From a2e6d3a4c0cbb56a1c758fe39081d6e30061e08d Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Mon, 18 Mar 2019 16:48:46 +0100
Subject: [PATCH] Add process name to system auth events (#11231)

---
 .../module/system/auth/ingest/pipeline.json | 12 ++++++------
 .../system/auth/test/test.log-expected.json | 18 ++++++++++++++----
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/filebeat/module/system/auth/ingest/pipeline.json b/filebeat/module/system/auth/ingest/pipeline.json
index c6b91e067ac..a5496839970 100644
--- a/filebeat/module/system/auth/ingest/pipeline.json
+++ b/filebeat/module/system/auth/ingest/pipeline.json
@@ -9,12 +9,12 @@
 "GREEDYMULTILINE" : "(.|\n)*"
 },
 "patterns": [
- "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} sshd(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:event.action} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
- "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} sshd(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:event.action} user %{DATA:user.name} from %{IPORHOST:source.ip}",
- "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} sshd(?:\\[%{POSINT:process.pid:long}\\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}",
- "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} sudo(?:\\[%{POSINT:process.pid:long}\\])?: \\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
- "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} groupadd(?:\\[%{POSINT:process.pid:long}\\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}",
- "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} useradd(?:\\[%{POSINT:process.pid:long}\\])?: new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$",
+ "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:event.outcome} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
+ "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:event.outcome} user %{DATA:user.name} from %{IPORHOST:source.ip}",
+ "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}",
+ "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: \\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
+ "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}",
+ "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$",
 "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.auth.message}"
 ]
 }
diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json
index afa5e4854c5..c780956e8a5 100644
--- a/filebeat/module/system/auth/test/test.log-expected.json
+++ b/filebeat/module/system/auth/test/test.log-expected.json
@@ -1,13 +1,14 @@
 [
 {
 "ecs.version": "1.0.0",
- "event.action": "Accepted",
 "event.dataset": "system.auth",
 "event.module": "system",
+ "event.outcome": "Accepted",
 "fileset.name": "auth",
 "host.hostname": "localhost",
 "input.type": "log",
 "log.offset": 0,
+ "process.name": "sshd",
 "process.pid": 3402,
 "service.type": "system",
 "source.ip": "10.0.2.2",
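Review bot: Replacing the literal `sshd`/`sudo`/`groupadd`/`useradd` with `%{DATA:process.name}` in the six rewritten patterns removes the only check that a line came from the daemon whose fields it populates, so a line from any other process whose message happens to have the same shape (for the sudo pattern, `user : TTY=… ; PWD=… ; USER=… ; COMMAND=…`) is now parsed into `system.auth.sudo.*` and `user.name`, and detections that key on those fields without also filtering on `process.name` can be misled by log content the logging process did not control. The process name can be captured without loosening the match by keeping the literal inside a named group, `(?<process.name>sshd)(?:\\[%{POSINT:process.pid:long}\\])?:` for the three ssh patterns and the same form with `sudo`, `groupadd` and `useradd` for the other three, which is the Oniguruma named-capture syntax the ingest grok processor accepts. Separately, the first two patterns rename `event.action` to `event.outcome`; existing saved searches and alerts on `event.action` will silently stop matching, and the commit message does not mention the rename, so it deserves a line there or in the changelog. `event.outcome` now receives the raw words `Accepted`/`Failed`/`Invalid`, which looks wider than the success/failure vocabulary ECS intends for that field — worth confirming against the ECS 1.0.0 definition before relying on it in rules.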
@@ -18,13 +19,14 @@
 },
 {
 "ecs.version": "1.0.0",
- "event.action": "Accepted",
 "event.dataset": "system.auth",
 "event.module": "system",
+ "event.outcome": "Accepted",
 "fileset.name": "auth",
 "host.hostname": "localhost",
 "input.type": "log",
 "log.offset": 152,
+ "process.name": "sshd",
 "process.pid": 7483,
 "service.type": "system",
 "source.ip": "192.168.33.1",
@@ -34,13 +36,14 @@
 },
 {
 "ecs.version": "1.0.0",
- "event.action": "Invalid",
 "event.dataset": "system.auth",
 "event.module": "system",
+ "event.outcome": "Invalid",
 "fileset.name": "auth",
 "host.hostname": "localhost",
 "input.type": "log",
 "log.offset": 254,
+ "process.name": "sshd",
 "process.pid": 3430,
 "service.type": "system",
 "source.ip": "10.0.2.2",
@@ -48,13 +51,14 @@
 },
 {
 "ecs.version": "1.0.0",
- "event.action": "Failed",
 "event.dataset": "system.auth",
 "event.module": "system",
+ "event.outcome": "Failed",
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 324,
+ "process.name": "sshd",
 "process.pid": 5774,
 "service.type": "system",
 "source.geo.continent_name": "Asia",
@@ -76,6 +80,7 @@
 "host.hostname": "localhost",
 "input.type": "log",
 "log.offset": 420,
+ "process.name": "sudo",
 "service.type": "system",
 "system.auth.sudo.command": "/bin/ls",
 "system.auth.sudo.pwd": "/home/vagrant",
@@ -91,6 +96,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 522,
+ "process.name": "sshd",
 "process.pid": 18406,
 "service.type": "system",
 "source.geo.continent_name": "Asia",
@@ -108,6 +114,7 @@
 "host.hostname": "localhost",
 "input.type": "log",
 "log.offset": 617,
+ "process.name": "sudo",
 "service.type": "system",
 "system.auth.sudo.command": "/bin/cat /var/log/secure",
 "system.auth.sudo.pwd": "/home/vagrant",
@@ -123,6 +130,7 @@
 "host.hostname": "precise32",
 "input.type": "log",
 "log.offset": 736,
+ "process.name": "sudo",
 "service.type": "system",
 "system.auth.sudo.command": "/bin/ls",
 "system.auth.sudo.error": "user NOT in sudoers",
@@ -141,6 +149,7 @@
 "host.hostname": "localhost",
 "input.type": "log",
 "log.offset": 861,
+ "process.name": "groupadd",
 "process.pid": 6991,
 "service.type": "system"
 },
@@ -153,6 +162,7 @@
 "host.hostname": "localhost",
 "input.type": "log",
 "log.offset": 934,
+ "process.name": "useradd",
 "process.pid": 6995,
 "service.type": "system",
 "system.auth.useradd.home": "/usr/share/httpd",