manifest.yml | 34 - .../load/agent/stream/stream.yml.hbs | 13 - .../system/data_stream/load/fields/agent.yml | 194 - .../data_stream/load/fields/base-fields.yml | 20 - .../system/data_stream/load/fields/ecs.yml | 27 - .../system/data_stream/load/fields/fields.yml | 38 - .../system/data_stream/load/manifest.yml | 29 - .../memory/agent/stream/stream.yml.hbs | 15 - .../data_stream/memory/fields/agent.yml | 205 - .../data_stream/memory/fields/base-fields.yml | 20 - .../system/data_stream/memory/fields/ecs.yml | 27 - .../data_stream/memory/fields/fields.yml | 200 - .../system/data_stream/memory/manifest.yml | 29 - .../network/agent/stream/stream.yml.hbs | 16 - .../data_stream/network/fields/agent.yml | 198 - .../network/fields/base-fields.yml | 17 - .../system/data_stream/network/fields/ecs.yml | 49 - .../data_stream/network/fields/fields.yml | 78 - .../system/data_stream/network/manifest.yml | 38 - .../agent/stream/stream.yml.hbs | 15 - .../process_summary/fields/agent.yml | 205 - .../process_summary/fields/base-fields.yml | 20 - .../process_summary/fields/ecs.yml | 49 - .../process_summary/fields/fields.yml | 44 - .../data_stream/process_summary/manifest.yml | 30 - .../_dev/test/pipeline/test-1100.json | 53 - .../pipeline/test-1100.json-expected.json | 60 - .../_dev/test/pipeline/test-1102.json | 60 - .../pipeline/test-1102.json-expected.json | 81 - 
.../_dev/test/pipeline/test-1104.json | 53 - .../pipeline/test-1104.json-expected.json | 60 - .../_dev/test/pipeline/test-1105.json | 58 - .../pipeline/test-1105.json-expected.json | 65 - .../_dev/test/pipeline/test-4663.json | 74 - .../pipeline/test-4663.json-expected.json | 85 - .../pipeline/test-4670-windowssrv2016.json | 67 - ...est-4670-windowssrv2016.json-expected.json | 97 - .../_dev/test/pipeline/test-4674.json | 125 - .../pipeline/test-4674.json-expected.json | 184 - .../pipeline/test-4706-windowssrv2016.json | 66 - ...est-4706-windowssrv2016.json-expected.json | 89 - .../pipeline/test-4707-windowssrv2016.json | 61 - ...est-4707-windowssrv2016.json-expected.json | 81 - .../pipeline/test-4713-windowssrv2016.json | 61 - ...est-4713-windowssrv2016.json-expected.json | 81 - .../pipeline/test-4716-windowssrv2016.json | 66 - ...est-4716-windowssrv2016.json-expected.json | 89 - .../pipeline/test-4717-windowssrv2016.json | 62 - ...est-4717-windowssrv2016.json-expected.json | 84 - .../pipeline/test-4718-windowssrv2016.json | 62 - ...est-4718-windowssrv2016.json-expected.json | 84 - .../pipeline/test-4719-windowssrv2016.json | 64 - ...est-4719-windowssrv2016.json-expected.json | 91 - .../_dev/test/pipeline/test-4719.json | 64 - .../pipeline/test-4719.json-expected.json | 92 - .../_dev/test/pipeline/test-4738.json | 72 - .../pipeline/test-4738.json-expected.json | 101 - .../pipeline/test-4739-windowssrv2016.json | 68 - ...est-4739-windowssrv2016.json-expected.json | 88 - .../_dev/test/pipeline/test-4742.json | 74 - .../pipeline/test-4742.json-expected.json | 104 - .../_dev/test/pipeline/test-4743.json | 63 - .../pipeline/test-4743.json-expected.json | 91 - .../_dev/test/pipeline/test-4744.json | 65 - .../pipeline/test-4744.json-expected.json | 91 - .../_dev/test/pipeline/test-4745.json | 65 - .../pipeline/test-4745.json-expected.json | 91 - .../_dev/test/pipeline/test-4746.json | 65 - .../pipeline/test-4746.json-expected.json | 101 - 
.../_dev/test/pipeline/test-4747.json | 65 - .../pipeline/test-4747.json-expected.json | 101 - .../_dev/test/pipeline/test-4748.json | 63 - .../pipeline/test-4748.json-expected.json | 89 - .../_dev/test/pipeline/test-4749.json | 65 - .../pipeline/test-4749.json-expected.json | 91 - .../_dev/test/pipeline/test-4750.json | 65 - .../pipeline/test-4750.json-expected.json | 91 - .../_dev/test/pipeline/test-4751.json | 65 - .../pipeline/test-4751.json-expected.json | 101 - .../_dev/test/pipeline/test-4752.json | 65 - .../pipeline/test-4752.json-expected.json | 101 - .../_dev/test/pipeline/test-4753.json | 63 - .../pipeline/test-4753.json-expected.json | 89 - .../_dev/test/pipeline/test-4759.json | 65 - .../pipeline/test-4759.json-expected.json | 91 - .../_dev/test/pipeline/test-4760.json | 65 - .../pipeline/test-4760.json-expected.json | 91 - .../_dev/test/pipeline/test-4761.json | 65 - .../pipeline/test-4761.json-expected.json | 101 - .../_dev/test/pipeline/test-4762.json | 65 - .../pipeline/test-4762.json-expected.json | 101 - .../_dev/test/pipeline/test-4763.json | 63 - .../pipeline/test-4763.json-expected.json | 89 - .../_dev/test/pipeline/test-4797.json | 219 - .../pipeline/test-4797.json-expected.json | 369 -- .../pipeline/test-4817-windowssrv2016.json | 64 - ...est-4817-windowssrv2016.json-expected.json | 89 - .../pipeline/test-4902-windowssrv2016.json | 57 - ...est-4902-windowssrv2016.json-expected.json | 66 - .../pipeline/test-4904-windowssrv2016.json | 64 - ...est-4904-windowssrv2016.json-expected.json | 89 - .../pipeline/test-4905-windowssrv2016.json | 64 - ...est-4905-windowssrv2016.json-expected.json | 89 - .../pipeline/test-4906-windowssrv2016.json | 56 - ...est-4906-windowssrv2016.json-expected.json | 65 - .../pipeline/test-4907-windowssrv2016.json | 66 - ...est-4907-windowssrv2016.json-expected.json | 92 - .../_dev/test/pipeline/test-5379.json | 239 - .../pipeline/test-5379.json-expected.json | 364 -- .../_dev/test/pipeline/test-5380.json | 229 - 
.../pipeline/test-5380.json-expected.json | 354 -- .../_dev/test/pipeline/test-5381.json | 219 - .../pipeline/test-5381.json-expected.json | 344 -- .../_dev/test/pipeline/test-5382.json | 239 - .../pipeline/test-5382.json-expected.json | 364 -- .../pipeline/test-security-5140-5145.json | 110 - ...test-security-5140-5145.json-expected.json | 194 - .../test-security-windows2012-4673.json | 64 - ...curity-windows2012-4673.json-expected.json | 89 - .../test-security-windows2012-4697.json | 65 - ...curity-windows2012-4697.json-expected.json | 91 - .../test-security-windows2012-4768.json | 66 - ...curity-windows2012-4768.json-expected.json | 99 - .../test-security-windows2012-4769.json | 66 - ...curity-windows2012-4769.json-expected.json | 97 - .../test-security-windows2012-4770.json | 63 - ...curity-windows2012-4770.json-expected.json | 92 - .../test-security-windows2012-4771.json | 63 - ...curity-windows2012-4771.json-expected.json | 94 - .../test-security-windows2012-4776.json | 59 - ...curity-windows2012-4776.json-expected.json | 79 - .../test-security-windows2012-4778.json | 61 - ...curity-windows2012-4778.json-expected.json | 103 - .../test-security-windows2012-4779.json | 61 - ...curity-windows2012-4779.json-expected.json | 88 - .../test-security-windows2012r2-logon.json | 1303 ----- ...ity-windows2012r2-logon.json-expected.json | 1769 ------- .../test-security-windows2016-4727.json | 65 - ...curity-windows2016-4727.json-expected.json | 91 - .../test-security-windows2016-4728.json | 65 - ...curity-windows2016-4728.json-expected.json | 100 - .../test-security-windows2016-4729.json | 65 - ...curity-windows2016-4729.json-expected.json | 100 - .../test-security-windows2016-4730.json | 63 - ...curity-windows2016-4730.json-expected.json | 89 - .../test-security-windows2016-4731.json | 65 - ...curity-windows2016-4731.json-expected.json | 91 - .../test-security-windows2016-4732.json | 65 - ...curity-windows2016-4732.json-expected.json | 100 - 
.../test-security-windows2016-4733.json | 65 - ...curity-windows2016-4733.json-expected.json | 100 - .../test-security-windows2016-4734.json | 63 - ...curity-windows2016-4734.json-expected.json | 89 - .../test-security-windows2016-4735.json | 65 - ...curity-windows2016-4735.json-expected.json | 91 - .../test-security-windows2016-4737.json | 65 - ...curity-windows2016-4737.json-expected.json | 91 - .../test-security-windows2016-4754.json | 65 - ...curity-windows2016-4754.json-expected.json | 91 - .../test-security-windows2016-4755.json | 65 - ...curity-windows2016-4755.json-expected.json | 91 - .../test-security-windows2016-4756.json | 65 - ...curity-windows2016-4756.json-expected.json | 100 - .../test-security-windows2016-4757.json | 65 - ...curity-windows2016-4757.json-expected.json | 100 - .../test-security-windows2016-4758.json | 63 - ...curity-windows2016-4758.json-expected.json | 89 - .../test-security-windows2016-4764.json | 64 - ...curity-windows2016-4764.json-expected.json | 90 - .../test-security-windows2016-4798.json | 65 - ...curity-windows2016-4798.json-expected.json | 92 - .../test-security-windows2016-4799.json | 65 - ...curity-windows2016-4799.json-expected.json | 91 - .../agent/stream/stream.yml.hbs | 15 - .../socket_summary/fields/agent.yml | 205 - .../socket_summary/fields/base-fields.yml | 17 - .../data_stream/socket_summary/fields/ecs.yml | 49 - .../socket_summary/fields/fields.yml | 106 - .../data_stream/socket_summary/manifest.yml | 29 - .../uptime/agent/stream/stream.yml.hbs | 12 - .../data_stream/uptime/fields/agent.yml | 205 - .../data_stream/uptime/fields/base-fields.yml | 20 - .../system/data_stream/uptime/fields/ecs.yml | 3 - .../data_stream/uptime/fields/fields.yml | 10 - .../system/data_stream/uptime/manifest.yml | 29 - 233 files changed, 26836 deletions(-) delete mode 100644 test/packages/parallel/system/data_stream/application/agent/stream/httpjson.yml.hbs delete mode 100644 
test/packages/parallel/system/data_stream/application/agent/stream/winlog.yml.hbs delete mode 100644 test/packages/parallel/system/data_stream/application/elasticsearch/ingest_pipeline/default.yml delete mode 100644 test/packages/parallel/system/data_stream/application/fields/agent.yml delete mode 100644 test/packages/parallel/system/data_stream/application/fields/base-fields.yml delete mode 100644 test/packages/parallel/system/data_stream/application/fields/ecs.yml delete mode 100644 test/packages/parallel/system/data_stream/application/fields/winlog.yml delete mode 100644 test/packages/parallel/system/data_stream/application/manifest.yml delete mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log delete mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log-expected.json delete mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log delete mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-config.yml delete mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json delete mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log delete mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-config.yml delete mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-expected.json delete mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log delete mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-config.yml delete mode 100644 test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json delete mode 100644 
test/packages/parallel/system/data_stream/core/agent/stream/stream.yml.hbs delete mode 100644 test/packages/parallel/system/data_stream/core/fields/agent.yml delete mode 100644 test/packages/parallel/system/data_stream/core/fields/base-fields.yml delete mode 100644 test/packages/parallel/system/data_stream/core/fields/ecs.yml delete mode 100644 test/packages/parallel/system/data_stream/core/fields/fields.yml delete mode 100644 test/packages/parallel/system/data_stream/core/manifest.yml delete mode 100644 test/packages/parallel/system/data_stream/cpu/agent/stream/stream.yml.hbs delete mode 100644 test/packages/parallel/system/data_stream/cpu/fields/agent.yml delete mode 100644 test/packages/parallel/system/data_stream/cpu/fields/base-fields.yml delete mode 100644 test/packages/parallel/system/data_stream/cpu/fields/ecs.yml delete mode 100644 test/packages/parallel/system/data_stream/cpu/fields/fields.yml delete mode 100644 test/packages/parallel/system/data_stream/cpu/manifest.yml delete mode 100644 test/packages/parallel/system/data_stream/diskio/agent/stream/stream.yml.hbs delete mode 100644 test/packages/parallel/system/data_stream/diskio/fields/agent.yml delete mode 100644 test/packages/parallel/system/data_stream/diskio/fields/base-fields.yml delete mode 100644 test/packages/parallel/system/data_stream/diskio/fields/ecs.yml delete mode 100644 test/packages/parallel/system/data_stream/diskio/fields/fields.yml delete mode 100644 test/packages/parallel/system/data_stream/diskio/manifest.yml delete mode 100644 test/packages/parallel/system/data_stream/filesystem/agent/stream/stream.yml.hbs delete mode 100644 test/packages/parallel/system/data_stream/filesystem/fields/agent.yml delete mode 100644 test/packages/parallel/system/data_stream/filesystem/fields/base-fields.yml delete mode 100644 test/packages/parallel/system/data_stream/filesystem/fields/ecs.yml delete mode 100644 test/packages/parallel/system/data_stream/filesystem/fields/fields.yml delete mode 100644 
test/packages/parallel/system/data_stream/filesystem/manifest.yml delete mode 100644 test/packages/parallel/system/data_stream/fsstat/agent/stream/stream.yml.hbs delete mode 100644 test/packages/parallel/system/data_stream/fsstat/fields/agent.yml delete mode 100644 test/packages/parallel/system/data_stream/fsstat/fields/base-fields.yml delete mode 100644 test/packages/parallel/system/data_stream/fsstat/fields/ecs.yml delete mode 100644 test/packages/parallel/system/data_stream/fsstat/fields/fields.yml delete mode 100644 test/packages/parallel/system/data_stream/fsstat/manifest.yml delete mode 100644 test/packages/parallel/system/data_stream/load/agent/stream/stream.yml.hbs delete mode 100644 test/packages/parallel/system/data_stream/load/fields/agent.yml delete mode 100644 test/packages/parallel/system/data_stream/load/fields/base-fields.yml delete mode 100644 test/packages/parallel/system/data_stream/load/fields/ecs.yml delete mode 100644 test/packages/parallel/system/data_stream/load/fields/fields.yml delete mode 100644 test/packages/parallel/system/data_stream/load/manifest.yml delete mode 100644 test/packages/parallel/system/data_stream/memory/agent/stream/stream.yml.hbs delete mode 100644 test/packages/parallel/system/data_stream/memory/fields/agent.yml delete mode 100644 test/packages/parallel/system/data_stream/memory/fields/base-fields.yml delete mode 100644 test/packages/parallel/system/data_stream/memory/fields/ecs.yml delete mode 100644 test/packages/parallel/system/data_stream/memory/fields/fields.yml delete mode 100644 test/packages/parallel/system/data_stream/memory/manifest.yml delete mode 100644 test/packages/parallel/system/data_stream/network/agent/stream/stream.yml.hbs delete mode 100644 test/packages/parallel/system/data_stream/network/fields/agent.yml delete mode 100644 test/packages/parallel/system/data_stream/network/fields/base-fields.yml delete mode 100644 test/packages/parallel/system/data_stream/network/fields/ecs.yml delete mode 100644 
test/packages/parallel/system/data_stream/network/fields/fields.yml delete mode 100644 test/packages/parallel/system/data_stream/network/manifest.yml delete mode 100644 test/packages/parallel/system/data_stream/process_summary/agent/stream/stream.yml.hbs delete mode 100644 test/packages/parallel/system/data_stream/process_summary/fields/agent.yml delete mode 100644 test/packages/parallel/system/data_stream/process_summary/fields/base-fields.yml delete mode 100644 test/packages/parallel/system/data_stream/process_summary/fields/ecs.yml delete mode 100644 test/packages/parallel/system/data_stream/process_summary/fields/fields.yml delete mode 100644 test/packages/parallel/system/data_stream/process_summary/manifest.yml delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json delete mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json delete mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json delete mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json delete mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json 
delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json delete mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json delete mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json delete mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json delete mode 100644 
test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json delete mode 100644 test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json delete mode 100644 test/packages/parallel/system/data_stream/socket_summary/agent/stream/stream.yml.hbs delete mode 100644 test/packages/parallel/system/data_stream/socket_summary/fields/agent.yml delete mode 100644 test/packages/parallel/system/data_stream/socket_summary/fields/base-fields.yml delete mode 100644 test/packages/parallel/system/data_stream/socket_summary/fields/ecs.yml delete mode 100644 test/packages/parallel/system/data_stream/socket_summary/fields/fields.yml delete mode 100644 test/packages/parallel/system/data_stream/socket_summary/manifest.yml delete mode 100644 test/packages/parallel/system/data_stream/uptime/agent/stream/stream.yml.hbs delete mode 100644 test/packages/parallel/system/data_stream/uptime/fields/agent.yml delete mode 100644 test/packages/parallel/system/data_stream/uptime/fields/base-fields.yml delete mode 100644 test/packages/parallel/system/data_stream/uptime/fields/ecs.yml delete mode 100644 
test/packages/parallel/system/data_stream/uptime/fields/fields.yml delete mode 100644 test/packages/parallel/system/data_stream/uptime/manifest.yml diff --git a/test/packages/parallel/system/data_stream/application/agent/stream/httpjson.yml.hbs b/test/packages/parallel/system/data_stream/application/agent/stream/httpjson.yml.hbs deleted file mode 100644 index 6364f1ab6..000000000 --- a/test/packages/parallel/system/data_stream/application/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,107 +0,0 @@ -config_version: "2" -interval: {{interval}} -{{#if enable_request_tracer}} -request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson" -{{/if}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: 
false - - drop_fields: - fields: json - - decode_xml_wineventlog: - field: event.original - target_field: winlog - ignore_missing: true - ignore_failure: true - map_ecs_fields: true - - timestamp: - field: winlog.time_created - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - - '2006-01-02T15:04:05.999-07:00' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' - - '2020-08-03T07:10:20.123456+02:00' diff --git a/test/packages/parallel/system/data_stream/application/agent/stream/winlog.yml.hbs b/test/packages/parallel/system/data_stream/application/agent/stream/winlog.yml.hbs deleted file mode 100644 index ca336f119..000000000 --- a/test/packages/parallel/system/data_stream/application/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,24 +0,0 @@ -name: Application -condition: ${host.platform} == 'windows' -{{#if event_id}} -event_id: {{event_id}} -{{/if}} -{{#if ignore_older}} -ignore_older: {{ignore_older}} -{{/if}} -{{#if language}} -language: {{language}} -{{/if}} -{{#if preserve_original_event}} -include_xml: true -{{/if}} -{{#if processors.length}} -processors: -{{processors}} -{{/if}} -{{#if tags.length}} -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{/if}} diff --git a/test/packages/parallel/system/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/test/packages/parallel/system/data_stream/application/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 7d7aa4443..000000000 --- a/test/packages/parallel/system/data_stream/application/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -description: Pipeline for Windows Application Event Logs -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - set: - field: ecs.version - value: 8.0.0 -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" 
diff --git a/test/packages/parallel/system/data_stream/application/fields/agent.yml b/test/packages/parallel/system/data_stream/application/fields/agent.yml
deleted file mode 100644
index da4e652c5..000000000
--- a/test/packages/parallel/system/data_stream/application/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/test/packages/parallel/system/data_stream/application/fields/base-fields.yml b/test/packages/parallel/system/data_stream/application/fields/base-fields.yml
deleted file mode 100644
index 4d2e3fc51..000000000
--- a/test/packages/parallel/system/data_stream/application/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: system
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: system.application
diff --git a/test/packages/parallel/system/data_stream/application/fields/ecs.yml b/test/packages/parallel/system/data_stream/application/fields/ecs.yml
deleted file mode 100644
index cfbc8e8c8..000000000
--- a/test/packages/parallel/system/data_stream/application/fields/ecs.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- external: ecs
- name: error.message
-- external: ecs
- name: event.code
-- external: ecs
- name: event.created
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.original
-- external: ecs
- name: message
diff --git a/test/packages/parallel/system/data_stream/application/fields/winlog.yml b/test/packages/parallel/system/data_stream/application/fields/winlog.yml
deleted file mode 100644
index adca1bbdd..000000000
--- a/test/packages/parallel/system/data_stream/application/fields/winlog.yml
+++ /dev/null
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/test/packages/parallel/system/data_stream/application/manifest.yml b/test/packages/parallel/system/data_stream/application/manifest.yml deleted file mode 100644 index aad38959f..000000000 --- a/test/packages/parallel/system/data_stream/application/manifest.yml +++ /dev/null 
@@ -1,80 +0,0 @@ -type: logs -title: Windows Application Events -streams: - - input: winlog - template_path: winlog.yml.hbs - title: Application - description: 'Collect Windows application logs' - vars: - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: >- - Preserves a raw copy of the original XML event, added to the field `event.original` - type: bool - multi: false - default: false - - name: event_id - type: text - title: Event ID - multi: false - required: false - show_user: false - description: >- - A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 clauses, lower in some situations. See integration documentation for more details. - - name: ignore_older - type: text - title: Ignore events older than - default: 72h - required: false - show_user: false - description: >- - If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - - name: language - type: text - title: Language ID - description: >- - The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. 
E.g.: 0x0409 for en-US - required: false - show_user: false - default: 0 - - name: tags - type: text - title: Tags - multi: true - show_user: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: httpjson - title: Windows Application Events via Splunk Enterprise REST API - description: Collect Application Events via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: false - required: true - default: "search sourcetype=\"XmlWinEventLog:Application\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log deleted file mode 100644 index 391e8c74c..000000000 --- a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log +++ /dev/null @@ -1,3 +0,0 @@ -Oct 11 09:10:48 plinode useradd[25494]: failed adding user 'aol', exit code: 4 -Oct 14 16:49:59 dlig userdel[1619336]: delete user 'jce' -Oct 19 12:54:40 plielk0 usermod[7730]: change user 'acris' expiration from '2001-01-01' to '2243-10-16' 
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log-expected.json b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log-expected.json
deleted file mode 100644
index 514b2e5d8..000000000
--- a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-rhel79.log-expected.json
+++ /dev/null
@@ -1,121 +0,0 @@
-{
- "expected": [
- {
- "@timestamp": "2023-10-11T09:10:48.000Z",
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "category": [
- "iam"
- ],
- "kind": "event",
- "outcome": "failure",
- "type": [
- "user",
- "creation"
- ]
- },
- "host": {
- "hostname": "plinode"
- },
- "message": "failed adding user 'aol', exit code: 4",
- "process": {
- "name": "useradd",
- "pid": 25494
- },
- "related": {
- "hosts": [
- "plinode"
- ],
- "user": [
- "aol"
- ]
- },
- "system": {
- "auth": {}
- },
- "user": {
- "name": "aol"
- }
- },
- {
- "@timestamp": "2023-10-14T16:49:59.000Z",
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "category": [
- "iam"
- ],
- "kind": "event",
- "outcome": "success",
- "type": [
- "user",
- "deletion"
- ]
- },
- "host": {
- "hostname": "dlig"
- },
- "message": "delete user 'jce'",
- "process": {
- "name": "userdel",
- "pid": 1619336
- },
- "related": {
- "hosts": [
- "dlig"
- ],
- "user": [
- "jce"
- ]
- },
- "system": {
- "auth": {}
- },
- "user": {
- "name": "jce"
- }
- },
- {
- "@timestamp": "2023-10-19T12:54:40.000Z",
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "category": [
- "iam"
- ],
- "kind": "event",
- "outcome": "success",
- "type": [
- "user",
- "change"
- ]
- },
- "host": {
- "hostname": "plielk0"
- },
- "message": "change user 'acris' expiration from '2001-01-01' to '2243-10-16'",
- "process": {
- "name": "usermod",
- "pid": 7730
- },
- "related": {
- "hosts": [
- "plielk0"
- ],
- "user": [
- "acris"
- ]
- },
- "system": {
- "auth": {}
- },
- "user": {
- "name": "acris"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log
deleted file mode 100644
index b8cdc1e52..000000000
--- a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log
+++ /dev/null
@@ -1,122 +0,0 @@ -Feb 9 21:19:40 precise32 sshd[8317]: subsystem request for sftp by user vagrant -Feb 9 21:19:40 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-lhspyyxxlfzpytwsebjoegenjxyjombo; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/ >/dev/null 2>&1 -Feb 9 21:19:40 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 9 21:19:41 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 9 21:21:02 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-lwzhcvorajmjyxsrqydafzapoeescwaf; rc=flag; [ -r /etc/metricbeat/metricbeat.yml ] || rc=2; [ -f /etc/metricbeat/metricbeat.yml ] || rc=1; [ -d /etc/metricbeat/metricbeat.yml ] && rc=3; python -V 2>/dev/null || rc=4; [ x"$rc" != "xflag" ] && echo "${rc} "/etc/metricbeat/metricbeat.yml && exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open("'/etc/metricbeat/metricbeat.yml'", "rb")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open("'/etc/metricbeat/metricbeat.yml'", "rb")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (echo '0 -Feb 9 21:21:02 precise32 sudo: vagrant : (command continued) '/etc/metricbeat/metricbeat.yml) -Feb 9 21:21:02 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 9 21:21:02 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 
22 10:21:42 precise32 sshd[1332]: subsystem request for sftp by user vagrant -Feb 22 10:21:43 sshd[1332]: last message repeated 2 times -Feb 22 10:24:49 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-ippzqmywwjlstxlqlpyxbnzzgeigarma; rc=flag; [ -r /etc/heartbeat/heartbeat.yml ] || rc=2; [ -f /etc/heartbeat/heartbeat.yml ] || rc=1; [ -d /etc/heartbeat/heartbeat.yml ] && rc=3; python -V 2>/dev/null || rc=4; [ x"$rc" != "xflag" ] && echo "${rc} "/etc/heartbeat/heartbeat.yml && exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open("'/etc/heartbeat/heartbeat.yml'", "rb")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open("'/etc/heartbeat/heartbeat.yml'", "rb")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (echo '0 -Feb 22 10:24:49 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 22 10:26:52 precise32 sshd[1332]: Received disconnect from 10.0.2.2: 11: disconnected by user -Feb 22 10:26:52 precise32 sshd[1317]: pam_unix(sshd:session): session closed for user vagrant -Feb 22 10:49:54 precise32 sshd[3007]: Accepted publickey for vagrant from 10.0.2.2 port 52059 ssh2 -Feb 22 10:49:54 precise32 sshd[3007]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) -Feb 22 10:50:01 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/vi /etc/apt/sources.list.d/elastic.list -Feb 22 10:50:17 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/apt-get update -Feb 22 10:50:17 precise32 sudo: pam_unix(sudo:session): session 
opened for user root by vagrant(uid=1000) -Feb 22 10:50:28 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 22 11:04:28 precise32 sshd[3403]: Accepted publickey for vagrant from 10.0.2.2 port 52321 ssh2 -Feb 22 11:04:28 precise32 sshd[3403]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) -Feb 22 11:04:32 precise32 sshd[3418]: Received disconnect from 10.0.2.2: 11: disconnected by user -Feb 22 11:04:32 precise32 sshd[3403]: pam_unix(sshd:session): session closed for user vagrant -Feb 22 11:17:01 precise32 CRON[3448]: pam_unix(cron:session): session opened for user root by (uid=0) -Feb 22 11:17:01 precise32 CRON[3448]: pam_unix(cron:session): session closed for user root -Feb 22 11:21:21 precise32 sshd[3452]: Accepted publickey for vagrant from 10.0.2.2 port 52747 ssh2 -Feb 22 11:21:21 precise32 sshd[3452]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) -Feb 22 11:21:24 precise32 sshd[3467]: Received disconnect from 10.0.2.2: 11: disconnected by user -Feb 22 11:21:24 precise32 sshd[3452]: pam_unix(sshd:session): session closed for user vagrant -Feb 22 11:24:43 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/vi /etc/filebeat/filebeat.full.yml -Feb 22 11:24:43 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 22 23:17:01 precise32 CRON[3760]: pam_unix(cron:session): session opened for user root by (uid=0) -Feb 22 23:17:01 precise32 CRON[3760]: pam_unix(cron:session): session closed for user root -Feb 22 23:29:50 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 22 23:29:50 precise32 sshd[3007]: pam_unix(sshd:session): session closed for user vagrant -Feb 23 19:17:01 precise32 CRON[3938]: pam_unix(cron:session): session opened for user root by (uid=0) -Feb 23 19:17:01 precise32 CRON[3938]: pam_unix(cron:session): session closed for user root -Feb 23 19:26:35 precise32 sshd[3945]: Accepted publickey 
for vagrant from 10.0.2.2 port 58363 ssh2 -Feb 23 19:26:35 precise32 sshd[3945]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) -Feb 23 20:05:18 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log -Feb 23 20:05:18 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 23 20:15:04 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 23 20:15:09 precise32 sshd[3960]: Received disconnect from 10.0.2.2: 11: disconnected by user -Feb 23 20:15:09 precise32 sshd[3945]: pam_unix(sshd:session): session closed for user vagrant -Feb 23 23:17:01 precise32 CRON[4170]: pam_unix(cron:session): session opened for user root by (uid=0) -Feb 23 23:17:01 precise32 CRON[4170]: pam_unix(cron:session): session closed for user root -Feb 24 00:11:15 precise32 sshd[4185]: Accepted publickey for vagrant from 10.0.2.2 port 60839 ssh2 -Feb 24 00:11:15 precise32 sshd[4185]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) -Feb 24 00:11:24 precise32 sshd[4302]: Accepted publickey for vagrant from 10.0.2.2 port 60840 ssh2 -Feb 24 00:11:24 precise32 sshd[4302]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) -Feb 24 00:11:26 precise32 sudo: vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -Feb 24 00:11:26 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 24 00:12:02 precise32 groupadd[4480]: group added to /etc/group: name=tsg, GID=1003 -Feb 24 00:12:02 precise32 groupadd[4480]: group added to /etc/gshadow: name=tsg -Feb 24 00:12:02 precise32 groupadd[4480]: new group: name=tsg, GID=1003 -Feb 24 00:12:02 precise32 useradd[4484]: new user: name=tsg, UID=1001, GID=1003, home=/home/tsg, shell=/bin/bash -Feb 24 00:12:07 precise32 passwd[4491]: pam_unix(passwd:chauthtok): password changed for tsg -Feb 24 00:12:10 precise32 chfn[4492]: changed user 'tsg' 
information -Feb 24 00:12:14 precise32 su[4496]: Successful su for tsg by root -Feb 24 00:12:14 precise32 su[4496]: + /dev/pts/1 root:tsg -Feb 24 00:12:14 precise32 su[4496]: pam_unix(su:session): session opened for user tsg by vagrant(uid=0) -Feb 24 00:12:20 precise32 sudo: pam_unix(sudo:auth): authentication failure; logname=vagrant uid=1001 euid=0 tty=/dev/pts/1 ruser=tsg rhost= user=tsg -Feb 24 00:12:37 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log -Feb 24 00:12:37 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 24 00:12:37 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 24 00:12:42 precise32 sudo: tsg : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/ls -Feb 24 00:12:42 precise32 sudo: unable to execute /usr/sbin/sendmail: No such file or directory -Feb 24 00:12:50 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log -Feb 24 00:12:50 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 24 00:12:50 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 24 00:13:02 precise32 sudo: tsg : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/ls -Feb 24 00:13:02 precise32 sudo: unable to execute /usr/sbin/sendmail: No such file or directory -Feb 24 00:13:06 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log -Feb 24 00:13:06 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 24 00:13:06 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 24 00:17:01 precise32 CRON[4588]: pam_unix(cron:session): session opened for user root by (uid=0) -Feb 24 00:17:01 precise32 CRON[4588]: pam_unix(cron:session): session closed for user root -Feb 24 00:45:47 
precise32 su[4496]: pam_unix(su:session): session closed for user tsg -Feb 24 00:45:48 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 24 00:45:49 precise32 sshd[4317]: Received disconnect from 10.0.2.2: 11: disconnected by user -Feb 24 00:45:49 precise32 sshd[4302]: pam_unix(sshd:session): session closed for user vagrant -Feb 24 00:46:32 precise32 sshd[4598]: Accepted publickey for vagrant from 10.0.2.2 port 61852 ssh2 -Feb 24 00:46:32 precise32 sshd[4598]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) -Feb 24 00:46:32 precise32 sshd[4613]: Received disconnect from 10.0.2.2: 11: disconnected by user -Feb 24 00:46:32 precise32 sshd[4598]: pam_unix(sshd:session): session closed for user vagrant -Feb 24 01:05:42 precise32 sshd[4185]: pam_unix(sshd:session): session closed for user vagrant -Feb 24 08:17:01 precise32 CRON[4626]: pam_unix(cron:session): session opened for user root by (uid=0) -Feb 24 08:17:01 precise32 CRON[4626]: pam_unix(cron:session): session closed for user root -Feb 24 09:17:01 precise32 CRON[4642]: pam_unix(cron:session): session opened for user root by (uid=0) -Feb 24 09:17:01 precise32 CRON[4642]: pam_unix(cron:session): session closed for user root -Feb 24 09:18:35 precise32 sshd[4645]: Accepted publickey for vagrant from 10.0.2.2 port 53513 ssh2 -Feb 24 09:18:35 precise32 sshd[4645]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) -Feb 24 09:18:40 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/apt-get install nginx -Feb 24 09:18:40 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 24 09:18:46 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 24 09:18:53 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log -Feb 24 09:18:53 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 24 
09:18:53 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 24 09:19:04 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log -Feb 24 09:19:04 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 24 09:19:04 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 24 09:19:09 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log -Feb 24 09:19:09 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 24 09:19:09 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 24 09:19:29 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/apt-get install mysql-server -Feb 24 09:19:29 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 24 09:19:55 precise32 groupadd[7996]: group added to /etc/group: name=mysql, GID=111 -Feb 24 09:19:55 precise32 groupadd[7996]: group added to /etc/gshadow: name=mysql -Feb 24 09:19:55 precise32 groupadd[7996]: new group: name=mysql, GID=111 -Feb 24 09:19:55 precise32 useradd[8002]: new user: name=mysql, UID=106, GID=111, home=/nonexistent, shell=/bin/false -Feb 24 09:19:55 precise32 chage[8007]: changed password expiry for mysql -Feb 24 09:19:55 precise32 chfn[8010]: changed user 'mysql' information -Feb 24 09:20:08 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 24 09:20:10 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log -Feb 24 09:20:10 precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 24 09:20:10 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 24 09:26:29 precise32 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log -Feb 24 09:26:29 
precise32 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=1000) -Feb 24 09:26:29 precise32 sudo: pam_unix(sudo:session): session closed for user root -Feb 24 09:26:59 precise32 sshd[10535]: Accepted publickey for vagrant from 10.0.2.2 port 58988 ssh2 -Feb 24 09:26:59 precise32 sshd[10535]: pam_unix(sshd:session): session opened for user vagrant by (uid=0) diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-config.yml b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-config.yml deleted file mode 100644 index 98cc18212..000000000 --- a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -fields: - event.timezone: "+0000" -dynamic_fields: - event.ingested: "^.*$" - "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}Z$" diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json deleted file mode 100644 index bee9bd62b..000000000 --- a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json +++ /dev/null 
@@ -1,4348 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2023-02-09T21:19:40.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "subsystem request for sftp by user vagrant", - "process": { - "name": "sshd", - "pid": 8317 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-09T21:19:40.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/sh -c echo BECOME-SUCCESS-lhspyyxxlfzpytwsebjoegenjxyjombo; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/ \u003e/dev/null 2\u003e\u00261", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-09T21:19:40.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-09T21:19:41.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": 
{ - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-09T21:21:02.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/sh -c echo BECOME-SUCCESS-lwzhcvorajmjyxsrqydafzapoeescwaf; rc=flag; [ -r /etc/metricbeat/metricbeat.yml ] || rc=2; [ -f /etc/metricbeat/metricbeat.yml ] || rc=1; [ -d /etc/metricbeat/metricbeat.yml ] \u0026\u0026 rc=3; python -V 2\u003e/dev/null || rc=4; [ x\"$rc\" != \"xflag\" ] \u0026\u0026 echo \"${rc} \"/etc/metricbeat/metricbeat.yml \u0026\u0026 exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (echo '0", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-09T21:21:02.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": 
"precise32" - }, - "message": "vagrant : (command continued) '/etc/metricbeat/metricbeat.yml)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-09T21:21:02.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-09T21:21:02.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-22T10:21:42.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "subsystem request for sftp by user vagrant", - "process": { - "name": "sshd", - "pid": 1332 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-22T10:21:43.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "message": "last message repeated 2 times", - "process": { - "name": "sshd", - "pid": 1332 - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-22T10:24:49.000Z", - "ecs": { - "version": 
"8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/sh -c echo BECOME-SUCCESS-ippzqmywwjlstxlqlpyxbnzzgeigarma; rc=flag; [ -r /etc/heartbeat/heartbeat.yml ] || rc=2; [ -f /etc/heartbeat/heartbeat.yml ] || rc=1; [ -d /etc/heartbeat/heartbeat.yml ] \u0026\u0026 rc=3; python -V 2\u003e/dev/null || rc=4; [ x\"$rc\" != \"xflag\" ] \u0026\u0026 echo \"${rc} \"/etc/heartbeat/heartbeat.yml \u0026\u0026 exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open(\"'/etc/heartbeat/heartbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open(\"'/etc/heartbeat/heartbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (echo '0", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-22T10:24:49.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - 
"@timestamp": "2023-02-22T10:26:52.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", - "process": { - "name": "sshd", - "pid": 1332 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-22T10:26:52.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sshd:session): session closed for user vagrant", - "process": { - "name": "sshd", - "pid": 1317 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-22T10:49:54.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "ssh_login", - "category": [ - "authentication", - "session" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "info" - ] - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sshd", - "pid": 3007 - }, - "related": { - "hosts": [ - "precise32" - ], - "ip": [ - "10.0.2.2" - ], - "user": [ - "vagrant" - ] - }, - "source": { - "address": "10.0.2.2", - "ip": "10.0.2.2", - "port": 52059 - }, - "system": { - "auth": { - "ssh": { - "event": "Accepted", - "method": "publickey" - } - } - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-22T10:49:54.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", - "process": { - "name": "sshd", - "pid": 3007 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { 
- "effective": { - "name": "vagrant" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-22T10:50:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/usr/bin/vi /etc/apt/sources.list.d/elastic.list", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-22T10:50:17.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/usr/bin/apt-get update", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-22T10:50:17.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-22T10:50:28.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - 
"name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-22T11:04:28.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "ssh_login", - "category": [ - "authentication", - "session" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "info" - ] - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sshd", - "pid": 3403 - }, - "related": { - "hosts": [ - "precise32" - ], - "ip": [ - "10.0.2.2" - ], - "user": [ - "vagrant" - ] - }, - "source": { - "address": "10.0.2.2", - "ip": "10.0.2.2", - "port": 52321 - }, - "system": { - "auth": { - "ssh": { - "event": "Accepted", - "method": "publickey" - } - } - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-22T11:04:28.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", - "process": { - "name": "sshd", - "pid": 3403 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "vagrant" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-22T11:04:32.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", - "process": { - "name": "sshd", - "pid": 3418 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-22T11:04:32.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": 
"pam_unix(sshd:session): session closed for user vagrant", - "process": { - "name": "sshd", - "pid": 3403 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-22T11:17:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)", - "process": { - "name": "CRON", - "pid": 3448 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-22T11:17:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(cron:session): session closed for user root", - "process": { - "name": "CRON", - "pid": 3448 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-22T11:21:21.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "ssh_login", - "category": [ - "authentication", - "session" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "info" - ] - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sshd", - "pid": 3452 - }, - "related": { - "hosts": [ - "precise32" - ], - "ip": [ - "10.0.2.2" - ], - "user": [ - "vagrant" - ] - }, - "source": { - "address": "10.0.2.2", - "ip": "10.0.2.2", - "port": 52747 - }, - "system": { - "auth": { - "ssh": { - "event": "Accepted", - "method": "publickey" - } - } - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-22T11:21:21.000Z", - "ecs": { - "version": 
"8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", - "process": { - "name": "sshd", - "pid": 3452 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "vagrant" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-22T11:21:24.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", - "process": { - "name": "sshd", - "pid": 3467 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-22T11:21:24.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sshd:session): session closed for user vagrant", - "process": { - "name": "sshd", - "pid": 3452 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-22T11:24:43.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/usr/bin/vi /etc/filebeat/filebeat.full.yml", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-22T11:24:43.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", 
- "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-22T23:17:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)", - "process": { - "name": "CRON", - "pid": 3760 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-22T23:17:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(cron:session): session closed for user root", - "process": { - "name": "CRON", - "pid": 3760 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-22T23:29:50.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-22T23:29:50.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": 
"precise32" - }, - "message": "pam_unix(sshd:session): session closed for user vagrant", - "process": { - "name": "sshd", - "pid": 3007 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-23T19:17:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)", - "process": { - "name": "CRON", - "pid": 3938 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-23T19:17:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(cron:session): session closed for user root", - "process": { - "name": "CRON", - "pid": 3938 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-23T19:26:35.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "ssh_login", - "category": [ - "authentication", - "session" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "info" - ] - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sshd", - "pid": 3945 - }, - "related": { - "hosts": [ - "precise32" - ], - "ip": [ - "10.0.2.2" - ], - "user": [ - "vagrant" - ] - }, - "source": { - "address": "10.0.2.2", - "ip": "10.0.2.2", - "port": 58363 - }, - "system": { - "auth": { - "ssh": { - "event": "Accepted", - "method": "publickey" - } - } - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": 
"2023-02-23T19:26:35.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", - "process": { - "name": "sshd", - "pid": 3945 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "vagrant" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-23T20:05:18.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/usr/bin/less /var/log/auth.log", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-23T20:05:18.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-23T20:15:04.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - 
"user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-23T20:15:09.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", - "process": { - "name": "sshd", - "pid": 3960 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-23T20:15:09.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sshd:session): session closed for user vagrant", - "process": { - "name": "sshd", - "pid": 3945 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-23T23:17:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)", - "process": { - "name": "CRON", - "pid": 4170 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-23T23:17:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(cron:session): session closed for user root", - "process": { - "name": "CRON", - "pid": 4170 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-24T00:11:15.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "ssh_login", - 
"category": [ - "authentication", - "session" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "info" - ] - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sshd", - "pid": 4185 - }, - "related": { - "hosts": [ - "precise32" - ], - "ip": [ - "10.0.2.2" - ], - "user": [ - "vagrant" - ] - }, - "source": { - "address": "10.0.2.2", - "ip": "10.0.2.2", - "port": 60839 - }, - "system": { - "auth": { - "ssh": { - "event": "Accepted", - "method": "publickey" - } - } - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T00:11:15.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", - "process": { - "name": "sshd", - "pid": 4185 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "vagrant" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-24T00:11:24.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "ssh_login", - "category": [ - "authentication", - "session" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "info" - ] - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sshd", - "pid": 4302 - }, - "related": { - "hosts": [ - "precise32" - ], - "ip": [ - "10.0.2.2" - ], - "user": [ - "vagrant" - ] - }, - "source": { - "address": "10.0.2.2", - "ip": "10.0.2.2", - "port": 60840 - }, - "system": { - "auth": { - "ssh": { - "event": "Accepted", - "method": "publickey" - } - } - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T00:11:24.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": 
"pam_unix(sshd:session): session opened for user vagrant by (uid=0)", - "process": { - "name": "sshd", - "pid": 4302 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "vagrant" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-24T00:11:26.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/bash", - "pwd": "/home/vagrant", - "tty": "pts/1", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T00:11:26.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T00:12:02.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "category": [ - "iam" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "group", - "creation" - ] - }, - "host": { - "hostname": "precise32" - }, - "message": "group added to /etc/group: name=tsg, GID=1003", - "process": { - "name": "groupadd", - "pid": 4480 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-24T00:12:02.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "category": [ - "iam" - ], 
- "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "group", - "creation" - ] - }, - "host": { - "hostname": "precise32" - }, - "message": "group added to /etc/gshadow: name=tsg", - "process": { - "name": "groupadd", - "pid": 4480 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-24T00:12:02.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "category": [ - "iam" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "group", - "creation" - ] - }, - "group": { - "id": "1003", - "name": "tsg" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "groupadd", - "pid": 4480 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-24T00:12:02.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "category": [ - "iam" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "user", - "creation" - ] - }, - "group": { - "id": "1003" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "useradd", - "pid": 4484 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "tsg" - ] - }, - "system": { - "auth": { - "useradd": { - "home": "/home/tsg", - "shell": "/bin/bash" - } - } - }, - "user": { - "id": "1001", - "name": "tsg" - } - }, - { - "@timestamp": "2023-02-24T00:12:07.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(passwd:chauthtok): password changed for tsg", - "process": { - "name": "passwd", - "pid": 4491 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-24T00:12:10.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": 
"precise32" - }, - "message": "changed user 'tsg' information", - "process": { - "name": "chfn", - "pid": 4492 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "tsg" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "tsg" - } - }, - { - "@timestamp": "2023-02-24T00:12:14.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "Successful su for tsg by root", - "process": { - "name": "su", - "pid": 4496 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-24T00:12:14.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "+ /dev/pts/1 root:tsg", - "process": { - "name": "su", - "pid": 4496 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-24T00:12:14.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(su:session): session opened for user tsg by vagrant(uid=0)", - "process": { - "name": "su", - "pid": 4496 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "tsg" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "tsg" - }, - "id": "0", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T00:12:20.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:auth): authentication failure; logname=vagrant uid=1001 euid=0 tty=/dev/pts/1 ruser=tsg rhost= user=tsg", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": 
"2023-02-24T00:12:37.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/cat /var/log/auth.log", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T00:12:37.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T00:12:37.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-24T00:12:42.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "tsg", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/ls", - "error": "3 incorrect password attempts", - "pwd": "/home/vagrant", - "tty": "pts/1", - "user": "root" - } - } - }, - 
"user": { - "effective": { - "name": "root" - }, - "name": "tsg" - } - }, - { - "@timestamp": "2023-02-24T00:12:42.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "unable to execute /usr/sbin/sendmail: No such file or directory", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-24T00:12:50.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/cat /var/log/auth.log", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T00:12:50.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T00:12:50.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - 
"@timestamp": "2023-02-24T00:13:02.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "tsg", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/ls", - "error": "user NOT in sudoers", - "pwd": "/home/vagrant", - "tty": "pts/1", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "tsg" - } - }, - { - "@timestamp": "2023-02-24T00:13:02.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "unable to execute /usr/sbin/sendmail: No such file or directory", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-24T00:13:06.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/cat /var/log/auth.log", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T00:13:06.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - 
"name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T00:13:06.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-24T00:17:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)", - "process": { - "name": "CRON", - "pid": 4588 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-24T00:17:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(cron:session): session closed for user root", - "process": { - "name": "CRON", - "pid": 4588 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-24T00:45:47.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(su:session): session closed for user tsg", - "process": { - "name": "su", - "pid": 4496 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "tsg" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "tsg" - } - }, - { - "@timestamp": "2023-02-24T00:45:48.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": 
"event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-24T00:45:49.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", - "process": { - "name": "sshd", - "pid": 4317 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-24T00:45:49.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sshd:session): session closed for user vagrant", - "process": { - "name": "sshd", - "pid": 4302 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T00:46:32.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "ssh_login", - "category": [ - "authentication", - "session" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "info" - ] - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sshd", - "pid": 4598 - }, - "related": { - "hosts": [ - "precise32" - ], - "ip": [ - "10.0.2.2" - ], - "user": [ - "vagrant" - ] - }, - "source": { - "address": "10.0.2.2", - "ip": "10.0.2.2", - "port": 61852 - }, - "system": { - "auth": { - "ssh": { - "event": "Accepted", - "method": "publickey" - } - } - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T00:46:32.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": 
"event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", - "process": { - "name": "sshd", - "pid": 4598 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "vagrant" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-24T00:46:32.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", - "process": { - "name": "sshd", - "pid": 4613 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-24T00:46:32.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sshd:session): session closed for user vagrant", - "process": { - "name": "sshd", - "pid": 4598 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T01:05:42.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sshd:session): session closed for user vagrant", - "process": { - "name": "sshd", - "pid": 4185 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T08:17:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(cron:session): session opened for user root 
by (uid=0)", - "process": { - "name": "CRON", - "pid": 4626 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-24T08:17:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(cron:session): session closed for user root", - "process": { - "name": "CRON", - "pid": 4626 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-24T09:17:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)", - "process": { - "name": "CRON", - "pid": 4642 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-24T09:17:01.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(cron:session): session closed for user root", - "process": { - "name": "CRON", - "pid": 4642 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-24T09:18:35.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "ssh_login", - "category": [ - "authentication", - "session" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "info" - ] - }, - "host": { - "hostname": "precise32" - }, 
- "process": { - "name": "sshd", - "pid": 4645 - }, - "related": { - "hosts": [ - "precise32" - ], - "ip": [ - "10.0.2.2" - ], - "user": [ - "vagrant" - ] - }, - "source": { - "address": "10.0.2.2", - "ip": "10.0.2.2", - "port": 53513 - }, - "system": { - "auth": { - "ssh": { - "event": "Accepted", - "method": "publickey" - } - } - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T09:18:35.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", - "process": { - "name": "sshd", - "pid": 4645 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "vagrant" - }, - "id": "0", - "name": "" - } - }, - { - "@timestamp": "2023-02-24T09:18:40.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/usr/bin/apt-get install nginx", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T09:18:40.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - 
"@timestamp": "2023-02-24T09:18:46.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-24T09:18:53.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/cat /var/log/auth.log", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T09:18:53.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T09:18:53.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": 
"2023-02-24T09:19:04.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/cat /var/log/auth.log", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T09:19:04.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T09:19:04.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-24T09:19:09.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/cat /var/log/auth.log", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { 
- "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T09:19:09.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T09:19:09.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-24T09:19:29.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/usr/bin/apt-get install mysql-server", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T09:19:29.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": 
{ - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T09:19:55.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "category": [ - "iam" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "group", - "creation" - ] - }, - "host": { - "hostname": "precise32" - }, - "message": "group added to /etc/group: name=mysql, GID=111", - "process": { - "name": "groupadd", - "pid": 7996 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-24T09:19:55.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "category": [ - "iam" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "group", - "creation" - ] - }, - "host": { - "hostname": "precise32" - }, - "message": "group added to /etc/gshadow: name=mysql", - "process": { - "name": "groupadd", - "pid": 7996 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-24T09:19:55.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "category": [ - "iam" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "group", - "creation" - ] - }, - "group": { - "id": "111", - "name": "mysql" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "groupadd", - "pid": 7996 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-24T09:19:55.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "category": [ - "iam" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "user", - "creation" - ] - }, - "group": { - "id": "111" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "useradd", - "pid": 8002 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "mysql" - ] - 
}, - "system": { - "auth": { - "useradd": { - "home": "/nonexistent", - "shell": "/bin/false" - } - } - }, - "user": { - "id": "106", - "name": "mysql" - } - }, - { - "@timestamp": "2023-02-24T09:19:55.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "changed password expiry for mysql", - "process": { - "name": "chage", - "pid": 8007 - }, - "related": { - "hosts": [ - "precise32" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-24T09:19:55.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "changed user 'mysql' information", - "process": { - "name": "chfn", - "pid": 8010 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "mysql" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "mysql" - } - }, - { - "@timestamp": "2023-02-24T09:20:08.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-24T09:20:10.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/cat /var/log/auth.log", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": 
"2023-02-24T09:20:10.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": "1000", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T09:20:10.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-24T09:26:29.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/cat /var/log/auth.log", - "pwd": "/home/vagrant", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T09:26:29.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant", - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "root" - }, - "id": 
"1000", - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T09:26:29.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sudo:session): session closed for user root", - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-24T09:26:59.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "ssh_login", - "category": [ - "authentication", - "session" - ], - "kind": "event", - "outcome": "success", - "timezone": "+0000", - "type": [ - "info" - ] - }, - "host": { - "hostname": "precise32" - }, - "process": { - "name": "sshd", - "pid": 10535 - }, - "related": { - "hosts": [ - "precise32" - ], - "ip": [ - "10.0.2.2" - ], - "user": [ - "vagrant" - ] - }, - "source": { - "address": "10.0.2.2", - "ip": "10.0.2.2", - "port": 58988 - }, - "system": { - "auth": { - "ssh": { - "event": "Accepted", - "method": "publickey" - } - } - }, - "user": { - "name": "vagrant" - } - }, - { - "@timestamp": "2023-02-24T09:26:59.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "precise32" - }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", - "process": { - "name": "sshd", - "pid": 10535 - }, - "related": { - "hosts": [ - "precise32" - ], - "user": [ - "vagrant" - ] - }, - "system": { - "auth": {} - }, - "user": { - "effective": { - "name": "vagrant" - }, - "id": "0", - "name": "" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log deleted file mode 100644 index 408cdbf8e..000000000 
--- a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log
+++ /dev/null
@@ -1,3 +0,0 @@
-May 21 21:54:44 localhost foo[1234]: This message
- spans multiple lines.
-May 21 21:54:45 localhost foo[1234]: Single-line message.
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-config.yml b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-config.yml
deleted file mode 100644
index 08132afc4..000000000
--- a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-config.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-dynamic_fields:
- "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}"
-fields:
- event.timezone: "+0000"
-multiline:
- # Pattern to match what is configured in log.yml.hbs.
- first_line_pattern: '^[^\s]'
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-expected.json b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-expected.json
deleted file mode 100644
index b741b6644..000000000
--- a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-multiline.log-expected.json
+++ /dev/null
@@ -1,56 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2023-05-21T21:54:44.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "localhost" - }, - "message": "This message\n spans multiple lines.", - "process": { - "name": "foo", - "pid": 1234 - }, - "related": { - "hosts": [ - "localhost" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-05-21T21:54:45.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "localhost" - }, - "message": "Single-line message.", - "process": { - "name": "foo", - "pid": 1234 - }, - "related": { - "hosts": [ - "localhost" - ] - }, - "system": { - "auth": {} - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log deleted file mode 100644 index f22060fef..000000000 --- a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log +++ /dev/null @@ -1,7 +0,0 @@ -Feb 22 16:45:20 slave22 sshd[2738]: Failed password for root from 89.160.20.156 port 1786 ssh2 -Feb 22 16:45:20 slave22 sshd[2738]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:45:26 slave22 sshd[2738]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 16:45:26 slave22 sshd[2738]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root -Feb 22 16:45:26 slave22 sshd[2738]: PAM service(sshd) ignoring max retries; 5 > 3 -Feb 22 16:45:32 slave22 sshd[2742]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root -Feb 22 17:04:51 slave22 sudo: tsg : TTY=pts/0 ; PWD=/home/tsg ; USER=root ; COMMAND=/bin/cp /var/log/secure . 
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-config.yml b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-config.yml
deleted file mode 100644
index 98cc18212..000000000
--- a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-fields:
- event.timezone: "+0000"
-dynamic_fields:
- event.ingested: "^.*$"
- "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}Z$"
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json
deleted file mode 100644
index 81a77f6f1..000000000
--- a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json
+++ /dev/null
@@ -1,251 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2023-02-22T16:45:20.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "ssh_login", - "category": [ - "authentication" - ], - "kind": "event", - "outcome": "failure", - "timezone": "+0000", - "type": [ - "info" - ] - }, - "host": { - "hostname": "slave22" - }, - "process": { - "name": "sshd", - "pid": 2738 - }, - "related": { - "hosts": [ - "slave22" - ], - "ip": [ - "89.160.20.156" - ], - "user": [ - "root" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 1786 - }, - "system": { - "auth": { - "ssh": { - "event": "Failed", - "method": "password" - } - } - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-22T16:45:20.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "slave22" - }, - "message": "pam_succeed_if(sshd:auth): requirement \"uid \u003e= 1000\" not met by user \"root\"", - "process": { - "name": "sshd", - "pid": 2738 - }, - "related": { - "hosts": [ - "slave22" - ], - "user": [ - "root" - ] - }, - "system": { - "auth": {} - }, - "user": { - "name": "root" - } - }, - { - "@timestamp": "2023-02-22T16:45:26.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "slave22" - }, - "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", - "process": { - "name": "sshd", - "pid": 2738 - }, - "related": { - "hosts": [ - "slave22" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-22T16:45:26.000Z", - "ecs": 
{ - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "slave22" - }, - "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root", - "process": { - "name": "sshd", - "pid": 2738 - }, - "related": { - "hosts": [ - "slave22" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-22T16:45:26.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "slave22" - }, - "message": "PAM service(sshd) ignoring max retries; 5 \u003e 3", - "process": { - "name": "sshd", - "pid": 2738 - }, - "related": { - "hosts": [ - "slave22" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-22T16:45:32.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "slave22" - }, - "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root", - "process": { - "name": "sshd", - "pid": 2742 - }, - "related": { - "hosts": [ - "slave22" - ] - }, - "system": { - "auth": {} - } - }, - { - "@timestamp": "2023-02-22T17:04:51.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "kind": "event", - "timezone": "+0000" - }, - "host": { - "hostname": "slave22" - }, - "process": { - "name": "sudo" - }, - "related": { - "hosts": [ - "slave22" - ], - "user": [ - "tsg", - "root" - ] - }, - "system": { - "auth": { - "sudo": { - "command": "/bin/cp /var/log/secure .", - "pwd": "/home/tsg", - "tty": "pts/0", - "user": "root" - } - } - }, - "user": { - "effective": { - "name": "root" - }, - "name": "tsg" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/core/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/core/agent/stream/stream.yml.hbs
deleted file mode 100644
index e7ef08bc7..000000000
--- a/test/packages/parallel/system/data_stream/core/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,18 +0,0 @@
-metricsets: ["core"]
-core.metrics:
-{{#each core.metrics}}
-- {{this}}
-{{/each}}
-{{#if system.hostfs}}
-system.hostfs: {{system.hostfs}}
-{{/if}}
-{{#if processors.length}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags.length}}
-tags:
-{{#each tags as |tag i|}}
-- {{tag}}
-{{/each}}
-{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/core/fields/agent.yml b/test/packages/parallel/system/data_stream/core/fields/agent.yml
deleted file mode 100644
index da4e652c5..000000000
--- a/test/packages/parallel/system/data_stream/core/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/test/packages/parallel/system/data_stream/core/fields/base-fields.yml b/test/packages/parallel/system/data_stream/core/fields/base-fields.yml deleted file mode 100644 index 754551896..000000000 --- a/test/packages/parallel/system/data_stream/core/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: system -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: system.core diff --git a/test/packages/parallel/system/data_stream/core/fields/ecs.yml b/test/packages/parallel/system/data_stream/core/fields/ecs.yml deleted file mode 100644 index 9e69e9781..000000000 --- a/test/packages/parallel/system/data_stream/core/fields/ecs.yml +++ /dev/null @@ -1,24 +0,0 @@ -- external: ecs - name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/test/packages/parallel/system/data_stream/core/fields/fields.yml b/test/packages/parallel/system/data_stream/core/fields/fields.yml deleted file mode 100644 index dab186321..000000000 --- a/test/packages/parallel/system/data_stream/core/fields/fields.yml +++ /dev/null 
@@ -1,103 +0,0 @@ -- name: system.core - type: group - fields: - - name: id - type: keyword - description: | - CPU Core number. - - name: user.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in user space. - - name: system.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in kernel space. - - name: nice.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: nice.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent on low-priority processes. - - name: idle.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: idle.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent idle. - - name: iowait.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: iowait.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in wait (on disk). - - name: irq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: irq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling hardware interrupts. 
- - name: softirq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: softirq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling software interrupts. - - name: steal.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. - - name: steal.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. diff --git a/test/packages/parallel/system/data_stream/core/manifest.yml b/test/packages/parallel/system/data_stream/core/manifest.yml deleted file mode 100644 index b37ff3f61..000000000 --- a/test/packages/parallel/system/data_stream/core/manifest.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -title: System core metrics -type: metrics -streams: - - input: system/metrics - enabled: false - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: core.metrics - type: text - title: Core Metrics - multi: true - required: true - show_user: true - description: > - How to report core metrics. Can be "percentages" or "ticks" - - default: - - percentages - - name: tags - type: text - title: Tags - multi: true - show_user: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - title: System core metrics - description: Collect System core metrics diff --git a/test/packages/parallel/system/data_stream/cpu/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/cpu/agent/stream/stream.yml.hbs deleted file mode 100644 index 2d52d8f73..000000000 --- a/test/packages/parallel/system/data_stream/cpu/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -metricsets: ["cpu"] -cpu.metrics: -{{#each cpu.metrics}} -- {{this}} -{{/each}} -period: {{period}} -{{#if system.hostfs}} -system.hostfs: {{system.hostfs}} -{{/if}} -{{#if processors.length}} -processors: -{{processors}} -{{/if}} -{{#if tags.length}} -tags: -{{#each tags as |tag i|}} -- {{tag}} -{{/each}} -{{/if}} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/cpu/fields/agent.yml b/test/packages/parallel/system/data_stream/cpu/fields/agent.yml deleted file mode 100644 index 4b259da80..000000000 --- a/test/packages/parallel/system/data_stream/cpu/fields/agent.yml +++ /dev/null 
@@ -1,205 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - dimension: true - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - dimension: true - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - dimension: true - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - dimension: true - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - dimension: true - - name: project.id - type: keyword - description: Name of the project in Google Cloud. 
- - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - dimension: true - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - dimension: true - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. 
- - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/test/packages/parallel/system/data_stream/cpu/fields/base-fields.yml b/test/packages/parallel/system/data_stream/cpu/fields/base-fields.yml deleted file mode 100644 index d14502e64..000000000 --- a/test/packages/parallel/system/data_stream/cpu/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: system -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: system.cpu diff --git a/test/packages/parallel/system/data_stream/cpu/fields/ecs.yml b/test/packages/parallel/system/data_stream/cpu/fields/ecs.yml deleted file mode 100644 index baad5c245..000000000 --- a/test/packages/parallel/system/data_stream/cpu/fields/ecs.yml +++ /dev/null @@ -1,27 +0,0 @@ -- external: ecs - name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type -- external: ecs - name: agent.id - dimension: true diff --git a/test/packages/parallel/system/data_stream/cpu/fields/fields.yml b/test/packages/parallel/system/data_stream/cpu/fields/fields.yml deleted file mode 100644 index ca46bc7e2..000000000 
--- a/test/packages/parallel/system/data_stream/cpu/fields/fields.yml
+++ /dev/null
@@ -1,183 +0,0 @@ -- name: system.cpu - type: group - fields: - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. - - name: user.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. - - name: system.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: nice.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: idle.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: iowait.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: irq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: softirq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: steal.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. 
- - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in states other than Idle and IOWait. - - name: user.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. - - name: system.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: nice.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: idle.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: iowait.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: irq.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: softirq.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: steal.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. 
- - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in user space. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in kernel space. - - name: nice.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent on low-priority processes. - - name: idle.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent idle. - - name: iowait.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in wait (on disk). - - name: irq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling hardware interrupts. - - name: softirq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling software interrupts. - - name: steal.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. -- name: host - type: group - fields: - - name: cpu.pct - type: scaled_float - unit: percent - metric_type: gauge - description: | - Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. diff --git a/test/packages/parallel/system/data_stream/cpu/manifest.yml b/test/packages/parallel/system/data_stream/cpu/manifest.yml deleted file mode 100644 index 32db486f8..000000000 --- a/test/packages/parallel/system/data_stream/cpu/manifest.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -title: System cpu metrics -type: metrics -elasticsearch: - index_mode: "time_series" -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: cpu.metrics - type: text - title: Cpu Metrics - multi: true - required: true - show_user: true - description: > - How to report CPU metrics. Can be "percentages", "normalized_percentages", or "ticks" - - default: - - percentages - - normalized_percentages - - name: tags - type: text - title: Tags - multi: true - show_user: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - title: System cpu metrics - description: Collect System cpu metrics diff --git a/test/packages/parallel/system/data_stream/diskio/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/diskio/agent/stream/stream.yml.hbs deleted file mode 100644 index d72f59250..000000000 --- a/test/packages/parallel/system/data_stream/diskio/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -metricsets: ["diskio"] -diskio.include_devices: -{{#each diskio.include_devices}} -- {{this}} -{{/each}} -period: {{period}} -{{#if system.hostfs}} -system.hostfs: {{system.hostfs}} -{{/if}} -{{#if processors.length}} -processors: -{{processors}} -{{/if}} -{{#if tags.length}} -tags: -{{#each tags as |tag i|}} -- {{tag}} -{{/each}} -{{/if}} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/diskio/fields/agent.yml b/test/packages/parallel/system/data_stream/diskio/fields/agent.yml deleted file mode 100644 index 5e2fd81c4..000000000 
--- a/test/packages/parallel/system/data_stream/diskio/fields/agent.yml
+++ /dev/null
@@ -1,205 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. 
- - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - dimension: true - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - dimension: true - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - - - name: disk.read.bytes - type: long - format: bytes - description: > - The total number of bytes read successfully in a given period of time. 
- - - name: disk.write.bytes - type: long - format: bytes - description: >- - The total number of bytes write successfully in a given period of time. diff --git a/test/packages/parallel/system/data_stream/diskio/fields/base-fields.yml b/test/packages/parallel/system/data_stream/diskio/fields/base-fields.yml deleted file mode 100644 index 4a5ecc011..000000000 --- a/test/packages/parallel/system/data_stream/diskio/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: system -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: system.diskio diff --git a/test/packages/parallel/system/data_stream/diskio/fields/ecs.yml b/test/packages/parallel/system/data_stream/diskio/fields/ecs.yml deleted file mode 100644 index 98cf5ad73..000000000 --- a/test/packages/parallel/system/data_stream/diskio/fields/ecs.yml +++ /dev/null @@ -1,29 +0,0 @@ -- external: ecs - name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.hostname -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type -- external: ecs - name: agent.id - dimension: true 
diff --git a/test/packages/parallel/system/data_stream/diskio/fields/fields.yml b/test/packages/parallel/system/data_stream/diskio/fields/fields.yml
deleted file mode 100644
index 70913cd16..000000000
--- a/test/packages/parallel/system/data_stream/diskio/fields/fields.yml
+++ /dev/null
@@ -1,137 +0,0 @@ -- name: system.diskio - type: group - fields: - - name: name - type: keyword - dimension: true - description: | - The disk name. - - name: serial_number - type: keyword - description: | - The disk's serial number. This may not be provided by all operating systems. - - name: read.count - type: long - metric_type: counter - description: | - The total number of reads completed successfully. - - name: write.count - type: long - metric_type: counter - description: | - The total number of writes completed successfully. - - name: read.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. - - name: write.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. - - name: read.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all reads. - - name: write.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all writes. - - name: io.time - type: long - metric_type: counter - description: | - The total number of of milliseconds spent doing I/Os. - - name: iostat.read.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of read requests merged per second that were queued to the device. - - name: iostat.write.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of write requests merged per second that were queued to the device. 
- - name: iostat.read.request.per_sec - type: float - metric_type: gauge - description: | - The number of read requests that were issued to the device per second - - name: iostat.write.request.per_sec - type: float - metric_type: gauge - description: | - The number of write requests that were issued to the device per second - - name: iostat.read.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes read from the device per second. - - name: iostat.read.await - type: float - metric_type: gauge - description: | - The average time spent for read requests issued to the device to be served. - - name: iostat.write.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes write from the device per second. - - name: iostat.write.await - type: float - metric_type: gauge - description: | - The average time spent for write requests issued to the device to be served. - - name: iostat.request.avg_size - type: float - format: bytes - unit: byte - metric_type: gauge - description: | - The average size (in bytes) of the requests that were issued to the device. - - name: iostat.queue.avg_size - type: float - unit: byte - metric_type: gauge - description: | - The average queue length of the requests that were issued to the device. - - name: iostat.await - type: float - metric_type: gauge - description: | - The average time spent for requests issued to the device to be served. - - name: iostat.service_time - type: float - unit: ms - metric_type: gauge - description: | - The average service time (in milliseconds) for I/O requests that were issued to the device. - - name: iostat.busy - type: float - metric_type: gauge - description: | - Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. 
-- name: host - type: group - fields: - - name: disk.read.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes read successfully in a given period of time. - - name: disk.write.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes write successfully in a given period of time. diff --git a/test/packages/parallel/system/data_stream/diskio/manifest.yml b/test/packages/parallel/system/data_stream/diskio/manifest.yml deleted file mode 100644 index f54b9094e..000000000 --- a/test/packages/parallel/system/data_stream/diskio/manifest.yml +++ /dev/null @@ -1,38 +0,0 @@ -title: System diskio metrics -type: metrics -elasticsearch: - index_mode: "time_series" -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: diskio.include_devices - type: text - title: Include Devices - multi: true - required: false - show_user: true - description: > - Provide a specific list of devices to monitor. By default, all devices are monitored. - - - name: tags - type: text - title: Tags - multi: true - show_user: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - title: System diskio metrics - description: Collect System diskio metrics diff --git a/test/packages/parallel/system/data_stream/filesystem/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/filesystem/agent/stream/stream.yml.hbs deleted file mode 100644 index 13a98485e..000000000 
--- a/test/packages/parallel/system/data_stream/filesystem/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,15 +0,0 @@ -metricsets: ["filesystem"] -period: {{period}} -processors: {{processors}} -{{#if filesystem.ignore_types}} -filesystem.ignore_types: {{filesystem.ignore_types}} -{{/if}} -{{#if system.hostfs}} -system.hostfs: {{system.hostfs}} -{{/if}} -{{#if tags.length}} -tags: -{{#each tags as |tag i|}} -- {{tag}} -{{/each}} -{{/if}} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/filesystem/fields/agent.yml b/test/packages/parallel/system/data_stream/filesystem/fields/agent.yml deleted file mode 100644 index bcbae612b..000000000 --- a/test/packages/parallel/system/data_stream/filesystem/fields/agent.yml +++ /dev/null 
@@ -1,205 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - dimension: true - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. 
- - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - dimension: true - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - dimension: true - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. 
- - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/test/packages/parallel/system/data_stream/filesystem/fields/base-fields.yml b/test/packages/parallel/system/data_stream/filesystem/fields/base-fields.yml deleted file mode 100644 index c83912bc9..000000000 --- a/test/packages/parallel/system/data_stream/filesystem/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: system -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: system.filesystem diff --git a/test/packages/parallel/system/data_stream/filesystem/fields/ecs.yml b/test/packages/parallel/system/data_stream/filesystem/fields/ecs.yml deleted file mode 100644 index 3014c8de4..000000000 --- a/test/packages/parallel/system/data_stream/filesystem/fields/ecs.yml +++ /dev/null @@ -1,3 +0,0 @@ -- external: ecs - name: agent.id - dimension: true diff --git a/test/packages/parallel/system/data_stream/filesystem/fields/fields.yml b/test/packages/parallel/system/data_stream/filesystem/fields/fields.yml deleted file mode 100644 index d670be584..000000000 --- a/test/packages/parallel/system/data_stream/filesystem/fields/fields.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -- name: system.filesystem - type: group - fields: - - name: available - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available to an unprivileged user in bytes. - - name: device_name - type: keyword - dimension: true - description: | - The disk name. For example: `/dev/disk1` - - name: type - type: keyword - description: | - The disk type. For example: `ext4` - - name: mount_point - type: keyword - dimension: true - description: | - The mounting point. For example: `/` - - name: files - type: long - metric_type: gauge - description: | - The total number of file nodes in the file system. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available in bytes. - - name: free_files - type: long - metric_type: gauge - description: | - The number of free file nodes in the file system. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total disk space in bytes. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The used disk space in bytes. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used disk space. diff --git a/test/packages/parallel/system/data_stream/filesystem/manifest.yml b/test/packages/parallel/system/data_stream/filesystem/manifest.yml deleted file mode 100644 index 3e3b7f67b..000000000 --- a/test/packages/parallel/system/data_stream/filesystem/manifest.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -title: System filesystem metrics -type: metrics -elasticsearch: - index_mode: "time_series" -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: filesystem.ignore_types - type: text - title: List of filesystem types to ignore - multi: true - required: false - show_user: true - description: > - The filesystem datastream will ignore any filesystems with a matching type as specified here. By default, this will exclude any filesystems marked as "nodev" in /proc/filesystems on linux. - - - name: tags - type: text - title: Tags - multi: true - show_user: false - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System filesystem metrics - description: Collect System filesystem metrics diff --git a/test/packages/parallel/system/data_stream/fsstat/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/fsstat/agent/stream/stream.yml.hbs deleted file mode 100644 index 5d9457402..000000000 --- a/test/packages/parallel/system/data_stream/fsstat/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,12 +0,0 @@ -metricsets: ["fsstat"] -period: {{period}} -processors: {{processors}} -{{#if system.hostfs}} -system.hostfs: {{system.hostfs}} -{{/if}} -{{#if tags.length}} -tags: -{{#each tags as |tag i|}} -- {{tag}} -{{/each}} -{{/if}} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/fsstat/fields/agent.yml b/test/packages/parallel/system/data_stream/fsstat/fields/agent.yml deleted file mode 100644 index 48add32f2..000000000 
--- a/test/packages/parallel/system/data_stream/fsstat/fields/agent.yml
+++ /dev/null
@@ -1,205 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. 
- - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - dimension: true - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - dimension: true - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. 
- - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/test/packages/parallel/system/data_stream/fsstat/fields/base-fields.yml b/test/packages/parallel/system/data_stream/fsstat/fields/base-fields.yml deleted file mode 100644 index b435b5d34..000000000 --- a/test/packages/parallel/system/data_stream/fsstat/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: system -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: system.fsstat diff --git a/test/packages/parallel/system/data_stream/fsstat/fields/ecs.yml b/test/packages/parallel/system/data_stream/fsstat/fields/ecs.yml deleted file mode 100644 index baad5c245..000000000 --- a/test/packages/parallel/system/data_stream/fsstat/fields/ecs.yml +++ /dev/null @@ -1,27 +0,0 @@ -- external: ecs - name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type -- external: ecs - name: agent.id - dimension: true diff --git a/test/packages/parallel/system/data_stream/fsstat/fields/fields.yml b/test/packages/parallel/system/data_stream/fsstat/fields/fields.yml deleted file mode 100644 index f995eaa84..000000000 
--- a/test/packages/parallel/system/data_stream/fsstat/fields/fields.yml +++ /dev/null @@ -1,36 +0,0 @@ -- name: system.fsstat - type: group - fields: - - name: count - type: long - metric_type: gauge - description: Number of file systems found. - - name: total_files - type: long - metric_type: gauge - description: Total number of files. - - name: total_size - type: group - format: bytes - fields: - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total free space. - - name: used - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total used space. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total space (used plus free). diff --git a/test/packages/parallel/system/data_stream/fsstat/manifest.yml b/test/packages/parallel/system/data_stream/fsstat/manifest.yml deleted file mode 100644 index 6d602ed12..000000000 --- a/test/packages/parallel/system/data_stream/fsstat/manifest.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: System fsstat metrics -type: metrics -elasticsearch: - index_mode: "time_series" -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - show_user: false - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System fsstat metrics - description: Collect System fsstat metrics 
diff --git a/test/packages/parallel/system/data_stream/load/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/load/agent/stream/stream.yml.hbs
deleted file mode 100644
index cbb6fc7d6..000000000
--- a/test/packages/parallel/system/data_stream/load/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,13 +0,0 @@
-metricsets: ["load"]
-condition: ${host.platform} != 'windows'
-period: {{period}}
-{{#if processors.length}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags.length}}
-tags:
-{{#each tags as |tag i|}}
-- {{tag}}
-{{/each}}
-{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/load/fields/agent.yml b/test/packages/parallel/system/data_stream/load/fields/agent.yml
deleted file mode 100644
index f7fba4ae7..000000000
--- a/test/packages/parallel/system/data_stream/load/fields/agent.yml
+++ /dev/null
@@ -1,194 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - dimension: true - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - dimension: true - - name: region - level: extended - type: keyword - dimension: true - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. 
- - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - dimension: true - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - dimension: true - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/test/packages/parallel/system/data_stream/load/fields/base-fields.yml b/test/packages/parallel/system/data_stream/load/fields/base-fields.yml
deleted file mode 100644
index 492a19258..000000000
--- a/test/packages/parallel/system/data_stream/load/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: system
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: system.load
diff --git a/test/packages/parallel/system/data_stream/load/fields/ecs.yml b/test/packages/parallel/system/data_stream/load/fields/ecs.yml
deleted file mode 100644
index baad5c245..000000000
--- a/test/packages/parallel/system/data_stream/load/fields/ecs.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- external: ecs
- name: host
-- external: ecs
- name: host.architecture
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.mac
-- external: ecs
- name: host.name
-- external: ecs
- name: host.os.family
-- external: ecs
- name: host.os.full
-- external: ecs
- name: host.os.kernel
-- external: ecs
- name: host.os.name
-- external: ecs
- name: host.os.platform
-- external: ecs
- name: host.os.version
-- external: ecs
- name: host.type
-- external: ecs
- name: agent.id
- dimension: true
diff --git a/test/packages/parallel/system/data_stream/load/fields/fields.yml b/test/packages/parallel/system/data_stream/load/fields/fields.yml
deleted file mode 100644
index ae0130fae..000000000
--- a/test/packages/parallel/system/data_stream/load/fields/fields.yml
+++ /dev/null
@@ -1,38 +0,0 @@ -- name: system.load - type: group - fields: - - name: "1" - type: scaled_float - metric_type: gauge - description: | - Load average for the last minute. - - name: "5" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 5 minutes. - - name: "15" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 15 minutes. - - name: norm.1 - type: scaled_float - metric_type: gauge - description: | - Load for the last minute divided by the number of cores. - - name: norm.5 - type: scaled_float - metric_type: gauge - description: | - Load for the last 5 minutes divided by the number of cores. - - name: norm.15 - type: scaled_float - metric_type: gauge - description: | - Load for the last 15 minutes divided by the number of cores. - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. diff --git a/test/packages/parallel/system/data_stream/load/manifest.yml b/test/packages/parallel/system/data_stream/load/manifest.yml deleted file mode 100644 index d5cbe4f4a..000000000 --- a/test/packages/parallel/system/data_stream/load/manifest.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -title: System load metrics -type: metrics -elasticsearch: - index_mode: "time_series" -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: tags - type: text - title: Tags - multi: true - show_user: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - title: System load metrics - description: Collect System load metrics diff --git a/test/packages/parallel/system/data_stream/memory/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/memory/agent/stream/stream.yml.hbs deleted file mode 100644 index f873ce7e6..000000000 --- a/test/packages/parallel/system/data_stream/memory/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,15 +0,0 @@ -metricsets: ["memory"] -period: {{period}} -{{#if system.hostfs}} -system.hostfs: {{system.hostfs}} -{{/if}} -{{#if processors.length}} -processors: -{{processors}} -{{/if}} -{{#if tags.length}} -tags: -{{#each tags as |tag i|}} -- {{tag}} -{{/each}} -{{/if}} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/memory/fields/agent.yml b/test/packages/parallel/system/data_stream/memory/fields/agent.yml deleted file mode 100644 index 37de0dc01..000000000 --- a/test/packages/parallel/system/data_stream/memory/fields/agent.yml +++ /dev/null 
@@ -1,205 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - dimension: true - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - dimension: true - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - dimension: true - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - dimension: true - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - dimension: true - - name: project.id - type: keyword - description: Name of the project in Google Cloud. 
- - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - dimension: true - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - dimension: true - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. 
- - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/test/packages/parallel/system/data_stream/memory/fields/base-fields.yml b/test/packages/parallel/system/data_stream/memory/fields/base-fields.yml deleted file mode 100644 index 4ba8a2b65..000000000 --- a/test/packages/parallel/system/data_stream/memory/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: system -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: system.memory diff --git a/test/packages/parallel/system/data_stream/memory/fields/ecs.yml b/test/packages/parallel/system/data_stream/memory/fields/ecs.yml deleted file mode 100644 index baad5c245..000000000 --- a/test/packages/parallel/system/data_stream/memory/fields/ecs.yml +++ /dev/null @@ -1,27 +0,0 @@ -- external: ecs - name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type -- external: ecs - name: agent.id - dimension: true diff --git a/test/packages/parallel/system/data_stream/memory/fields/fields.yml b/test/packages/parallel/system/data_stream/memory/fields/fields.yml deleted file mode 100644 index c986aec2e..000000000 
--- a/test/packages/parallel/system/data_stream/memory/fields/fields.yml
+++ /dev/null
@@ -1,200 +0,0 @@ -- name: system.memory - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used memory. - - name: actual - type: group - fields: - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of actual used memory. - - name: swap - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total swap memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used swap memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Available swap memory. 
- - name: out.pages - type: long - metric_type: counter - description: count of pages swapped out - - name: in.pages - type: long - metric_type: gauge - description: count of pages swapped in - - name: readahead.pages - type: long - metric_type: counter - description: swap readahead pages - - name: readahead.cached - type: long - metric_type: counter - description: swap readahead cache hits - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used swap memory. - - name: page_stats - type: group - fields: - - name: pgscan_kswapd.pages - type: long - format: number - metric_type: counter - description: pages scanned by kswapd - - name: pgscan_direct.pages - type: long - format: number - metric_type: counter - description: pages scanned directly - - name: pgfree.pages - type: long - format: number - metric_type: counter - description: pages freed by the system - - name: pgsteal_kswapd.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed by kswapd - - name: pgsteal_direct.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed directly - - name: direct_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: kswapd_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: hugepages - type: group - fields: - - name: total - type: long - format: number - metric_type: gauge - description: | - Number of huge pages in the pool. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory used in allocated huge pages. 
- - name: used.pct - type: long - format: percent - unit: percent - metric_type: gauge - description: | - Percentage of huge pages used. - - name: free - type: long - format: number - metric_type: gauge - description: | - Number of available huge pages in the pool. - - name: reserved - type: long - format: number - metric_type: gauge - description: | - Number of reserved but not allocated huge pages in the pool. - - name: surplus - type: long - format: number - metric_type: gauge - description: | - Number of overcommited huge pages. - - name: default_size - type: long - format: bytes - metric_type: gauge - description: | - Default size for huge pages. - - name: swap.out - type: group - fields: - - name: pages - type: long - metric_type: gauge - description: pages swapped out - - name: fallback - type: long - metric_type: gauge - description: Count of huge pages that must be split before swapout diff --git a/test/packages/parallel/system/data_stream/memory/manifest.yml b/test/packages/parallel/system/data_stream/memory/manifest.yml deleted file mode 100644 index 785bb737d..000000000 --- a/test/packages/parallel/system/data_stream/memory/manifest.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -title: System memory metrics -type: metrics -elasticsearch: - index_mode: "time_series" -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: tags - type: text - title: Tags - multi: true - show_user: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - title: System memory metrics - description: Collect System memory metrics diff --git a/test/packages/parallel/system/data_stream/network/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/network/agent/stream/stream.yml.hbs deleted file mode 100644 index 63c1be47b..000000000 --- a/test/packages/parallel/system/data_stream/network/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,16 +0,0 @@ -metricsets: ["network"] -period: {{period}} -network.interfaces: -{{#each network.interfaces}} -- {{this}} -{{/each}} -{{#if processors.length}} -processors: -{{processors}} -{{/if}} -{{#if tags.length}} -tags: -{{#each tags as |tag i|}} -- {{tag}} -{{/each}} -{{/if}} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/network/fields/agent.yml b/test/packages/parallel/system/data_stream/network/fields/agent.yml deleted file mode 100644 index da7e7451a..000000000 --- a/test/packages/parallel/system/data_stream/network/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - dimension: true - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - dimension: true - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - dimension: true - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - dimension: true - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - dimension: true - - name: project.id - type: keyword - description: Name of the project in Google Cloud. 
- - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - dimension: true - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - dimension: true - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/test/packages/parallel/system/data_stream/network/fields/base-fields.yml b/test/packages/parallel/system/data_stream/network/fields/base-fields.yml
deleted file mode 100644
index 4650bf6b3..000000000
--- a/test/packages/parallel/system/data_stream/network/fields/base-fields.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: system
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: system.network
diff --git a/test/packages/parallel/system/data_stream/network/fields/ecs.yml b/test/packages/parallel/system/data_stream/network/fields/ecs.yml
deleted file mode 100644
index 8840ed262..000000000
--- a/test/packages/parallel/system/data_stream/network/fields/ecs.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-- external: ecs
- name: '@timestamp'
-- external: ecs
- name: message
-- external: ecs
- name: group
-- external: ecs
- name: group.id
-- external: ecs
- name: group.name
-- external: ecs
- name: host
-- external: ecs
- name: host.hostname
-- external: ecs
- name: process
-- external: ecs
- name: process.name
-- external: ecs
- name: process.pid
-- external: ecs
- name: source
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: user
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: agent.id
- dimension: true
diff --git a/test/packages/parallel/system/data_stream/network/fields/fields.yml b/test/packages/parallel/system/data_stream/network/fields/fields.yml
deleted file mode 100644
index a8e2f2754..000000000
--- a/test/packages/parallel/system/data_stream/network/fields/fields.yml
+++ /dev/null
@@ -1,78 +0,0 @@ -- name: system.network - type: group - fields: - - name: name - type: keyword - dimension: true - description: | - The network interface name. - - name: out.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes sent. - - name: in.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received. - - name: out.packets - type: long - metric_type: counter - description: | - The number of packets sent. - - name: in.packets - type: long - metric_type: counter - description: | - The number or packets received. - - name: in.errors - type: long - metric_type: counter - description: | - The number of errors while receiving. - - name: out.errors - type: long - metric_type: counter - description: | - The number of errors while sending. - - name: in.dropped - type: long - metric_type: counter - description: | - The number of incoming packets that were dropped. - - name: out.dropped - type: long - metric_type: counter - description: | - The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. -- name: host - type: group - fields: - - name: network.in.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received on all network interfaces by the host in a given period of time. - - name: network.out.bytes - type: long - unit: byte - metric_type: counter - description: | - The number of bytes sent out on all network interfaces by the host in a given period of time. - - name: network.in.packets - type: long - metric_type: counter - description: | - The number of packets received on all network interfaces by the host in a given period of time. 
- - name: network.out.packets - type: long - metric_type: counter - description: | - The number of packets sent out on all network interfaces by the host in a given period of time. diff --git a/test/packages/parallel/system/data_stream/network/manifest.yml b/test/packages/parallel/system/data_stream/network/manifest.yml deleted file mode 100644 index 5a3f4eb03..000000000 --- a/test/packages/parallel/system/data_stream/network/manifest.yml +++ /dev/null @@ -1,38 +0,0 @@ -title: System network metrics -type: metrics -elasticsearch: - index_mode: "time_series" -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: network.interfaces - type: text - title: Interfaces - multi: true - required: false - show_user: true - description: > - List of interfaces to monitor. Will monitor all by default. - - - name: tags - type: text - title: Tags - multi: true - show_user: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - title: System network metrics - description: Collect System network metrics diff --git a/test/packages/parallel/system/data_stream/process_summary/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/process_summary/agent/stream/stream.yml.hbs deleted file mode 100644 index f72228d9f..000000000 --- a/test/packages/parallel/system/data_stream/process_summary/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,15 +0,0 @@
-metricsets: ["process_summary"]
-period: {{period}}
-{{#if system.hostfs}}
-system.hostfs: {{system.hostfs}}
-{{/if}}
-{{#if processors.length}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags.length}}
-tags:
-{{#each tags as |tag i|}}
-- {{tag}}
-{{/each}}
-{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/process_summary/fields/agent.yml b/test/packages/parallel/system/data_stream/process_summary/fields/agent.yml
deleted file mode 100644
index 37de0dc01..000000000
--- a/test/packages/parallel/system/data_stream/process_summary/fields/agent.yml
+++ /dev/null
@@ -1,205 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - dimension: true - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - dimension: true - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - dimension: true - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - dimension: true - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - dimension: true - - name: project.id - type: keyword - description: Name of the project in Google Cloud. 
- - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - dimension: true - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - dimension: true - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. 
- - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/test/packages/parallel/system/data_stream/process_summary/fields/base-fields.yml b/test/packages/parallel/system/data_stream/process_summary/fields/base-fields.yml deleted file mode 100644 index 8ba4e88da..000000000 --- a/test/packages/parallel/system/data_stream/process_summary/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: system -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: system.process.summary diff --git a/test/packages/parallel/system/data_stream/process_summary/fields/ecs.yml b/test/packages/parallel/system/data_stream/process_summary/fields/ecs.yml deleted file mode 100644 index 8840ed262..000000000 --- a/test/packages/parallel/system/data_stream/process_summary/fields/ecs.yml +++ /dev/null 
@@ -1,49 +0,0 @@
-- external: ecs
- name: '@timestamp'
-- external: ecs
- name: message
-- external: ecs
- name: group
-- external: ecs
- name: group.id
-- external: ecs
- name: group.name
-- external: ecs
- name: host
-- external: ecs
- name: host.hostname
-- external: ecs
- name: process
-- external: ecs
- name: process.name
-- external: ecs
- name: process.pid
-- external: ecs
- name: source
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: user
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: agent.id
- dimension: true
diff --git a/test/packages/parallel/system/data_stream/process_summary/fields/fields.yml b/test/packages/parallel/system/data_stream/process_summary/fields/fields.yml
deleted file mode 100644
index bc9254a2a..000000000
--- a/test/packages/parallel/system/data_stream/process_summary/fields/fields.yml
+++ /dev/null
@@ -1,44 +0,0 @@ -- name: system.process.summary - title: Process Summary - type: group - fields: - - name: total - type: long - metric_type: gauge - description: | - Total number of processes on this host. - - name: running - type: long - metric_type: gauge - description: | - Number of running processes on this host. - - name: idle - type: long - metric_type: gauge - description: | - Number of idle processes on this host. - - name: sleeping - type: long - metric_type: gauge - description: | - Number of sleeping processes on this host. - - name: stopped - type: long - metric_type: gauge - description: | - Number of stopped processes on this host. - - name: zombie - type: long - metric_type: gauge - description: | - Number of zombie processes on this host. - - name: dead - type: long - metric_type: gauge - description: | - Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. - - name: unknown - type: long - metric_type: gauge - description: | - Number of processes for which the state couldn't be retrieved or is unknown. diff --git a/test/packages/parallel/system/data_stream/process_summary/manifest.yml b/test/packages/parallel/system/data_stream/process_summary/manifest.yml deleted file mode 100644 index c58d8cc8e..000000000 --- a/test/packages/parallel/system/data_stream/process_summary/manifest.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -title: System process_summary metrics -dataset: system.process.summary -type: metrics -elasticsearch: - index_mode: "time_series" -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: tags - type: text - title: Tags - multi: true - show_user: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - title: System process_summary metrics - description: Collect System process_summary metrics diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json deleted file mode 100644 index 874f22895..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json +++ /dev/null 
@@ -1,53 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:07:13.883Z",
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1100.xml"
- },
- "level": "information"
- },
- "host": {
- "name": "WIN-41OB2LO92CR.wlbeat.local"
- },
- "agent": {
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0",
- "ephemeral_id": "bcbde3d3-6558-46d7-aaee-ed9cf67e04d3"
- },
- "ecs": {
- "version": "1.8.0"
- },
- "winlog": {
- "keywords": [
- "Audit Success"
- ],
- "time_created": "2019-11-07T10:37:04.226Z",
- "outcome": "success",
- "level": "information",
- "process": {
- "pid": 1144,
- "thread": {
- "id": 4532
- }
- },
- "channel": "Security",
- "event_id": 1100,
- "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
- "opcode": "Info",
- "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
- "provider_name": "Microsoft-Windows-Eventlog",
- "record_id": 14257
- },
- "event": {
- "code": 1100,
- "provider": "Microsoft-Windows-Eventlog",
- "outcome": "success",
- "kind": "event"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json
deleted file mode 100644
index ba8907c94..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- "expected": [
- {
- "@timestamp": "2019-11-07T10:37:04.226Z",
- "agent": {
- "ephemeral_id": "bcbde3d3-6558-46d7-aaee-ed9cf67e04d3",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "action": "logging-service-shutdown",
- "category": [
- "process"
- ],
- "code": "1100",
- "kind": "event",
- "outcome": "success",
- "provider": "Microsoft-Windows-Eventlog",
- "type": [
- "end"
- ]
- },
- "host": {
- "name": "WIN-41OB2LO92CR.wlbeat.local"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1100.xml"
- },
- "level": "information"
- },
- "winlog": {
- "channel": "Security",
- "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
- "event_id": "1100",
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "opcode": "Info",
- "outcome": "success",
- "process": {
- "pid": 1144,
- "thread": {
- "id": 4532
- }
- },
- "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
- "provider_name": "Microsoft-Windows-Eventlog",
- "record_id": "14257",
- "time_created": "2019-11-07T10:37:04.226Z"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json
deleted file mode 100644
index 32c199221..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:07:33.932Z",
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1102.xml"
- },
- "level": "information"
- },
- "agent": {
- "ephemeral_id": "737c4709-1498-44d4-b1e6-d21cac1470e5",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "1.8.0"
- },
- "host": {
- "name": "WIN-41OB2LO92CR.wlbeat.local"
- },
- "winlog": {
- "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
- "opcode": "Info",
- "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
- "time_created": "2019-11-07T10:34:29.055Z",
- "outcome": "success",
- "level": "information",
- "event_id": 1102,
- "provider_name": "Microsoft-Windows-Eventlog",
- "user_data": {
- "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
- "SubjectUserName": "Administrator",
- "SubjectDomainName": "WLBEAT",
- "SubjectLogonId": "0x50e87",
- "xml_name": "LogFileCleared"
- },
- "keywords": [
- "Audit Success"
- ],
- "process": {
- "pid": 1144,
- "thread": {
- "id": 1824
- }
- },
- "channel": "Security",
- "record_id": 14224
- },
- "event": {
- "provider": "Microsoft-Windows-Eventlog",
- "outcome": "success",
- "kind": "event",
- "code": 1102
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json
deleted file mode 100644
index af2f03a72..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json
+++ /dev/null
@@ -1,81 +0,0 @@
-{
- "expected": [
- {
- "@timestamp": "2019-11-07T10:34:29.055Z",
- "agent": {
- "ephemeral_id": "737c4709-1498-44d4-b1e6-d21cac1470e5",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "action": "audit-log-cleared",
- "category": [
- "iam"
- ],
- "code": "1102",
- "kind": "event",
- "outcome": "success",
- "provider": "Microsoft-Windows-Eventlog",
- "type": [
- "admin",
- "change"
- ]
- },
- "host": {
- "name": "WIN-41OB2LO92CR.wlbeat.local"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1102.xml"
- },
- "level": "information"
- },
- "related": {
- "user": [
- "Administrator"
- ]
- },
- "user": {
- "domain": "WLBEAT",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500",
- "name": "Administrator"
- },
- "winlog": {
- "channel": "Security",
- "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
- "event_id": "1102",
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "logon": {
- "id": "0x50e87"
- },
- "opcode": "Info",
- "outcome": "success",
- "process": {
- "pid": 1144,
- "thread": {
- "id": 1824
- }
- },
- "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
- "provider_name": "Microsoft-Windows-Eventlog",
- "record_id": "14224",
- "time_created": "2019-11-07T10:34:29.055Z",
- "user_data": {
- "SubjectDomainName": "WLBEAT",
- "SubjectLogonId": "0x50e87",
- "SubjectUserName": "Administrator",
- "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
- "xml_name": "LogFileCleared"
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json
deleted file mode 100644
index db23db5c8..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json
+++ /dev/null
@@ -1,53 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:06:48.792Z",
- "event": {
- "code": 1104,
- "provider": "Microsoft-Windows-Eventlog",
- "outcome": "success",
- "kind": "event"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1104.xml"
- },
- "level": "error"
- },
- "host": {
- "name": "WIN-41OB2LO92CR.wlbeat.local"
- },
- "agent": {
- "version": "8.0.0",
- "ephemeral_id": "ba338c91-ffb8-4b65-8c25-7990b1cf0e01",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat"
- },
- "ecs": {
- "version": "1.8.0"
- },
- "winlog": {
- "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
- "opcode": "Info",
- "outcome": "success",
- "process": {
- "pid": 1096,
- "thread": {
- "id": 1444
- }
- },
- "channel": "Security",
- "event_id": 1104,
- "record_id": 19352,
- "time_created": "2019-11-08T07:56:17.321Z",
- "level": "error",
- "provider_name": "Microsoft-Windows-Eventlog",
- "keywords": [
- "Audit Success"
- ],
- "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json
deleted file mode 100644
index eb9a575b6..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json
+++ /dev/null
@@ -1,60 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-11-08T07:56:17.321Z", - "agent": { - "ephemeral_id": "ba338c91-ffb8-4b65-8c25-7990b1cf0e01", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logging-full", - "category": [ - "iam" - ], - "code": "1104", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Eventlog", - "type": [ - "admin" - ] - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1104.xml" - }, - "level": "error" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_id": "1104", - "keywords": [ - "Audit Success" - ], - "level": "error", - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 1096, - "thread": { - "id": 1444 - } - }, - "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", - "provider_name": "Microsoft-Windows-Eventlog", - "record_id": "19352", - "time_created": "2019-11-08T07:56:17.321Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json deleted file mode 100644 index e66a080f5..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:06:53.816Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "winlog": { - "time_created": "2019-11-07T16:22:14.842Z", - "outcome": "success", - "user_data": { - "xml_name": "AutoBackup", - "Channel": "Security", - "BackupPath": "C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx" - }, - "process": { - "pid": 1156, - "thread": { - "id": 1484 - } - }, - "channel": "Security", - "event_id": 1105, - "provider_name": "Microsoft-Windows-Eventlog", - "opcode": "Info", - "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", - "level": "information", - "record_id": 18197, - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "keywords": [ - "Audit Success" - ] - }, - "event": { - "provider": "Microsoft-Windows-Eventlog", - "outcome": "success", - "kind": "event", - "code": 1105 - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1105.xml" - }, - "level": "information" - }, - "agent": { - "version": "8.0.0", - "ephemeral_id": "1b3ec690-31c3-4062-acdc-2afa56638178", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json deleted file mode 100644 index 9d3b8c773..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-11-07T16:22:14.842Z", - "agent": { - "ephemeral_id": "1b3ec690-31c3-4062-acdc-2afa56638178", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "auditlog-archieved", - "category": [ - "iam" - ], - "code": "1105", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Eventlog", - "type": [ - "admin" - ] - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1105.xml" - }, - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_id": "1105", - "keywords": [ - "Audit Success" - ], - "level": "information", - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 1156, - "thread": { - "id": 1484 - } - }, - "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", - "provider_name": "Microsoft-Windows-Eventlog", - "record_id": "18197", - "time_created": "2019-11-07T16:22:14.842Z", - "user_data": { - "BackupPath": "C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx", - "Channel": "Security", - "xml_name": "AutoBackup" - } - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json deleted file mode 100644 index 6eba23512..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json +++ /dev/null 
@@ -1,74 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-11-11T04:51:32.660Z", - "ecs": { - "version": "1.11.0" - }, - "host": { - "name": "DC01.contoso.local" - }, - "agent": { - "version": "7.15.2", - "hostname": "hostname", - "ephemeral_id": "1e53eccd-9d5b-4001-9e6b-13b66625bb16", - "id": "7d1ef343-9372-428d-bd10-0a78e6894797", - "name": "AgentName", - "type": "filebeat" - }, - "winlog": { - "event_id": "4663", - "opcode": "Info", - "time_created": "2015-09-18T22:13:54.770Z", - "level": "information", - "process": { - "pid": 516, - "thread": { - "id": 524 - } - }, - "keywords": [ - "Audit Success" - ], - "outcome": "success", - "event_data": { - "AccessMask": "0x6", - "ProcessName": "C:\\\\Windows\\\\System32\\\\notepad.exe", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x4367b", - "ObjectType": "File", - "ObjectName": "C:\\\\Documents\\\\HBI Data.txt", - "AccessList": "%%4417 %%4418", - "ProcessId": "0x458", - "ResourceAttributes": "S:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))", - "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104", - "SubjectUserName": "dadmin", - "ObjectServer": "Security", - "HandleId": "0x1bc" - }, - "computer_name": "DC01.contoso.local", - "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "version": 1, - "channel": "Security", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 273866 - }, - "event": { - "code": "4663", - "kind": "event", - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/file/path/4663.xml" - }, - "level": "information" - }, - "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e \u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" 
/\u003e\u003cEventID\u003e4663\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e12800\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8020000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-09-18T22:13:54.770429700Z\" /\u003e\u003cEventRecordID\u003e273866\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"516\" ThreadID=\"524\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-21-3457937927-2839227994-823803824-1104\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003edadmin\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eCONTOSO\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x4367b\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eSecurity\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003eFile\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003eC:\\\\Documents\\\\HBI Data.txt\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x1bc\u003c/Data\u003e\u003cData Name=\"AccessList\"\u003e%%4417 %%4418\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e0x6\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x458\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\notepad.exe\u003c/Data\u003e\u003cData Name=\"ResourceAttributes\"\u003eS:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "input": { - "type": "log" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json deleted file mode 100644 index 7b99c5d76..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json
+++ /dev/null
@@ -1,85 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2015-09-18T22:13:54.770Z", - "agent": { - "ephemeral_id": "1e53eccd-9d5b-4001-9e6b-13b66625bb16", - "hostname": "hostname", - "id": "7d1ef343-9372-428d-bd10-0a78e6894797", - "name": "AgentName", - "type": "filebeat", - "version": "7.15.2" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "code": "4663", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "DC01.contoso.local" - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/file/path/4663.xml" - }, - "level": "information" - }, - "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e \u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4663\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e12800\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8020000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-09-18T22:13:54.770429700Z\" /\u003e\u003cEventRecordID\u003e273866\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"516\" ThreadID=\"524\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-21-3457937927-2839227994-823803824-1104\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003edadmin\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eCONTOSO\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x4367b\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eSecurity\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003eFile\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003eC:\\\\Documents\\\\HBI 
Data.txt\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x1bc\u003c/Data\u003e\u003cData Name=\"AccessList\"\u003e%%4417 %%4418\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e0x6\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x458\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\notepad.exe\u003c/Data\u003e\u003cData Name=\"ResourceAttributes\"\u003eS:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "winlog": { - "channel": "Security", - "computer_name": "DC01.contoso.local", - "event_data": { - "AccessList": "%%4417 %%4418", - "AccessListDescription": [ - "WriteData (or AddFile)", - "AppendData (or AddSubdirectory or CreatePipeInstance)" - ], - "AccessMask": "0x6", - "AccessMaskDescription": [ - "Delete Child", - "List Contents" - ], - "HandleId": "0x1bc", - "ObjectName": "C:\\\\Documents\\\\HBI Data.txt", - "ObjectServer": "Security", - "ObjectType": "File", - "ProcessId": "0x458", - "ProcessName": "C:\\\\Windows\\\\System32\\\\notepad.exe", - "ResourceAttributes": "S:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x4367b", - "SubjectUserName": "dadmin", - "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104" - }, - "event_id": "4663", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4367b" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 524 - } - }, - "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "273866", - "time_created": "2015-09-18T22:13:54.770Z", - "version": 1 - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json
deleted file mode 100644
index 5e3a49302..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json
+++ /dev/null
@@ -1,67 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:09:09.111Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "agent": { - "ephemeral_id": "3d760cf7-94ed-4415-85cd-588f6adf9376", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "winlog": { - "provider_name": "Microsoft-Windows-Security-Auditing", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "level": "information", - "time_created": "2020-07-28T13:22:18.799Z", - "outcome": "success", - "channel": "Security", - "event_id": 4670, - "record_id": 31932, - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "event_data": { - "HandleId": "0x56c", - "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)", - "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)", - "ProcessId": "0x2fc", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "ObjectName": "-", - "ProcessName": "C:\\Windows\\System32\\services.exe", - "SubjectUserSid": "S-1-5-18", - "ObjectServer": "Security", - "ObjectType": "Token" - }, - "process": { - "pid": 4, - "thread": { - "id": 4604 - } - } - }, - "event": { - "kind": "event", - "code": 4670, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.xml" - } - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json deleted file mode 100644 index ab0423443..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json
+++ /dev/null
@@ -1,97 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-07-28T13:22:18.799Z", - "agent": { - "ephemeral_id": "3d760cf7-94ed-4415-85cd-588f6adf9376", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "permissions-changed", - "category": [ - "iam", - "configuration" - ], - "code": "4670", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 764 - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "HandleId": "0x56c", - "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)", - "NewSdDacl0": "Local system :Access Allowed ([Generic All])", - "NewSdDacl1": "OW :Access Allowed ([Read Permissions])", - "NewSdDacl2": "S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed ([Generic All])", - "ObjectName": "-", - "ObjectServer": "Security", - "ObjectType": "Token", - "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)", - "OldSdDacl0": "Local system :Access Allowed ([Generic All])", - "OldSdDacl1": "Network service account :Access Allowed ([Generic All])", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "4670", - "keywords": [ - "Audit Success" - ], - 
"level": "information", - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 4, - "thread": { - "id": 4604 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "31932", - "time_created": "2020-07-28T13:22:18.799Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json deleted file mode 100644 index dc8434259..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json +++ /dev/null 
@@ -1,125 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-11-11T17:14:52.001Z", - "agent": { - "name": "AgentName", - "type": "filebeat", - "version": "7.15.2", - "hostname": "hostname", - "ephemeral_id": "8c285603-b2ba-4891-8f1a-862ca3388614", - "id": "7d1ef343-9372-428d-bd10-0a78e6894797" - }, - "winlog": { - "time_created": "2015-10-09T00:22:36.237Z", - "event_id": "4674", - "provider_name": "Microsoft-Windows-Security-Auditing", - "keywords": [ - "Audit Failure" - ], - "opcode": "Info", - "outcome": "failure", - "level": "information", - "event_data": { - "ProcessId": "0x1f0", - "SubjectDomainName": "NT AUTHORITY", - "SubjectLogonId": "0x3e5", - "ObjectType": "-", - "ObjectName": "-", - "AccessMask": "16777216", - "PrivilegeList": "SeSecurityPrivilege", - "ProcessName": "C:\\\\Windows\\\\System32\\\\lsass.exe", - "SubjectUserSid": "S-1-5-19", - "SubjectUserName": "LOCAL SERVICE", - "ObjectServer": "LSA", - "HandleId": "0x0" - }, - "process": { - "pid": 496, - "thread": { - "id": 504 - } - }, - "channel": "Security", - "record_id": 1099680, - "computer_name": "DC01.contoso.local", - "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}" - }, - "event": { - "code": "4674", - "kind": "event", - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "failure" - }, - "log": { - "file": { - "path": "/file/path/4674.xml" - }, - "level": "information" - }, - "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e\u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4674\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e13056\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8010000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-10-09T00:22:36.237816000Z\" 
/\u003e\u003cEventRecordID\u003e1099680\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"496\" ThreadID=\"504\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-19\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003eLOCAL SERVICE\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eNT AUTHORITY\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x3e5\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eLSA\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003e-\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003e-\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x0\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e16777216\u003c/Data\u003e\u003cData Name=\"PrivilegeList\"\u003eSeSecurityPrivilege\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x1f0\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\lsass.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "input": { - "type": "log" - }, - "ecs": { - "version": "1.11.0" - }, - "host": { - "name": "DC01.contoso.local" - } - }, - { - "@timestamp": "2021-11-11T17:14:53.001Z", - "event": { - "action": "Sensitive Privilege Use", - "code": "4674", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "level": "information" - }, - "message": "An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x5E2887\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\n\tObject Handle:\t0x1684\n\nProcess 
Information:\n\tProcess ID:\t0x3e4\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nRequested Operation:\n\tDesired Access:\tREAD_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\n\tPrivileges:\t\tSeSecurityPrivilege", - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "AccessMask": "%%1538\n\t\t\t\t%%1542\n\t\t\t\t", - "HandleId": "0x1684", - "ObjectName": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor", - "ObjectServer": "Security", - "ObjectType": "File", - "PrivilegeList": "SeSecurityPrivilege", - "ProcessId": "0x3e4", - "ProcessName": "C:\\Windows\\System32\\svchost.exe", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x5e2887", - "SubjectUserName": "at_adm", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "event_id": "4674", - "keywords": [ - "Audit Success" - ], - "level": "information", - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 604, - "thread": { - "id": 612 - } - }, - "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 18232147, - "task": "Sensitive Privilege Use", - "time_created": "2022-08-01T08:53:50.3336583Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json deleted file mode 100644 index 6e388d03e..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json +++ /dev/null 
@@ -1,184 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2015-10-09T00:22:36.237Z", - "agent": { - "ephemeral_id": "8c285603-b2ba-4891-8f1a-862ca3388614", - "hostname": "hostname", - "id": "7d1ef343-9372-428d-bd10-0a78e6894797", - "name": "AgentName", - "type": "filebeat", - "version": "7.15.2" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "privileged-operation", - "category": [ - "iam" - ], - "code": "4674", - "kind": "event", - "outcome": "failure", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin" - ] - }, - "host": { - "name": "DC01.contoso.local" - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/file/path/4674.xml" - }, - "level": "information" - }, - "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e\u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4674\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e13056\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8010000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-10-09T00:22:36.237816000Z\" /\u003e\u003cEventRecordID\u003e1099680\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"496\" ThreadID=\"504\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-19\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003eLOCAL SERVICE\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eNT AUTHORITY\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x3e5\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eLSA\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003e-\u003c/Data\u003e\u003cData 
Name=\"ObjectName\"\u003e-\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x0\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e16777216\u003c/Data\u003e\u003cData Name=\"PrivilegeList\"\u003eSeSecurityPrivilege\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x1f0\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\lsass.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "process": { - "executable": "C:\\\\Windows\\\\System32\\\\lsass.exe", - "name": "lsass.exe", - "pid": 496 - }, - "related": { - "user": [ - "LOCAL SERVICE" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-19", - "name": "LOCAL SERVICE" - }, - "winlog": { - "channel": "Security", - "computer_name": "DC01.contoso.local", - "event_data": { - "AccessMask": "16777216", - "AccessMaskDescription": [ - "ADS_RIGHT_ACCESS_SYSTEM_SECURITY" - ], - "HandleId": "0x0", - "ObjectName": "-", - "ObjectServer": "LSA", - "ObjectType": "-", - "PrivilegeList": [ - "SeSecurityPrivilege" - ], - "SubjectDomainName": "NT AUTHORITY", - "SubjectLogonId": "0x3e5", - "SubjectUserName": "LOCAL SERVICE", - "SubjectUserSid": "S-1-5-19" - }, - "event_id": "4674", - "keywords": [ - "Audit Failure" - ], - "level": "information", - "logon": { - "id": "0x3e5" - }, - "opcode": "Info", - "outcome": "failure", - "process": { - "pid": 496, - "thread": { - "id": 504 - } - }, - "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1099680", - "time_created": "2015-10-09T00:22:36.237Z" - } - }, - { - "@timestamp": "2022-08-01T08:53:50.333Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "privileged-operation", - "category": [ - "iam" - ], - "code": "4674", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin" - ] - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "level": "information" - }, - 
"message": "An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x5E2887\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\n\tObject Handle:\t0x1684\n\nProcess Information:\n\tProcess ID:\t0x3e4\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nRequested Operation:\n\tDesired Access:\tREAD_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\n\tPrivileges:\t\tSeSecurityPrivilege", - "process": { - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 996 - }, - "related": { - "user": [ - "at_adm" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "AccessMask": "%%1538\n\t\t\t\t%%1542\n\t\t\t\t", - "AccessMaskDescription": [ - "Delete Child", - "List Contents" - ], - "HandleId": "0x1684", - "ObjectName": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor", - "ObjectServer": "Security", - "ObjectType": "File", - "PrivilegeList": [ - "SeSecurityPrivilege" - ], - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x5e2887", - "SubjectUserName": "at_adm", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "event_id": "4674", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x5e2887" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 604, - "thread": { - "id": 612 - } - }, - "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "18232147", - "task": "Sensitive Privilege Use", - "time_created": "2022-08-01T08:53:50.3336583Z" - } - } 
- ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json deleted file mode 100644 index 71b628dde..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json +++ /dev/null 
@@ -1,66 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:08:19.021Z", - "event": { - "kind": "event", - "code": 4706, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.xml" - }, - "level": "information" - }, - "agent": { - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "9e4d57e6-8caa-43f7-aa64-6b78dc45ae4d", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "winlog": { - "event_id": 4706, - "provider_name": "Microsoft-Windows-Security-Auditing", - "keywords": [ - "Audit Success" - ], - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", - "process": { - "pid": 776, - "thread": { - "id": 3056 - } - }, - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "outcome": "success", - "event_data": { - "DomainName": "192.168.230.153", - "SubjectUserName": "Administrator", - "SubjectLogonId": "0x6a868", - "TdoType": "3", - "DomainSid": "S-1-0-0", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", - "SubjectDomainName": "TEST", - "TdoDirection": "3", - "TdoAttributes": "1", - "SidFilteringEnabled": "%%1796" - }, - "time_created": "2020-07-27T09:42:48.369Z", - "channel": "Security", - "record_id": 6017, - "opcode": "Info", - "level": "information" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json deleted file mode 100644 index 8fb08637e..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json
+++ /dev/null
@@ -1,89 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-07-27T09:42:48.369Z", - "agent": { - "ephemeral_id": "9e4d57e6-8caa-43f7-aa64-6b78dc45ae4d", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "domain-trust-added", - "category": [ - "configuration" - ], - "code": "4706", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "creation" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500", - "name": "Administrator" - }, - "winlog": { - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "DomainName": "192.168.230.153", - "DomainSid": "S-1-0-0", - "SidFilteringEnabled": "%%1796", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x6a868", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", - "TdoAttributes": "1", - "TdoDirection": "3", - "TdoType": "3" - }, - "event_id": "4706", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x6a868" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 776, - "thread": { - "id": 3056 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "6017", - "time_created": "2020-07-27T09:42:48.369Z", - "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", - "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", - "trustType": 
"TRUST_TYPE_MIT" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json deleted file mode 100644 index ada3ae0d3..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:04:18.060Z", - "agent": { - "version": "8.0.0", - "ephemeral_id": "3d917dba-6707-4ee1-be70-ba855a9e5b1c", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "winlog": { - "channel": "Security", - "event_id": 4707, - "provider_name": "Microsoft-Windows-Security-Auditing", - "time_created": "2020-07-28T06:18:04.600Z", - "level": "information", - "process": { - "pid": 776, - "thread": { - "id": 2012 - } - }, - "record_id": 13679, - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "outcome": "success", - "event_data": { - "SubjectLogonId": "0x6a868", - "DomainName": "192.168.230.153", - "DomainSid": "S-1-0-0", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", - "SubjectUserName": "Administrator", - "SubjectDomainName": "TEST" - } - }, - "event": { - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "kind": "event", - "code": 4707 - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.xml" - }, - "level": "information" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json deleted file mode 100644 index d258bfedc..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json +++ /dev/null 
@@ -1,81 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-07-28T06:18:04.600Z", - "agent": { - "ephemeral_id": "3d917dba-6707-4ee1-be70-ba855a9e5b1c", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "domain-trust-removed", - "category": [ - "configuration" - ], - "code": "4707", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "deletion" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500", - "name": "Administrator" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "DomainName": "192.168.230.153", - "DomainSid": "S-1-0-0", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x6a868", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" - }, - "event_id": "4707", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x6a868" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 776, - "thread": { - "id": 2012 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "13679", - "time_created": "2020-07-28T06:18:04.600Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json deleted file mode 100644 index b2cea0250..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:05:43.545Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "winlog": { - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 776, - "thread": { - "id": 2012 - } - }, - "channel": "Security", - "event_id": 4713, - "provider_name": "Microsoft-Windows-Security-Auditing", - "time_created": "2020-07-28T10:15:43.495Z", - "level": "information", - "keywords": [ - "Audit Success" - ], - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "record_id": 21265, - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "SubjectUserSid": "S-1-5-18", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "KerberosPolicyChange": "KerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); " - }, - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}" - }, - "event": { - "kind": "event", - "code": 4713, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.xml" - }, - "level": "information" - }, - "agent": { - "version": "8.0.0", - "ephemeral_id": "00d05603-1d0f-476c-99f7-059a70f43625", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json deleted file mode 100644 index 7f197a8b7..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json +++ /dev/null 
@@ -1,81 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-07-28T10:15:43.495Z", - "agent": { - "ephemeral_id": "00d05603-1d0f-476c-99f7-059a70f43625", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "kerberos-policy-changed", - "category": [ - "configuration" - ], - "code": "4713", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "change" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, - "winlog": { - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "KerberosPolicyChange": "KerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "4713", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 776, - "thread": { - "id": 2012 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "21265", - "time_created": "2020-07-28T10:15:43.495Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json deleted file mode 100644 index 9959d2738..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:08:54.080Z", - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.xml" - }, - "level": "information" - }, - "agent": { - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "73327973-22b1-49d2-ba3c-f467e39c81a0", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "winlog": { - "event_id": 4716, - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", - "channel": "Security", - "time_created": "2020-07-28T08:17:00.470Z", - "record_id": 14929, - "keywords": [ - "Audit Success" - ], - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "outcome": "success", - "event_data": { - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", - "DomainSid": "S-1-0-0", - "TdoAttributes": "1", - "SidFilteringEnabled": "-", - "SubjectUserName": "Administrator", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x6a868", - "DomainName": "-", - "TdoType": "3", - "TdoDirection": "3" - }, - "provider_name": "Microsoft-Windows-Security-Auditing", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "opcode": "Info", - "level": "information", - "process": { - "pid": 776, - "thread": { - "id": 3776 - } - } - }, - "event": { - "kind": "event", - "code": 4716, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json deleted file mode 100644 index 58b0730cf..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-07-28T08:17:00.470Z", - "agent": { - "ephemeral_id": "73327973-22b1-49d2-ba3c-f467e39c81a0", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "trusted-domain-information-changed", - "category": [ - "configuration" - ], - "code": "4716", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "change" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500", - "name": "Administrator" - }, - "winlog": { - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "DomainName": "-", - "DomainSid": "S-1-0-0", - "SidFilteringEnabled": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x6a868", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", - "TdoAttributes": "1", - "TdoDirection": "3", - "TdoType": "3" - }, - "event_id": "4716", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x6a868" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 776, - "thread": { - "id": 3776 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "14929", - "time_created": "2020-07-28T08:17:00.470Z", - "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", - "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", - "trustType": 
"TRUST_TYPE_MIT" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json deleted file mode 100644 index 50d6b908d..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json +++ /dev/null @@ -1,62 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:04:08.002Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-BVM4LI1L1Q6" - }, - "agent": { - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "1271c200-5f2f-42c7-bc2f-abbdc1211f37" - }, - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-07-27T09:30:41.903Z", - "channel": "Security", - "event_id": 4717, - "outcome": "success", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 1571, - "level": "information", - "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", - "process": { - "pid": 776, - "thread": { - "id": 820 - } - }, - "event_data": { - "SubjectUserSid": "S-1-5-18", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "TargetSid": "S-1-5-9", - "AccessGranted": "SeNetworkLogonRight" - } - }, - "event": { - "kind": "event", - "code": 4717, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.xml" - }, - "level": "information" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json deleted file mode 100644 index 02be43b6a..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-07-27T09:30:41.903Z", - "agent": { - "ephemeral_id": "1271c200-5f2f-42c7-bc2f-abbdc1211f37", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "system-security-access-granted", - "category": [ - "iam", - "configuration" - ], - "code": "4717", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "user": { - "domain": "WORKGROUP", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, - "winlog": { - "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6", - "event_data": { - "AccessGranted": "SeNetworkLogonRight", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectUserSid": "S-1-5-18", - "TargetSid": "S-1-5-9" - }, - "event_id": "4717", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 776, - "thread": { - "id": 820 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1571", - "time_created": "2020-07-27T09:30:41.903Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json deleted file mode 100644 index 240edb06f..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json +++ /dev/null @@ -1,62 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:09:59.181Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-BVM4LI1L1Q6" - }, - "agent": { - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "2ab86036-bb3b-4131-a797-34f5dca7b048" - }, - "winlog": { - "time_created": "2020-07-27T09:30:41.877Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "keywords": [ - "Audit Success" - ], - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "outcome": "success", - "event_data": { - "SubjectUserSid": "S-1-5-18", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "TargetSid": "S-1-5-32-545", - "AccessRemoved": "SeNetworkLogonRight" - }, - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6", - "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", - "record_id": 1565, - "opcode": "Info", - "level": "information", - "process": { - "pid": 776, - "thread": { - "id": 820 - } - }, - "event_id": 4718 - }, - "event": { - "kind": "event", - "code": 4718, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.xml" - }, - "level": "information" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json deleted file mode 100644 index b35c42e93..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-07-27T09:30:41.877Z", - "agent": { - "ephemeral_id": "2ab86036-bb3b-4131-a797-34f5dca7b048", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "system-security-access-removed", - "category": [ - "iam", - "configuration" - ], - "code": "4718", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "deletion" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "user": { - "domain": "WORKGROUP", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, - "winlog": { - "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6", - "event_data": { - "AccessRemoved": "SeNetworkLogonRight", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectUserSid": "S-1-5-18", - "TargetSid": "S-1-5-32-545" - }, - "event_id": "4718", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 776, - "thread": { - "id": 820 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1565", - "time_created": "2020-07-27T09:30:41.877Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json deleted file mode 100644 index 11b58fcaf..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json +++ /dev/null @@ -1,64 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:03:47.877Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "agent": { - "version": "8.0.0", - "ephemeral_id": "615d6dcc-ad38-494d-a4d6-bc35a1bcb7fe", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat" - }, - "winlog": { - "channel": "Security", - "outcome": "success", - "event_id": 4719, - "provider_name": "Microsoft-Windows-Security-Auditing", - "opcode": "Info", - "record_id": 123879, - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "level": "information", - "activity_id": "{65461d39-753f-0000-731d-46653f75d601}", - "process": { - "pid": 780, - "thread": { - "id": 2764 - } - }, - "keywords": [ - "Audit Success" - ], - "time_created": "2020-08-18T13:45:57.480Z", - "event_data": { - "SubcategoryGuid": "{0cce9227-69ae-11d9-bed3-505054503030}", - "AuditPolicyChanges": "%%8448", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", - "SubjectUserName": "Administrator", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x44d7d", - "CategoryId": "%%8274", - "SubcategoryId": "%%12804" - } - }, - "event": { - "kind": "event", - "code": 4719, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.xml" - } - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json deleted file mode 100644 index 51c28011e..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json +++ /dev/null 
@@ -1,91 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-08-18T13:45:57.480Z", - "agent": { - "ephemeral_id": "615d6dcc-ad38-494d-a4d6-bc35a1bcb7fe", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "changed-audit-config", - "category": [ - "iam", - "configuration" - ], - "code": "4719", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500", - "name": "Administrator" - }, - "winlog": { - "activity_id": "{65461d39-753f-0000-731d-46653f75d601}", - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "AuditPolicyChanges": "%%8448", - "AuditPolicyChangesDescription": [ - "Success removed" - ], - "Category": "Object Access", - "CategoryId": "%%8274", - "SubCategory": "Other Object Access Events", - "SubcategoryGuid": "{0cce9227-69ae-11d9-bed3-505054503030}", - "SubcategoryId": "%%12804", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x44d7d", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" - }, - "event_id": "4719", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x44d7d" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 780, - "thread": { - "id": 2764 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "123879", - "time_created": 
"2020-08-18T13:45:57.480Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json deleted file mode 100644 index 4731be62d..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json +++ /dev/null @@ -1,64 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:05:53.569Z", - "agent": { - "ephemeral_id": "a5d5ef8c-c4b4-402a-9d5d-a3643947e76a", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "winlog": { - "provider_name": "Microsoft-Windows-Security-Auditing", - "level": "information", - "time_created": "2019-11-07T15:22:57.655Z", - "event_data": { - "SubjectLogonId": "0x3e7", - "CategoryId": "%%8273", - "SubcategoryId": "%%12552", - "SubcategoryGuid": "{0cce9243-69ae-11d9-bed3-505054503030}", - "AuditPolicyChanges": "%%8449, %%8451", - "SubjectUserSid": "S-1-5-18", - "SubjectUserName": "WIN-41OB2LO92CR$", - "SubjectDomainName": "WLBEAT" - }, - "activity_id": "{3eef0a0d-9551-0000-140c-ef3e5195d501}", - "process": { - "thread": { - "id": 2944 - }, - "pid": 772 - }, - "channel": "Security", - "event_id": 4719, - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "record_id": 17154, - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "outcome": "success" - }, - "event": { - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "kind": "event", - "code": 4719 - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json deleted file mode 100644 index c23e65ecc..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-11-07T15:22:57.655Z", - "agent": { - "ephemeral_id": "a5d5ef8c-c4b4-402a-9d5d-a3643947e76a", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "changed-audit-config", - "category": [ - "iam", - "configuration" - ], - "code": "4719", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "WIN-41OB2LO92CR$" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-18", - "name": "WIN-41OB2LO92CR$" - }, - "winlog": { - "activity_id": "{3eef0a0d-9551-0000-140c-ef3e5195d501}", - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "AuditPolicyChanges": "%%8449, %%8451", - "AuditPolicyChangesDescription": [ - "Success Added", - "Failure Added" - ], - "Category": "Logon/Logoff", - "CategoryId": "%%8273", - "SubCategory": "Network Policy Server", - "SubcategoryGuid": "{0cce9243-69ae-11d9-bed3-505054503030}", - "SubcategoryId": "%%12552", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "WIN-41OB2LO92CR$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "4719", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 2944 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "17154", - "time_created": "2019-11-07T15:22:57.655Z" - } - } - ] -} \ No newline at 
end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json deleted file mode 100644 index e23bd7817..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-11-11T17:14:52.001Z", - "event": { - "action": "User Account Management", - "code": "4738", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "DC_TEST2k12" - }, - "log": { - "level": "information" - }, - "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x5E2887\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-8884\n\tAccount Name:\t\tanatest1\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\tanatest12@TEST\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t-\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t-\n\tNew UAC Value:\t\t-\n\tUser Account Control:\t-\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12", - "event_data": { - "AccountExpires": "-", - "AllowedToDelegateTo": "-", - "DisplayName": "-", - "Dummy": "-", - "HomeDirectory": "-", - "HomePath": "-", - "LogonHours": "-", - "NewUacValue": "-", - "OldUacValue": "-", - "PasswordLastSet": "-", - "PrimaryGroupId": "-", - "PrivilegeList": "-", - "ProfilePath": "-", - "SamAccountName": "-", - "ScriptPath": "-", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x5e2887", - "SubjectUserName": "at_adm", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-8884", - "TargetUserName": "anatest1", - "UserAccountControl": "-", - "UserParameters": "-", - "UserPrincipalName": 
"anatest12@TEST", - "UserWorkstations": "-" - }, - "event_id": "4738", - "keywords": [ - "Audit Success" - ], - "level": "information", - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 604, - "thread": { - "id": 864 - } - }, - "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 18232108, - "task": "User Account Management", - "time_created": "2022-08-01T08:49:58.8259888Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json deleted file mode 100644 index 0c6f66fc8..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2022-08-01T08:49:58.825Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "modified-user-account", - "category": [ - "iam" - ], - "code": "4738", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "change" - ] - }, - "host": { - "name": "DC_TEST2k12" - }, - "log": { - "level": "information" - }, - "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x5E2887\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-8884\n\tAccount Name:\t\tanatest1\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\tanatest12@TEST\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t-\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t-\n\tNew UAC Value:\t\t-\n\tUser Account Control:\t-\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", - "related": { - "user": [ - "at_adm", - "anatest1" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm", - "target": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-8884", - "name": "anatest1" - } - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12", - "event_data": { - "AccountExpires": "-", - "AllowedToDelegateTo": "-", - "DisplayName": "-", - "Dummy": "-", - "HomeDirectory": "-", - "HomePath": "-", - "LogonHours": "-", - "NewUacValue": "-", - "OldUacValue": "-", - "PasswordLastSet": "-", - "PrimaryGroupId": "-", - "PrivilegeList": "-", - "ProfilePath": "-", - "SamAccountName": "-", - "ScriptPath": 
"-", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x5e2887", - "SubjectUserName": "at_adm", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-8884", - "TargetUserName": "anatest1", - "UserAccountControl": "-", - "UserParameters": "-", - "UserPrincipalName": "anatest12@TEST", - "UserWorkstations": "-" - }, - "event_id": "4738", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x5e2887" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 604, - "thread": { - "id": 864 - } - }, - "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "18232108", - "task": "User Account Management", - "time_created": "2022-08-01T08:49:58.8259888Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json deleted file mode 100644 index c4235d797..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json +++ /dev/null 
@@ -1,68 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:03:12.598Z", - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "agent": { - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "bd63c19a-cad0-4833-9b84-5ed4e7e27cc5" - }, - "winlog": { - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "event_data": { - "DomainBehaviorVersion": "-", - "DomainName": "TEST", - "SubjectUserSid": "S-1-5-18", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "MixedDomainMode": "-", - "DomainPolicyChanged": "Password Policy", - "DomainSid": "S-1-5-21-2024912787-2692429404-2351956786", - "SubjectLogonId": "0x3e7", - "PrivilegeList": "-", - "OemInformation": "-", - "SubjectDomainName": "TEST", - "PasswordHistoryLength": "-", - "MachineAccountQuota": "-" - }, - "provider_name": "Microsoft-Windows-Security-Auditing", - "event_id": 4739, - "record_id": 3532, - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "keywords": [ - "Audit Success" - ], - "time_created": "2020-07-27T09:34:50.157Z", - "outcome": "success", - "level": "information", - "channel": "Security", - "process": { - "pid": 776, - "thread": { - "id": 812 - } - } - }, - "event": { - "kind": "event", - "code": 4739, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json deleted file mode 100644 index e661faa33..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json +++ /dev/null 
@@ -1,88 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-07-27T09:34:50.157Z", - "agent": { - "ephemeral_id": "bd63c19a-cad0-4833-9b84-5ed4e7e27cc5", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "domain-policy-changed", - "category": [ - "configuration" - ], - "code": "4739", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "change" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "DomainBehaviorVersion": "-", - "DomainName": "TEST", - "DomainPolicyChanged": "Password Policy", - "DomainSid": "S-1-5-21-2024912787-2692429404-2351956786", - "MachineAccountQuota": "-", - "MixedDomainMode": "-", - "OemInformation": "-", - "PasswordHistoryLength": "-", - "PrivilegeList": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "4739", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 776, - "thread": { - "id": 812 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "3532", - "time_created": "2020-07-27T09:34:50.157Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json deleted file mode 100644 index 524720e31..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json +++ /dev/null 
@@ -1,74 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-11-11T17:14:52.001Z", - "event": { - "action": "Computer Account Management", - "code": "4742", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "DC_TEST2k12.TEST." - }, - "log": { - "level": "information" - }, - "message": "A computer account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E6\n\nComputer Account That Was Changed:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-11556\n\tAccount Name:\t\tTEST4642$\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t01/08/2022 10:56:47\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t-\n\tNew UAC Value:\t\t-\n\tUser Account Control:\t-\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.", - "event_data": { - "AccountExpires": "-", - "AllowedToDelegateTo": "-", - "ComputerAccountChange": "-", - "DisplayName": "-", - "DnsHostName": "-", - "HomeDirectory": "-", - "HomePath": "-", - "LogonHours": "-", - "NewUacValue": "-", - "OldUacValue": "-", - "PasswordLastSet": "01/08/2022 10:56:47", - "PrimaryGroupId": "-", - "PrivilegeList": "-", - "ProfilePath": "-", - "SamAccountName": "-", - "ScriptPath": "-", - "ServicePrincipalNames": "-", - "SidHistory": "-", - "SubjectDomainName": "NT AUTHORITY", - "SubjectLogonId": "0x3e6", - "SubjectUserName": "ANONYMOUS LOGON", - "SubjectUserSid": "S-1-5-7", - "TargetDomainName": "TEST", - "TargetSid": 
"S-1-5-21-1717121054-434620538-60925301-11556", - "TargetUserName": "TEST4642$", - "UserAccountControl": "-", - "UserParameters": "-", - "UserPrincipalName": "-", - "UserWorkstations": "-" - }, - "event_id": "4742", - "keywords": [ - "Audit Success" - ], - "level": "information", - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 604, - "thread": { - "id": 864 - } - }, - "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 18232202, - "task": "Computer Account Management", - "time_created": "2022-08-01T08:56:47.9740262Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json deleted file mode 100644 index 77d449f58..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2022-08-01T08:56:47.974Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "changed-computer-account", - "category": [ - "iam" - ], - "code": "4742", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "change", - "admin" - ] - }, - "host": { - "name": "DC_TEST2k12.TEST." - }, - "log": { - "level": "information" - }, - "message": "A computer account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E6\n\nComputer Account That Was Changed:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-11556\n\tAccount Name:\t\tTEST4642$\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t01/08/2022 10:56:47\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t-\n\tNew UAC Value:\t\t-\n\tUser Account Control:\t-\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", - "related": { - "user": [ - "ANONYMOUS LOGON" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-7", - "name": "ANONYMOUS LOGON" - }, - "winlog": { - "channel": "Security", - "computerObject": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-11556", - "name": "TEST4642$" - }, - "computer_name": "DC_TEST2k12.TEST.", - "event_data": { - "AccountExpires": "-", - "AllowedToDelegateTo": "-", - "ComputerAccountChange": "-", - "DisplayName": "-", - "DnsHostName": "-", - "HomeDirectory": "-", - "HomePath": "-", - "LogonHours": "-", - "NewUacValue": "-", - "OldUacValue": "-", - "PasswordLastSet": "01/08/2022 
10:56:47", - "PrimaryGroupId": "-", - "PrivilegeList": [ - "-" - ], - "ProfilePath": "-", - "SamAccountName": "-", - "ScriptPath": "-", - "ServicePrincipalNames": "-", - "SidHistory": "-", - "SubjectDomainName": "NT AUTHORITY", - "SubjectLogonId": "0x3e6", - "SubjectUserName": "ANONYMOUS LOGON", - "SubjectUserSid": "S-1-5-7", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-11556", - "TargetUserName": "TEST4642$", - "UserAccountControl": "-", - "UserParameters": "-", - "UserPrincipalName": "-", - "UserWorkstations": "-" - }, - "event_id": "4742", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e6" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 604, - "thread": { - "id": 864 - } - }, - "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "18232202", - "task": "Computer Account Management", - "time_created": "2022-08-01T08:56:47.9740262Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json deleted file mode 100644 index d9faf0bd6..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json +++ /dev/null 
@@ -1,63 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:09:49.144Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "agent": { - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "851a38b2-b036-44b2-9c64-2ee2c4567d73", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain" - }, - "winlog": { - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "outcome": "success", - "level": "information", - "event_data": { - "TargetUserName": "TESTCOMPUTEROBJ$", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "SubjectUserName": "at_adm", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "PrivilegeList": "-" - }, - "event_id": 4743, - "record_id": 3699966, - "computer_name": "DC_TEST2k12.TEST.SAAS", - "opcode": "Info", - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "channel": "Security", - "provider_name": "Microsoft-Windows-Security-Auditing", - "keywords": [ - "Audit Success" - ], - "time_created": "2019-12-18T16:25:21.578Z" - }, - "event": { - "kind": "event", - "code": 4743, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4743.xml" - } - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json deleted file mode 100644 index f2ad8d323..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json +++ /dev/null 
@@ -1,91 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-12-18T16:25:21.578Z", - "agent": { - "ephemeral_id": "851a38b2-b036-44b2-9c64-2ee2c4567d73", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "deleted-computer-account", - "category": [ - "iam" - ], - "code": "4743", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "deletion", - "admin" - ] - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4743.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "at_adm" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, - "winlog": { - "channel": "Security", - "computerObject": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2902", - "name": "TESTCOMPUTEROBJ$" - }, - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "PrivilegeList": [ - "-" - ], - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "SubjectUserName": "at_adm", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", - "TargetUserName": "TESTCOMPUTEROBJ$" - }, - "event_id": "4743", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "3699966", - "time_created": "2019-12-18T16:25:21.578Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json
deleted file mode 100644
index 522996830..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json
+++ /dev/null
@@ -1,65 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:09:19.113Z",
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "agent": {
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0",
- "ephemeral_id": "8110911f-6b3a-4c77-9d29-41319d5bfa08",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17"
- },
- "ecs": {
- "version": "1.8.0"
- },
- "winlog": {
- "process": {
- "pid": 492,
- "thread": {
- "id": 664
- }
- },
- "opcode": "Info",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "outcome": "success",
- "record_id": 3699973,
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "keywords": [
- "Audit Success"
- ],
- "time_created": "2019-12-18T16:26:46.874Z",
- "level": "information",
- "channel": "Security",
- "event_id": 4744,
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "event_data": {
- "TargetUserName": "testdistlocal",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903",
- "SubjectUserName": "at_adm",
- "SubjectDomainName": "TEST",
- "SamAccountName": "testdistlocal",
- "TargetDomainName": "TEST",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "SubjectLogonId": "0x2e67800",
- "PrivilegeList": "-",
- "SidHistory": "-"
- }
- },
- "event": {
- "kind": "event",
- "code": 4744,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4744.xml"
- },
- "level": "information"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json deleted file mode 100644 index 633a3e5ca..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json +++ /dev/null 
@@ -1,91 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-12-18T16:26:46.874Z", - "agent": { - "ephemeral_id": "8110911f-6b3a-4c77-9d29-41319d5bfa08", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "added-distribution-group-account", - "category": [ - "iam" - ], - "code": "4744", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "creation" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903", - "name": "testdistlocal" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4744.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "at_adm" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "PrivilegeList": "-", - "SamAccountName": "testdistlocal", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "SubjectUserName": "at_adm", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", - "TargetUserName": "testdistlocal" - }, - "event_id": "4744", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "3699973", - "time_created": "2019-12-18T16:26:46.874Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json
deleted file mode 100644
index a1a517277..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json
+++ /dev/null
@@ -1,65 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:08:59.093Z",
- "agent": {
- "version": "8.0.0",
- "ephemeral_id": "cd7f1761-3be1-4d56-bcc6-c0d761791c5c",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat"
- },
- "winlog": {
- "keywords": [
- "Audit Success"
- ],
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "outcome": "success",
- "event_data": {
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x2e67800",
- "SamAccountName": "testdistlocal1",
- "TargetUserName": "testdistlocal1",
- "TargetDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903",
- "SubjectUserName": "at_adm",
- "PrivilegeList": "-",
- "SidHistory": "-"
- },
- "process": {
- "pid": 492,
- "thread": {
- "id": 1076
- }
- },
- "channel": "Security",
- "event_id": 4745,
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "time_created": "2019-12-18T16:29:05.017Z",
- "level": "information",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": 3700000,
- "opcode": "Info"
- },
- "event": {
- "kind": "event",
- "code": 4745,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4745.xml"
- },
- "level": "information"
- },
- "ecs": {
- "version": "1.8.0"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json deleted file mode 100644 index 0bdc88273..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json +++ /dev/null 
@@ -1,91 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-12-18T16:29:05.017Z", - "agent": { - "ephemeral_id": "cd7f1761-3be1-4d56-bcc6-c0d761791c5c", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "changed-distribution-group-account", - "category": [ - "iam" - ], - "code": "4745", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903", - "name": "testdistlocal1" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4745.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "at_adm" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "PrivilegeList": "-", - "SamAccountName": "testdistlocal1", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "SubjectUserName": "at_adm", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", - "TargetUserName": "testdistlocal1" - }, - "event_id": "4745", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 492, - "thread": { - "id": 1076 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "3700000", - "time_created": "2019-12-18T16:29:05.017Z" - } - } - ] -} \ No newline at end of 
file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json
deleted file mode 100644
index 155999dc6..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json
+++ /dev/null
@@ -1,65 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:08:14.021Z",
- "winlog": {
- "event_id": 4746,
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "opcode": "Info",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "process": {
- "pid": 492,
- "thread": {
- "id": 1076
- }
- },
- "event_data": {
- "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500",
- "TargetUserName": "testdistlocal1",
- "SubjectDomainName": "TEST",
- "PrivilegeList": "-",
- "SubjectLogonId": "0x2e67800",
- "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS",
- "TargetDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "SubjectUserName": "at_adm"
- },
- "channel": "Security",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": 3700022,
- "keywords": [
- "Audit Success"
- ],
- "time_created": "2019-12-18T16:31:01.611Z",
- "outcome": "success",
- "level": "information"
- },
- "event": {
- "kind": "event",
- "code": 4746,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4746.xml"
- },
- "level": "information"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "agent": {
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0",
- "ephemeral_id": "fc9e565f-bcec-4532-805f-3f5b942b5642"
- },
- "ecs": {
- "version": "1.8.0"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json deleted file mode 100644 index 706c7be48..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json +++ /dev/null 
@@ -1,101 +0,0 @@
-{
- "expected": [
- {
- "@timestamp": "2019-12-18T16:31:01.611Z",
- "agent": {
- "ephemeral_id": "fc9e565f-bcec-4532-805f-3f5b942b5642",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "action": "added-member-to-distribution-group",
- "category": [
- "iam"
- ],
- "code": "4746",
- "kind": "event",
- "outcome": "success",
- "provider": "Microsoft-Windows-Security-Auditing",
- "type": [
- "group",
- "change"
- ]
- },
- "group": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2903",
- "name": "testdistlocal1"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4746.xml"
- },
- "level": "information"
- },
- "related": {
- "user": [
- "Administrator",
- "at_adm"
- ]
- },
- "user": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2794",
- "name": "at_adm",
- "target": {
- "domain": "SAAS",
- "group": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2903",
- "name": "testdistlocal1"
- },
- "name": "Administrator"
- }
- },
- "winlog": {
- "channel": "Security",
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "event_data": {
- "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS",
- "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500",
- "PrivilegeList": "-",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x2e67800",
- "SubjectUserName": "at_adm",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "TargetDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903",
- "TargetUserName": "testdistlocal1"
- },
- "event_id": "4746",
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "logon": {
- "id": "0x2e67800"
- },
- "opcode": "Info",
- "outcome": "success",
- "process": {
- "pid": 492,
- "thread": {
- "id": 1076
- }
- },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": "3700022",
- "time_created": "2019-12-18T16:31:01.611Z"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json
deleted file mode 100644
index 7fb4ed4ce..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json
+++ /dev/null
@@ -1,65 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:08:34.042Z",
- "agent": {
- "type": "filebeat",
- "version": "8.0.0",
- "ephemeral_id": "0475a24c-6c58-4fe5-bcca-e508c2ba84a2",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain"
- },
- "ecs": {
- "version": "1.8.0"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "winlog": {
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "outcome": "success",
- "level": "information",
- "event_id": 4747,
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "keywords": [
- "Audit Success"
- ],
- "opcode": "Info",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2019-12-18T16:35:16.681Z",
- "event_data": {
- "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS",
- "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500",
- "TargetUserName": "testdistlocal1",
- "TargetDomainName": "TEST",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "SubjectUserName": "at_adm",
- "SubjectDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903",
- "SubjectLogonId": "0x2e67800",
- "PrivilegeList": "-"
- },
- "process": {
- "pid": 492,
- "thread": {
- "id": 664
- }
- },
- "channel": "Security",
- "record_id": 3700064
- },
- "event": {
- "kind": "event",
- "code": 4747,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4747.xml"
- },
- "level": "information"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json
deleted file mode 100644
index b2062c4a3..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json
+++ /dev/null
@@ -1,101 +0,0 @@
-{
- "expected": [
- {
- "@timestamp": "2019-12-18T16:35:16.681Z",
- "agent": {
- "ephemeral_id": "0475a24c-6c58-4fe5-bcca-e508c2ba84a2",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "action": "removed-member-from-distribution-group",
- "category": [
- "iam"
- ],
- "code": "4747",
- "kind": "event",
- "outcome": "success",
- "provider": "Microsoft-Windows-Security-Auditing",
- "type": [
- "group",
- "change"
- ]
- },
- "group": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2903",
- "name": "testdistlocal1"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4747.xml"
- },
- "level": "information"
- },
- "related": {
- "user": [
- "Administrator",
- "at_adm"
- ]
- },
- "user": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2794",
- "name": "at_adm",
- "target": {
- "domain": "SAAS",
- "group": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2903",
- "name": "testdistlocal1"
- },
- "name": "Administrator"
- }
- },
- "winlog": {
- "channel": "Security",
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "event_data": {
- "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS",
- "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500",
- "PrivilegeList": "-",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x2e67800",
- "SubjectUserName": "at_adm",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "TargetDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903",
- "TargetUserName": "testdistlocal1"
- },
- "event_id": "4747",
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "logon": {
- "id": "0x2e67800"
- },
- "opcode": "Info",
- "outcome": "success",
- "process": {
- "pid": 492,
- "thread": {
- "id": 664
- }
- },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": "3700064",
- "time_created": "2019-12-18T16:35:16.681Z"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json
deleted file mode 100644
index 097ca310e..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:04:23.086Z",
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "agent": {
- "ephemeral_id": "92ff57cc-8a87-45ee-a407-525b380b8b06",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "1.8.0"
- },
- "winlog": {
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "event_data": {
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x2e67800",
- "PrivilegeList": "-",
- "TargetUserName": "testdistlocal1",
- "TargetDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "SubjectUserName": "at_adm"
- },
- "process": {
- "pid": 492,
- "thread": {
- "id": 1076
- }
- },
- "channel": "Security",
- "event_id": 4748,
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": 3707490,
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "opcode": "Info",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2019-12-19T08:01:45.982Z",
- "outcome": "success"
- },
- "event": {
- "code": 4748,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success",
- "kind": "event"
- },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4748.xml"
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json
deleted file mode 100644
index dc0a383cf..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json
+++ /dev/null
@@ -1,89 +0,0 @@
-{
- "expected": [
- {
- "@timestamp": "2019-12-19T08:01:45.982Z",
- "agent": {
- "ephemeral_id": "92ff57cc-8a87-45ee-a407-525b380b8b06",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "action": "deleted-distribution-group-account",
- "category": [
- "iam"
- ],
- "code": "4748",
- "kind": "event",
- "outcome": "success",
- "provider": "Microsoft-Windows-Security-Auditing",
- "type": [
- "group",
- "deletion"
- ]
- },
- "group": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2903",
- "name": "testdistlocal1"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4748.xml"
- },
- "level": "information"
- },
- "related": {
- "user": [
- "at_adm"
- ]
- },
- "user": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2794",
- "name": "at_adm"
- },
- "winlog": {
- "channel": "Security",
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "event_data": {
- "PrivilegeList": "-",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x2e67800",
- "SubjectUserName": "at_adm",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "TargetDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903",
- "TargetUserName": "testdistlocal1"
- },
- "event_id": "4748",
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "logon": {
- "id": "0x2e67800"
- },
- "opcode": "Info",
- "outcome": "success",
- "process": {
- "pid": 492,
- "thread": {
- "id": 1076
- }
- },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": "3707490",
- "time_created": "2019-12-19T08:01:45.982Z"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json
deleted file mode 100644
index bb2024815..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json
+++ /dev/null
@@ -1,65 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:04:02.974Z",
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "agent": {
- "ephemeral_id": "45230148-94bf-45cf-8eb1-339760e041d3",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "winlog": {
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "keywords": [
- "Audit Success"
- ],
- "outcome": "success",
- "opcode": "Info",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2019-12-19T08:03:42.723Z",
- "level": "information",
- "channel": "Security",
- "event_id": 4749,
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": 3707497,
- "event_data": {
- "TargetUserName": "testglobal",
- "SubjectUserName": "at_adm",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x2e67800",
- "PrivilegeList": "-",
- "SamAccountName": "testglobal",
- "TargetDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "SidHistory": "-"
- },
- "process": {
- "pid": 492,
- "thread": {
- "id": 1348
- }
- }
- },
- "event": {
- "kind": "event",
- "code": 4749,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4749.xml"
- },
- "level": "information"
- },
- "ecs": {
- "version": "1.8.0"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json
deleted file mode 100644
index c33b185fe..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json
+++ /dev/null
@@ -1,91 +0,0 @@
-{
- "expected": [
- {
- "@timestamp": "2019-12-19T08:03:42.723Z",
- "agent": {
- "ephemeral_id": "45230148-94bf-45cf-8eb1-339760e041d3",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "action": "added-distribution-group-account",
- "category": [
- "iam"
- ],
- "code": "4749",
- "kind": "event",
- "outcome": "success",
- "provider": "Microsoft-Windows-Security-Auditing",
- "type": [
- "group",
- "creation"
- ]
- },
- "group": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2904",
- "name": "testglobal"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4749.xml"
- },
- "level": "information"
- },
- "related": {
- "user": [
- "at_adm"
- ]
- },
- "user": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2794",
- "name": "at_adm"
- },
- "winlog": {
- "channel": "Security",
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "event_data": {
- "PrivilegeList": "-",
- "SamAccountName": "testglobal",
- "SidHistory": "-",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x2e67800",
- "SubjectUserName": "at_adm",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "TargetDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904",
- "TargetUserName": "testglobal"
- },
- "event_id": "4749",
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "logon": {
- "id": "0x2e67800"
- },
- "opcode": "Info",
- "outcome": "success",
- "process": {
- "pid": 492,
- "thread": {
- "id": 1348
- }
- },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": "3707497",
- "time_created": "2019-12-19T08:03:42.723Z"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json
deleted file mode 100644
index db997bfc6..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json
+++ /dev/null
@@ -1,65 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:09:14.108Z",
- "ecs": {
- "version": "1.8.0"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "winlog": {
- "channel": "Security",
- "record_id": 3707550,
- "opcode": "Info",
- "event_data": {
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x2e67800",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904",
- "TargetDomainName": "TEST",
- "SubjectUserName": "at_adm",
- "PrivilegeList": "-",
- "SamAccountName": "testglobal1",
- "SidHistory": "-",
- "TargetUserName": "testglobal1"
- },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2019-12-19T08:10:57.473Z",
- "outcome": "success",
- "level": "information",
- "event_id": 4750,
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "keywords": [
- "Audit Success"
- ],
- "process": {
- "pid": 492,
- "thread": {
- "id": 664
- }
- }
- },
- "event": {
- "kind": "event",
- "code": 4750,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4750.xml"
- }
- },
- "agent": {
- "type": "filebeat",
- "version": "8.0.0",
- "ephemeral_id": "764fe6a7-38ac-43f0-b125-6388fd0c33e6",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json
deleted file mode 100644
index 97d6c3127..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json
+++ /dev/null
@@ -1,91 +0,0 @@
-{
- "expected": [
- {
- "@timestamp": "2019-12-19T08:10:57.473Z",
- "agent": {
- "ephemeral_id": "764fe6a7-38ac-43f0-b125-6388fd0c33e6",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "action": "changed-distribution-group-account",
- "category": [
- "iam"
- ],
- "code": "4750",
- "kind": "event",
- "outcome": "success",
- "provider": "Microsoft-Windows-Security-Auditing",
- "type": [
- "group",
- "change"
- ]
- },
- "group": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2904",
- "name": "testglobal1"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4750.xml"
- },
- "level": "information"
- },
- "related": {
- "user": [
- "at_adm"
- ]
- },
- "user": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2794",
- "name": "at_adm"
- },
- "winlog": {
- "channel": "Security",
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "event_data": {
- "PrivilegeList": "-",
- "SamAccountName": "testglobal1",
- "SidHistory": "-",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x2e67800",
- "SubjectUserName": "at_adm",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "TargetDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904",
- "TargetUserName": "testglobal1"
- },
- "event_id": "4750",
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "logon": {
- "id": "0x2e67800"
- },
- "opcode": "Info",
- "outcome": "success",
- "process": {
- "pid": 492,
- "thread": {
- "id": 664
- }
- },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": "3707550",
- "time_created": "2019-12-19T08:10:57.473Z"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json
deleted file mode 100644
index 995f5ebaa..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json
+++ /dev/null
@@ -1,65 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:09:04.095Z",
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "agent": {
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0",
- "ephemeral_id": "217ae042-3cca-46d1-bfa9-e65a2044307b"
- },
- "ecs": {
- "version": "1.8.0"
- },
- "winlog": {
- "record_id": 3707667,
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "channel": "Security",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "keywords": [
- "Audit Success"
- ],
- "opcode": "Info",
- "time_created": "2019-12-19T08:20:29.088Z",
- "outcome": "success",
- "level": "information",
- "event_id": 4751,
- "process": {
- "pid": 492,
- "thread": {
- "id": 1076
- }
- },
- "event_data": {
- "PrivilegeList": "-",
- "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500",
- "TargetUserName": "testglobal1",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x2e67800",
- "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS",
- "TargetDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904",
- "SubjectUserName": "at_adm"
- }
- },
- "event": {
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success",
- "kind": "event",
- "code": 4751
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4751.xml"
- },
- "level": "information"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
deleted file mode 100644
index ec431cdf4..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
+++ /dev/null
@@ -1,101 +0,0 @@
-{
- "expected": [
- {
- "@timestamp": "2019-12-19T08:20:29.088Z",
- "agent": {
- "ephemeral_id": "217ae042-3cca-46d1-bfa9-e65a2044307b",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "action": "added-member-to-distribution-group",
- "category": [
- "iam"
- ],
- "code": "4751",
- "kind": "event",
- "outcome": "success",
- "provider": "Microsoft-Windows-Security-Auditing",
- "type": [
- "group",
- "change"
- ]
- },
- "group": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2904",
- "name": "testglobal1"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4751.xml"
- },
- "level": "information"
- },
- "related": {
- "user": [
- "Administrator",
- "at_adm"
- ]
- },
- "user": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2794",
- "name": "at_adm",
- "target": {
- "domain": "SAAS",
- "group": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2904",
- "name": "testglobal1"
- },
- "name": "Administrator"
- }
- },
- "winlog": {
- "channel": "Security",
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "event_data": {
- "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS",
- "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500",
- "PrivilegeList": "-",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x2e67800",
- "SubjectUserName": "at_adm",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "TargetDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904",
- "TargetUserName": "testglobal1"
- },
- "event_id": "4751",
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "logon": {
- "id": "0x2e67800"
- },
- "opcode": "Info",
- "outcome": "success",
- "process": {
- "pid": 492,
- "thread": {
- "id": 1076
- }
- },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": "3707667",
- "time_created": "2019-12-19T08:20:29.088Z"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json
deleted file mode 100644
index bed53cfb8..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json
+++ /dev/null
@@ -1,65 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:08:09.007Z",
- "ecs": {
- "version": "1.8.0"
- },
- "winlog": {
- "opcode": "Info",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "channel": "Security",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "keywords": [
- "Audit Success"
- ],
- "time_created": "2019-12-19T08:21:23.644Z",
- "outcome": "success",
- "level": "information",
- "event_data": {
- "TargetUserName": "testglobal1",
- "SubjectUserName": "at_adm",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x2e67800",
- "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS",
- "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500",
- "TargetDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "PrivilegeList": "-"
- },
- "process": {
- "pid": 492,
- "thread": {
- "id": 1076
- }
- },
- "event_id": 4752,
- "record_id": 3707686,
- "computer_name": "DC_TEST2k12.TEST.SAAS"
- },
- "event": {
- "code": 4752,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success",
- "kind": "event"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4752.xml"
- },
- "level": "information"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "agent": {
- "version": "8.0.0",
- "ephemeral_id": "60028370-f07b-4e9d-a025-de2a73da6d62",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json
deleted file mode 100644
index 4cce57269..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json
+++ /dev/null
@@ -1,101 +0,0 @@
-{
- "expected": [
- {
- "@timestamp": "2019-12-19T08:21:23.644Z",
- "agent": {
- "ephemeral_id": "60028370-f07b-4e9d-a025-de2a73da6d62",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "action": "removed-member-from-distribution-group",
- "category": [
- "iam"
- ],
- "code": "4752",
- "kind": "event",
- "outcome": "success",
- "provider": "Microsoft-Windows-Security-Auditing",
- "type": [
- "group",
- "change"
- ]
- },
- "group": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2904",
- "name": "testglobal1"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4752.xml"
- },
- "level": "information"
- },
- "related": {
- "user": [
- "Administrator",
- "at_adm"
- ]
- },
- "user": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2794",
- "name": "at_adm",
- "target": {
- "domain": "SAAS",
- "group": {
- "domain": "TEST",
- "id": "S-1-5-21-1717121054-434620538-60925301-2904",
- "name": "testglobal1"
- },
- "name": "Administrator"
- }
- },
- "winlog": {
- "channel": "Security",
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "event_data": {
- "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS",
- "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500",
- "PrivilegeList": "-",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x2e67800",
- "SubjectUserName": "at_adm",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "TargetDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904",
- "TargetUserName": "testglobal1"
- },
- "event_id": "4752",
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "logon": {
- "id": "0x2e67800"
- },
- "opcode": "Info",
- "outcome": "success",
- "process": {
- "pid": 492,
- "thread": {
- "id": 1076
- }
- },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": "3707686",
- "time_created": "2019-12-19T08:21:23.644Z"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json
deleted file mode 100644
index 4d2d181c1..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:08:44.066Z",
- "ecs": {
- "version": "1.8.0"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "agent": {
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0",
- "ephemeral_id": "35c58767-a921-4503-a9ea-086fb7326910"
- },
- "winlog": {
- "keywords": [
- "Audit Success"
- ],
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2019-12-19T08:24:36.595Z",
- "channel": "Security",
- "event_id": 4753,
- "record_id": 3707709,
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "event_data": {
- "TargetDomainName": "TEST",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904",
- "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "SubjectUserName": "at_adm",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x2e67800",
- "PrivilegeList": "-",
- "TargetUserName": "testglobal1"
- },
- "process": {
- "pid": 492,
- "thread": {
- "id": 1076
- }
- },
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "opcode": "Info",
- "outcome": "success",
- "level": "information"
- },
- "event": {
- "code": 4753,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success",
- "kind": "event"
- },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4753.xml"
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json
deleted file mode 100644
index 7a07ac8e1..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json
+++ /dev/null
@@ -1,89 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-12-19T08:24:36.595Z", - "agent": { - "ephemeral_id": "35c58767-a921-4503-a9ea-086fb7326910", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "deleted-distribution-group-account", - "category": [ - "iam" - ], - "code": "4753", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "deletion" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904", - "name": "testglobal1" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4753.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "at_adm" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "PrivilegeList": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "SubjectUserName": "at_adm", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", - "TargetUserName": "testglobal1" - }, - "event_id": "4753", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 492, - "thread": { - "id": 1076 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "3707709", - "time_created": "2019-12-19T08:24:36.595Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json deleted file mode 100644 index 218699029..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json +++ /dev/null @@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:03:32.738Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "agent": { - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "c67ac17a-6afd-4a2e-a1e9-5177024c937c", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain" - }, - "winlog": { - "level": "information", - "event_data": { - "TargetDomainName": "TEST", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "PrivilegeList": "-", - "SidHistory": "-", - "TargetUserName": "testuni", - "SubjectUserName": "at_adm", - "SamAccountName": "testuni", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905" - }, - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 3707737, - "computer_name": "DC_TEST2k12.TEST.SAAS", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "time_created": "2019-12-19T08:26:26.143Z", - "channel": "Security", - "event_id": 4759, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "outcome": "success", - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - } - }, - "event": { - "kind": "event", - "code": 4759, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4759.xml" - }, - "level": "information" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json
deleted file mode 100644
index 878534a97..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json
+++ /dev/null
@@ -1,91 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-12-19T08:26:26.143Z", - "agent": { - "ephemeral_id": "c67ac17a-6afd-4a2e-a1e9-5177024c937c", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "added-distribution-group-account", - "category": [ - "iam" - ], - "code": "4759", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "creation" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905", - "name": "testuni" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4759.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "at_adm" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "PrivilegeList": "-", - "SamAccountName": "testuni", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "SubjectUserName": "at_adm", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "TargetUserName": "testuni" - }, - "event_id": "4759", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "3707737", - "time_created": "2019-12-19T08:26:26.143Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json deleted file mode 100644 index bc7196376..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json +++ /dev/null @@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:04:28.122Z", - "event": { - "kind": "event", - "code": 4760, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4760.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "agent": { - "ephemeral_id": "9bad4bd9-375e-474f-b410-74962cfaccd0", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "winlog": { - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "channel": "Security", - "record_id": 3707745, - "computer_name": "DC_TEST2k12.TEST.SAAS", - "opcode": "Info", - "event_data": { - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "PrivilegeList": "-", - "SamAccountName": "testuni2", - "SidHistory": "-", - "TargetUserName": "testuni2", - "TargetDomainName": "TEST", - "SubjectUserName": "at_adm" - }, - "outcome": "success", - "level": "information", - "event_id": 4760, - "provider_name": "Microsoft-Windows-Security-Auditing", - "keywords": [ - "Audit Success" - ], - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:28:21.030Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json
deleted file mode 100644
index 7ee77583c..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json
+++ /dev/null
@@ -1,91 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-12-19T08:28:21.030Z", - "agent": { - "ephemeral_id": "9bad4bd9-375e-474f-b410-74962cfaccd0", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "changed-distribution-group-account", - "category": [ - "iam" - ], - "code": "4760", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905", - "name": "testuni2" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4760.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "at_adm" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "PrivilegeList": "-", - "SamAccountName": "testuni2", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "SubjectUserName": "at_adm", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "TargetUserName": "testuni2" - }, - "event_id": "4760", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "3707745", - "time_created": "2019-12-19T08:28:21.030Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json deleted file mode 100644 index ed62f8fa1..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json +++ /dev/null @@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:03:57.937Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "agent": { - "ephemeral_id": "cae437da-c042-490f-95a6-c9e54a2d15db", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "winlog": { - "channel": "Security", - "provider_name": "Microsoft-Windows-Security-Auditing", - "keywords": [ - "Audit Success" - ], - "time_created": "2019-12-19T08:29:38.448Z", - "level": "information", - "event_data": { - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "TargetUserName": "testuni2", - "SubjectUserName": "at_adm", - "SubjectLogonId": "0x2e67800", - "PrivilegeList": "-", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "SubjectDomainName": "TEST" - }, - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "event_id": 4761, - "record_id": 3707755, - "computer_name": "DC_TEST2k12.TEST.SAAS", - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "outcome": "success" - }, - "event": { - "outcome": "success", - "kind": "event", - "code": 4761, - "provider": "Microsoft-Windows-Security-Auditing" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4761.xml" - } - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
deleted file mode 100644
index 7a0d92843..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
+++ /dev/null
@@ -1,101 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-12-19T08:29:38.448Z", - "agent": { - "ephemeral_id": "cae437da-c042-490f-95a6-c9e54a2d15db", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "added-member-to-distribution-group", - "category": [ - "iam" - ], - "code": "4761", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905", - "name": "testuni2" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4761.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator", - "at_adm" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm", - "target": { - "domain": "SAAS", - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905", - "name": "testuni2" - }, - "name": "Administrator" - } - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "PrivilegeList": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "SubjectUserName": "at_adm", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "TargetUserName": "testuni2" - }, - "event_id": "4761", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 492, - "thread": { - 
"id": 1348 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "3707755", - "time_created": "2019-12-19T08:29:38.448Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json deleted file mode 100644 index a5c8712d4..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:04:38.185Z", - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "agent": { - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "41db62b1-ba4b-4ca5-b44a-41d30f14b154", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" - }, - "winlog": { - "time_created": "2019-12-19T08:33:25.967Z", - "event_data": { - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "SubjectUserName": "at_adm", - "PrivilegeList": "-", - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "TargetUserName": "testuni2", - "SubjectLogonId": "0x2e67800", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "SubjectDomainName": "TEST" - }, - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "provider_name": "Microsoft-Windows-Security-Auditing", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "outcome": "success", - "level": "information", - "channel": "Security", - "event_id": 4762, - "record_id": 3707841 - }, - "event": { - "code": 4762, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "kind": "event" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4762.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json deleted file mode 100644 index ee41c5f4c..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-12-19T08:33:25.967Z", - "agent": { - "ephemeral_id": "41db62b1-ba4b-4ca5-b44a-41d30f14b154", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "removed-member-from-distribution-group", - "category": [ - "iam" - ], - "code": "4762", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905", - "name": "testuni2" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4762.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator", - "at_adm" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm", - "target": { - "domain": "SAAS", - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905", - "name": "testuni2" - }, - "name": "Administrator" - } - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "PrivilegeList": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "SubjectUserName": "at_adm", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "TargetUserName": "testuni2" - }, - "event_id": "4762", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 492, - "thread": { 
- "id": 1348 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "3707841", - "time_created": "2019-12-19T08:33:25.967Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json deleted file mode 100644 index 891b7dd63..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json +++ /dev/null 
@@ -1,63 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:04:48.224Z", - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4763.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "agent": { - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "34714bdd-4b69-48f1-a4c6-c02799139342", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain" - }, - "winlog": { - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 3707847, - "computer_name": "DC_TEST2k12.TEST.SAAS", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "level": "information", - "channel": "Security", - "event_id": 4763, - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "outcome": "success", - "event_data": { - "TargetUserName": "testuni2", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "SubjectUserName": "at_adm", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "PrivilegeList": "-" - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:34:23.162Z" - }, - "event": { - "kind": "event", - "code": 4763, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json deleted file mode 100644 index 1c0b9338d..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-12-19T08:34:23.162Z", - "agent": { - "ephemeral_id": "34714bdd-4b69-48f1-a4c6-c02799139342", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "deleted-distribution-group-account", - "category": [ - "iam" - ], - "code": "4763", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "deletion" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905", - "name": "testuni2" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4763.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "at_adm" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "PrivilegeList": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "SubjectUserName": "at_adm", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "TargetDomainName": "TEST", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "TargetUserName": "testuni2" - }, - "event_id": "4763", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "3707847", - "time_created": "2019-12-19T08:34:23.162Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json
deleted file mode 100644
index 479b72e55..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json
+++ /dev/null
@@ -1,219 +0,0 @@ -{ - "events": [ - { - "event": { - "code": "4797", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "HOSTNAME.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", - "channel": "Security", - "computer_name": "HOSTNAME.contoso.com", - "event_data": { - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x61ccd940", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetDomainName": "HOSTNAME", - "TargetUserName": "Guest", - "Workstation": "HOSTNAME" - }, - "event_id": "4797", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 868, - "thread": { - "id": 12248 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 39956816, - "time_created": "2023-01-17T22:10:41.5550438Z" - } - }, - { - "event": { - "code": "4797", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "HOSTNAME.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", - "channel": "Security", - "computer_name": "HOSTNAME.contoso.com", - "event_data": { - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x61ccd940", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetDomainName": "HOSTNAME", - "TargetUserName": "WDAGUtilityAccount", - "Workstation": "HOSTNAME" - }, - "event_id": "4797", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 868, - "thread": { - "id": 12248 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 39956815, - "time_created": 
"2023-01-17T22:10:41.5328919Z" - } - }, - { - "event": { - "code": "4797", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "HOSTNAME.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", - "channel": "Security", - "computer_name": "HOSTNAME.contoso.com", - "event_data": { - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x61ccd940", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetDomainName": "HOSTNAME", - "TargetUserName": "DefaultAccount", - "Workstation": "HOSTNAME" - }, - "event_id": "4797", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 868, - "thread": { - "id": 65356 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 39956814, - "time_created": "2023-01-17T22:10:41.5127873Z" - } - }, - { - "event": { - "code": "4797", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "HOSTNAME.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", - "channel": "Security", - "computer_name": "HOSTNAME.contoso.com", - "event_data": { - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x61ccd940", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetDomainName": "HOSTNAME", - "TargetUserName": "contoso", - "Workstation": "HOSTNAME" - }, - "event_id": "4797", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 868, - "thread": { - "id": 12248 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 39956813, - 
"time_created": "2023-01-17T22:10:41.4905578Z" - } - }, - { - "event": { - "code": "4797", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "HOSTNAME.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", - "channel": "Security", - "computer_name": "HOSTNAME.contoso.com", - "event_data": { - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x61ccd940", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetDomainName": "HOSTNAME", - "TargetUserName": "Administrator", - "Workstation": "HOSTNAME" - }, - "event_id": "4797", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 868, - "thread": { - "id": 12248 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 39956812, - "time_created": "2023-01-17T22:10:41.4680297Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json deleted file mode 100644 index fe6bc0bc2..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json +++ /dev/null 
@@ -1,369 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2023-01-17T22:10:41.555Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "query-existence-of-blank-password", - "category": [ - "iam" - ], - "code": "4797", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "HOSTNAME.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "user1", - "Guest" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "user1", - "target": { - "domain": "HOSTNAME", - "name": "Guest" - } - }, - "winlog": { - "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", - "channel": "Security", - "computer_name": "HOSTNAME.contoso.com", - "event_data": { - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x61ccd940", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetDomainName": "HOSTNAME", - "TargetUserName": "Guest", - "Workstation": "HOSTNAME" - }, - "event_id": "4797", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x61ccd940" - }, - "opcode": "Info", - "process": { - "pid": 868, - "thread": { - "id": 12248 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "39956816", - "time_created": "2023-01-17T22:10:41.5550438Z" - } - }, - { - "@timestamp": "2023-01-17T22:10:41.532Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "query-existence-of-blank-password", - "category": [ - "iam" - ], - "code": "4797", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "HOSTNAME.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "user1", - "WDAGUtilityAccount" - ] - }, - 
"user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "user1", - "target": { - "domain": "HOSTNAME", - "name": "WDAGUtilityAccount" - } - }, - "winlog": { - "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", - "channel": "Security", - "computer_name": "HOSTNAME.contoso.com", - "event_data": { - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x61ccd940", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetDomainName": "HOSTNAME", - "TargetUserName": "WDAGUtilityAccount", - "Workstation": "HOSTNAME" - }, - "event_id": "4797", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x61ccd940" - }, - "opcode": "Info", - "process": { - "pid": 868, - "thread": { - "id": 12248 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "39956815", - "time_created": "2023-01-17T22:10:41.5328919Z" - } - }, - { - "@timestamp": "2023-01-17T22:10:41.512Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "query-existence-of-blank-password", - "category": [ - "iam" - ], - "code": "4797", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "HOSTNAME.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "user1", - "DefaultAccount" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "user1", - "target": { - "domain": "HOSTNAME", - "name": "DefaultAccount" - } - }, - "winlog": { - "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", - "channel": "Security", - "computer_name": "HOSTNAME.contoso.com", - "event_data": { - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x61ccd940", - "SubjectUserName": "user1", - "SubjectUserSid": 
"S-1-5-21-000000000-000000000-000000000-00000", - "TargetDomainName": "HOSTNAME", - "TargetUserName": "DefaultAccount", - "Workstation": "HOSTNAME" - }, - "event_id": "4797", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x61ccd940" - }, - "opcode": "Info", - "process": { - "pid": 868, - "thread": { - "id": 65356 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "39956814", - "time_created": "2023-01-17T22:10:41.5127873Z" - } - }, - { - "@timestamp": "2023-01-17T22:10:41.490Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "query-existence-of-blank-password", - "category": [ - "iam" - ], - "code": "4797", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "HOSTNAME.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "user1", - "contoso" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "user1", - "target": { - "domain": "HOSTNAME", - "name": "contoso" - } - }, - "winlog": { - "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", - "channel": "Security", - "computer_name": "HOSTNAME.contoso.com", - "event_data": { - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x61ccd940", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetDomainName": "HOSTNAME", - "TargetUserName": "contoso", - "Workstation": "HOSTNAME" - }, - "event_id": "4797", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x61ccd940" - }, - "opcode": "Info", - "process": { - "pid": 868, - "thread": { - "id": 12248 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "39956813", - "time_created": 
"2023-01-17T22:10:41.4905578Z" - } - }, - { - "@timestamp": "2023-01-17T22:10:41.468Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "query-existence-of-blank-password", - "category": [ - "iam" - ], - "code": "4797", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "HOSTNAME.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "user1", - "Administrator" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "user1", - "target": { - "domain": "HOSTNAME", - "name": "Administrator" - } - }, - "winlog": { - "activity_id": "{a895d499-2626-0001-2ad5-95a82626d901}", - "channel": "Security", - "computer_name": "HOSTNAME.contoso.com", - "event_data": { - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x61ccd940", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetDomainName": "HOSTNAME", - "TargetUserName": "Administrator", - "Workstation": "HOSTNAME" - }, - "event_id": "4797", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x61ccd940" - }, - "opcode": "Info", - "process": { - "pid": 868, - "thread": { - "id": 12248 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "39956812", - "time_created": "2023-01-17T22:10:41.4680297Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json deleted file mode 100644 index b3950a765..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json +++ /dev/null 
@@ -1,64 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:04:43.216Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "winlog": { - "channel": "Security", - "level": "information", - "event_data": { - "SubjectLogonId": "0x3e7", - "ObjectServer": "LSA", - "ObjectType": "Global SACL", - "ObjectName": "File", - "NewSd": "S:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", - "SubjectUserSid": "S-1-5-18", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "TEST" - }, - "provider_name": "Microsoft-Windows-Security-Auditing", - "keywords": [ - "Audit Success" - ], - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{dfcd2c2a-7481-0000-682c-cddf8174d601}", - "process": { - "thread": { - "id": 3052 - }, - "pid": 776 - }, - "record_id": 114278, - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "time_created": "2020-08-17T12:49:09.494Z", - "outcome": "success", - "event_id": 4817, - "opcode": "Info" - }, - "event": { - "kind": "event", - "code": 4817, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.xml" - }, - "level": "information" - }, - "agent": { - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "c7c0a49b-a78b-4dd9-8928-44e2fc4322a9", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json deleted file mode 100644 index d62f0f64d..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json
+++ /dev/null
@@ -1,89 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-08-17T12:49:09.494Z", - "agent": { - "ephemeral_id": "c7c0a49b-a78b-4dd9-8928-44e2fc4322a9", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "object-audit-changed", - "category": [ - "iam", - "configuration" - ], - "code": "4817", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$", - "Administrator" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, - "winlog": { - "activity_id": "{dfcd2c2a-7481-0000-682c-cddf8174d601}", - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "NewSd": "S:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", - "NewSdSacl0": "Administrator :System Audit ([Create All Child Objects, Delete All Child Objects, List Contents, All Validated, Read All Properties, Write All Properties, Delete Subtree, List Object, All Extended Rights, Delete, Read Permissions, Modify Permissions, Modify Owner])", - "NewSdSacl1": "null :System Audit ([Create All Child Objects, Delete All Child Objects, List Contents, All Validated, Read All Properties, Write All Properties, Delete Subtree, List Object, All Extended Rights, Delete, Read Permissions, Modify Permissions, Modify Owner])", - "ObjectName": "File", - "ObjectServer": "LSA", - "ObjectType": "Global SACL", - "SubjectDomainName": "TEST", - 
"SubjectLogonId": "0x3e7", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "4817", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 776, - "thread": { - "id": 3052 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "114278", - "time_created": "2020-08-17T12:49:09.494Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json deleted file mode 100644 index e73bf02dd..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:04:13.030Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "agent": { - "version": "8.0.0", - "ephemeral_id": "fc71c55d-e66b-404f-933a-7bf02109440e", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "PuaCount": "0", - "PuaPolicyId": "0x9fd2" - }, - "process": { - "pid": 784, - "thread": { - "id": 832 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-08-19T06:07:08.801Z", - "outcome": "success", - "event_id": 4902, - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 140273, - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "level": "information" - }, - "event": { - "kind": "event", - "code": 4902, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.xml" - }, - "level": "information" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json deleted file mode 100644 index 90ff128ff..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json +++ /dev/null 
@@ -1,66 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-08-19T06:07:08.801Z", - "agent": { - "ephemeral_id": "fc71c55d-e66b-404f-933a-7bf02109440e", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "user-audit-policy-created", - "category": [ - "iam", - "configuration" - ], - "code": "4902", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "creation" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.xml" - }, - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "PuaCount": "0", - "PuaPolicyId": "0x9fd2" - }, - "event_id": "4902", - "keywords": [ - "Audit Success" - ], - "level": "information", - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 784, - "thread": { - "id": 832 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "140273", - "time_created": "2020-08-19T06:07:08.801Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json deleted file mode 100644 index b41340b17..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json +++ /dev/null 
@@ -1,64 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:05:08.356Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "agent": { - "version": "8.0.0", - "ephemeral_id": "14ac41cb-35f1-42cd-abe2-03f4a8a6a47c", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat" - }, - "winlog": { - "record_id": 146939, - "outcome": "success", - "process": { - "pid": 784, - "thread": { - "id": 824 - } - }, - "time_created": "2020-08-19T07:56:52.019Z", - "channel": "Security", - "event_id": 4904, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "level": "information", - "event_data": { - "SubjectLogonId": "0x3e7", - "AuditSourceName": "IIS-METABASE", - "EventSourceId": "0x460422", - "ProcessId": "0xe18", - "ProcessName": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe", - "SubjectUserSid": "S-1-5-18", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "TEST" - }, - "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "keywords": [ - "Audit Success" - ], - "opcode": "Info" - }, - "event": { - "kind": "event", - "code": 4904, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.xml" - }, - "level": "information" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json deleted file mode 100644 index 0cff5cf19..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-08-19T07:56:52.019Z", - "agent": { - "ephemeral_id": "14ac41cb-35f1-42cd-abe2-03f4a8a6a47c", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "security-event-source-added", - "category": [ - "iam", - "configuration" - ], - "code": "4904", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe", - "name": "inetinfo.exe", - "pid": 3608 - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, - "winlog": { - "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "AuditSourceName": "IIS-METABASE", - "EventSourceId": "0x460422", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "4904", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 784, - "thread": { - "id": 824 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "146939", - "time_created": "2020-08-19T07:56:52.019Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json
deleted file mode 100644
index f9e3a5d8d..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json
+++ /dev/null
@@ -1,64 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:07:38.937Z",
- "ecs": {
- "version": "1.8.0"
- },
- "host": {
- "name": "WIN-BVM4LI1L1Q6.TEST.local"
- },
- "agent": {
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0",
- "ephemeral_id": "5006f11d-fa2c-4238-810b-aa5e25ec5399",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17"
- },
- "winlog": {
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2020-08-19T07:56:51.579Z",
- "event_id": 4905,
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": 146938,
- "opcode": "Info",
- "channel": "Security",
- "event_data": {
- "SubjectUserSid": "S-1-5-18",
- "SubjectUserName": "WIN-BVM4LI1L1Q6$",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x3e7",
- "AuditSourceName": "IIS-METABASE",
- "EventSourceId": "0x457b22",
- "ProcessId": "0x1364",
- "ProcessName": "-"
- },
- "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}",
- "process": {
- "pid": 784,
- "thread": {
- "id": 824
- }
- },
- "outcome": "success"
- },
- "event": {
- "kind": "event",
- "code": 4905,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.xml"
- },
- "level": "information"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json
deleted file mode 100644
index d82389c57..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json
+++ /dev/null
@@ -1,89 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-08-19T07:56:51.579Z", - "agent": { - "ephemeral_id": "5006f11d-fa2c-4238-810b-aa5e25ec5399", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "security-event-source-removed", - "category": [ - "iam", - "configuration" - ], - "code": "4905", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "deletion" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.xml" - }, - "level": "information" - }, - "process": { - "executable": "-", - "name": "-", - "pid": 4964 - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, - "winlog": { - "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "AuditSourceName": "IIS-METABASE", - "EventSourceId": "0x457b22", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "4905", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 784, - "thread": { - "id": 824 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "146938", - "time_created": "2020-08-19T07:56:51.579Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json deleted file mode 100644 index e07c7b600..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:06:33.772Z", - "winlog": { - "record_id": 123786, - "time_created": "2020-08-18T09:19:00.237Z", - "outcome": "success", - "process": { - "pid": 780, - "thread": { - "id": 804 - } - }, - "channel": "Security", - "event_id": 4906, - "provider_name": "Microsoft-Windows-Security-Auditing", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "level": "information", - "event_data": { - "CrashOnAuditFailValue": "1" - }, - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "keywords": [ - "Audit Success" - ], - "opcode": "Info" - }, - "event": { - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "kind": "event", - "code": 4906 - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "agent": { - "ephemeral_id": "00431590-51a2-47a6-a2bf-f0ceaed9fa0f", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json deleted file mode 100644 index 799d71df1..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json +++ /dev/null @@ -1,65 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-08-18T09:19:00.237Z", - "agent": { - "ephemeral_id": "00431590-51a2-47a6-a2bf-f0ceaed9fa0f", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "crash-on-audit-changed", - "category": [ - "iam", - "configuration" - ], - "code": "4906", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.xml" - }, - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "CrashOnAuditFailValue": "1" - }, - "event_id": "4906", - "keywords": [ - "Audit Success" - ], - "level": "information", - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 780, - "thread": { - "id": 804 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "123786", - "time_created": "2020-08-18T09:19:00.237Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json deleted file mode 100644 index fba2f0422..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json +++ /dev/null 
@@ -1,66 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:05:13.376Z", - "event": { - "kind": "event", - "code": 4907, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "agent": { - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "d42932a5-9237-4c88-b833-60e3b66915d8", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" - }, - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "opcode": "Info", - "time_created": "2020-08-19T07:56:17.112Z", - "process": { - "pid": 4, - "thread": { - "id": 408 - } - }, - "channel": "Security", - "event_id": 4907, - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "level": "information", - "event_data": { - "ObjectType": "File", - "HandleId": "0x93c", - "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", - "ProcessId": "0x10cc", - "ObjectServer": "Security", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "ObjectName": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1", - "ProcessName": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe", - "SubjectUserSid": "S-1-5-18" - }, - "record_id": 146933, - "keywords": [ - "Audit Success" - ], - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json
deleted file mode 100644
index 5b929d394..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json
+++ /dev/null
@@ -1,92 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-08-19T07:56:17.112Z", - "agent": { - "ephemeral_id": "d42932a5-9237-4c88-b833-60e3b66915d8", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "audit-setting-changed", - "category": [ - "iam", - "configuration" - ], - "code": "4907", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe", - "name": "TiWorker.exe", - "pid": 4300 - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "event_data": { - "HandleId": "0x93c", - "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", - "NewSdSacl0": "Everyone :System Audit ([Delete All Child Objects, List Contents, Read All Properties, All Extended Rights, Delete, Modify Permissions, Modify Owner])", - "ObjectName": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1", - "ObjectServer": "Security", - "ObjectType": "File", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "4907", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 4, - 
"thread": { - "id": 408 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "146933", - "time_created": "2020-08-19T07:56:17.112Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json deleted file mode 100644 index 71d2b8864..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json +++ /dev/null 
@@ -1,239 +0,0 @@ -{ - "events": [ - { - "event": { - "code": "5379", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "10428", - "CountOfCredentialsReturned": "1", - "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", - "ReadOperation": "%%8099", - "ReturnCode": "3221226021", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x278a6ed9", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@8.000000", - "Type": "1" - }, - "event_id": "5379", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 924, - "thread": { - "id": 12672 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 7959006, - "time_created": "2023-01-17T22:18:03.5577972Z" - } - }, - { - "event": { - "code": "5379", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "10428", - "CountOfCredentialsReturned": "1", - "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", - "ReadOperation": "%%8099", - "ReturnCode": "0", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x278a6ed9", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetName": 
"MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@7.000000", - "Type": "1" - }, - "event_id": "5379", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 924, - "thread": { - "id": 12672 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 7959005, - "time_created": "2023-01-17T22:18:03.5530981Z" - } - }, - { - "event": { - "code": "5379", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "10428", - "CountOfCredentialsReturned": "1", - "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", - "ReadOperation": "%%8099", - "ReturnCode": "0", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x278a6ed9", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@6.000000", - "Type": "1" - }, - "event_id": "5379", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 924, - "thread": { - "id": 12672 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 7959004, - "time_created": "2023-01-17T22:18:03.5480672Z" - } - }, - { - "event": { - "code": "5379", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", - "channel": "Security", - "computer_name": 
"COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "10428", - "CountOfCredentialsReturned": "1", - "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", - "ReadOperation": "%%8099", - "ReturnCode": "0", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x278a6ed9", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@5.000000", - "Type": "1" - }, - "event_id": "5379", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 924, - "thread": { - "id": 12672 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 7959003, - "time_created": "2023-01-17T22:18:03.5437073Z" - } - }, - { - "event": { - "code": "5379", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "10428", - "CountOfCredentialsReturned": "1", - "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", - "ReadOperation": "%%8099", - "ReturnCode": "0", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x278a6ed9", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@4.000000", - "Type": "1" - }, - "event_id": "5379", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 924, - "thread": { - "id": 12672 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 7959002, - "time_created": 
"2023-01-17T22:18:03.5397904Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json-expected.json deleted file mode 100644 index e89379f94..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5379.json-expected.json +++ /dev/null 
@@ -1,364 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2023-01-17T22:18:03.557Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "credential-manager-credentials-were-read", - "category": [ - "iam" - ], - "code": "5379", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "user1" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "user1" - }, - "winlog": { - "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "10428", - "CountOfCredentialsReturned": "1", - "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", - "ReadOperation": "%%8099", - "ReturnCode": "3221226021", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x278a6ed9", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@8.000000", - "Type": "1" - }, - "event_id": "5379", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x278a6ed9" - }, - "opcode": "Info", - "process": { - "pid": 924, - "thread": { - "id": 12672 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "7959006", - "time_created": "2023-01-17T22:18:03.5577972Z" - } - }, - { - "@timestamp": "2023-01-17T22:18:03.553Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "credential-manager-credentials-were-read", - "category": [ - "iam" - ], - "code": "5379", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": 
"COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "user1" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "user1" - }, - "winlog": { - "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "10428", - "CountOfCredentialsReturned": "1", - "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", - "ReadOperation": "%%8099", - "ReturnCode": "0", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x278a6ed9", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@7.000000", - "Type": "1" - }, - "event_id": "5379", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x278a6ed9" - }, - "opcode": "Info", - "process": { - "pid": 924, - "thread": { - "id": 12672 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "7959005", - "time_created": "2023-01-17T22:18:03.5530981Z" - } - }, - { - "@timestamp": "2023-01-17T22:18:03.548Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "credential-manager-credentials-were-read", - "category": [ - "iam" - ], - "code": "5379", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "user1" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "user1" - }, - "winlog": { - "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - 
"ClientProcessId": "10428", - "CountOfCredentialsReturned": "1", - "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", - "ReadOperation": "%%8099", - "ReturnCode": "0", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x278a6ed9", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@6.000000", - "Type": "1" - }, - "event_id": "5379", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x278a6ed9" - }, - "opcode": "Info", - "process": { - "pid": 924, - "thread": { - "id": 12672 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "7959004", - "time_created": "2023-01-17T22:18:03.5480672Z" - } - }, - { - "@timestamp": "2023-01-17T22:18:03.543Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "credential-manager-credentials-were-read", - "category": [ - "iam" - ], - "code": "5379", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "user1" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "user1" - }, - "winlog": { - "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "10428", - "CountOfCredentialsReturned": "1", - "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", - "ReadOperation": "%%8099", - "ReturnCode": "0", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x278a6ed9", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetName": 
"MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@5.000000", - "Type": "1" - }, - "event_id": "5379", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x278a6ed9" - }, - "opcode": "Info", - "process": { - "pid": 924, - "thread": { - "id": 12672 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "7959003", - "time_created": "2023-01-17T22:18:03.5437073Z" - } - }, - { - "@timestamp": "2023-01-17T22:18:03.539Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "credential-manager-credentials-were-read", - "category": [ - "iam" - ], - "code": "5379", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "user1" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "user1" - }, - "winlog": { - "activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}", - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "10428", - "CountOfCredentialsReturned": "1", - "ProcessCreationTime": "2023-01-17T22:17:36.2114738Z", - "ReadOperation": "%%8099", - "ReturnCode": "0", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x278a6ed9", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000", - "TargetName": "MicrosoftOffice16_Data:ADAL:d2462c77-a0fd-467e-857f-2b0d3cc6f451@@@4.000000", - "Type": "1" - }, - "event_id": "5379", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x278a6ed9" - }, - "opcode": "Info", - "process": { - "pid": 924, - "thread": { - "id": 12672 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - 
"record_id": "7959002", - "time_created": "2023-01-17T22:18:03.5397904Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json deleted file mode 100644 index e9658bba1..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json +++ /dev/null 
@@ -1,229 +0,0 @@ -{ - "events": [ - { - "event": { - "code": "5380", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "21196", - "CountOfCredentialsReturned": "16", - "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", - "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", - "SchemaFriendlyName": "Windows Web Password Credential", - "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x1771180", - "SubjectUserName": "USER1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5380", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 664, - "thread": { - "id": 3284 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 2254401, - "time_created": "2023-01-17T10:11:25.5570183Z" - } - }, - { - "event": { - "code": "5380", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "21196", - "CountOfCredentialsReturned": "16", - "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", - "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", - "SchemaFriendlyName": "Windows Web Password Credential", - "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x1771180", - "SubjectUserName": "USER1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": 
"5380", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 664, - "thread": { - "id": 3284 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 2254384, - "time_created": "2023-01-17T10:11:25.532896Z" - } - }, - { - "event": { - "code": "5380", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "21196", - "CountOfCredentialsReturned": "16", - "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", - "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", - "SchemaFriendlyName": "Windows Web Password Credential", - "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x1771180", - "SubjectUserName": "USER1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5380", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 664, - "thread": { - "id": 3284 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 2254367, - "time_created": "2023-01-17T10:11:25.4987379Z" - } - }, - { - "event": { - "code": "5380", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "21196", - "CountOfCredentialsReturned": "16", - "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", - "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", - 
"SchemaFriendlyName": "Windows Web Password Credential", - "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x1771180", - "SubjectUserName": "USER1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5380", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 664, - "thread": { - "id": 9312 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 2254350, - "time_created": "2023-01-17T10:11:24.7759283Z" - } - }, - { - "event": { - "code": "5380", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "21196", - "CountOfCredentialsReturned": "16", - "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", - "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", - "SchemaFriendlyName": "Windows Web Password Credential", - "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x1771180", - "SubjectUserName": "USER1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5380", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 664, - "thread": { - "id": 9312 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 2254333, - "time_created": "2023-01-17T10:11:24.5421935Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json-expected.json
deleted file mode 100644
index d72f615b9..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5380.json-expected.json
+++ /dev/null
@@ -1,354 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2023-01-17T10:11:25.557Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credential-find", - "category": [ - "iam" - ], - "code": "5380", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "USER1" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "USER1" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "21196", - "CountOfCredentialsReturned": "16", - "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", - "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", - "SchemaFriendlyName": "Windows Web Password Credential", - "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x1771180", - "SubjectUserName": "USER1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5380", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x1771180" - }, - "opcode": "Info", - "process": { - "pid": 664, - "thread": { - "id": 3284 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "2254401", - "time_created": "2023-01-17T10:11:25.5570183Z" - } - }, - { - "@timestamp": "2023-01-17T10:11:25.532Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credential-find", - "category": [ - "iam" - ], - "code": "5380", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - 
"user": [ - "USER1" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "USER1" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "21196", - "CountOfCredentialsReturned": "16", - "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", - "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", - "SchemaFriendlyName": "Windows Web Password Credential", - "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x1771180", - "SubjectUserName": "USER1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5380", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x1771180" - }, - "opcode": "Info", - "process": { - "pid": 664, - "thread": { - "id": 3284 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "2254384", - "time_created": "2023-01-17T10:11:25.532896Z" - } - }, - { - "@timestamp": "2023-01-17T10:11:25.498Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credential-find", - "category": [ - "iam" - ], - "code": "5380", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "USER1" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "USER1" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "21196", - "CountOfCredentialsReturned": "16", - "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", - "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", - "SchemaFriendlyName": "Windows Web Password 
Credential", - "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x1771180", - "SubjectUserName": "USER1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5380", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x1771180" - }, - "opcode": "Info", - "process": { - "pid": 664, - "thread": { - "id": 3284 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "2254367", - "time_created": "2023-01-17T10:11:25.4987379Z" - } - }, - { - "@timestamp": "2023-01-17T10:11:24.775Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credential-find", - "category": [ - "iam" - ], - "code": "5380", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "USER1" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "USER1" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "21196", - "CountOfCredentialsReturned": "16", - "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", - "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", - "SchemaFriendlyName": "Windows Web Password Credential", - "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x1771180", - "SubjectUserName": "USER1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5380", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x1771180" - }, - "opcode": "Info", - "process": { - "pid": 664, - "thread": { - "id": 9312 - } - }, - "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "2254350", - "time_created": "2023-01-17T10:11:24.7759283Z" - } - }, - { - "@timestamp": "2023-01-17T10:11:24.542Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credential-find", - "category": [ - "iam" - ], - "code": "5380", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "USER1" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "USER1" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "21196", - "CountOfCredentialsReturned": "16", - "ProcessCreationTime": "2023-01-17T10:11:06.2991958Z", - "Schema": "{3ccd5499-87a8-4b10-a215-608888dd3b55}", - "SchemaFriendlyName": "Windows Web Password Credential", - "SearchString": "eqIbCZfcLIdQZ7KOF0olDjCeH3Ex8xHgPVIq5ufbYzI", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x1771180", - "SubjectUserName": "USER1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5380", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x1771180" - }, - "opcode": "Info", - "process": { - "pid": 664, - "thread": { - "id": 9312 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "2254333", - "time_created": "2023-01-17T10:11:24.5421935Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json deleted file mode 100644 index e6bf5b18f..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json
+++ /dev/null
@@ -1,219 +0,0 @@ -{ - "events": [ - { - "event": { - "code": "5381", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "5048", - "CountOfCredentialsReturned": "0", - "Flags": "0", - "ProcessCreationTime": "2023-01-17T21:15:02.4069136Z", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "COMPUTER1$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "5381", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 772, - "thread": { - "id": 820 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 13342699, - "time_created": "2023-01-17T21:15:02.5490822Z" - } - }, - { - "event": { - "code": "5381", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "4920", - "CountOfCredentialsReturned": "0", - "Flags": "0", - "ProcessCreationTime": "2023-01-17T17:52:51.3438795Z", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "COMPUTER1$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "5381", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 640, - "thread": { - "id": 1036 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 13334924, - "time_created": "2023-01-17T17:52:51.4882586Z" - } - }, - { - "event": { - "code": "5381", - "kind": "event", - "outcome": 
"success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "4960", - "CountOfCredentialsReturned": "0", - "Flags": "0", - "ProcessCreationTime": "2023-01-17T15:34:59.6524351Z", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "COMPUTER1$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "5381", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 632, - "thread": { - "id": 8 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 13333282, - "time_created": "2023-01-17T15:35:00.493786Z" - } - }, - { - "event": { - "code": "5381", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "4604", - "CountOfCredentialsReturned": "0", - "Flags": "0", - "ProcessCreationTime": "2023-01-17T15:06:27.3440799Z", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "COMPUTER1$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "5381", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 1020, - "thread": { - "id": 784 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 13332174, - "time_created": "2023-01-17T15:06:28.1323896Z" - } - }, - { - "event": { - "code": "5381", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": 
"COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "4772", - "CountOfCredentialsReturned": "0", - "Flags": "0", - "ProcessCreationTime": "2023-01-17T14:55:55.9592157Z", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "COMPUTER1$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "5381", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 640, - "thread": { - "id": 876 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 13331466, - "time_created": "2023-01-17T14:55:56.2978479Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json-expected.json deleted file mode 100644 index 0c05e53db..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5381.json-expected.json +++ /dev/null 
@@ -1,344 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2023-01-17T21:15:02.549Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credentials-were-read", - "category": [ - "iam" - ], - "code": "5381", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "COMPUTER1$" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-18", - "name": "COMPUTER1$" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "5048", - "CountOfCredentialsReturned": "0", - "Flags": "0", - "ProcessCreationTime": "2023-01-17T21:15:02.4069136Z", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "COMPUTER1$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "5381", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "process": { - "pid": 772, - "thread": { - "id": 820 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "13342699", - "time_created": "2023-01-17T21:15:02.5490822Z" - } - }, - { - "@timestamp": "2023-01-17T17:52:51.488Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credentials-were-read", - "category": [ - "iam" - ], - "code": "5381", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "COMPUTER1$" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-18", - "name": "COMPUTER1$" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - 
"ClientProcessId": "4920", - "CountOfCredentialsReturned": "0", - "Flags": "0", - "ProcessCreationTime": "2023-01-17T17:52:51.3438795Z", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "COMPUTER1$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "5381", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "process": { - "pid": 640, - "thread": { - "id": 1036 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "13334924", - "time_created": "2023-01-17T17:52:51.4882586Z" - } - }, - { - "@timestamp": "2023-01-17T15:35:00.493Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credentials-were-read", - "category": [ - "iam" - ], - "code": "5381", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "COMPUTER1$" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-18", - "name": "COMPUTER1$" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "4960", - "CountOfCredentialsReturned": "0", - "Flags": "0", - "ProcessCreationTime": "2023-01-17T15:34:59.6524351Z", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "COMPUTER1$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "5381", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "process": { - "pid": 632, - "thread": { - "id": 8 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "13333282", - "time_created": "2023-01-17T15:35:00.493786Z" - } - }, - { - "@timestamp": 
"2023-01-17T15:06:28.132Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credentials-were-read", - "category": [ - "iam" - ], - "code": "5381", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "COMPUTER1$" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-18", - "name": "COMPUTER1$" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "4604", - "CountOfCredentialsReturned": "0", - "Flags": "0", - "ProcessCreationTime": "2023-01-17T15:06:27.3440799Z", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "COMPUTER1$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "5381", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "process": { - "pid": 1020, - "thread": { - "id": 784 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "13332174", - "time_created": "2023-01-17T15:06:28.1323896Z" - } - }, - { - "@timestamp": "2023-01-17T14:55:56.297Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credentials-were-read", - "category": [ - "iam" - ], - "code": "5381", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "COMPUTER1$" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-18", - "name": "COMPUTER1$" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "4772", - "CountOfCredentialsReturned": 
"0", - "Flags": "0", - "ProcessCreationTime": "2023-01-17T14:55:55.9592157Z", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "COMPUTER1$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "5381", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "process": { - "pid": 640, - "thread": { - "id": 876 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "13331466", - "time_created": "2023-01-17T14:55:56.2978479Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json deleted file mode 100644 index a7999a1ed..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json +++ /dev/null 
@@ -1,239 +0,0 @@ -{ - "events": [ - { - "event": { - "code": "5382", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "10992", - "Flags": "0", - "Identity": "010500000000000515000000135E3A229957100F0052CF12FC9C0000", - "ProcessCreationTime": "2023-01-17T22:25:52.5801675Z", - "Resource": "NGC Local Accoount Logon Vault Resource", - "ReturnCode": "1168", - "Schema": "{1d4350a3-330d-4af9-b3ff-a927a45998ac}", - "SchemaFriendlyName": "NGC Local Accoount Logon Vault Resource Schema", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "COMPUTER1$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "5382", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 964, - "thread": { - "id": 1348 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 5474106, - "time_created": "2023-01-17T22:25:53.1638862Z" - } - }, - { - "event": { - "code": "5382", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "18228", - "Flags": "0", - "Identity": "ActiveSyncCredentialDefaultUser", - "ProcessCreationTime": "2023-01-17T21:33:15.0527484Z", - "Resource": "SYNC_POLICY{000000000-0000-0000-00000-000000000000}", - "ReturnCode": "0", - "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", - "SchemaFriendlyName": "ActiveSyncCredentialSchema", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x12a119b2", - "SubjectUserName": 
"user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5382", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 1008, - "thread": { - "id": 11604 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 5472528, - "time_created": "2023-01-17T21:53:44.4175183Z" - } - }, - { - "event": { - "code": "5382", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "18228", - "Flags": "0", - "Identity": "ActiveSyncCredentialDefaultUser", - "ProcessCreationTime": "2023-01-17T21:33:15.0527484Z", - "Resource": "SyncPassword{000000000-0000-0000-00000-000000000000}Exchange", - "ReturnCode": "0", - "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", - "SchemaFriendlyName": "ActiveSyncCredentialSchema", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x12a119b2", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5382", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 1008, - "thread": { - "id": 11604 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 5472527, - "time_created": "2023-01-17T21:53:44.4122464Z" - } - }, - { - "event": { - "code": "5382", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "18228", - 
"Flags": "0", - "Identity": "ActiveSyncCredentialDefaultUser", - "ProcessCreationTime": "2023-01-17T21:33:15.0527484Z", - "Resource": "SyncUseSSL{000000000-0000-0000-00000-000000000000}Exchange", - "ReturnCode": "0", - "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", - "SchemaFriendlyName": "ActiveSyncCredentialSchema", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x12a119b2", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5382", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 1008, - "thread": { - "id": 11604 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 5472526, - "time_created": "2023-01-17T21:53:44.4119963Z" - } - }, - { - "event": { - "code": "5382", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "18228", - "Flags": "0", - "Identity": "ActiveSyncCredentialDefaultUser", - "ProcessCreationTime": "2023-01-17T21:33:15.0527484Z", - "Resource": "SyncServer{000000000-0000-0000-00000-000000000000}Exchange", - "ReturnCode": "0", - "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", - "SchemaFriendlyName": "ActiveSyncCredentialSchema", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x12a119b2", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5382", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "process": { - "pid": 1008, - "thread": { - "id": 9708 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 5472525, - 
"time_created": "2023-01-17T21:53:44.4117359Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json-expected.json deleted file mode 100644 index 1de868541..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-5382.json-expected.json +++ /dev/null 
@@ -1,364 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2023-01-17T22:25:53.163Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credentials-were-read", - "category": [ - "iam" - ], - "code": "5382", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "COMPUTER1$" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-18", - "name": "COMPUTER1$" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "10992", - "Flags": "0", - "Identity": "010500000000000515000000135E3A229957100F0052CF12FC9C0000", - "ProcessCreationTime": "2023-01-17T22:25:52.5801675Z", - "Resource": "NGC Local Accoount Logon Vault Resource", - "ReturnCode": "1168", - "Schema": "{1d4350a3-330d-4af9-b3ff-a927a45998ac}", - "SchemaFriendlyName": "NGC Local Accoount Logon Vault Resource Schema", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "COMPUTER1$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "5382", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "process": { - "pid": 964, - "thread": { - "id": 1348 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "5474106", - "time_created": "2023-01-17T22:25:53.1638862Z" - } - }, - { - "@timestamp": "2023-01-17T21:53:44.417Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credentials-were-read", - "category": [ - "iam" - ], - "code": "5382", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": 
"information" - }, - "related": { - "user": [ - "user1" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "user1" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "18228", - "Flags": "0", - "Identity": "ActiveSyncCredentialDefaultUser", - "ProcessCreationTime": "2023-01-17T21:33:15.0527484Z", - "Resource": "SYNC_POLICY{000000000-0000-0000-00000-000000000000}", - "ReturnCode": "0", - "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", - "SchemaFriendlyName": "ActiveSyncCredentialSchema", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x12a119b2", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5382", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x12a119b2" - }, - "opcode": "Info", - "process": { - "pid": 1008, - "thread": { - "id": 11604 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "5472528", - "time_created": "2023-01-17T21:53:44.4175183Z" - } - }, - { - "@timestamp": "2023-01-17T21:53:44.412Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credentials-were-read", - "category": [ - "iam" - ], - "code": "5382", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "user1" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "user1" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "18228", - "Flags": "0", - "Identity": "ActiveSyncCredentialDefaultUser", - "ProcessCreationTime": 
"2023-01-17T21:33:15.0527484Z", - "Resource": "SyncPassword{000000000-0000-0000-00000-000000000000}Exchange", - "ReturnCode": "0", - "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", - "SchemaFriendlyName": "ActiveSyncCredentialSchema", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x12a119b2", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5382", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x12a119b2" - }, - "opcode": "Info", - "process": { - "pid": 1008, - "thread": { - "id": 11604 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "5472527", - "time_created": "2023-01-17T21:53:44.4122464Z" - } - }, - { - "@timestamp": "2023-01-17T21:53:44.411Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credentials-were-read", - "category": [ - "iam" - ], - "code": "5382", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "user1" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "user1" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "18228", - "Flags": "0", - "Identity": "ActiveSyncCredentialDefaultUser", - "ProcessCreationTime": "2023-01-17T21:33:15.0527484Z", - "Resource": "SyncUseSSL{000000000-0000-0000-00000-000000000000}Exchange", - "ReturnCode": "0", - "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", - "SchemaFriendlyName": "ActiveSyncCredentialSchema", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x12a119b2", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - 
}, - "event_id": "5382", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x12a119b2" - }, - "opcode": "Info", - "process": { - "pid": 1008, - "thread": { - "id": 11604 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "5472526", - "time_created": "2023-01-17T21:53:44.4119963Z" - } - }, - { - "@timestamp": "2023-01-17T21:53:44.411Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "vault-credentials-were-read", - "category": [ - "iam" - ], - "code": "5382", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "COMPUTER1.contoso.com" - }, - "log": { - "level": "information" - }, - "related": { - "user": [ - "user1" - ] - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-000000000-000000000-000000000-00000", - "name": "user1" - }, - "winlog": { - "channel": "Security", - "computer_name": "COMPUTER1.contoso.com", - "event_data": { - "ClientProcessId": "18228", - "Flags": "0", - "Identity": "ActiveSyncCredentialDefaultUser", - "ProcessCreationTime": "2023-01-17T21:33:15.0527484Z", - "Resource": "SyncServer{000000000-0000-0000-00000-000000000000}Exchange", - "ReturnCode": "0", - "Schema": "{a8fb7545-9029-4cb4-bc2c-7640bfaa234e}", - "SchemaFriendlyName": "ActiveSyncCredentialSchema", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x12a119b2", - "SubjectUserName": "user1", - "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-00000" - }, - "event_id": "5382", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x12a119b2" - }, - "opcode": "Info", - "process": { - "pid": 1008, - "thread": { - "id": 9708 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "5472525", - "time_created": "2023-01-17T21:53:44.4117359Z" - } - } - ] -} \ No 
newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json
deleted file mode 100644
index 6752b73fd..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json
+++ /dev/null
@@ -1,110 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:06:03.636Z",
- "winlog": {
- "version": 1,
- "process": {
- "pid": 4,
- "thread": {
- "id": 772
- }
- },
- "api": "wineventlog",
- "channel": "Security",
- "record_id": 268495,
- "computer_name": "DC01.contoso.local",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2015-09-18T02:45:13.581231400Z",
- "event_id": 5140,
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "opcode": "Info",
- "keywords": [
- "Audit Success"
- ],
- "task": "File Share",
- "event_data": {
- "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
- "SubjectUserName": "dadmin",
- "SubjectDomainName": "CONTOSO",
- "SubjectLogonId": "0x541f35",
- "ObjectType": "File",
- "IpAddress": "10.0.0.100",
- "IpPort": "49212",
- "ShareName": "\\\\\\*\\Documents",
- "ShareLocalPath": "\\??\\C:\\Documents",
- "AccessMask": "0x1",
- "AccessList": "%%4416"
- }
- },
- "event": {
- "action": "File Share",
- "created": "2022-02-03T18:51:05.143Z",
- "outcome": "success",
- "kind": "event",
- "code": 5140,
- "provider": "Microsoft-Windows-Security-Auditing"
- },
- "log": {
- "level": "information"
- },
- "host": {
- "name": "DC01.contoso.local"
- }
- },
- {
- "@timestamp": "2021-04-15T19:06:03.636Z",
- "winlog": {
- "version": 0,
- "process": {
- "pid": 4,
- "thread": {
- "id": 772
- }
- },
- "api": "wineventlog",
- "channel": "Security",
- "record_id": 268495,
- "computer_name": "DC01.contoso.local",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2015-09-18T02:45:13.581231400Z",
- "event_id": 5145,
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "opcode": "Info",
- "task": "Detailed File Share",
- "keywords": [
- "Audit Success"
- ],
- "event_data": {
- "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
- "SubjectUserName": "dadmin",
- "SubjectDomainName": "CONTOSO",
- "SubjectLogonId": "0x541f35",
- "ObjectType": "File",
- "IpAddress": "fe80::31ea:6c3c:f40d:1973",
- "IpPort": "49212",
- "ShareName": "\\\\\\*\\Documents",
- "ShareLocalPath": "\\??\\C:\\Documents",
- "RelativeTargetName": "Bginfo.exe",
- "AccessMask": "0x100081",
- "AccessList": "%%1541 %%4416 %%4423",
- "AccessReason": "%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)"
- }
- },
- "event": {
- "action": "Detailed File Share",
- "created": "2022-02-03T18:51:05.143Z",
- "outcome": "success",
- "kind": "event",
- "code": 5145,
- "provider": "Microsoft-Windows-Security-Auditing"
- },
- "log": {
- "level": "information"
- },
- "host": {
- "name": "DC01.contoso.local"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json
deleted file mode 100644
index e49f103d8..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json
+++ /dev/null
@@ -1,194 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2015-09-18T02:45:13.581Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "network-share-object-accessed", - "category": [ - "network", - "file" - ], - "code": "5140", - "created": "2022-02-03T18:51:05.143Z", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "info", - "access" - ] - }, - "file": { - "directory": "\\??\\C:\\Documents" - }, - "host": { - "name": "DC01.contoso.local" - }, - "log": { - "level": "information" - }, - "related": { - "ip": [ - "10.0.0.100" - ], - "user": [ - "dadmin" - ] - }, - "source": { - "ip": "10.0.0.100", - "port": 49212 - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-3457937927-2839227994-823803824-1104", - "name": "dadmin" - }, - "winlog": { - "api": "wineventlog", - "channel": "Security", - "computer_name": "DC01.contoso.local", - "event_data": { - "AccessList": "%%4416", - "AccessListDescription": [ - "ReadData (or ListDirectory)" - ], - "AccessMask": "0x1", - "AccessMaskDescription": [ - "Create Child" - ], - "ObjectType": "File", - "ShareLocalPath": "\\??\\C:\\Documents", - "ShareName": "\\\\\\*\\Documents", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x541f35", - "SubjectUserName": "dadmin", - "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104" - }, - "event_id": "5140", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x541f35" - }, - "opcode": "Info", - "process": { - "pid": 4, - "thread": { - "id": 772 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "268495", - "task": "File Share", - "time_created": "2015-09-18T02:45:13.581231400Z", - "version": 1 - } - }, - { - "@timestamp": "2015-09-18T02:45:13.581Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "network-share-object-access-checked", - "category": [ - "network", - "file" - ], - 
"code": "5145", - "created": "2022-02-03T18:51:05.143Z", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "info", - "access" - ] - }, - "file": { - "directory": "\\??\\C:\\Documents", - "extension": "exe", - "name": "Bginfo.exe", - "path": "\\\\??\\\\C:\\\\Documents\\Bginfo.exe", - "target_path": "\\\\\\\\\\\\*\\\\Documents\\Bginfo.exe" - }, - "host": { - "name": "DC01.contoso.local" - }, - "log": { - "level": "information" - }, - "related": { - "ip": [ - "fe80::31ea:6c3c:f40d:1973" - ], - "user": [ - "dadmin" - ] - }, - "source": { - "ip": "fe80::31ea:6c3c:f40d:1973", - "port": 49212 - }, - "user": { - "domain": "CONTOSO", - "id": "S-1-5-21-3457937927-2839227994-823803824-1104", - "name": "dadmin" - }, - "winlog": { - "api": "wineventlog", - "channel": "Security", - "computer_name": "DC01.contoso.local", - "event_data": { - "AccessList": "%%1541 %%4416 %%4423", - "AccessListDescription": [ - "SYNCHRONIZE", - "ReadData (or ListDirectory)", - "ReadAttributes" - ], - "AccessMask": "0x100081", - "AccessMaskDescription": [ - "List Object", - "Create Child", - "SYNCHRONIZE" - ], - "AccessReason": "%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)", - "ObjectType": "File", - "RelativeTargetName": "Bginfo.exe", - "ShareLocalPath": "\\??\\C:\\Documents", - "ShareName": "\\\\\\*\\Documents", - "SubjectDomainName": "CONTOSO", - "SubjectLogonId": "0x541f35", - "SubjectUserName": "dadmin", - "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104" - }, - "event_id": "5145", - "keywords": [ - "Audit Success" - ], - "logon": { - "id": "0x541f35" - }, - "opcode": "Info", - "process": { - "pid": 4, - "thread": { - "id": 772 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "268495", - "task": "Detailed File Share", - "time_created": "2015-09-18T02:45:13.581231400Z", - "version": 0 
- } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json deleted file mode 100644 index 75b582297..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json +++ /dev/null 
@@ -1,64 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:06:03.636Z",
- "winlog": {
- "level": "information",
- "process": {
- "pid": 496,
- "thread": {
- "id": 504
- }
- },
- "channel": "Security",
- "record_id": 5109160,
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2020-04-06T06:39:04.549Z",
- "outcome": "success",
- "event_id": 4673,
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "keywords": [
- "Audit Success"
- ],
- "opcode": "Info",
- "event_data": {
- "ProcessId": "0x1f0",
- "ProcessName": "C:\\Windows\\System32\\lsass.exe",
- "SubjectUserName": "DC_TEST2K12$",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x3e7",
- "PrivilegeList": "SeTcbPrivilege",
- "SubjectUserSid": "S-1-5-18",
- "ObjectServer": "NT Local Security Authority / Authentication Service",
- "Service": "LsaRegisterLogonProcess()"
- }
- },
- "event": {
- "kind": "event",
- "code": 4673,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.xml"
- },
- "level": "information"
- },
- "ecs": {
- "version": "1.8.0"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "agent": {
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0",
- "ephemeral_id": "f86f8f87-0401-4d4d-a9b3-d3a9a524dde2"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json
deleted file mode 100644
index a50b4fc2e..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json
+++ /dev/null
@@ -1,89 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-04-06T06:39:04.549Z", - "agent": { - "ephemeral_id": "f86f8f87-0401-4d4d-a9b3-d3a9a524dde2", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "privileged-service-called", - "category": [ - "iam" - ], - "code": "4673", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin" - ] - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\lsass.exe", - "name": "lsass.exe", - "pid": 496 - }, - "related": { - "user": [ - "DC_TEST2K12$" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "DC_TEST2K12$" - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "ObjectServer": "NT Local Security Authority / Authentication Service", - "PrivilegeList": [ - "SeTcbPrivilege" - ], - "Service": "LsaRegisterLogonProcess()", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "DC_TEST2K12$", - "SubjectUserSid": "S-1-5-18" - }, - "event_id": "4673", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 496, - "thread": { - "id": 504 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "5109160", - "time_created": "2020-04-06T06:39:04.549Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json
deleted file mode 100644
index 2cc659dcb..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json
+++ /dev/null
@@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:05:18.399Z", - "agent": { - "ephemeral_id": "961c8568-c795-47e6-8d9f-661cdab1fac0", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "winlog": { - "time_created": "2020-04-02T14:34:08.889Z", - "level": "information", - "process": { - "pid": 792, - "thread": { - "id": 2492 - } - }, - "channel": "Security", - "record_id": 90108, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "outcome": "success", - "activity_id": "{74b64d41-08ce-0000-454f-b674ce08d601}", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "ServiceStartType": "2", - "ServiceAccount": "LocalSystem", - "SubjectLogonId": "0x4c323", - "ServiceName": "winlogbeat", - "ServiceFileName": "\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true", - "ServiceType": "0x10", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectUserName": "Administrator", - "SubjectDomainName": "WLBEAT" - }, - "event_id": 4697, - "provider_name": "Microsoft-Windows-Security-Auditing" - }, - "event": { - "kind": "event", - "code": 4697, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.xml" - }, - "level": "information" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json
deleted file mode 100644
index 073bab476..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json
+++ /dev/null
@@ -1,91 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-04-02T14:34:08.889Z", - "agent": { - "ephemeral_id": "961c8568-c795-47e6-8d9f-661cdab1fac0", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "service-installed", - "category": [ - "iam", - "configuration" - ], - "code": "4697", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "service": { - "name": "winlogbeat", - "type": "Win32 Own Process" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, - "winlog": { - "activity_id": "{74b64d41-08ce-0000-454f-b674ce08d601}", - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "ServiceAccount": "LocalSystem", - "ServiceFileName": "\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true", - "ServiceName": "winlogbeat", - "ServiceStartType": "2", - "ServiceType": "0x10", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4c323", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "event_id": "4697", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4c323" - }, - "opcode": "Info", - "outcome": "success", - "process": { - 
"pid": 792, - "thread": { - "id": 2492 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "90108", - "time_created": "2020-04-02T14:34:08.889Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json deleted file mode 100644 index 24d8e5dea..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json +++ /dev/null 
@@ -1,66 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:04:58.290Z",
- "ecs": {
- "version": "1.8.0"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "agent": {
- "version": "8.0.0",
- "ephemeral_id": "2e71c92e-5c70-4ea4-aad7-d3a2174f2a6d",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat"
- },
- "winlog": {
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "outcome": "success",
- "level": "information",
- "event_data": {
- "ServiceName": "krbtgt",
- "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502",
- "TicketEncryptionType": "0x12",
- "PreAuthType": "2",
- "TargetUserName": "at_adm",
- "Status": "0x0",
- "IpAddress": "::1",
- "TicketOptions": "0x40810010",
- "TargetDomainName": "TEST.SAAS",
- "IpPort": "0",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2794"
- },
- "channel": "Security",
- "record_id": 5040235,
- "keywords": [
- "Audit Success"
- ],
- "opcode": "Info",
- "time_created": "2020-04-01T08:45:44.171Z",
- "process": {
- "pid": 496,
- "thread": {
- "id": 2868
- }
- },
- "event_id": 4768,
- "provider_name": "Microsoft-Windows-Security-Auditing"
- },
- "event": {
- "outcome": "success",
- "kind": "event",
- "code": 4768,
- "provider": "Microsoft-Windows-Security-Auditing"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.xml"
- },
- "level": "information"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
deleted file mode 100644
index 8762189d3..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
+++ /dev/null
@@ -1,99 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-04-01T08:45:44.171Z", - "agent": { - "ephemeral_id": "2e71c92e-5c70-4ea4-aad7-d3a2174f2a6d", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "kerberos-authentication-ticket-requested", - "category": [ - "authentication" - ], - "code": "4768", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.xml" - }, - "level": "information" - }, - "related": { - "ip": [ - "::1" - ], - "user": [ - "at_adm" - ] - }, - "service": { - "name": "krbtgt" - }, - "source": { - "ip": "::1", - "port": 0 - }, - "user": { - "domain": "TEST.SAAS", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "PreAuthType": "2", - "ServiceName": "krbtgt", - "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", - "Status": "0x0", - "StatusDescription": "KDC_ERR_NONE", - "TargetDomainName": "TEST.SAAS", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "TargetUserName": "at_adm", - "TicketEncryptionType": "0x12", - "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", - "TicketOptions": "0x40810010", - "TicketOptionsDescription": [ - "Forwardable", - "Renewable-ok", - "Name-canonicalize", - "Renewable" - ] - }, - "event_id": "4768", - "keywords": [ - "Audit Success" - ], - "level": "information", - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 496, - "thread": { - "id": 2868 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": 
"Microsoft-Windows-Security-Auditing", - "record_id": "5040235", - "time_created": "2020-04-01T08:45:44.171Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json deleted file mode 100644 index f80653aaf..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json +++ /dev/null 
@@ -1,66 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:04:33.160Z", - "agent": { - "ephemeral_id": "d417a772-3290-465f-97d4-7e1221f76934", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "winlog": { - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-04-01T08:45:44.171Z", - "event_data": { - "TargetUserName": "at_adm@TEST.SAAS", - "TargetDomainName": "TEST.SAAS", - "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-1110", - "TicketEncryptionType": "0x12", - "TransmittedServices": "-", - "ServiceName": "DC_TEST2K12$", - "TicketOptions": "0x40810000", - "IpAddress": "::1", - "IpPort": "0", - "Status": "0x0", - "LogonGuid": "{46f85809-d26e-96f5-fbf2-73bd761a2d68}" - }, - "channel": "Security", - "event_id": 4769, - "record_id": 5040236, - "process": { - "pid": 496, - "thread": { - "id": 2868 - } - }, - "level": "information", - "provider_name": "Microsoft-Windows-Security-Auditing", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "outcome": "success" - }, - "event": { - "kind": "event", - "code": 4769, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json deleted file mode 100644 index ac8d7d2cc..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json
+++ /dev/null
@@ -1,97 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-04-01T08:45:44.171Z", - "agent": { - "ephemeral_id": "d417a772-3290-465f-97d4-7e1221f76934", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "kerberos-service-ticket-requested", - "category": [ - "authentication" - ], - "code": "4769", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.xml" - }, - "level": "information" - }, - "related": { - "ip": [ - "::1" - ], - "user": [ - "at_adm" - ] - }, - "service": { - "name": "DC_TEST2K12$" - }, - "source": { - "ip": "::1", - "port": 0 - }, - "user": { - "domain": "TEST.SAAS", - "name": "at_adm" - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "LogonGuid": "{46f85809-d26e-96f5-fbf2-73bd761a2d68}", - "ServiceName": "DC_TEST2K12$", - "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-1110", - "Status": "0x0", - "StatusDescription": "KDC_ERR_NONE", - "TargetDomainName": "TEST.SAAS", - "TargetUserName": "at_adm@TEST.SAAS", - "TicketEncryptionType": "0x12", - "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", - "TicketOptions": "0x40810000", - "TicketOptionsDescription": [ - "Forwardable", - "Name-canonicalize", - "Renewable" - ], - "TransmittedServices": "-" - }, - "event_id": "4769", - "keywords": [ - "Audit Success" - ], - "level": "information", - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 496, - "thread": { - "id": 2868 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 
"5040236", - "time_created": "2020-04-01T08:45:44.171Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json deleted file mode 100644 index 2b4c2a2c3..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json +++ /dev/null @@ -1,63 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:08:49.077Z", - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "agent": { - "version": "8.0.0", - "ephemeral_id": "ecb4944b-a4a6-4a12-be3c-2aa7175c6f7c", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat" - }, - "ecs": { - "version": "1.8.0" - }, - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-04-01T07:32:55.010Z", - "channel": "Security", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 5039598, - "event_data": { - "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", - "TicketOptions": "0x10002", - "TicketEncryptionType": "0x12", - "IpAddress": "::1", - "IpPort": "0", - "TargetUserName": "DC_TEST2K12$@TEST.SAAS", - "TargetDomainName": "TEST.SAAS", - "ServiceName": "krbtgt" - }, - "process": { - "pid": 496, - "thread": { - "id": 4468 - } - }, - "event_id": 4770, - "outcome": "success", - "level": "information" - }, - "event": { - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "kind": "event", - "code": 4770 - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.xml" - }, - "level": "information" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
deleted file mode 100644
index 9bf1289ff..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
+++ /dev/null
@@ -1,92 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-04-01T07:32:55.010Z", - "agent": { - "ephemeral_id": "ecb4944b-a4a6-4a12-be3c-2aa7175c6f7c", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "kerberos-service-ticket-renewed", - "category": [ - "authentication" - ], - "code": "4770", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.xml" - }, - "level": "information" - }, - "related": { - "ip": [ - "::1" - ], - "user": [ - "DC_TEST2K12$" - ] - }, - "service": { - "name": "krbtgt" - }, - "source": { - "ip": "::1", - "port": 0 - }, - "user": { - "domain": "TEST.SAAS", - "name": "DC_TEST2K12$" - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "ServiceName": "krbtgt", - "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", - "TargetDomainName": "TEST.SAAS", - "TargetUserName": "DC_TEST2K12$@TEST.SAAS", - "TicketEncryptionType": "0x12", - "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", - "TicketOptions": "0x10002", - "TicketOptionsDescription": [ - "Name-canonicalize", - "Renew" - ] - }, - "event_id": "4770", - "keywords": [ - "Audit Success" - ], - "level": "information", - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 496, - "thread": { - "id": 4468 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "5039598", - "time_created": "2020-04-01T07:32:55.010Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json
deleted file mode 100644
index 4c57b533f..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:08:03.991Z",
- "ecs": {
- "version": "1.8.0"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "agent": {
- "ephemeral_id": "ac571f8c-8d98-4d24-8463-f0e5d0a13bdd",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "winlog": {
- "event_data": {
- "TicketOptions": "0x40810010",
- "Status": "0x12",
- "PreAuthType": "0",
- "IpAddress": "::ffff:192.168.5.44",
- "IpPort": "53366",
- "TargetUserName": "MPUIG",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-3057",
- "ServiceName": "krbtgt/test.saas"
- },
- "channel": "Security",
- "event_id": 4771,
- "record_id": 5027836,
- "outcome": "failure",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2020-03-31T07:50:27.168Z",
- "level": "information",
- "process": {
- "pid": 496,
- "thread": {
- "id": 4552
- }
- },
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "keywords": [
- "Audit Failure"
- ],
- "opcode": "Info"
- },
- "event": {
- "code": 4771,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "failure",
- "kind": "event"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.xml"
- },
- "level": "information"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
deleted file mode 100644
index 3b8265c25..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
+++ /dev/null
@@ -1,94 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2020-03-31T07:50:27.168Z", - "agent": { - "ephemeral_id": "ac571f8c-8d98-4d24-8463-f0e5d0a13bdd", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "kerberos-preauth-failed", - "category": [ - "authentication" - ], - "code": "4771", - "kind": "event", - "outcome": "failure", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.xml" - }, - "level": "information" - }, - "related": { - "ip": [ - "192.168.5.44" - ], - "user": [ - "MPUIG" - ] - }, - "service": { - "name": "krbtgt/test.saas" - }, - "source": { - "ip": "192.168.5.44", - "port": 53366 - }, - "user": { - "id": "S-1-5-21-1717121054-434620538-60925301-3057", - "name": "MPUIG" - }, - "winlog": { - "channel": "Security", - "computer_name": "DC_TEST2k12.TEST.SAAS", - "event_data": { - "PreAuthType": "0", - "ServiceName": "krbtgt/test.saas", - "Status": "0x12", - "StatusDescription": "KDC_ERR_CLIENT_REVOKED", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-3057", - "TargetUserName": "MPUIG", - "TicketOptions": "0x40810010", - "TicketOptionsDescription": [ - "Forwardable", - "Renewable-ok", - "Name-canonicalize", - "Renewable" - ] - }, - "event_id": "4771", - "keywords": [ - "Audit Failure" - ], - "level": "information", - "opcode": "Info", - "outcome": "failure", - "process": { - "pid": 496, - "thread": { - "id": 4552 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "5027836", - "time_created": "2020-03-31T07:50:27.168Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json
deleted file mode 100644
index 55d04a038..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:09:39.132Z",
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "agent": {
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0",
- "ephemeral_id": "e3bf3bc5-3815-4ca8-ad10-d40daaa047fc"
- },
- "winlog": {
- "channel": "Security",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "process": {
- "pid": 496,
- "thread": {
- "id": 1864
- }
- },
- "event_id": 4776,
- "record_id": 5040222,
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "keywords": [
- "Audit Success"
- ],
- "opcode": "Info",
- "time_created": "2020-04-01T08:45:42.187Z",
- "outcome": "success",
- "level": "information",
- "event_data": {
- "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
- "TargetUserName": "at_adm",
- "Workstation": "EQP01777",
- "Status": "0x0"
- }
- },
- "event": {
- "kind": "event",
- "code": 4776,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.xml"
- },
- "level": "information"
- },
- "ecs": {
- "version": "1.8.0"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json
deleted file mode 100644
index c2482777b..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- "expected": [
- {
- "@timestamp": "2020-04-01T08:45:42.187Z",
- "agent": {
- "ephemeral_id": "e3bf3bc5-3815-4ca8-ad10-d40daaa047fc",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "action": "credential-validated",
- "category": [
- "authentication"
- ],
- "code": "4776",
- "kind": "event",
- "outcome": "success",
- "provider": "Microsoft-Windows-Security-Auditing",
- "type": [
- "start"
- ]
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.xml"
- },
- "level": "information"
- },
- "related": {
- "user": [
- "at_adm"
- ]
- },
- "user": {
- "name": "at_adm"
- },
- "winlog": {
- "channel": "Security",
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "event_data": {
- "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
- "Status": "0x0",
- "TargetUserName": "at_adm",
- "Workstation": "EQP01777"
- },
- "event_id": "4776",
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "logon": {
- "failure": {
- "status": "Status OK."
- }
- },
- "opcode": "Info",
- "outcome": "success",
- "process": {
- "pid": 496,
- "thread": {
- "id": 1864
- }
- },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": "5040222",
- "time_created": "2020-04-01T08:45:42.187Z"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json
deleted file mode 100644
index c03ef805d..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:03:02.655Z",
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "agent": {
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0",
- "ephemeral_id": "f305e9f9-96b1-4f18-a864-144e6a3fc46d"
- },
- "winlog": {
- "event_id": 4778,
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": 5101675,
- "keywords": [
- "Audit Success"
- ],
- "time_created": "2020-04-05T16:33:32.388Z",
- "outcome": "success",
- "channel": "Security",
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "opcode": "Info",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "level": "information",
- "event_data": {
- "SessionName": "RDP-Tcp#127",
- "ClientName": "EQP01777",
- "ClientAddress": "216.160.83.57",
- "AccountName": "at_adm",
- "AccountDomain": "TEST",
- "LogonID": "0x76fea87"
- },
- "process": {
- "pid": 496,
- "thread": {
- "id": 4184
- }
- }
- },
- "event": {
- "kind": "event",
- "code": 4778,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.xml"
- },
- "level": "information"
- },
- "ecs": {
- "version": "1.8.0"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
deleted file mode 100644
index eba663813..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
+++ /dev/null
@@ -1,103 +0,0 @@
-{
- "expected": [
- {
- "@timestamp": "2020-04-05T16:33:32.388Z",
- "agent": {
- "ephemeral_id": "f305e9f9-96b1-4f18-a864-144e6a3fc46d",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "action": "session-reconnected",
- "category": [
- "authentication",
- "session"
- ],
- "code": "4778",
- "kind": "event",
- "outcome": "success",
- "provider": "Microsoft-Windows-Security-Auditing",
- "type": [
- "start"
- ]
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.xml"
- },
- "level": "information"
- },
- "related": {
- "ip": [
- "216.160.83.57"
- ],
- "user": [
- "at_adm"
- ]
- },
- "source": {
- "as": {
- "number": 209
- },
- "domain": "EQP01777",
- "geo": {
- "city_name": "Milton",
- "continent_name": "North America",
- "country_iso_code": "US",
- "country_name": "United States",
- "location": {
- "lat": 47.2513,
- "lon": -122.3149
- },
- "region_iso_code": "US-WA",
- "region_name": "Washington"
- },
- "ip": "216.160.83.57"
- },
- "user": {
- "domain": "TEST",
- "name": "at_adm"
- },
- "winlog": {
- "channel": "Security",
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "event_data": {
- "AccountDomain": "TEST",
- "AccountName": "at_adm",
- "ClientAddress": "216.160.83.57",
- "ClientName": "EQP01777",
- "LogonID": "0x76fea87",
- "SessionName": "RDP-Tcp#127"
- },
- "event_id": "4778",
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "logon": {
- "id": "0x76fea87"
- },
- "opcode": "Info",
- "outcome": "success",
- "process": {
- "pid": 496,
- "thread": {
- "id": 4184
- }
- },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": "5101675",
- "time_created": "2020-04-05T16:33:32.388Z"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json
deleted file mode 100644
index 23983ce6e..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:03:22.673Z",
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.xml"
- }
- },
- "ecs": {
- "version": "1.8.0"
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "agent": {
- "ephemeral_id": "d9d93a3d-3242-4f55-a4de-4ded8ae26301",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "winlog": {
- "channel": "Security",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "keywords": [
- "Audit Success"
- ],
- "opcode": "Info",
- "time_created": "2020-04-03T10:18:01.882Z",
- "level": "information",
- "event_data": {
- "AccountDomain": "TEST",
- "LogonID": "0x60d1ccb",
- "SessionName": "RDP-Tcp#116",
- "ClientName": "EQP01777",
- "ClientAddress": "10.100.150.17",
- "AccountName": "at_adm"
- },
- "event_id": 4779,
- "record_id": 5069070,
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "outcome": "success",
- "process": {
- "pid": 496,
- "thread": {
- "id": 3852
- }
- }
- },
- "event": {
- "kind": "event",
- "code": 4779,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
deleted file mode 100644
index bc3cf0630..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
+++ /dev/null
@@ -1,88 +0,0 @@
-{
- "expected": [
- {
- "@timestamp": "2020-04-03T10:18:01.882Z",
- "agent": {
- "ephemeral_id": "d9d93a3d-3242-4f55-a4de-4ded8ae26301",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "action": "session-disconnected",
- "category": [
- "authentication",
- "session"
- ],
- "code": "4779",
- "kind": "event",
- "outcome": "success",
- "provider": "Microsoft-Windows-Security-Auditing",
- "type": [
- "end"
- ]
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.xml"
- },
- "level": "information"
- },
- "related": {
- "ip": [
- "10.100.150.17"
- ],
- "user": [
- "at_adm"
- ]
- },
- "source": {
- "domain": "EQP01777",
- "ip": "10.100.150.17"
- },
- "user": {
- "domain": "TEST",
- "name": "at_adm"
- },
- "winlog": {
- "channel": "Security",
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "event_data": {
- "AccountDomain": "TEST",
- "AccountName": "at_adm",
- "ClientAddress": "10.100.150.17",
- "ClientName": "EQP01777",
- "LogonID": "0x60d1ccb",
- "SessionName": "RDP-Tcp#116"
- },
- "event_id": "4779",
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "logon": {
- "id": "0x60d1ccb"
- },
- "opcode": "Info",
- "outcome": "success",
- "process": {
- "pid": 496,
- "thread": {
- "id": 3852
- }
- },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": "5069070",
- "time_created": "2020-04-03T10:18:01.882Z"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json
deleted file mode 100644
index 1dae9ccfc..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json
+++ /dev/null
@@ -1,1303 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:10:09.188Z", - "event": { - "kind": "event", - "code": 4624, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "vagrant-2012-r2" - }, - "agent": { - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain" - }, - "winlog": { - "version": 1, - "outcome": "success", - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "level": "information", - "event_data": { - "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectDomainName": "WORKGROUP", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x3e7", - "LogonType": "5", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "ProcessName": "C:\\Windows\\System32\\services.exe", - "IpPort": "-", - "SubjectLogonId": "0x3e7", - "LogonProcessName": "Advapi ", - "LmPackageName": "-", - "IpAddress": "-", - "TargetUserSid": "S-1-5-18", - "TargetUserName": "SYSTEM", - "TransmittedServices": "-", - "KeyLength": "0", - "ProcessId": "0x1fc", - "ImpersonationLevel": "%%1833" - }, - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "provider_name": "Microsoft-Windows-Security-Auditing", - "keywords": [ - "Audit Success" - ], - "time_created": "2019-03-29T21:10:39.786Z", - "process": { - "pid": 516, - "thread": { - "id": 536 - } - }, - "event_id": 4624, - "record_id": 1535 - } - }, - { - "@timestamp": "2021-04-15T19:10:09.188Z", - "agent": { - "version": "8.0.0", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": 
"3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat" - }, - "winlog": { - "channel": "Security", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "computer_name": "vagrant-2012-r2", - "opcode": "Info", - "version": 1, - "time_created": "2019-03-29T21:10:40.255Z", - "event_id": 4624, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "keywords": [ - "Audit Success" - ], - "level": "information", - "event_data": { - "ImpersonationLevel": "%%1833", - "TransmittedServices": "-", - "LmPackageName": "-", - "ProcessId": "0x1fc", - "ProcessName": "C:\\Windows\\System32\\services.exe", - "IpAddress": "-", - "SubjectUserName": "VAGRANT-2012-R2$", - "LogonType": "5", - "AuthenticationPackageName": "Negotiate", - "KeyLength": "0", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "TargetUserSid": "S-1-5-18", - "TargetUserName": "SYSTEM", - "TargetDomainName": "NT AUTHORITY", - "SubjectUserSid": "S-1-5-18", - "TargetLogonId": "0x3e7", - "LogonProcessName": "Advapi ", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "IpPort": "-" - }, - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 1538 - }, - "event": { - "kind": "event", - "code": 4624, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "vagrant-2012-r2" - } - }, - { - "@timestamp": "2021-04-15T19:10:09.188Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "vagrant-2012-r2" - }, - "winlog": { - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "keywords": [ - "Audit Success" - ], - "provider_name": "Microsoft-Windows-Security-Auditing", - "channel": "Security", - "opcode": "Info", - "version": 1, - 
"time_created": "2019-03-29T21:10:40.380Z", - "level": "information", - "computer_name": "vagrant-2012-r2", - "record_id": 1542, - "outcome": "success", - "event_data": { - "LogonProcessName": "User32 ", - "WorkstationName": "VAGRANT-2012-R2", - "LmPackageName": "-", - "KeyLength": "0", - "TransmittedServices": "-", - "ImpersonationLevel": "%%1833", - "SubjectUserName": "VAGRANT-2012-R2$", - "TargetDomainName": "VAGRANT-2012-R2", - "LogonType": "2", - "AuthenticationPackageName": "Negotiate", - "IpAddress": "127.0.0.1", - "IpPort": "0", - "SubjectLogonId": "0x3e7", - "TargetLogonId": "0x1008e", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "ProcessName": "C:\\Windows\\System32\\winlogon.exe", - "ProcessId": "0x1c0", - "SubjectUserSid": "S-1-5-18", - "SubjectDomainName": "WORKGROUP", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "TargetUserName": "vagrant" - }, - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "event_id": 4624 - }, - "event": { - "kind": "event", - "code": 4624, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "agent": { - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain" - } - }, - { - "@timestamp": "2021-04-15T19:10:09.189Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "vagrant-2012-r2" - }, - "agent": { - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" - }, - "winlog": { - "channel": "Security", - "provider_name": "Microsoft-Windows-Security-Auditing", - "computer_name": "vagrant-2012-r2", - "opcode": "Info", - 
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "level": "information", - "record_id": 1545, - "keywords": [ - "Audit Success" - ], - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "event_id": 4624, - "time_created": "2019-03-29T21:10:40.505Z", - "event_data": { - "LogonProcessName": "Advapi ", - "TransmittedServices": "-", - "IpAddress": "-", - "ProcessName": "C:\\Windows\\System32\\services.exe", - "SubjectUserSid": "S-1-5-18", - "SubjectDomainName": "WORKGROUP", - "AuthenticationPackageName": "Negotiate", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LmPackageName": "-", - "KeyLength": "0", - "ProcessId": "0x1fc", - "TargetUserSid": "S-1-5-18", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x3e7", - "LogonType": "5", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectLogonId": "0x3e7", - "TargetUserName": "SYSTEM", - "IpPort": "-", - "ImpersonationLevel": "%%1833" - }, - "version": 1, - "outcome": "success" - }, - "event": { - "kind": "event", - "code": 4624, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - } - }, - { - "@timestamp": "2021-04-15T19:10:09.189Z", - "host": { - "name": "vagrant-2012-r2" - }, - "agent": { - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50" - }, - "winlog": { - "outcome": "success", - "level": "information", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 1547, - "keywords": [ - "Audit Success" - ], - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "version": 1, - "time_created": "2019-03-29T21:10:40.630Z", - "event_id": 4624, - "opcode": "Info", 
- "event_data": { - "LogonType": "3", - "KeyLength": "0", - "ProcessId": "0x0", - "ProcessName": "-", - "SubjectUserSid": "S-1-0-0", - "SubjectLogonId": "0x0", - "TargetUserName": "ANONYMOUS LOGON", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x129f1", - "LmPackageName": "NTLM V1", - "SubjectUserName": "-", - "LogonProcessName": "NtLmSsp ", - "AuthenticationPackageName": "NTLM", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "TransmittedServices": "-", - "SubjectDomainName": "-", - "TargetUserSid": "S-1-5-7", - "IpAddress": "-", - "IpPort": "-", - "ImpersonationLevel": "%%1833" - }, - "computer_name": "vagrant-2012-r2", - "channel": "Security" - }, - "event": { - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "kind": "event", - "code": 4624 - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - } - }, - { - "@timestamp": "2021-04-15T19:10:09.189Z", - "winlog": { - "version": 1, - "event_data": { - "TargetDomainName": "VAGRANT-2012-R2", - "LogonType": "3", - "IpAddress": "-", - "SubjectLogonId": "0x0", - "LogonProcessName": "NtLmSsp ", - "LmPackageName": "NTLM V2", - "KeyLength": "128", - "ProcessId": "0x0", - "ProcessName": "-", - "SubjectUserName": "-", - "TargetLogonId": "0x28d31", - "TransmittedServices": "-", - "IpPort": "-", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "SubjectDomainName": "-", - "TargetUserName": "vagrant", - "AuthenticationPackageName": "NTLM", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "ImpersonationLevel": "%%1833", - "SubjectUserSid": "S-1-0-0" - }, - "event_id": 4624, - "keywords": [ - "Audit Success" - ], - "record_id": 1550, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:53.661Z", - "level": "information", - "channel": "Security", 
- "computer_name": "vagrant-2012-r2", - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "provider_name": "Microsoft-Windows-Security-Auditing" - }, - "event": { - "kind": "event", - "code": 4624, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "host": { - "name": "vagrant-2012-r2" - }, - "agent": { - "version": "8.0.0", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat" - }, - "ecs": { - "version": "1.8.0" - } - }, - { - "@timestamp": "2021-04-15T19:10:09.189Z", - "agent": { - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "vagrant-2012-r2" - }, - "winlog": { - "provider_name": "Microsoft-Windows-Security-Auditing", - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "computer_name": "vagrant-2012-r2", - "event_data": { - "SubjectUserSid": "S-1-0-0", - "SubjectUserName": "-", - "SubjectLogonId": "0x0", - "KeyLength": "128", - "IpAddress": "-", - "ProcessName": "-", - "SubjectDomainName": "-", - "TargetUserName": "vagrant", - "TargetLogonId": "0x29f0f", - "LogonProcessName": "NtLmSsp ", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LmPackageName": "NTLM V2", - "ProcessId": "0x0", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "IpPort": "-", - "ImpersonationLevel": "%%1833", - "TargetDomainName": "VAGRANT-2012-R2", - "LogonType": "3", - "AuthenticationPackageName": "NTLM", - "TransmittedServices": "-" - }, - "record_id": 1553, - 
"keywords": [ - "Audit Success" - ], - "version": 1, - "outcome": "success", - "level": "information", - "channel": "Security", - "event_id": 4624, - "time_created": "2019-03-29T21:10:54.661Z", - "process": { - "pid": 516, - "thread": { - "id": 548 - } - } - }, - "event": { - "kind": "event", - "code": 4624, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - } - }, - { - "@timestamp": "2021-04-15T19:10:09.189Z", - "ecs": { - "version": "1.8.0" - }, - "winlog": { - "event_data": { - "SubjectUserSid": "S-1-0-0", - "TargetUserName": "vagrant", - "TransmittedServices": "-", - "KeyLength": "128", - "ProcessId": "0x0", - "IpPort": "-", - "LogonProcessName": "NtLmSsp ", - "ImpersonationLevel": "%%1833", - "SubjectUserName": "-", - "TargetDomainName": "VAGRANT-2012-R2", - "LogonType": "3", - "AuthenticationPackageName": "NTLM", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "IpAddress": "-", - "SubjectDomainName": "-", - "SubjectLogonId": "0x0", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "TargetLogonId": "0x2a362", - "LmPackageName": "NTLM V2", - "ProcessName": "-" - }, - "computer_name": "vagrant-2012-r2", - "keywords": [ - "Audit Success" - ], - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:55.458Z", - "outcome": "success", - "event_id": 4624, - "record_id": 1556, - "version": 1, - "provider_name": "Microsoft-Windows-Security-Auditing", - "channel": "Security", - "opcode": "Info", - "level": "information", - "process": { - "pid": 516, - "thread": { - "id": 548 - } - } - }, - "event": { - "kind": "event", - "code": 4624, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "host": { - "name": "vagrant-2012-r2" - }, - "agent": { - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50" - } - }, - { - "@timestamp": "2021-04-15T19:10:09.189Z", - "host": { - "name": "vagrant-2012-r2" - }, - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "1.8.0" - }, - "winlog": { - "process": { - "pid": 516, - "thread": { - "id": 808 - } - }, - "computer_name": "vagrant-2012-r2", - "keywords": [ - "Audit Success" - ], - "time_created": "2019-03-29T21:13:17.302Z", - "record_id": 1561, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "event_id": 4624, - "opcode": "Info", - "outcome": "success", - "level": "information", - "event_data": { - "IpPort": "-", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LmPackageName": "NTLM V2", - "IpAddress": "-", - "ImpersonationLevel": "%%1833", - "SubjectUserSid": "S-1-0-0", - "SubjectUserName": "-", - "SubjectDomainName": "-", - "AuthenticationPackageName": "NTLM", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "LogonProcessName": "NtLmSsp ", - "WorkstationName": "127.0.0.1", - "ProcessName": "-", - "LogonType": "3", - "TransmittedServices": "-", - "KeyLength": "128", - "ProcessId": "0x0", - "SubjectLogonId": "0x0", - "TargetUserName": "vagrant", - "TargetDomainName": "VAGRANT-2012-R2", - "TargetLogonId": "0x324f8" - }, - "channel": "Security", - "provider_name": "Microsoft-Windows-Security-Auditing", - "version": 1 - }, - "event": { - "kind": "event", - "code": 4624, - "provider": "Microsoft-Windows-Security-Auditing", - 
"outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - } - }, - { - "@timestamp": "2021-04-15T19:10:09.189Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "vagrant-2012-r2" - }, - "agent": { - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" - }, - "winlog": { - "event_data": { - "SubjectUserSid": "S-1-5-18", - "LogonType": "2", - "TransmittedServices": "-", - "LmPackageName": "-", - "ImpersonationLevel": "%%1833", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectLogonId": "0x3e7", - "LogonProcessName": "Advapi ", - "AuthenticationPackageName": "Negotiate", - "KeyLength": "0", - "IpPort": "-", - "TargetUserSid": "S-1-5-90-2", - "TargetDomainName": "Window Manager", - "TargetLogonId": "0x33444", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "TargetUserName": "DWM-2", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "ProcessId": "0xafc", - "ProcessName": "C:\\Windows\\System32\\winlogon.exe" - }, - "record_id": 1563, - "opcode": "Info", - "version": 1, - "time_created": "2019-03-29T21:13:17.521Z", - "level": "information", - "process": { - "pid": 516, - "thread": { - "id": 548 - } - }, - "event_id": 4624, - "computer_name": "vagrant-2012-r2", - "keywords": [ - "Audit Success" - ], - "outcome": "success", - "channel": "Security", - "provider_name": "Microsoft-Windows-Security-Auditing", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}" - }, - "event": { - "kind": "event", - "code": 4624, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - } - }, - 
{ - "@timestamp": "2021-04-15T19:10:09.189Z", - "event": { - "kind": "event", - "code": 4624, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "agent": { - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "vagrant-2012-r2" - }, - "winlog": { - "provider_name": "Microsoft-Windows-Security-Auditing", - "keywords": [ - "Audit Success" - ], - "time_created": "2019-03-29T21:13:17.614Z", - "level": "information", - "event_data": { - "SubjectLogonId": "0x3e7", - "TargetUserName": "vagrant", - "TargetDomainName": "VAGRANT-2012-R2", - "LmPackageName": "-", - "ProcessName": "C:\\Windows\\System32\\winlogon.exe", - "SubjectDomainName": "WORKGROUP", - "SubjectUserName": "VAGRANT-2012-R2$", - "AuthenticationPackageName": "Negotiate", - "TransmittedServices": "-", - "IpPort": "0", - "ImpersonationLevel": "%%1833", - "SubjectUserSid": "S-1-5-18", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "KeyLength": "0", - "LogonProcessName": "User32 ", - "TargetLogonId": "0x3444f", - "LogonType": "10", - "WorkstationName": "VAGRANT-2012-R2", - "ProcessId": "0xafc", - "IpAddress": "10.0.2.2", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001" - }, - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "version": 1, - "process": { - "pid": 516, - "thread": { - "id": 808 - } - }, - "record_id": 1567, - "outcome": "success", - "event_id": 4624 - } - }, - { - "@timestamp": "2021-04-15T19:10:09.190Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - 
"id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "winlog": { - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "event_data": { - "SubjectDomainName": "WORKGROUP", - "KeyLength": "0", - "ProcessId": "0x88c", - "SubjectUserSid": "S-1-5-18", - "TargetUserName": "DWM-3", - "TargetDomainName": "Window Manager", - "TargetLogonId": "0x357fd", - "LogonType": "2", - "AuthenticationPackageName": "Negotiate", - "TransmittedServices": "-", - "IpPort": "-", - "SubjectLogonId": "0x3e7", - "ImpersonationLevel": "%%1833", - "SubjectUserName": "VAGRANT-2012-R2$", - "TargetUserSid": "S-1-5-90-3", - "LogonProcessName": "Advapi ", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LmPackageName": "-", - "ProcessName": "C:\\Windows\\System32\\winlogon.exe", - "IpAddress": "-" - }, - "channel": "Security", - "provider_name": "Microsoft-Windows-Security-Auditing", - "opcode": "Info", - "process": { - "thread": { - "id": 556 - }, - "pid": 516 - }, - "computer_name": "vagrant-2012-r2", - "keywords": [ - "Audit Success" - ], - "version": 1, - "time_created": "2019-03-29T21:13:18.786Z", - "outcome": "success", - "level": "information", - "event_id": 4624, - "record_id": 1570 - }, - "event": { - "code": 4624, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "kind": "event" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "vagrant-2012-r2" - } - }, - { - "@timestamp": "2021-04-15T19:10:09.190Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "vagrant-2012-r2" - }, - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, 
- "winlog": { - "time_created": "2019-03-29T21:20:48.740Z", - "level": "information", - "computer_name": "vagrant-2012-r2", - "outcome": "success", - "event_data": { - "SubjectDomainName": "WORKGROUP", - "TargetUserSid": "S-1-5-18", - "TargetLogonId": "0x3e7", - "LogonProcessName": "Advapi ", - "IpAddress": "-", - "ImpersonationLevel": "%%1833", - "SubjectUserName": "VAGRANT-2012-R2$", - "LogonType": "5", - "AuthenticationPackageName": "Negotiate", - "SubjectUserSid": "S-1-5-18", - "TargetUserName": "SYSTEM", - "TransmittedServices": "-", - "LmPackageName": "-", - "KeyLength": "0", - "ProcessId": "0x1fc", - "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TargetDomainName": "NT AUTHORITY", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "ProcessName": "C:\\Windows\\System32\\services.exe" - }, - "process": { - "pid": 516, - "thread": { - "id": 1132 - } - }, - "event_id": 4624, - "keywords": [ - "Audit Success" - ], - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 1574, - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "version": 1, - "channel": "Security" - }, - "event": { - "kind": "event", - "code": 4624, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - } - }, - { - "@timestamp": "2021-04-15T19:10:09.190Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "vagrant-2012-r2" - }, - "agent": { - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50" - }, - "winlog": { - "event_id": 4624, - "record_id": 1576, - "computer_name": "vagrant-2012-r2", - "channel": "Security", - "provider_name": "Microsoft-Windows-Security-Auditing", - "level": "information", - 
"event_data": { - "IpAddress": "-", - "TargetUserSid": "S-1-5-18", - "TargetUserName": "SYSTEM", - "KeyLength": "0", - "ProcessId": "0x1fc", - "LogonType": "5", - "ProcessName": "C:\\Windows\\System32\\services.exe", - "IpPort": "-", - "ImpersonationLevel": "%%1833", - "SubjectUserSid": "S-1-5-18", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectDomainName": "WORKGROUP", - "TargetLogonId": "0x3e7", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "TransmittedServices": "-", - "LmPackageName": "-", - "SubjectLogonId": "0x3e7", - "TargetDomainName": "NT AUTHORITY", - "LogonProcessName": "Advapi ", - "AuthenticationPackageName": "Negotiate" - }, - "process": { - "pid": 516, - "thread": { - "id": 1132 - } - }, - "keywords": [ - "Audit Success" - ], - "time_created": "2019-03-29T21:20:48.740Z", - "outcome": "success", - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "version": 1 - }, - "event": { - "code": 4624, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "kind": "event" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - } - }, - { - "@timestamp": "2021-04-15T19:10:09.190Z", - "agent": { - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50" - }, - "winlog": { - "version": 1, - "outcome": "success", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 1578, - "keywords": [ - "Audit Success" - ], - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "level": "information", - "event_data": { - "TargetUserName": "SYSTEM", - "AuthenticationPackageName": "Negotiate", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LmPackageName": "-", - "ProcessId": "0x1fc", - "SubjectUserSid": "S-1-5-18", - 
"SubjectLogonId": "0x3e7", - "LogonType": "5", - "LogonProcessName": "Advapi ", - "IpAddress": "-", - "SubjectUserName": "VAGRANT-2012-R2$", - "TargetUserSid": "S-1-5-18", - "TransmittedServices": "-", - "KeyLength": "0", - "ProcessName": "C:\\Windows\\System32\\services.exe", - "IpPort": "-", - "ImpersonationLevel": "%%1833", - "SubjectDomainName": "WORKGROUP", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x3e7" - }, - "channel": "Security", - "event_id": 4624, - "process": { - "pid": 516, - "thread": { - "id": 504 - } - }, - "computer_name": "vagrant-2012-r2", - "opcode": "Info", - "time_created": "2019-03-29T21:20:50.584Z" - }, - "event": { - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "kind": "event", - "code": 4624 - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "vagrant-2012-r2" - } - }, - { - "@timestamp": "2021-04-15T19:10:09.190Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "vagrant-2012-r2" - }, - "winlog": { - "channel": "Security", - "level": "information", - "process": { - "pid": 516, - "thread": { - "id": 1132 - } - }, - "time_created": "2019-03-29T21:23:42.520Z", - "event_id": 4624, - "keywords": [ - "Audit Success" - ], - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "version": 1, - "event_data": { - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectDomainName": "WORKGROUP", - "TargetUserName": "SYSTEM", - "AuthenticationPackageName": "Negotiate", - "ProcessName": "C:\\Windows\\System32\\services.exe", - "ImpersonationLevel": "%%1833", - "SubjectLogonId": "0x3e7", - "LogonGuid": 
"{00000000-0000-0000-0000-000000000000}", - "LmPackageName": "-", - "KeyLength": "0", - "ProcessId": "0x1fc", - "TargetUserSid": "S-1-5-18", - "IpAddress": "-", - "IpPort": "-", - "TransmittedServices": "-", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x3e7", - "LogonType": "5", - "LogonProcessName": "Advapi " - }, - "record_id": 1581, - "computer_name": "vagrant-2012-r2", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "event": { - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "kind": "event", - "code": 4624 - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - } - }, - { - "@timestamp": "2021-04-15T19:10:09.191Z", - "host": { - "name": "vagrant-2012-r2" - }, - "agent": { - "version": "8.0.0", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat" - }, - "winlog": { - "outcome": "success", - "level": "information", - "event_data": { - "TargetUserName": "SYSTEM", - "LogonProcessName": "Advapi ", - "IpPort": "-", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectLogonId": "0x3e7", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "IpAddress": "-", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x3e7", - "LmPackageName": "-", - "SubjectUserSid": "S-1-5-18", - "TargetUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TransmittedServices": "-", - "KeyLength": "0", - "ProcessId": "0x1fc", - "ProcessName": "C:\\Windows\\System32\\services.exe", - "ImpersonationLevel": "%%1833", - "SubjectDomainName": "WORKGROUP", - "LogonType": "5" - }, - "channel": "Security", - "opcode": "Info", - "computer_name": "vagrant-2012-r2", - "keywords": [ - "Audit Success" - ], - 
"time_created": "2019-03-29T21:26:24.176Z", - "process": { - "pid": 516, - "thread": { - "id": 344 - } - }, - "event_id": 4624, - "provider_name": "Microsoft-Windows-Security-Auditing", - "version": 1, - "record_id": 1583, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}" - }, - "event": { - "kind": "event", - "code": 4624, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - } - }, - { - "@timestamp": "2021-04-15T19:10:09.191Z", - "event": { - "kind": "event", - "code": 4625, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "failure" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "vagrant-2012-r2" - }, - "agent": { - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain" - }, - "winlog": { - "event_id": 4625, - "computer_name": "vagrant-2012-r2", - "opcode": "Info", - "time_created": "2019-03-29T21:45:35.177Z", - "event_data": { - "SubjectDomainName": "VAGRANT-2012-R2", - "TargetUserSid": "S-1-0-0", - "TargetDomainName": "VAGRANT-2012-R2", - "FailureReason": "%%2313", - "ProcessId": "0x344", - "IpAddress": "::1", - "TargetUserName": "bosch", - "AuthenticationPackageName": "Negotiate", - "WorkstationName": "VAGRANT-2012-R2", - "LmPackageName": "-", - "SubStatus": "0xc0000064", - "LogonProcessName": "seclogo", - "TransmittedServices": "-", - "KeyLength": "0", - "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "SubjectUserName": "vagrant", - "SubjectLogonId": "0x1008e", 
- "Status": "0xc000006d",
- "LogonType": "2",
- "ProcessName": "C:\\Windows\\System32\\svchost.exe",
- "IpPort": "0"
- },
- "channel": "Security",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": 1585,
- "keywords": [
- "Audit Failure"
- ],
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "outcome": "failure",
- "level": "information",
- "process": {
- "thread": {
- "id": 2756
- },
- "pid": 516
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
deleted file mode 100644
index 2dc52b95f..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
+++ /dev/null
@@ -1,1769 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-03-29T21:10:39.786Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "0", - "LmPackageName": "-", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "Advapi ", - "LogonType": "5", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x3e7", - "TargetUserName": "SYSTEM", - "TargetUserSid": "S-1-5-18", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7", - "type": "Service" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 536 - } - }, - "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1535", - "time_created": "2019-03-29T21:10:39.786Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:10:40.255Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "0", - "LmPackageName": "-", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "Advapi ", - "LogonType": "5", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x3e7", - "TargetUserName": "SYSTEM", - "TargetUserSid": "S-1-5-18", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7", - "type": "Service" - }, - 
"opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1538", - "time_created": "2019-03-29T21:10:40.255Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:10:40.380Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\winlogon.exe", - "name": "winlogon.exe", - "pid": 448 - }, - "related": { - "ip": [ - "127.0.0.1" - ], - "user": [ - "vagrant", - "VAGRANT-2012-R2$" - ] - }, - "source": { - "domain": "VAGRANT-2012-R2", - "ip": "127.0.0.1", - "port": 0 - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "name": "vagrant" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", - "KeyLength": "0", - "LmPackageName": "-", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "User32 ", - "LogonType": "2", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "VAGRANT-2012-R2", - "TargetLogonId": 
"0x1008e", - "TargetUserName": "vagrant", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7", - "type": "Interactive" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1542", - "time_created": "2019-03-29T21:10:40.380Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:10:40.505Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "0", - "LmPackageName": "-", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "Advapi ", - "LogonType": "5", - "SubjectDomainName": 
"WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x3e7", - "TargetUserName": "SYSTEM", - "TargetUserSid": "S-1-5-18", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7", - "type": "Service" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1545", - "time_created": "2019-03-29T21:10:40.505Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:10:40.630Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "-", - "name": "-", - "pid": 0 - }, - "related": { - "user": [ - "ANONYMOUS LOGON" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-7", - "name": "ANONYMOUS LOGON" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "0", - "LmPackageName": "NTLM V1", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - 
"LogonProcessName": "NtLmSsp ", - "LogonType": "3", - "SubjectDomainName": "-", - "SubjectLogonId": "0x0", - "SubjectUserName": "-", - "SubjectUserSid": "S-1-0-0", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x129f1", - "TargetUserName": "ANONYMOUS LOGON", - "TargetUserSid": "S-1-5-7", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x0", - "type": "Network" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1547", - "time_created": "2019-03-29T21:10:40.630Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:10:53.661Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "-", - "name": "-", - "pid": 0 - }, - "related": { - "user": [ - "vagrant" - ] - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "name": "vagrant" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "128", - 
"LmPackageName": "NTLM V2", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "NtLmSsp ", - "LogonType": "3", - "SubjectDomainName": "-", - "SubjectLogonId": "0x0", - "SubjectUserName": "-", - "SubjectUserSid": "S-1-0-0", - "TargetDomainName": "VAGRANT-2012-R2", - "TargetLogonId": "0x28d31", - "TargetUserName": "vagrant", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x0", - "type": "Network" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1550", - "time_created": "2019-03-29T21:10:53.661Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:10:54.661Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "-", - "name": "-", - "pid": 0 - }, - "related": { - "user": [ - "vagrant" - ] - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "name": "vagrant" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - 
"AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "128", - "LmPackageName": "NTLM V2", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "NtLmSsp ", - "LogonType": "3", - "SubjectDomainName": "-", - "SubjectLogonId": "0x0", - "SubjectUserName": "-", - "SubjectUserSid": "S-1-0-0", - "TargetDomainName": "VAGRANT-2012-R2", - "TargetLogonId": "0x29f0f", - "TargetUserName": "vagrant", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x0", - "type": "Network" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 548 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1553", - "time_created": "2019-03-29T21:10:54.661Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:10:55.458Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "-", - "name": "-", - "pid": 0 - }, - "related": { - "user": [ - "vagrant" - ] - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", - 
"name": "vagrant" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "128", - "LmPackageName": "NTLM V2", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "NtLmSsp ", - "LogonType": "3", - "SubjectDomainName": "-", - "SubjectLogonId": "0x0", - "SubjectUserName": "-", - "SubjectUserSid": "S-1-0-0", - "TargetDomainName": "VAGRANT-2012-R2", - "TargetLogonId": "0x2a362", - "TargetUserName": "vagrant", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x0", - "type": "Network" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 548 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1556", - "time_created": "2019-03-29T21:10:55.458Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:13:17.302Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "-", - "name": "-", - "pid": 0 - }, - "related": { - "user": [ - 
"vagrant" - ] - }, - "source": { - "domain": "127.0.0.1" - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "name": "vagrant" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "128", - "LmPackageName": "NTLM V2", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "NtLmSsp ", - "LogonType": "3", - "SubjectDomainName": "-", - "SubjectLogonId": "0x0", - "SubjectUserName": "-", - "SubjectUserSid": "S-1-0-0", - "TargetDomainName": "VAGRANT-2012-R2", - "TargetLogonId": "0x324f8", - "TargetUserName": "vagrant", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x0", - "type": "Network" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 808 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1561", - "time_created": "2019-03-29T21:13:17.302Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:13:17.521Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\winlogon.exe", - "name": "winlogon.exe", - "pid": 2812 - }, - "related": { - "user": [ - "DWM-2", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "Window Manager", - "id": "S-1-5-90-2", - "name": "DWM-2" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "0", - "LmPackageName": "-", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "Advapi ", - "LogonType": "2", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "Window Manager", - "TargetLogonId": "0x33444", - "TargetUserName": "DWM-2", - "TargetUserSid": "S-1-5-90-2", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7", - "type": "Interactive" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 548 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1563", - "time_created": "2019-03-29T21:13:17.521Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:13:17.614Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": 
"Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\winlogon.exe", - "name": "winlogon.exe", - "pid": 2812 - }, - "related": { - "ip": [ - "10.0.2.2" - ], - "user": [ - "vagrant", - "VAGRANT-2012-R2$" - ] - }, - "source": { - "domain": "VAGRANT-2012-R2", - "ip": "10.0.2.2", - "port": 0 - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "name": "vagrant" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", - "KeyLength": "0", - "LmPackageName": "-", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "User32 ", - "LogonType": "10", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "VAGRANT-2012-R2", - "TargetLogonId": "0x3444f", - "TargetUserName": "vagrant", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7", - "type": "RemoteInteractive" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 808 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1567", - "time_created": "2019-03-29T21:13:17.614Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:13:18.786Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": 
"3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\winlogon.exe", - "name": "winlogon.exe", - "pid": 2188 - }, - "related": { - "user": [ - "DWM-3", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "Window Manager", - "id": "S-1-5-90-3", - "name": "DWM-3" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "0", - "LmPackageName": "-", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "Advapi ", - "LogonType": "2", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "Window Manager", - "TargetLogonId": "0x357fd", - "TargetUserName": "DWM-3", - "TargetUserSid": "S-1-5-90-3", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7", - "type": "Interactive" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1570", - "time_created": "2019-03-29T21:13:18.786Z", - "version": 1 
- } - }, - { - "@timestamp": "2019-03-29T21:20:48.740Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "0", - "LmPackageName": "-", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "Advapi ", - "LogonType": "5", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x3e7", - "TargetUserName": "SYSTEM", - "TargetUserSid": "S-1-5-18", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7", - "type": "Service" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 1132 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - 
"provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1574", - "time_created": "2019-03-29T21:20:48.740Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:20:48.740Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "0", - "LmPackageName": "-", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "Advapi ", - "LogonType": "5", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x3e7", - "TargetUserName": "SYSTEM", - "TargetUserSid": "S-1-5-18", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7", - "type": "Service" - }, - "opcode": "Info", - "outcome": "success", - 
"process": { - "pid": 516, - "thread": { - "id": 1132 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1576", - "time_created": "2019-03-29T21:20:48.740Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:20:50.584Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "0", - "LmPackageName": "-", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "Advapi ", - "LogonType": "5", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x3e7", - "TargetUserName": "SYSTEM", - "TargetUserSid": "S-1-5-18", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - 
"level": "information", - "logon": { - "id": "0x3e7", - "type": "Service" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 504 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1578", - "time_created": "2019-03-29T21:20:50.584Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:23:42.520Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "0", - "LmPackageName": "-", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "Advapi ", - "LogonType": "5", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x3e7", - "TargetUserName": "SYSTEM", - 
"TargetUserSid": "S-1-5-18", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7", - "type": "Service" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 1132 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1581", - "time_created": "2019-03-29T21:23:42.520Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:26:24.176Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logged-in", - "category": [ - "authentication" - ], - "code": "4624", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "0", - "LmPackageName": "-", - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonProcessName": "Advapi ", - "LogonType": "5", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - 
"SubjectUserSid": "S-1-5-18", - "TargetDomainName": "NT AUTHORITY", - "TargetLogonId": "0x3e7", - "TargetUserName": "SYSTEM", - "TargetUserSid": "S-1-5-18", - "TransmittedServices": "-" - }, - "event_id": "4624", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7", - "type": "Service" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 516, - "thread": { - "id": 344 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1583", - "time_created": "2019-03-29T21:26:24.176Z", - "version": 1 - } - }, - { - "@timestamp": "2019-03-29T21:45:35.177Z", - "agent": { - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "logon-failed", - "category": [ - "authentication" - ], - "code": "4625", - "kind": "event", - "outcome": "failure", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - }, - "level": "information" - }, - "process": { - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 836 - }, - "related": { - "ip": [ - "::1" - ], - "user": [ - "bosch" - ] - }, - "source": { - "domain": "VAGRANT-2012-R2", - "ip": "::1", - "port": 0 - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-0-0", - "name": "bosch" - }, - "winlog": { - "channel": "Security", - "computer_name": "vagrant-2012-r2", - "event_data": { - "AuthenticationPackageName": "Negotiate", - "FailureReason": "%%2313", - "KeyLength": "0", - "LmPackageName": "-", - "LogonProcessName": "seclogo", - "LogonType": "2", - 
"Status": "0xc000006d", - "SubStatus": "0xc0000064", - "SubjectDomainName": "VAGRANT-2012-R2", - "SubjectLogonId": "0x1008e", - "SubjectUserName": "vagrant", - "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "TargetDomainName": "VAGRANT-2012-R2", - "TargetUserName": "bosch", - "TargetUserSid": "S-1-0-0", - "TransmittedServices": "-" - }, - "event_id": "4625", - "keywords": [ - "Audit Failure" - ], - "level": "information", - "logon": { - "failure": { - "reason": "Unknown user name or bad password.", - "status": "This is either due to a bad username or authentication information", - "sub_status": "User logon with misspelled or bad user account" - }, - "id": "0x1008e", - "type": "Interactive" - }, - "opcode": "Info", - "outcome": "failure", - "process": { - "pid": 516, - "thread": { - "id": 2756 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "1585", - "time_created": "2019-03-29T21:45:35.177Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json deleted file mode 100644 index 290dd41ef..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json +++ /dev/null 
@@ -1,65 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:06:38.787Z",
- "agent": {
- "version": "8.0.0",
- "ephemeral_id": "a6c7bf33-4c58-473a-b21e-ff14cfa0876c",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat"
- },
- "ecs": {
- "version": "1.8.0"
- },
- "winlog": {
- "time_created": "2019-10-22T11:26:12.495Z",
- "channel": "Security",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": 4105,
- "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "event_data": {
- "SubjectDomainName": "WLBEAT",
- "SidHistory": "-",
- "TargetUserName": "DnsUpdateProxy",
- "TargetDomainName": "WLBEAT",
- "SubjectUserSid": "S-1-5-18",
- "SubjectUserName": "WIN-41OB2LO92CR$",
- "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1110",
- "SubjectLogonId": "0x27438",
- "PrivilegeList": "-",
- "SamAccountName": "DnsUpdateProxy"
- },
- "process": {
- "pid": 772,
- "thread": {
- "id": 1664
- }
- },
- "event_id": 4727,
- "keywords": [
- "Audit Success"
- ],
- "opcode": "Info",
- "outcome": "success",
- "level": "information"
- },
- "event": {
- "kind": "event",
- "code": 4727,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.xml"
- },
- "level": "information"
- },
- "host": {
- "name": "WIN-41OB2LO92CR.wlbeat.local"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
deleted file mode 100644
index 2f4c95483..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
+++ /dev/null
@@ -1,91 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:26:12.495Z", - "agent": { - "ephemeral_id": "a6c7bf33-4c58-473a-b21e-ff14cfa0876c", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "added-group-account", - "category": [ - "iam" - ], - "code": "4727", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "creation" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1110", - "name": "DnsUpdateProxy" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "WIN-41OB2LO92CR$" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-18", - "name": "WIN-41OB2LO92CR$" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "PrivilegeList": "-", - "SamAccountName": "DnsUpdateProxy", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x27438", - "SubjectUserName": "WIN-41OB2LO92CR$", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1110", - "TargetUserName": "DnsUpdateProxy" - }, - "event_id": "4727", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x27438" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4105", - "time_created": "2019-10-22T11:26:12.495Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json
deleted file mode 100644
index f229c7297..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json
+++ /dev/null
@@ -1,65 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:05:33.475Z",
- "winlog": {
- "channel": "Security",
- "event_id": 4728,
- "keywords": [
- "Audit Success"
- ],
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "level": "information",
- "event_data": {
- "TargetUserName": "test_group2",
- "TargetDomainName": "WLBEAT",
- "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
- "SubjectUserName": "Administrator",
- "SubjectLogonId": "0x4a727",
- "PrivilegeList": "-",
- "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
- "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
- "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
- "SubjectDomainName": "WLBEAT"
- },
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": 4657,
- "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
- "opcode": "Info",
- "time_created": "2019-10-22T11:33:26.861Z",
- "outcome": "success",
- "process": {
- "pid": 772,
- "thread": {
- "id": 1664
- }
- }
- },
- "event": {
- "kind": "event",
- "code": 4728,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.xml"
- },
- "level": "information"
- },
- "ecs": {
- "version": "1.8.0"
- },
- "host": {
- "name": "WIN-41OB2LO92CR.wlbeat.local"
- },
- "agent": {
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0",
- "ephemeral_id": "20391a81-820a-4b74-9022-d7e336c7a6a5"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
deleted file mode 100644
index 5dd8b6c92..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:33:26.861Z", - "agent": { - "ephemeral_id": "20391a81-820a-4b74-9022-d7e336c7a6a5", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "added-member-to-group", - "category": [ - "iam" - ], - "code": "4728", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112", - "name": "test_group2" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "local", - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112", - "name": "test_group2" - }, - "name": "Administrator" - } - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "PrivilegeList": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "TargetUserName": "test_group2" - }, - "event_id": "4728", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - "outcome": 
"success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4657", - "time_created": "2019-10-22T11:33:26.861Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json deleted file mode 100644 index b099bec10..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json +++ /dev/null 
@@ -1,65 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:05:38.499Z",
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.xml"
- },
- "level": "information"
- },
- "host": {
- "name": "WIN-41OB2LO92CR.wlbeat.local"
- },
- "agent": {
- "ephemeral_id": "7634b57b-f6ad-4530-9332-efe87a928e1e",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "1.8.0"
- },
- "winlog": {
- "channel": "Security",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": 4665,
- "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
- "opcode": "Info",
- "time_created": "2019-10-22T11:33:45.543Z",
- "outcome": "success",
- "event_id": 4729,
- "keywords": [
- "Audit Success"
- ],
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "level": "information",
- "event_data": {
- "SubjectUserName": "Administrator",
- "SubjectDomainName": "WLBEAT",
- "SubjectLogonId": "0x4a727",
- "PrivilegeList": "-",
- "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
- "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
- "TargetUserName": "test_group2v2",
- "TargetDomainName": "WLBEAT",
- "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
- "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500"
- },
- "process": {
- "thread": {
- "id": 1664
- },
- "pid": 772
- }
- },
- "event": {
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success",
- "kind": "event",
- "code": 4729
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
deleted file mode 100644
index 776df6ccd..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:33:45.543Z", - "agent": { - "ephemeral_id": "7634b57b-f6ad-4530-9332-efe87a928e1e", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "removed-member-from-group", - "category": [ - "iam" - ], - "code": "4729", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112", - "name": "test_group2v2" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "local", - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112", - "name": "test_group2v2" - }, - "name": "Administrator" - } - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "PrivilegeList": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "TargetUserName": "test_group2v2" - }, - "event_id": "4729", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - 
"outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4665", - "time_created": "2019-10-22T11:33:45.543Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json deleted file mode 100644 index 96d467893..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json +++ /dev/null 
@@ -1,63 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:05:48.555Z",
- "winlog": {
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2019-10-22T11:34:01.610Z",
- "level": "information",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "record_id": 4670,
- "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
- "keywords": [
- "Audit Success"
- ],
- "opcode": "Info",
- "event_data": {
- "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
- "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
- "SubjectUserName": "Administrator",
- "SubjectDomainName": "WLBEAT",
- "SubjectLogonId": "0x4a727",
- "PrivilegeList": "-",
- "TargetUserName": "test_group2v2",
- "TargetDomainName": "WLBEAT"
- },
- "channel": "Security",
- "event_id": 4730,
- "outcome": "success",
- "process": {
- "pid": 772,
- "thread": {
- "id": 1664
- }
- }
- },
- "event": {
- "kind": "event",
- "code": 4730,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.xml"
- }
- },
- "ecs": {
- "version": "1.8.0"
- },
- "host": {
- "name": "WIN-41OB2LO92CR.wlbeat.local"
- },
- "agent": {
- "type": "filebeat",
- "version": "8.0.0",
- "ephemeral_id": "b88ce36d-4f81-470b-8142-61f8152521db",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
- "name": "Lees-MBP.localdomain"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json
deleted file mode 100644
index 108a37ed1..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json
+++ /dev/null
@@ -1,89 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:34:01.610Z", - "agent": { - "ephemeral_id": "b88ce36d-4f81-470b-8142-61f8152521db", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "deleted-group-account", - "category": [ - "iam" - ], - "code": "4730", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "deletion" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112", - "name": "test_group2v2" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "PrivilegeList": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "TargetUserName": "test_group2v2" - }, - "event_id": "4730", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4670", - "time_created": "2019-10-22T11:34:01.610Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json
deleted file mode 100644
index 27001f880..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json
+++ /dev/null
@@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:06:18.693Z", - "agent": { - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "e2d64d83-2a92-4e42-be65-f582b54806c0", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "winlog": { - "channel": "Security", - "event_id": 4731, - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 4569, - "level": "information", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:29:49.358Z", - "outcome": "success", - "event_data": { - "SubjectUserName": "Administrator", - "PrivilegeList": "-", - "TargetUserName": "test_group1", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "SamAccountName": "test_group1", - "SidHistory": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727" - } - }, - "event": { - "kind": "event", - "code": 4731, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.xml" - }, - "level": "information" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json deleted file mode 100644 index 25ee03f04..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
+++ /dev/null
@@ -1,91 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:29:49.358Z", - "agent": { - "ephemeral_id": "e2d64d83-2a92-4e42-be65-f582b54806c0", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "added-group-account", - "category": [ - "iam" - ], - "code": "4731", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "creation" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111", - "name": "test_group1" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "PrivilegeList": "-", - "SamAccountName": "test_group1", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "TargetUserName": "test_group1" - }, - "event_id": "4731", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4569", - "time_created": "2019-10-22T11:29:49.358Z" 
- } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json deleted file mode 100644 index fc88e96d1..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:06:58.824Z", - "agent": { - "version": "8.0.0", - "ephemeral_id": "55e8e30a-98a5-48de-86a3-772d01e6cb34", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "winlog": { - "event_data": { - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectUserName": "Administrator", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "PrivilegeList": "-", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetUserName": "test_group1" - }, - "process": { - "thread": { - "id": 1664 - }, - "pid": 772 - }, - "event_id": 4732, - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "level": "information", - "outcome": "success", - "channel": "Security", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 4625, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:31:58.039Z" - }, - "event": { - "kind": "event", - "code": 4732, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.xml" - }, - "level": "information" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json deleted file mode 100644 index 98874d39a..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:31:58.039Z", - "agent": { - "ephemeral_id": "55e8e30a-98a5-48de-86a3-772d01e6cb34", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "added-member-to-group", - "category": [ - "iam" - ], - "code": "4732", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111", - "name": "test_group1" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "local", - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111", - "name": "test_group1" - }, - "name": "Administrator" - } - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "PrivilegeList": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "TargetUserName": "test_group1" - }, - "event_id": "4732", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - "outcome": 
"success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4625", - "time_created": "2019-10-22T11:31:58.039Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json deleted file mode 100644 index 56153d7f5..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:06:43.790Z", - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.xml" - }, - "level": "information" - }, - "agent": { - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "f4bfea9b-4505-4540-a5d6-ff3d901ddab0", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "winlog": { - "event_data": { - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "PrivilegeList": "-", - "TargetUserName": "test_group1", - "TargetDomainName": "WLBEAT", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectUserName": "Administrator", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727" - }, - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "outcome": "success", - "level": "information", - "record_id": 4627, - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:32:14.894Z", - "channel": "Security", - "event_id": 4733, - "provider_name": "Microsoft-Windows-Security-Auditing" - }, - "event": { - "code": 4733, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "kind": "event" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json deleted file mode 100644 index 68b986619..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:32:14.894Z", - "agent": { - "ephemeral_id": "f4bfea9b-4505-4540-a5d6-ff3d901ddab0", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "removed-member-from-group", - "category": [ - "iam" - ], - "code": "4733", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111", - "name": "test_group1" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "local", - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111", - "name": "test_group1" - }, - "name": "Administrator" - } - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "PrivilegeList": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "TargetUserName": "test_group1" - }, - "event_id": "4733", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - "outcome": 
"success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4627", - "time_created": "2019-10-22T11:32:14.894Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json deleted file mode 100644 index e5c993a12..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json +++ /dev/null 
@@ -1,63 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:07:48.945Z", - "ecs": { - "version": "1.8.0" - }, - "winlog": { - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 4630, - "keywords": [ - "Audit Success" - ], - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "level": "information", - "event_id": 4734, - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "opcode": "Info", - "time_created": "2019-10-22T11:32:35.127Z", - "outcome": "success", - "event_data": { - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectUserName": "Administrator", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "PrivilegeList": "-", - "TargetUserName": "test_group1v1", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111" - }, - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "channel": "Security" - }, - "event": { - "outcome": "success", - "kind": "event", - "code": 4734, - "provider": "Microsoft-Windows-Security-Auditing" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.xml" - }, - "level": "information" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "agent": { - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "932fe4f8-6220-47bc-8713-250d259a8d06", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json deleted file mode 100644 index f4b6a57e4..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:32:35.127Z", - "agent": { - "ephemeral_id": "932fe4f8-6220-47bc-8713-250d259a8d06", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "deleted-group-account", - "category": [ - "iam" - ], - "code": "4734", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "deletion" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111", - "name": "test_group1v1" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "PrivilegeList": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "TargetUserName": "test_group1v1" - }, - "event_id": "4734", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4630", - "time_created": "2019-10-22T11:32:35.127Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json
deleted file mode 100644
index 9acf41ce4..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json
+++ /dev/null
@@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:07:28.919Z", - "agent": { - "version": "8.0.0", - "ephemeral_id": "302d5f9e-c923-4bd9-8747-1fe456a97546", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "event_data": { - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectLogonId": "0x4a727", - "PrivilegeList": "-", - "SidHistory": "-", - "TargetUserName": "test_group1v1", - "TargetDomainName": "WLBEAT", - "SubjectUserName": "Administrator", - "SubjectDomainName": "WLBEAT", - "SamAccountName": "test_group1v1" - }, - "level": "information", - "channel": "Security", - "event_id": 4735, - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 4628, - "keywords": [ - "Audit Success" - ], - "time_created": "2019-10-22T11:32:30.425Z", - "outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - } - }, - "event": { - "kind": "event", - "code": 4735, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.xml" - }, - "level": "information" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json deleted file mode 100644 index d0bb16cb4..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json
+++ /dev/null
@@ -1,91 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:32:30.425Z", - "agent": { - "ephemeral_id": "302d5f9e-c923-4bd9-8747-1fe456a97546", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "modified-group-account", - "category": [ - "iam" - ], - "code": "4735", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111", - "name": "test_group1v1" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "PrivilegeList": "-", - "SamAccountName": "test_group1v1", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "TargetUserName": "test_group1v1" - }, - "event_id": "4735", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4628", - "time_created": 
"2019-10-22T11:32:30.425Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json deleted file mode 100644 index ab0a42cce..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:07:18.907Z", - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "agent": { - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "751eaf5d-fe35-4c8f-9712-3ad2a1fbccc4", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain" - }, - "winlog": { - "event_id": 4737, - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 4668, - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "level": "information", - "channel": "Security", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "event_data": { - "TargetUserName": "test_group2v2", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SamAccountName": "-", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "SubjectUserName": "Administrator", - "PrivilegeList": "-", - "SidHistory": "-" - }, - "time_created": "2019-10-22T11:33:57.271Z", - "outcome": "success", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}" - }, - "event": { - "kind": "event", - "code": 4737, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.xml" - } - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json deleted file mode 100644 index 8ed0e2acb..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json
+++ /dev/null
@@ -1,91 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:33:57.271Z", - "agent": { - "ephemeral_id": "751eaf5d-fe35-4c8f-9712-3ad2a1fbccc4", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "modified-group-account", - "category": [ - "iam" - ], - "code": "4737", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112", - "name": "test_group2v2" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "PrivilegeList": "-", - "SamAccountName": "-", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "TargetUserName": "test_group2v2" - }, - "event_id": "4737", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4668", - "time_created": "2019-10-22T11:33:57.271Z" - } - 
} - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json deleted file mode 100644 index 242cf8851..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:09:34.141Z", - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "agent": { - "version": "8.0.0", - "ephemeral_id": "fea32ff4-794a-4eb4-bd70-9683cab0491a", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat" - }, - "ecs": { - "version": "1.8.0" - }, - "winlog": { - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "channel": "Security", - "event_id": 4754, - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 4676, - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "outcome": "success", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:34:33.783Z", - "level": "information", - "event_data": { - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "SubjectUserName": "Administrator", - "SamAccountName": "Test_group3", - "SubjectLogonId": "0x4a727", - "PrivilegeList": "-", - "SidHistory": "-", - "TargetUserName": "Test_group3", - "TargetDomainName": "WLBEAT", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectDomainName": "WLBEAT" - } - }, - "event": { - "kind": "event", - "code": 4754, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.xml" - }, - "level": "information" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json deleted file mode 100644 index 4ef6c222c..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
+++ /dev/null
@@ -1,91 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:34:33.783Z", - "agent": { - "ephemeral_id": "fea32ff4-794a-4eb4-bd70-9683cab0491a", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "added-group-account", - "category": [ - "iam" - ], - "code": "4754", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "creation" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113", - "name": "Test_group3" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "PrivilegeList": "-", - "SamAccountName": "Test_group3", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "TargetUserName": "Test_group3" - }, - "event_id": "4754", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4676", - "time_created": "2019-10-22T11:34:33.783Z" 
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json
deleted file mode 100644
index 1f6fe5a1f..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json
+++ /dev/null
@@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:09:24.116Z", - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "agent": { - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "bf0291c9-a8c8-4380-8767-3edd8e19e7e0" - }, - "winlog": { - "outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "channel": "Security", - "record_id": 4685, - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:35:09.070Z", - "event_id": 4755, - "provider_name": "Microsoft-Windows-Security-Auditing", - "keywords": [ - "Audit Success" - ], - "level": "information", - "event_data": { - "SubjectLogonId": "0x4a727", - "PrivilegeList": "-", - "SamAccountName": "-", - "SidHistory": "-", - "TargetUserName": "Test_group3v2", - "TargetDomainName": "WLBEAT", - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectDomainName": "WLBEAT" - } - }, - "event": { - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "kind": "event", - "code": 4755 - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json deleted file mode 100644 index 21356aea0..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json
+++ /dev/null
@@ -1,91 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:35:09.070Z", - "agent": { - "ephemeral_id": "bf0291c9-a8c8-4380-8767-3edd8e19e7e0", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "modified-group-account", - "category": [ - "iam" - ], - "code": "4755", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113", - "name": "Test_group3v2" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "PrivilegeList": "-", - "SamAccountName": "-", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "TargetUserName": "Test_group3v2" - }, - "event_id": "4755", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4685", - "time_created": "2019-10-22T11:35:09.070Z" - } - 
} - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json deleted file mode 100644 index df6ad1b6a..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:09:44.157Z", - "event": { - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "kind": "event", - "code": 4756 - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "agent": { - "ephemeral_id": "bb4b02fe-1669-4fc2-9334-59658aa314bd", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "winlog": { - "record_id": 4684, - "keywords": [ - "Audit Success" - ], - "level": "information", - "event_data": { - "TargetDomainName": "WLBEAT", - "SubjectDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectUserName": "Administrator", - "SubjectLogonId": "0x4a727", - "PrivilegeList": "-", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetUserName": "Test_group3v2" - }, - "channel": "Security", - "event_id": 4756, - "provider_name": "Microsoft-Windows-Security-Auditing", - "time_created": "2019-10-22T11:34:58.413Z", - "outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json deleted file mode 100644 index 4bf17583b..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:34:58.413Z", - "agent": { - "ephemeral_id": "bb4b02fe-1669-4fc2-9334-59658aa314bd", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "added-member-to-group", - "category": [ - "iam" - ], - "code": "4756", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113", - "name": "Test_group3v2" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "local", - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113", - "name": "Test_group3v2" - }, - "name": "Administrator" - } - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "PrivilegeList": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "TargetUserName": "Test_group3v2" - }, - "event_id": "4756", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - 
"outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4684", - "time_created": "2019-10-22T11:34:58.413Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json deleted file mode 100644 index 7984036f3..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:10:19.245Z", - "winlog": { - "event_data": { - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectUserName": "Administrator", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "PrivilegeList": "-", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetUserName": "Test_group3v2" - }, - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "channel": "Security", - "event_id": 4757, - "provider_name": "Microsoft-Windows-Security-Auditing", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "keywords": [ - "Audit Success" - ], - "time_created": "2019-10-22T11:35:09.070Z", - "record_id": 4686, - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "outcome": "success", - "level": "information" - }, - "event": { - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success", - "kind": "event", - "code": 4757 - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "agent": { - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "108404d6-5e5a-4fc8-af1c-882b4a9e776a", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json deleted file mode 100644 index 6ecfc0c43..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:35:09.070Z", - "agent": { - "ephemeral_id": "108404d6-5e5a-4fc8-af1c-882b4a9e776a", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "removed-member-from-group", - "category": [ - "iam" - ], - "code": "4757", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113", - "name": "Test_group3v2" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "local", - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113", - "name": "Test_group3v2" - }, - "name": "Administrator" - } - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "PrivilegeList": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "TargetUserName": "Test_group3v2" - }, - "event_id": "4757", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - 
"outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4686", - "time_created": "2019-10-22T11:35:09.070Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json deleted file mode 100644 index b2f8b0809..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json +++ /dev/null 
@@ -1,63 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:03:42.861Z", - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "agent": { - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "a8b7cf01-1874-48ac-9ba5-359576812e03", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17" - }, - "ecs": { - "version": "1.8.0" - }, - "winlog": { - "event_data": { - "SubjectUserName": "Administrator", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "PrivilegeList": "-", - "TargetUserName": "Test_group3v2", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "record_id": 4687, - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "opcode": "Info", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "outcome": "success", - "level": "information", - "channel": "Security", - "event_id": 4758, - "provider_name": "Microsoft-Windows-Security-Auditing", - "keywords": [ - "Audit Success" - ], - "time_created": "2019-10-22T11:35:13.550Z" - }, - "event": { - "kind": "event", - "code": 4758, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.xml" - }, - "level": "information" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json deleted file mode 100644 index 54e7ff49a..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:35:13.550Z", - "agent": { - "ephemeral_id": "a8b7cf01-1874-48ac-9ba5-359576812e03", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "deleted-group-account", - "category": [ - "iam" - ], - "code": "4758", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "deletion" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113", - "name": "Test_group3v2" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "PrivilegeList": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "TargetUserName": "Test_group3v2" - }, - "event_id": "4758", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "4687", - "time_created": "2019-10-22T11:35:13.550Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json
deleted file mode 100644
index cc968e389..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json
+++ /dev/null
@@ -1,64 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:03:37.772Z", - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "agent": { - "ephemeral_id": "5d24bfd7-c07c-4458-8a1d-8742d5cb6166", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "winlog": { - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "channel": "Security", - "record_id": 4669, - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "time_created": "2019-10-22T11:33:57.271Z", - "outcome": "success", - "level": "information", - "event_data": { - "GroupTypeChange": "Security Enabled Universal Group Changed to Security Enabled Global Group.", - "TargetDomainName": "WLBEAT", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectUserName": "Administrator", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group2v2", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "SubjectDomainName": "WLBEAT", - "PrivilegeList": "-" - }, - "event_id": 4764, - "provider_name": "Microsoft-Windows-Security-Auditing", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "event": { - "kind": "event", - "code": 4764, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.xml" - }, - "level": "information" - }, - "ecs": { - "version": "1.8.0" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json deleted file mode 100644 index b9536acbb..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json
+++ /dev/null
@@ -1,90 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-22T11:33:57.271Z", - "agent": { - "ephemeral_id": "5d24bfd7-c07c-4458-8a1d-8742d5cb6166", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "type-changed-group-account", - "category": [ - "iam" - ], - "code": "4764", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112", - "name": "test_group2v2" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, - "winlog": { - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "event_data": { - "GroupTypeChange": "Security Enabled Universal Group Changed to Security Enabled Global Group.", - "PrivilegeList": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "SubjectUserName": "Administrator", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetDomainName": "WLBEAT", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "TargetUserName": "test_group2v2" - }, - "event_id": "4764", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 
"4669", - "time_created": "2019-10-22T11:33:57.271Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json deleted file mode 100644 index 20bdbb24c..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2021-04-15T19:03:17.623Z", - "event": { - "kind": "event", - "code": 4798, - "provider": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.xml" - }, - "level": "information" - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, - "agent": { - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0", - "ephemeral_id": "d7c725da-6710-4bcf-b920-15c37a8b1d86" - }, - "ecs": { - "version": "1.8.0" - }, - "winlog": { - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": 2996, - "computer_name": "WIN-41OB2LO92CR", - "outcome": "success", - "channel": "Security", - "level": "information", - "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", - "event_id": 4798, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "process": { - "pid": 780, - "thread": { - "id": 1740 - } - }, - "keywords": [ - "Audit Success" - ], - "opcode": "Info", - "time_created": "2019-10-08T10:20:34.053Z", - "event_data": { - "SubjectUserSid": "S-1-5-18", - "SubjectLogonId": "0x3e7", - "TargetUserName": "elastictest1", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectDomainName": "WORKGROUP", - "CallerProcessId": "0x3f0", - "CallerProcessName": "C:\\Windows\\System32\\LogonUI.exe", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", - "SubjectUserName": "WIN-41OB2LO92CR$" - } - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json deleted file mode 100644 index 241bd74fe..000000000 
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
+++ /dev/null
@@ -1,92 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-08T10:20:34.053Z", - "agent": { - "ephemeral_id": "d7c725da-6710-4bcf-b920-15c37a8b1d86", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "group-membership-enumerated", - "category": [ - "iam" - ], - "code": "4798", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "WIN-41OB2LO92CR$", - "elastictest1" - ] - }, - "user": { - "domain": "WORKGROUP", - "id": "S-1-5-18", - "name": "WIN-41OB2LO92CR$", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1005", - "name": "elastictest1" - } - }, - "winlog": { - "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR", - "event_data": { - "CallerProcessId": "0x3f0", - "CallerProcessName": "C:\\Windows\\System32\\LogonUI.exe", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "WIN-41OB2LO92CR$", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "WIN-41OB2LO92CR", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", - "TargetUserName": "elastictest1" - }, - "event_id": "4798", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 780, - "thread": { - "id": 1740 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "2996", - "time_created": 
"2019-10-08T10:20:34.053Z" - } - } - ] -} \ No newline at end of file diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json deleted file mode 100644 index da6e8c590..000000000 --- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json +++ /dev/null 
@@ -1,65 +0,0 @@
-{
- "events": [
- {
- "@timestamp": "2021-04-15T19:03:07.571Z",
- "agent": {
- "name": "Lees-MBP.localdomain",
- "type": "filebeat",
- "version": "8.0.0",
- "ephemeral_id": "3e299efc-a8d9-4a33-9acf-dbf6c4cd8ba4",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17"
- },
- "ecs": {
- "version": "1.8.0"
- },
- "host": {
- "name": "WIN-41OB2LO92CR"
- },
- "winlog": {
- "channel": "Security",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "computer_name": "WIN-41OB2LO92CR",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "outcome": "success",
- "level": "information",
- "time_created": "2019-10-08T10:20:44.472Z",
- "event_data": {
- "TargetUserName": "Administrators",
- "SubjectDomainName": "WORKGROUP",
- "SubjectLogonId": "0x3e7",
- "CallerProcessId": "0x494",
- "CallerProcessName": "C:\\Windows\\System32\\svchost.exe",
- "TargetDomainName": "Builtin",
- "TargetSid": "S-1-5-32-544",
- "SubjectUserSid": "S-1-5-18",
- "SubjectUserName": "WIN-41OB2LO92CR$"
- },
- "event_id": 4799,
- "record_id": 3002,
- "keywords": [
- "Audit Success"
- ],
- "process": {
- "pid": 780,
- "thread": {
- "id": 820
- }
- },
- "opcode": "Info",
- "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}"
- },
- "event": {
- "kind": "event",
- "code": 4799,
- "provider": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "log": {
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.xml"
- },
- "level": "information"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json
deleted file mode 100644
index d741c0b47..000000000
--- a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json
+++ /dev/null
@@ -1,91 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2019-10-08T10:20:44.472Z", - "agent": { - "ephemeral_id": "3e299efc-a8d9-4a33-9acf-dbf6c4cd8ba4", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "name": "Lees-MBP.localdomain", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "event": { - "action": "user-member-enumerated", - "category": [ - "iam" - ], - "code": "4799", - "kind": "event", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "info" - ] - }, - "group": { - "domain": "Builtin", - "id": "S-1-5-32-544", - "name": "Administrators" - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, - "log": { - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.xml" - }, - "level": "information" - }, - "related": { - "user": [ - "WIN-41OB2LO92CR$" - ] - }, - "user": { - "domain": "WORKGROUP", - "id": "S-1-5-18", - "name": "WIN-41OB2LO92CR$" - }, - "winlog": { - "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", - "channel": "Security", - "computer_name": "WIN-41OB2LO92CR", - "event_data": { - "CallerProcessId": "0x494", - "CallerProcessName": "C:\\Windows\\System32\\svchost.exe", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "WIN-41OB2LO92CR$", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "Builtin", - "TargetSid": "S-1-5-32-544", - "TargetUserName": "Administrators" - }, - "event_id": "4799", - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "opcode": "Info", - "outcome": "success", - "process": { - "pid": 780, - "thread": { - "id": 820 - } - }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "3002", - "time_created": "2019-10-08T10:20:44.472Z" - } - } - ] -} \ No newline at end of file 
diff --git a/test/packages/parallel/system/data_stream/socket_summary/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/socket_summary/agent/stream/stream.yml.hbs
deleted file mode 100644
index e7da2422b..000000000
--- a/test/packages/parallel/system/data_stream/socket_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,15 +0,0 @@
-metricsets: ["socket_summary"]
-period: {{period}}
-{{#if system.hostfs}}
-system.hostfs: {{system.hostfs}}
-{{/if}}
-{{#if processors.length}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags.length}}
-tags:
-{{#each tags as |tag i|}}
-- {{tag}}
-{{/each}}
-{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/socket_summary/fields/agent.yml b/test/packages/parallel/system/data_stream/socket_summary/fields/agent.yml
deleted file mode 100644
index dc30327e9..000000000
--- a/test/packages/parallel/system/data_stream/socket_summary/fields/agent.yml
+++ /dev/null
@@ -1,205 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - dimension: true - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - dimension: true - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - dimension: true - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - dimension: true - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - dimension: true - - name: project.id - type: keyword - description: Name of the project in Google Cloud. 
- - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - dimension: true - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - dimension: true - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. 
- - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/test/packages/parallel/system/data_stream/socket_summary/fields/base-fields.yml b/test/packages/parallel/system/data_stream/socket_summary/fields/base-fields.yml deleted file mode 100644 index 0e1c05609..000000000 --- a/test/packages/parallel/system/data_stream/socket_summary/fields/base-fields.yml +++ /dev/null @@ -1,17 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: system -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: system.socket_summary diff --git a/test/packages/parallel/system/data_stream/socket_summary/fields/ecs.yml b/test/packages/parallel/system/data_stream/socket_summary/fields/ecs.yml deleted file mode 100644 index 8840ed262..000000000 --- a/test/packages/parallel/system/data_stream/socket_summary/fields/ecs.yml +++ /dev/null 
@@ -1,49 +0,0 @@
-- external: ecs
- name: '@timestamp'
-- external: ecs
- name: message
-- external: ecs
- name: group
-- external: ecs
- name: group.id
-- external: ecs
- name: group.name
-- external: ecs
- name: host
-- external: ecs
- name: host.hostname
-- external: ecs
- name: process
-- external: ecs
- name: process.name
-- external: ecs
- name: process.pid
-- external: ecs
- name: source
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: user
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: agent.id
- dimension: true
diff --git a/test/packages/parallel/system/data_stream/socket_summary/fields/fields.yml b/test/packages/parallel/system/data_stream/socket_summary/fields/fields.yml
deleted file mode 100644
index fca58be0c..000000000
--- a/test/packages/parallel/system/data_stream/socket_summary/fields/fields.yml
+++ /dev/null
@@ -1,106 +0,0 @@ -- name: system.socket.summary - title: Socket summary - type: group - fields: - - name: all - type: group - fields: - - name: count - type: integer - metric_type: gauge - description: | - All open connections - - name: listening - type: integer - metric_type: gauge - description: | - All listening ports - - name: tcp - type: group - fields: - - name: memory - type: integer - format: bytes - unit: byte - metric_type: gauge - description: "Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. \n" - - name: all - type: group - fields: - - name: orphan - type: integer - metric_type: gauge - description: | - A count of all orphaned tcp sockets. Only available on Linux. - - name: count - type: integer - metric_type: gauge - description: | - All open TCP connections - - name: listening - type: integer - metric_type: gauge - description: | - All TCP listening ports - - name: established - type: integer - metric_type: gauge - description: | - Number of established TCP connections - - name: close_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _close_wait_ state - - name: time_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _time_wait_ state - - name: syn_sent - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_sent_ state - - name: syn_recv - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_recv_ state - - name: fin_wait1 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait1_ state - - name: fin_wait2 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait2_ state - - name: last_ack - type: integer - metric_type: gauge - description: | - Number of TCP connections in _last_ack_ state - - name: 
closing - type: integer - metric_type: gauge - description: | - Number of TCP connections in _closing_ state - - name: udp - type: group - fields: - - name: memory - type: integer - format: bytes - unit: byte - metric_type: gauge - description: "Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. \n" - - name: all - type: group - fields: - - name: count - type: integer - metric_type: gauge - description: | - All open UDP connections diff --git a/test/packages/parallel/system/data_stream/socket_summary/manifest.yml b/test/packages/parallel/system/data_stream/socket_summary/manifest.yml deleted file mode 100644 index b4fc6fcf4..000000000 --- a/test/packages/parallel/system/data_stream/socket_summary/manifest.yml +++ /dev/null @@ -1,29 +0,0 @@ -title: System socket_summary metrics -type: metrics -elasticsearch: - index_mode: "time_series" -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: tags - type: text - title: Tags - multi: true - show_user: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - title: System socket_summary metrics - description: Collect System socket_summary metrics diff --git a/test/packages/parallel/system/data_stream/uptime/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/uptime/agent/stream/stream.yml.hbs deleted file mode 100644 index e7e66ab35..000000000 
--- a/test/packages/parallel/system/data_stream/uptime/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,12 +0,0 @@
-metricsets: ["uptime"]
-period: {{period}}
-{{#if processors.length}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags.length}}
-tags:
-{{#each tags as |tag i|}}
-- {{tag}}
-{{/each}}
-{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/uptime/fields/agent.yml b/test/packages/parallel/system/data_stream/uptime/fields/agent.yml
deleted file mode 100644
index 37de0dc01..000000000
--- a/test/packages/parallel/system/data_stream/uptime/fields/agent.yml
+++ /dev/null
@@ -1,205 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - dimension: true - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - dimension: true - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - dimension: true - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - dimension: true - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - dimension: true - - name: project.id - type: keyword - description: Name of the project in Google Cloud. 
- - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - dimension: true - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - dimension: true - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. 
- - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/test/packages/parallel/system/data_stream/uptime/fields/base-fields.yml b/test/packages/parallel/system/data_stream/uptime/fields/base-fields.yml deleted file mode 100644 index 402b646ca..000000000 --- a/test/packages/parallel/system/data_stream/uptime/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: system -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: system.uptime diff --git a/test/packages/parallel/system/data_stream/uptime/fields/ecs.yml b/test/packages/parallel/system/data_stream/uptime/fields/ecs.yml deleted file mode 100644 index 3014c8de4..000000000 --- a/test/packages/parallel/system/data_stream/uptime/fields/ecs.yml +++ /dev/null @@ -1,3 +0,0 @@ -- external: ecs - name: agent.id - dimension: true diff --git a/test/packages/parallel/system/data_stream/uptime/fields/fields.yml b/test/packages/parallel/system/data_stream/uptime/fields/fields.yml deleted file mode 100644 index 7c61a1372..000000000 --- a/test/packages/parallel/system/data_stream/uptime/fields/fields.yml +++ /dev/null @@ -1,10 +0,0 @@ -- name: system.uptime - type: group - fields: - - name: duration.ms - type: long - format: duration - unit: ms - metric_type: counter - description: | - The OS uptime in milliseconds. diff --git a/test/packages/parallel/system/data_stream/uptime/manifest.yml b/test/packages/parallel/system/data_stream/uptime/manifest.yml deleted file mode 100644 index eda926bd0..000000000 
--- a/test/packages/parallel/system/data_stream/uptime/manifest.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: System uptime metrics
-type: metrics
-elasticsearch:
- index_mode: "time_series"
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- title: System uptime metrics
- description: Collect System uptime metrics
From 3d8d1219b45a1133f14c3a099f34774e37702c1d Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Tue, 20 Jun 2023 11:46:54 +0200
Subject: [PATCH 7/9] Update README test package system
---
test/packages/parallel/system/docs/README.md | 861 +------------------
1 file changed, 12 insertions(+), 849 deletions(-)
diff --git a/test/packages/parallel/system/docs/README.md b/test/packages/parallel/system/docs/README.md
index af0d9aa2c..1606a3aac 100644
--- a/test/packages/parallel/system/docs/README.md
+++ b/test/packages/parallel/system/docs/README.md
@@ -95,182 +95,7 @@ The Windows `application` data stream provides events from the Windows **Exported fields** -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | match_only_text | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. 
The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| 
winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | 
-| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | 
keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. 
| keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | +(no fields available) ### System 
@@ -1152,64 +977,7 @@ This data should be available without elevated permissions. **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| event.dataset | Event dataset. | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. 
| group | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.full | Operating system name, including the version or code name. | keyword | | | -| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | -| system.core.id | CPU Core number. | keyword | | | -| system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge | -| system.core.idle.ticks | The amount of CPU time spent idle. | long | | counter | -| system.core.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | percent | gauge | -| system.core.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | | counter | -| system.core.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | percent | gauge | -| system.core.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | | counter | -| system.core.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | percent | gauge | -| system.core.nice.ticks | The amount of CPU time spent on low-priority processes. | long | | counter | -| system.core.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | percent | gauge | -| system.core.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | | counter | -| system.core.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | percent | gauge | -| system.core.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | | counter | -| system.core.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | percent | gauge | -| system.core.system.ticks | The amount of CPU time spent in kernel space. | long | | counter | -| system.core.user.pct | The percentage of CPU time spent in user space. 
| scaled_float | percent | gauge | -| system.core.user.ticks | The amount of CPU time spent in user space. | long | | counter | +(no fields available) ### CPU 
@@ -1230,76 +998,7 @@ This data should be available without elevated permissions. **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| event.dataset | Event dataset. | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. 
Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | -| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | percent | gauge | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.full | Operating system name, including the version or code name. | keyword | | | -| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | -| system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% \* cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long | | gauge | -| system.cpu.idle.norm.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge | -| system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge | -| system.cpu.idle.ticks | The amount of CPU time spent idle. | long | | counter | -| system.cpu.iowait.norm.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | percent | gauge | -| system.cpu.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | percent | gauge | -| system.cpu.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | | counter | -| system.cpu.irq.norm.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | percent | gauge | -| system.cpu.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | percent | gauge | -| system.cpu.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | | counter | -| system.cpu.nice.norm.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | percent | gauge | -| system.cpu.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | percent | gauge | -| system.cpu.nice.ticks | The amount of CPU time spent on low-priority processes. 
| long | | counter | -| system.cpu.softirq.norm.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | percent | gauge | -| system.cpu.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | percent | gauge | -| system.cpu.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | | counter | -| system.cpu.steal.norm.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | percent | gauge | -| system.cpu.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | percent | gauge | -| system.cpu.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | | counter | -| system.cpu.system.norm.pct | The percentage of CPU time spent in kernel space. | scaled_float | percent | gauge | -| system.cpu.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | percent | gauge | -| system.cpu.system.ticks | The amount of CPU time spent in kernel space. | long | | counter | -| system.cpu.total.norm.pct | The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. | scaled_float | percent | gauge | -| system.cpu.total.pct | The percentage of CPU time spent in states other than Idle and IOWait. | scaled_float | percent | gauge | -| system.cpu.user.norm.pct | The percentage of CPU time spent in user space. | scaled_float | percent | gauge | -| system.cpu.user.pct | The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. 
For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. | scaled_float | percent | gauge | -| system.cpu.user.ticks | The amount of CPU time spent in user space. | long | | counter | +(no fields available) ### Disk IO 
@@ -1320,72 +1019,7 @@ This data should be available without elevated permissions. **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| event.dataset | Event dataset. | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. 
Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | -| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | long | | | -| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | long | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.full | Operating system name, including the version or code name. | keyword | | | -| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. 
| match_only_text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | -| system.diskio.io.time | The total number of of milliseconds spent doing I/Os. | long | | counter | -| system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float | | gauge | -| system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float | | gauge | -| system.diskio.iostat.queue.avg_size | The average queue length of the requests that were issued to the device. | float | byte | gauge | -| system.diskio.iostat.read.await | The average time spent for read requests issued to the device to be served. | float | | gauge | -| system.diskio.iostat.read.per_sec.bytes | The number of Bytes read from the device per second. | float | | gauge | -| system.diskio.iostat.read.request.merges_per_sec | The number of read requests merged per second that were queued to the device. | float | | gauge | -| system.diskio.iostat.read.request.per_sec | The number of read requests that were issued to the device per second | float | | gauge | -| system.diskio.iostat.request.avg_size | The average size (in bytes) of the requests that were issued to the device. | float | byte | gauge | -| system.diskio.iostat.service_time | The average service time (in milliseconds) for I/O requests that were issued to the device. | float | ms | gauge | -| system.diskio.iostat.write.await | The average time spent for write requests issued to the device to be served. 
| float | | gauge | -| system.diskio.iostat.write.per_sec.bytes | The number of Bytes write from the device per second. | float | | gauge | -| system.diskio.iostat.write.request.merges_per_sec | The number of write requests merged per second that were queued to the device. | float | | gauge | -| system.diskio.iostat.write.request.per_sec | The number of write requests that were issued to the device per second | float | | gauge | -| system.diskio.name | The disk name. | keyword | | | -| system.diskio.read.bytes | The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. | long | byte | counter | -| system.diskio.read.count | The total number of reads completed successfully. | long | | counter | -| system.diskio.read.time | The total number of milliseconds spent by all reads. | long | | counter | -| system.diskio.serial_number | The disk's serial number. This may not be provided by all operating systems. | keyword | | | -| system.diskio.write.bytes | The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. | long | byte | counter | -| system.diskio.write.count | The total number of writes completed successfully. | long | | counter | -| system.diskio.write.time | The total number of milliseconds spent by all writes. | long | | counter | +(no fields available) ### Filesystem 
@@ -1407,55 +1041,7 @@ This data should be available without elevated permissions. **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| event.dataset | Event dataset. | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | -| system.filesystem.available | The disk space available to an unprivileged user in bytes. | long | byte | gauge | -| system.filesystem.device_name | The disk name. For example: `/dev/disk1` | keyword | | | -| system.filesystem.files | The total number of file nodes in the file system. | long | | gauge | -| system.filesystem.free | The disk space available in bytes. 
| long | byte | gauge | -| system.filesystem.free_files | The number of free file nodes in the file system. | long | | gauge | -| system.filesystem.mount_point | The mounting point. For example: `/` | keyword | | | -| system.filesystem.total | The total disk space in bytes. | long | byte | gauge | -| system.filesystem.type | The disk type. For example: `ext4` | keyword | | | -| system.filesystem.used.bytes | The used disk space in bytes. | long | byte | gauge | -| system.filesystem.used.pct | The percentage of used disk space. | scaled_float | percent | gauge | +(no fields available) ### Fsstat 
@@ -1476,53 +1062,7 @@ This data should be available without elevated permissions. **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| event.dataset | Event dataset. | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. 
Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.full | Operating system name, including the version or code name. | keyword | | | -| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | -| system.fsstat.count | Number of file systems found. | long | | gauge | -| system.fsstat.total_files | Total number of files. | long | | gauge | -| system.fsstat.total_size.free | Total free space. | long | byte | gauge | -| system.fsstat.total_size.total | Total space (used plus free). | long | byte | gauge | -| system.fsstat.total_size.used | Total used space. | long | byte | gauge | +(no fields available) ### Load 
@@ -1542,55 +1082,7 @@ This data should be available without elevated permissions. **Exported fields** -| Field | Description | Type | Metric Type | -|---|---|---|---| -| @timestamp | Event timestamp. | date | | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | -| cloud.instance.name | Instance name of the host machine. | keyword | | -| cloud.machine.type | Machine type of the host machine. | keyword | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | -| cloud.region | Region in which this host is running. | keyword | | -| container.id | Unique container id. | keyword | | -| container.image.name | Name of the image the container was built on. | keyword | | -| container.labels | Image labels. | object | | -| container.name | Container name. | keyword | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | -| data_stream.type | Data stream type. | constant_keyword | | -| event.dataset | Event dataset. | constant_keyword | | -| event.module | Event module | constant_keyword | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. 
Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | -| host.architecture | Operating system architecture. | keyword | | -| host.containerized | If the host is a container. | boolean | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | -| host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | -| host.os.build | OS build information. | keyword | | -| host.os.codename | OS codename, if any. | keyword | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | -| host.os.full | Operating system name, including the version or code name. | keyword | | -| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | -| host.os.name | Operating system name, without the version. | keyword | | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | -| host.os.version | Operating system version as a raw string. | keyword | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | -| system.load.1 | Load average for the last minute. | scaled_float | gauge | -| system.load.15 | Load average for the last 15 minutes. | scaled_float | gauge | -| system.load.5 | Load average for the last 5 minutes. | scaled_float | gauge | -| system.load.cores | The number of CPU cores present on the host. | long | gauge | -| system.load.norm.1 | Load for the last minute divided by the number of cores. | scaled_float | gauge | -| system.load.norm.15 | Load for the last 15 minutes divided by the number of cores. | scaled_float | gauge | -| system.load.norm.5 | Load for the last 5 minutes divided by the number of cores. | scaled_float | gauge | +(no fields available) ### Memory 
@@ -1611,79 +1103,7 @@ This data should be available without elevated permissions. **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| event.dataset | Event dataset. | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. 
Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.full | Operating system name, including the version or code name. | keyword | | | -| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | -| system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long | byte | gauge | -| system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. | long | byte | gauge | -| system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float | percent | gauge | -| system.memory.free | The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). | long | byte | gauge | -| system.memory.hugepages.default_size | Default size for huge pages. | long | | gauge | -| system.memory.hugepages.free | Number of available huge pages in the pool. | long | | gauge | -| system.memory.hugepages.reserved | Number of reserved but not allocated huge pages in the pool. | long | | gauge | -| system.memory.hugepages.surplus | Number of overcommited huge pages. | long | | gauge | -| system.memory.hugepages.swap.out.fallback | Count of huge pages that must be split before swapout | long | | gauge | -| system.memory.hugepages.swap.out.pages | pages swapped out | long | | gauge | -| system.memory.hugepages.total | Number of huge pages in the pool. | long | | gauge | -| system.memory.hugepages.used.bytes | Memory used in allocated huge pages. | long | byte | gauge | -| system.memory.hugepages.used.pct | Percentage of huge pages used. 
| long | percent | gauge | -| system.memory.page_stats.direct_efficiency.pct | direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | percent | gauge | -| system.memory.page_stats.kswapd_efficiency.pct | kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | percent | gauge | -| system.memory.page_stats.pgfree.pages | pages freed by the system | long | | counter | -| system.memory.page_stats.pgscan_direct.pages | pages scanned directly | long | | counter | -| system.memory.page_stats.pgscan_kswapd.pages | pages scanned by kswapd | long | | counter | -| system.memory.page_stats.pgsteal_direct.pages | number of pages reclaimed directly | long | | counter | -| system.memory.page_stats.pgsteal_kswapd.pages | number of pages reclaimed by kswapd | long | | counter | -| system.memory.swap.free | Available swap memory. | long | byte | gauge | -| system.memory.swap.in.pages | count of pages swapped in | long | | gauge | -| system.memory.swap.out.pages | count of pages swapped out | long | | counter | -| system.memory.swap.readahead.cached | swap readahead cache hits | long | | counter | -| system.memory.swap.readahead.pages | swap readahead pages | long | | counter | -| system.memory.swap.total | Total swap memory. | long | byte | gauge | -| system.memory.swap.used.bytes | Used swap memory. | long | byte | gauge | -| system.memory.swap.used.pct | The percentage of used swap memory. | scaled_float | percent | gauge | -| system.memory.total | Total memory. | long | byte | gauge | -| system.memory.used.bytes | Used memory. | long | byte | gauge | -| system.memory.used.pct | The percentage of used memory. | scaled_float | percent | gauge | +(no fields available) ### Network 
@@ -1704,80 +1124,7 @@ This data should be available without elevated permissions. **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. 
| constant_keyword | | | -| event.dataset | Event dataset. | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| group | The group fields are meant to represent groups that are relevant to the event. | group | | | -| group.id | Unique identifier for the group on the system/platform. | keyword | | | -| group.name | Name of the group. | keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | long | byte | counter | -| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. 
| long | | counter | -| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | long | byte | counter | -| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long | | counter | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | | -| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | | -| process.name | Process name. Sometimes called program name or similar. | keyword | | | -| process.name.text | Multi-field of `process.name`. | match_only_text | | | -| process.pid | Process id. 
| long | | | -| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | | | -| source.geo.city_name | City name. | keyword | | | -| source.geo.continent_name | Name of the continent. | keyword | | | -| source.geo.country_iso_code | Country ISO code. | keyword | | | -| source.geo.location | Longitude and latitude. | geo_point | | | -| source.geo.region_iso_code | Region ISO code. | keyword | | | -| source.geo.region_name | Region name. | keyword | | | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | | | -| source.port | Port of the source. | long | | | -| system.network.in.bytes | The number of bytes received. | long | byte | counter | -| system.network.in.dropped | The number of incoming packets that were dropped. | long | | counter | -| system.network.in.errors | The number of errors while receiving. | long | | counter | -| system.network.in.packets | The number or packets received. | long | | counter | -| system.network.name | The network interface name. | keyword | | | -| system.network.out.bytes | The number of bytes sent. | long | byte | counter | -| system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long | | counter | -| system.network.out.errors | The number of errors while sending. | long | | counter | -| system.network.out.packets | The number of packets sent. 
| long | | counter | -| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | | | -| user.id | Unique identifier of the user. | keyword | | | -| user.name | Short name or login of the user. | keyword | | | -| user.name.text | Multi-field of `user.name`. | match_only_text | | | +(no fields available) ### Process 
@@ -2016,75 +1363,7 @@ If the process data belongs to the other users, it will be counted as unknown va **Exported fields** -| Field | Description | Type | Metric Type | -|---|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | -| cloud.instance.name | Instance name of the host machine. | keyword | | -| cloud.machine.type | Machine type of the host machine. | keyword | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | -| cloud.region | Region in which this host is running. | keyword | | -| container.id | Unique container id. | keyword | | -| container.image.name | Name of the image the container was built on. | keyword | | -| container.labels | Image labels. | object | | -| container.name | Container name. | keyword | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | -| data_stream.type | Data stream type. | constant_keyword | | -| event.dataset | Event dataset. 
| constant_keyword | | -| event.module | Event module | constant_keyword | | -| group | The group fields are meant to represent groups that are relevant to the event. | group | | -| group.id | Unique identifier for the group on the system/platform. | keyword | | -| group.name | Name of the group. | keyword | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | -| host.architecture | Operating system architecture. | keyword | | -| host.containerized | If the host is a container. | boolean | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | -| host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | -| host.os.build | OS build information. | keyword | | -| host.os.codename | OS codename, if any. | keyword | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | -| host.os.name | Operating system name, without the version. 
| keyword | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | -| host.os.version | Operating system version as a raw string. | keyword | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | -| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | -| process.name | Process name. Sometimes called program name or similar. | keyword | | -| process.name.text | Multi-field of `process.name`. | match_only_text | | -| process.pid | Process id. | long | | -| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | | -| source.geo.city_name | City name. | keyword | | -| source.geo.continent_name | Name of the continent. 
| keyword | | -| source.geo.country_iso_code | Country ISO code. | keyword | | -| source.geo.location | Longitude and latitude. | geo_point | | -| source.geo.region_iso_code | Region ISO code. | keyword | | -| source.geo.region_name | Region name. | keyword | | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | | -| source.port | Port of the source. | long | | -| system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. | long | gauge | -| system.process.summary.idle | Number of idle processes on this host. | long | gauge | -| system.process.summary.running | Number of running processes on this host. | long | gauge | -| system.process.summary.sleeping | Number of sleeping processes on this host. | long | gauge | -| system.process.summary.stopped | Number of stopped processes on this host. | long | gauge | -| system.process.summary.total | Total number of processes on this host. | long | gauge | -| system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long | gauge | -| system.process.summary.zombie | Number of zombie processes on this host. | long | gauge | -| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | | -| user.id | Unique identifier of the user. | keyword | | -| user.name | Short name or login of the user. | keyword | | -| user.name.text | Multi-field of `user.name`. | match_only_text | | +(no fields available) ### Socket summary 
@@ -2108,84 +1387,7 @@ This data should be available without elevated permissions. **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. 
| constant_keyword | | | -| event.dataset | Event dataset. | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| group | The group fields are meant to represent groups that are relevant to the event. | group | | | -| group.id | Unique identifier for the group on the system/platform. | keyword | | | -| group.name | Name of the group. | keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | | -| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | | -| process.name | Process name. Sometimes called program name or similar. | keyword | | | -| process.name.text | Multi-field of `process.name`. | match_only_text | | | -| process.pid | Process id. | long | | | -| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. 
| group | | | -| source.geo.city_name | City name. | keyword | | | -| source.geo.continent_name | Name of the continent. | keyword | | | -| source.geo.country_iso_code | Country ISO code. | keyword | | | -| source.geo.location | Longitude and latitude. | geo_point | | | -| source.geo.region_iso_code | Region ISO code. | keyword | | | -| source.geo.region_name | Region name. | keyword | | | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | | | -| source.port | Port of the source. | long | | | -| system.socket.summary.all.count | All open connections | integer | | gauge | -| system.socket.summary.all.listening | All listening ports | integer | | gauge | -| system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer | | gauge | -| system.socket.summary.tcp.all.closing | Number of TCP connections in _closing_ state | integer | | gauge | -| system.socket.summary.tcp.all.count | All open TCP connections | integer | | gauge | -| system.socket.summary.tcp.all.established | Number of established TCP connections | integer | | gauge | -| system.socket.summary.tcp.all.fin_wait1 | Number of TCP connections in _fin_wait1_ state | integer | | gauge | -| system.socket.summary.tcp.all.fin_wait2 | Number of TCP connections in _fin_wait2_ state | integer | | gauge | -| system.socket.summary.tcp.all.last_ack | Number of TCP connections in _last_ack_ state | integer | | gauge | -| system.socket.summary.tcp.all.listening | All TCP listening ports | integer | | gauge | -| system.socket.summary.tcp.all.orphan | A count of all orphaned tcp sockets. Only available on Linux. 
| integer | | gauge | -| system.socket.summary.tcp.all.syn_recv | Number of TCP connections in _syn_recv_ state | integer | | gauge | -| system.socket.summary.tcp.all.syn_sent | Number of TCP connections in _syn_sent_ state | integer | | gauge | -| system.socket.summary.tcp.all.time_wait | Number of TCP connections in _time_wait_ state | integer | | gauge | -| system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. | integer | byte | gauge | -| system.socket.summary.udp.all.count | All open UDP connections | integer | | gauge | -| system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer | byte | gauge | -| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | | | -| user.id | Unique identifier of the user. | keyword | | | -| user.name | Short name or login of the user. | keyword | | | -| user.name.text | Multi-field of `user.name`. | match_only_text | | | +(no fields available) ### Uptime 
@@ -2206,44 +1408,5 @@ This data should be available without elevated permissions. **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| event.dataset | Event dataset. | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | -| system.uptime.duration.ms | The OS uptime in milliseconds. | long | ms | counter | +(no fields available) From 29a492e79fbfee592c4770d721c29383610d1bea Mon Sep 17 00:00:00 2001 
From: Mario Rodriguez Molins Date: Tue, 20 Jun 2023 12:27:38 +0200 Subject: [PATCH 8/9] Just log in case of packages different to system --- internal/testrunner/runners/asset/runner.go | 10 ++-------- internal/testrunner/runners/system/runner.go | 16 ++-------------- 2 files changed, 4 insertions(+), 22 deletions(-) diff --git a/internal/testrunner/runners/asset/runner.go b/internal/testrunner/runners/asset/runner.go index 3d287de78..58579c5d3 100644 --- a/internal/testrunner/runners/asset/runner.go +++ b/internal/testrunner/runners/asset/runner.go @@ -103,18 +103,12 @@ func (r *runner) run() ([]testrunner.TestResult, error) { logger.Debug("removing package...") err = packageInstaller.Uninstall() - if err == nil { - return nil - } + // by default system package is part of an agent policy and it cannot be uninstalled // https://github.com/elastic/elastic-package/blob/5f65dc29811c57454bc7142aaf73725b6d4dc8e6/internal/stack/_static/kibana.yml.tmpl#L62 - switch pkgManifest.Name { - case "system": - logger.Debugf("failed to uninstall package %q: %s", pkgManifest.Name, err.Error()) - default: + if err != nil && pkgManifest.Name != "system" { logger.Warnf("failed to uninstall package %q: %s", pkgManifest.Name, err.Error()) } - return nil } diff --git a/internal/testrunner/runners/system/runner.go b/internal/testrunner/runners/system/runner.go index f6b18423f..1b388a4d3 100644 --- a/internal/testrunner/runners/system/runner.go +++ b/internal/testrunner/runners/system/runner.go 
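Review bot: An uninstall failure for the `system` package is now dropped without any log line by the rewritten condition `if err != nil && pkgManifest.Name != "system"`; the removed `switch` at least wrote it at debug level. Errors unrelated to the agent-policy restriction (Kibana unreachable, request rejected) would presumably also land here and leave the package installed in the test stack with no trace, which makes leftover test assets harder to spot afterwards. I would keep the debug line for that case, for example an `else if err != nil` branch with `logger.Debugf("failed to uninstall package %q: %s", pkgManifest.Name, err.Error())`. The same applies to the `deletePackageHandler` hunk in `internal/testrunner/runners/system/runner.go`. The enclosing function starts outside this hunk.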
@@ -496,25 +496,13 @@ func (r *runner) runTest(config *testConfig, ctxt servicedeployer.ServiceContext } r.deletePackageHandler = func() error { err := installer.Uninstall() - if err == nil { - return nil - } + // by default system package is part of an agent policy and it cannot be uninstalled // https://github.com/elastic/elastic-package/blob/5f65dc29811c57454bc7142aaf73725b6d4dc8e6/internal/stack/_static/kibana.yml.tmpl#L62 - switch pkgManifest.Name { - case "system": - logger.Debugf("failed to uninstall package %q: %s", pkgManifest.Name, err.Error()) - default: + if err != nil && pkgManifest.Name != "system" { logger.Warnf("failed to uninstall package %q: %s", pkgManifest.Name, err.Error()) } - return nil - // by default system package is part of an agent policy and it cannot be uninstalled - // https://github.com/elastic/elastic-package/blob/5f65dc29811c57454bc7142aaf73725b6d4dc8e6/internal/stack/_static/kibana.yml.tmpl#L62 - // if err != nil && pkgManifest.Name != "system" { - // logger.Warnf("failed to uninstall package %q: %s", pkgManifest.Name, err.Error()) - // } - // return nil } // Configure package (single data stream) via Ingest Manager APIs. From 6e0af5e22b72d2b9f7e285301a0a290376fd18ac Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 20 Jun 2023 17:05:46 +0200 Subject: [PATCH 9/9] Add comment for not returning uninstall error --- internal/testrunner/runners/system/runner.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/internal/testrunner/runners/system/runner.go b/internal/testrunner/runners/system/runner.go index 1b388a4d3..b9ca09d4b 100644 --- a/internal/testrunner/runners/system/runner.go +++ b/internal/testrunner/runners/system/runner.go 
@@ -500,6 +500,8 @@ func (r *runner) runTest(config *testConfig, ctxt servicedeployer.ServiceContext // by default system package is part of an agent policy and it cannot be uninstalled // https://github.com/elastic/elastic-package/blob/5f65dc29811c57454bc7142aaf73725b6d4dc8e6/internal/stack/_static/kibana.yml.tmpl#L62 if err != nil && pkgManifest.Name != "system" { + // logging the error as a warning and not returning it since there could be other reasons that could make fail this process + // for instance being defined a test agent policy where this package is used for debugging purposes logger.Warnf("failed to uninstall package %q: %s", pkgManifest.Name, err.Error()) } return nil
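Review bot: The added comment is hard to parse ("could make fail this process", "being defined a test agent policy"), and it is the only explanation of why teardown hides the uninstall error from its caller. Suggested wording: `// Log the error as a warning instead of returning it: uninstall can fail for other reasons,` followed by `// for instance when a test agent policy defined for debugging still uses this package.` The matching branch in `internal/testrunner/runners/asset/runner.go` from patch 8/9 carries no such comment and would benefit from the same two lines. The `deletePackageHandler` closure begins outside this hunk.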