Merge branch 'main' into patch-1

elastic · Mar 19, 2024 · 193054b · 193054b
2 parents 26609d1 + 1b13c64
commit 193054b
Show file tree

Hide file tree

Showing 8 changed files with 208 additions and 4 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -157,6 +157,7 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d
 
 *Filebeat*
 
+- Adding Saved Object name field to Kibana audit logs {pull}38307[38307]
 - Update SQL input documentation regarding Oracle DSNs {pull}37590[37590]
 - add documentation for decode_xml_wineventlog processor field mappings.  {pull}32456[32456]
 - httpjson input: Add request tracing logger. {issue}32402[32402] {pull}32412[32412]
@@ -272,6 +273,7 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d
 
 *Filebeat*
 
+- Deprecate `syslog` input in favor of `syslog` processor. {issue}37555[37555] {pull}38277[38277]
 
 *Heartbeat*
 

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -86793,6 +86793,17 @@ example: 6295bdd0-0a0e-11e7-825f-6748cda7d858
 
 --
 
+*`kibana.saved_object.name`*::
++
+--
+The name of the saved object associated with this event.
+
+type: keyword
+
+example: my-saved-object
+
+--
+
 *`kibana.add_to_spaces`*::
 +
 --

diff --git a/filebeat/docs/inputs/input-syslog.asciidoc b/filebeat/docs/inputs/input-syslog.asciidoc
@@ -3,6 +3,10 @@
 [id="{beatname_lc}-input-{type}"]
 === Syslog input
 
+deprecated:[8.14.0]
+
+The syslog input is deprecated. Please use the <<syslog, `syslog`>> processor for processing syslog messages.
+
 ++++
 <titleabbrev>Syslog</titleabbrev>
 ++++

diff --git a/filebeat/input/syslog/input.go b/filebeat/input/syslog/input.go
@@ -28,6 +28,7 @@ import (
 	"github.com/elastic/beats/v7/filebeat/input"
 	"github.com/elastic/beats/v7/filebeat/inputsource"
 	"github.com/elastic/beats/v7/libbeat/beat"
+	"github.com/elastic/beats/v7/libbeat/common/cfgwarn"
 	conf "github.com/elastic/elastic-agent-libs/config"
 	"github.com/elastic/elastic-agent-libs/logp"
 	"github.com/elastic/elastic-agent-libs/mapstr"
@@ -85,6 +86,8 @@ var (
 		"local6",
 		"local7",
 	}
+
+	deprecatedNotificationOnce sync.Once
 )
 
 func init() {
@@ -112,6 +115,10 @@ func NewInput(
 ) (input.Input, error) {
 	log := logp.NewLogger("syslog")
 
+	deprecatedNotificationOnce.Do(func() {
+		cfgwarn.Deprecate("", "Syslog input. Use Syslog processor instead.")
+	})
+
 	out, err := outlet.Connect(cfg)
 	if err != nil {
 		return nil, err
@@ -180,7 +187,7 @@ func GetCbByConfig(cfg config, forwarder *harvester.Forwarder, log *logp.Logger)
 	case syslogFormatRFC5424:
 		return func(data []byte, metadata inputsource.NetworkMetadata) {
 			ev := parseAndCreateEvent5424(data, metadata, cfg.Timezone.Location(), log)
-			forwarder.Send(ev)
+			_ = forwarder.Send(ev)
 		}
 
 	case syslogFormatAuto:
@@ -191,15 +198,15 @@ func GetCbByConfig(cfg config, forwarder *harvester.Forwarder, log *logp.Logger)
 			} else {
 				ev = parseAndCreateEvent3164(data, metadata, cfg.Timezone.Location(), log)
 			}
-			forwarder.Send(ev)
+			_ = forwarder.Send(ev)
 		}
 	case syslogFormatRFC3164:
 		break
 	}
 
 	return func(data []byte, metadata inputsource.NetworkMetadata) {
 		ev := parseAndCreateEvent3164(data, metadata, cfg.Timezone.Location(), log)
-		forwarder.Send(ev)
+		_ = forwarder.Send(ev)
 	}
 }
 

diff --git a/filebeat/module/kibana/_meta/fields.yml b/filebeat/module/kibana/_meta/fields.yml
@@ -27,6 +27,10 @@
           description: "The id of the saved object associated with this event."
           example: "6295bdd0-0a0e-11e7-825f-6748cda7d858"
           type: keyword
+        - name: saved_object.name
+          description: "The name of the saved object associated with this event."
+          example: "my-saved-object"
+          type: keyword
         - name: add_to_spaces
           description: "The set of space ids that a saved object was shared to."
           example: "['default', 'marketing']"

diff --git a/filebeat/module/kibana/audit/test/test-audit-814.log b/filebeat/module/kibana/audit/test/test-audit-814.log
@@ -0,0 +1,5 @@
+{"event":{"action":"saved_object_create","category":["database"],"outcome":"unknown","type":["access"]},"kibana":{"saved_object":{"id":"fleet-default-settings","type":"ingest_manager_settings"}},"labels":{"application":"elastic/fleet"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T15:18:47.298+00:00","message":"User is accessing ingest_manager_settings [id=fleet-default-settings]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"trace":{"id":"809d3449277aba205a3ac539d23dbf7e"},"transaction":{"id":"49a38064b0f1dc1e"}}
+{"event":{"action":"saved_object_create","category":["database"],"outcome":"unknown","type":["access"]},"kibana":{"saved_object":{"id":"a09a5397-7b9a-5a73-a622-e29f4c635658","type":"ingest-outputs"}},"labels":{"application":"elastic/fleet"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T15:18:48.987+00:00","message":"User is accessing ingest-outputs [id=a09a5397-7b9a-5a73-a622-e29f4c635658]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"trace":{"id":"809d3449277aba205a3ac539d23dbf7e"},"transaction":{"id":"49a38064b0f1dc1e"}}
+{"event":{"action":"saved_object_create","category":["database"],"outcome":"unknown","type":["access"]},"kibana":{"saved_object":{"id":"synthetics","type":"epm-packages"}},"labels":{"application":"elastic/fleet"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T15:18:53.426+00:00","message":"User is accessing epm-packages [id=synthetics]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"trace":{"id":"809d3449277aba205a3ac539d23dbf7e"},"transaction":{"id":"49a38064b0f1dc1e"}}
+{"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"kibana","path":"/api/features","port":5601,"scheme":"http"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"},"trace":{"id":"e2792f3f-4cf1-4f6d-b4eb-5b491724c295"},"client":{"ip":"172.22.0.2"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T15:19:18.882+00:00","message":"User is requesting [/api/features] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"transaction":{"id":"cf44f52888b9ec5a"}}
+{"event":{"action":"saved_object_create","category":["database"],"outcome":"unknown","type":["access"]},"kibana":{"saved_object":{"id":"abcde-fghijk","type":"ingest_manager_settings","name":"fleet-object-name"}},"labels":{"application":"elastic/fleet"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T16:18:47.298+00:00","message":"User is accessing ingest_manager_settings [id=fleet-default-settings]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"trace":{"id":"809d3449277aba205a3ac539d23dbf7e"},"transaction":{"id":"49a38064b0f1dc1e"}}
diff --git a/filebeat/module/kibana/audit/test/test-audit-814.log-expected.json b/filebeat/module/kibana/audit/test/test-audit-814.log-expected.json
@@ -0,0 +1,171 @@
+[
+    {
+        "@timestamp": "2023-06-19T15:18:47.298+00:00",
+        "event.action": "saved_object_create",
+        "event.category": [
+            "database"
+        ],
+        "event.dataset": "kibana.audit",
+        "event.kind": "event",
+        "event.module": "kibana",
+        "event.outcome": "unknown",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "access"
+        ],
+        "fileset.name": "audit",
+        "input.type": "log",
+        "kibana.saved_object.id": "fleet-default-settings",
+        "kibana.saved_object.type": "ingest_manager_settings",
+        "labels.application": "elastic/fleet",
+        "log.level": "INFO",
+        "log.logger": "plugins.security.audit.ecs",
+        "log.offset": 0,
+        "message": "User is accessing ingest_manager_settings [id=fleet-default-settings]",
+        "process.pid": 7,
+        "service.node.roles": [
+            "background_tasks",
+            "ui"
+        ],
+        "service.type": "kibana",
+        "trace.id": "809d3449277aba205a3ac539d23dbf7e",
+        "transaction.id": "49a38064b0f1dc1e"
+    },
+    {
+        "@timestamp": "2023-06-19T15:18:48.987+00:00",
+        "event.action": "saved_object_create",
+        "event.category": [
+            "database"
+        ],
+        "event.dataset": "kibana.audit",
+        "event.kind": "event",
+        "event.module": "kibana",
+        "event.outcome": "unknown",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "access"
+        ],
+        "fileset.name": "audit",
+        "input.type": "log",
+        "kibana.saved_object.id": "a09a5397-7b9a-5a73-a622-e29f4c635658",
+        "kibana.saved_object.type": "ingest-outputs",
+        "labels.application": "elastic/fleet",
+        "log.level": "INFO",
+        "log.logger": "plugins.security.audit.ecs",
+        "log.offset": 616,
+        "message": "User is accessing ingest-outputs [id=a09a5397-7b9a-5a73-a622-e29f4c635658]",
+        "process.pid": 7,
+        "service.node.roles": [
+            "background_tasks",
+            "ui"
+        ],
+        "service.type": "kibana",
+        "trace.id": "809d3449277aba205a3ac539d23dbf7e",
+        "transaction.id": "49a38064b0f1dc1e"
+    },
+    {
+        "@timestamp": "2023-06-19T15:18:53.426+00:00",
+        "event.action": "saved_object_create",
+        "event.category": [
+            "database"
+        ],
+        "event.dataset": "kibana.audit",
+        "event.kind": "event",
+        "event.module": "kibana",
+        "event.outcome": "unknown",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "access"
+        ],
+        "fileset.name": "audit",
+        "input.type": "log",
+        "kibana.saved_object.id": "synthetics",
+        "kibana.saved_object.type": "epm-packages",
+        "labels.application": "elastic/fleet",
+        "log.level": "INFO",
+        "log.logger": "plugins.security.audit.ecs",
+        "log.offset": 1242,
+        "message": "User is accessing epm-packages [id=synthetics]",
+        "process.pid": 7,
+        "service.node.roles": [
+            "background_tasks",
+            "ui"
+        ],
+        "service.type": "kibana",
+        "trace.id": "809d3449277aba205a3ac539d23dbf7e",
+        "transaction.id": "49a38064b0f1dc1e"
+    },
+    {
+        "@timestamp": "2023-06-19T15:19:18.882+00:00",
+        "client.ip": "172.22.0.2",
+        "event.action": "http_request",
+        "event.category": [
+            "web"
+        ],
+        "event.dataset": "kibana.audit",
+        "event.kind": "event",
+        "event.module": "kibana",
+        "event.outcome": "unknown",
+        "event.timezone": "-02:00",
+        "fileset.name": "audit",
+        "http.request.method": "get",
+        "input.type": "log",
+        "kibana.space_id": "default",
+        "log.level": "INFO",
+        "log.logger": "plugins.security.audit.ecs",
+        "log.offset": 1812,
+        "message": "User is requesting [/api/features] endpoint",
+        "process.pid": 7,
+        "related.user": [
+            "elastic"
+        ],
+        "service.node.roles": [
+            "background_tasks",
+            "ui"
+        ],
+        "service.type": "kibana",
+        "trace.id": "e2792f3f-4cf1-4f6d-b4eb-5b491724c295",
+        "transaction.id": "cf44f52888b9ec5a",
+        "url.domain": "kibana",
+        "url.path": "/api/features",
+        "url.port": 5601,
+        "url.scheme": "http",
+        "user.name": "elastic",
+        "user.roles": [
+            "superuser"
+        ]
+    },
+    {
+        "@timestamp": "2023-06-19T16:18:47.298+00:00",
+        "event.action": "saved_object_create",
+        "event.category": [
+            "database"
+        ],
+        "event.dataset": "kibana.audit",
+        "event.kind": "event",
+        "event.module": "kibana",
+        "event.outcome": "unknown",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "access"
+        ],
+        "fileset.name": "audit",
+        "input.type": "log",
+        "kibana.saved_object.id": "abcde-fghijk",
+        "kibana.saved_object.type": "ingest_manager_settings",
+        "kibana.saved_object.name": "fleet-object-name",
+        "labels.application": "elastic/fleet",
+        "log.level": "INFO",
+        "log.logger": "plugins.security.audit.ecs",
+        "log.offset": 2466,
+        "message": "User is accessing ingest_manager_settings [id=fleet-default-settings]",
+        "process.pid": 7,
+        "service.node.roles": [
+            "background_tasks",
+            "ui"
+        ],
+        "service.type": "kibana",
+        "trace.id": "809d3449277aba205a3ac539d23dbf7e",
+        "transaction.id": "49a38064b0f1dc1e"
+    }
+]
diff --git a/filebeat/module/kibana/fields.go b/filebeat/module/kibana/fields.go