ViPNet Coordinator
ViPNet Coordinator VPN gateway events from InfoTeCS — a Russian cryptographic platform for secure network communication using GOST encryption. Covers IPsec tunnel lifecycle, authentication, firewall decisions, packet encryption/decryption, configuration changes, keepalives, and time synchronization errors.
Quick Start
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/vpn-vipnet/generator.yml \
  --id vpn-vipnet \
  --live-mode true
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| tunnel-established | IPsec tunnel successfully established with peer | ~12.0% | network |
| tunnel-destroyed | IPsec tunnel torn down with peer | ~8.0% | network |
| auth-success | Successful administrator or peer authentication | ~10.0% | authentication |
| auth-failure | Failed authentication attempt with reason | ~3.0% | authentication |
| firewall-allowed | Firewall rule permitted traffic through the gateway | ~20.0% | network |
| firewall-blocked | Firewall rule denied traffic through the gateway | ~8.0% | network |
| packet-encrypted | Packet encrypted with GOST algorithm before transmission | ~15.0% | network |
| packet-unencrypted | Received packet decrypted with GOST algorithm | ~15.0% | network |
| config-changed | Configuration modification by administrator | ~3.0% | configuration |
| keepalive | Tunnel keepalive probe sent or received | ~4.0% | network |
| time-sync-error | NTP time synchronization failure detected | ~2.0% | network |
Realism Features
- Correlated tunnel sessions — establish events produce tunnel context consumed by destroy with matching peer/tunnel ID
- GOST encryption suite selection — GOST R 34.12-2015 (Magma/Kuznyechik) with realistic cipher negotiation
- Authentication failure scenarios — expired certificates, wrong credentials, revoked keys
- Firewall rule distribution — allow/block ratio with realistic protocol and port distributions
- Configuration change audit — parameter names, old/new values, administrator identity
- Time sync errors with realistic NTP server addresses and drift values
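A consumer-side check for the correlated tunnel sessions listed above, as an added example that is not part of the content pack: it pairs tunnel-established and tunnel-destroyed events by vipnet.tunnel_id and reports session durations, destroys with no matching establish, and tunnels left open. The sample events are constructed, and it is an assumption that tunnel-destroyed events carry the same vipnet.tunnel_id and vipnet.peer_id fields as the tunnel-established event in this page's sample output.

```python
import json
from datetime import datetime

# Constructed sample events (one JSON object per line). Reusing
# vipnet.tunnel_id / vipnet.peer_id on tunnel-destroyed is an assumption.
SAMPLE = """\
{"@timestamp": "2026-03-07T09:32:15+00:00", "event": {"action": "tunnel-established"}, "vipnet": {"tunnel_id": "TUN-00000001", "peer_id": "0x0000000A"}}
{"@timestamp": "2026-03-07T09:32:40+00:00", "event": {"action": "firewall-allowed"}}
{"@timestamp": "2026-03-07T09:33:00+00:00", "event": {"action": "tunnel-established"}, "vipnet": {"tunnel_id": "TUN-00000002", "peer_id": "0x0000000B"}}
{"@timestamp": "2026-03-07T09:47:15+00:00", "event": {"action": "tunnel-destroyed"}, "vipnet": {"tunnel_id": "TUN-00000001", "peer_id": "0x0000000A"}}
{"@timestamp": "2026-03-07T09:50:00+00:00", "event": {"action": "tunnel-destroyed"}, "vipnet": {"tunnel_id": "TUN-00000003", "peer_id": "0x0000000C"}}
"""

def correlate_tunnels(lines):
    """Pair tunnel-established with tunnel-destroyed events by tunnel_id."""
    open_tunnels = {}            # tunnel_id -> (peer_id, establish time)
    sessions, anomalies = [], []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        action = ev.get("event", {}).get("action")
        if action not in ("tunnel-established", "tunnel-destroyed"):
            continue             # other event types are not part of the session
        v = ev.get("vipnet", {})
        tid, peer = v.get("tunnel_id"), v.get("peer_id")
        ts = datetime.fromisoformat(ev["@timestamp"])
        if action == "tunnel-established":
            if tid in open_tunnels:
                anomalies.append((tid, "re-established without destroy"))
            open_tunnels[tid] = (peer, ts)
        elif tid not in open_tunnels:
            anomalies.append((tid, "destroy without establish"))
        else:
            start_peer, start = open_tunnels.pop(tid)
            if start_peer != peer:
                anomalies.append((tid, "peer_id mismatch"))
            sessions.append((tid, (ts - start).total_seconds()))
    # Tunnels with no destroy yet are returned sorted by ID.
    return sessions, anomalies, sorted(open_tunnels)

if __name__ == "__main__":
    print(correlate_tunnels(SAMPLE.splitlines()))
```

A destroy with no matching establish is expected at the start of a capture window, so treat the first minutes of a run as warm-up before alerting on it.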
Sample Output
{
  "@timestamp": "2026-03-07T09:32:15.000000+00:00",
  "event": {
    "action": "tunnel-established",
    "category": ["network"],
    "dataset": "vipnet.log",
    "kind": "event",
    "module": "vipnet",
    "outcome": "success",
    "type": ["connection", "start"]
  },
  "vipnet": {
    "tunnel_id": "TUN-00048271",
    "peer_id": "0x1A2B3C4D",
    "cipher_suite": "GOST R 34.12-2015 Kuznyechik",
    "hostname": "vipnet-gw-01"
  },
  "source": { "ip": "10.1.1.1", "port": 55777 },
  "destination": { "ip": "10.2.1.1", "port": 55777 },
  "observer": {
    "product": "ViPNet Coordinator",
    "type": "vpn",
    "vendor": "InfoTeCS"
  },
  "network": { "transport": "udp", "protocol": "ipsec" }
}
Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | vipnet-gw-01 | ViPNet Coordinator hostname |
| domain | corp.example.com | Corporate domain name |
| gateway_ip | 10.1.1.1 | Gateway management IP address |
| agent_id | a1b2c3d4-... | Filebeat agent ID |
| agent_version | 8.17.0 | Filebeat version |
Related Generators
Nginx Access & Error Logs
Nginx reverse proxy and web server — access logs with upstream timing, error logs with module context, bot/crawler traffic, scanner probes, and correlated 4xx/5xx error entries.
Apache HTTP Server
Apache httpd access and error logs — page/asset/API requests, bot crawlers (Googlebot, GPTBot), scanner probes, 3xx redirects, and correlated 4xx/5xx error log entries with module context.
Cisco AnyConnect VPN
Cisco ASA AnyConnect SSL VPN — session lifecycle from RADIUS authentication through tunnel establishment, IP assignment, DAP policy evaluation, session roaming between gateways, to graceful disconnection.