Add dashboards for Google Cloud Audit and AWS CloudTrail (#17379)

Add dashboards for Google Cloud Audit and AWS Cloud Trail. Add images to docs googlecloud/audit was missing docs so I added them. (cherry picked from commit a7ada06)
elastic · May 6, 2020 · 51f5f95 · 51f5f95
1 parent 470834c
commit 51f5f95
Show file tree

Hide file tree

Showing 9 changed files with 1,724 additions and 4 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -385,6 +385,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Change the `json.*` input settings implementation to merge parsed json objects with existing objects in the event instead of fully replacing them. {pull}17958[17958]
 - Improve ECS categorization field mappings in osquery module. {issue}16176[16176] {pull}17881[17881]
 - Add support for v10, v11 and v12 logs on Postgres {issue}13810[13810] {pull}17732[17732]
+- Add dashboard for Google Cloud Audit and AWS CloudTrail. {pull}17379[17379]
 
 *Heartbeat*
 

diff --git a/filebeat/docs/images/filebeat-aws-cloudtrail.png b/filebeat/docs/images/filebeat-aws-cloudtrail.png
diff --git a/filebeat/docs/images/filebeat-googlecloud-audit.png b/filebeat/docs/images/filebeat-googlecloud-audit.png
diff --git a/filebeat/docs/modules/aws.asciidoc b/filebeat/docs/modules/aws.asciidoc
@@ -166,6 +166,9 @@ The `cloudtrail` fileset does not read the CloudTrail Digest files
 that are delivered to the S3 bucket when Log File Integrity is turned
 on, it only reads the CloudTrail logs.
 
+[role="screenshot"]
+image::./images/filebeat-aws-cloudtrail.png[]
+
 [float]
 === cloudwatch fileset
 

diff --git a/filebeat/docs/modules/googlecloud.asciidoc b/filebeat/docs/modules/googlecloud.asciidoc
@@ -11,7 +11,7 @@ This file is generated! See scripts/docs_collector.py
 == Google Cloud module
 
 
-This is a module for Google Cloud logs. It supports reading VPC flow
+This is a module for Google Cloud logs. It supports reading audit, VPC flow,
 and firewall logs that have been exported from Stackdriver to a
 Google Pub/Sub topic sink.
 
@@ -21,10 +21,58 @@ include::../include/gs-link.asciidoc[]
 
 include::../include/configuring-intro.asciidoc[]
 
-:fileset_ex: vpcflow
+:fileset_ex: audit
 
 include::../include/config-option-intro.asciidoc[]
 
+[float]
+==== `audit` fileset settings
+
+[role="screenshot"]
+image::./images/filebeat-googlecloud-audit.png[]
+
+Example config:
+
+[source,yaml]
+----
+- module: googleclcoud
+  audit:
+    enabled: true
+    var.project_id: my-gcp-project-id
+    var.topic: googlecloud-vpc-audit
+    var.subscription_name: filebeat-googlecloud-audit-sub
+    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
+    var.keep_original_message: false
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.project_id`*::
+
+Google Cloud project ID.
+
+*`var.topic`*::
+
+Google Cloud Pub/Sub topic name.
+
+*`var.subscription_name`*::
+
+Google Cloud Pub/Sub topic subscription name. If the subscription does not
+exist it will be created.
+
+*`var.credentials_file`*::
+
+Path to a JSON file containing the credentials and key used to subscribe.
+
+*`var.keep_original_message`*::
+
+Flag to control whether the original message is stored in the `log.original`
+field. Defaults to `false`, meaning the original message is not saved.
+
+:fileset_ex!:
+
+:fileset_ex: vpcflow
+
 [float]
 ==== `vpcflow` fileset settings
 

diff --git a/x-pack/filebeat/module/aws/_meta/docs.asciidoc b/x-pack/filebeat/module/aws/_meta/docs.asciidoc
@@ -161,6 +161,9 @@ The `cloudtrail` fileset does not read the CloudTrail Digest files
 that are delivered to the S3 bucket when Log File Integrity is turned
 on, it only reads the CloudTrail logs.
 
+[role="screenshot"]
+image::./images/filebeat-aws-cloudtrail.png[]
+
 [float]
 === cloudwatch fileset