Update test files with all of tonight's changes

elastic · Jan 29, 2019 · b5753d5 · b5753d5
1 parent b45465a
commit b5753d5
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 14 deletions.
diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
@@ -41,7 +41,6 @@
     },
     {
         "@timestamp": "2017-03-14T19:20:56.192Z",
-        "auditd.log.cmd": "/usr/lib64/nagios/plugins/check_asterisk_sip_peers -p 202",
         "auditd.log.sequence": 19600329,
         "auditd.log.ses": "11988",
         "ecs.version": "1.0.0-beta2",
@@ -53,6 +52,11 @@
         "input.type": "log",
         "log.offset": 373,
         "message": "cwd=\"/",
+        "process.args": [
+            "/usr/lib64/nagios/plugins/check_asterisk_sip_peers",
+            "-p",
+            "202"
+        ],
         "process.pid": 4151,
         "service.type": "auditd",
         "user.audit.id": "700",
@@ -143,7 +147,6 @@
         "process.name": "charon",
         "process.pid": 1275,
         "process.ppid": 1240,
-        "process.terminal": "(none)",
         "service.type": "auditd",
         "user.audit.id": "4294967295",
         "user.effective.group.id": "0",
@@ -153,7 +156,8 @@
         "user.group.id": "0",
         "user.id": "0",
         "user.saved.group.id": "0",
-        "user.saved.id": "0"
+        "user.saved.id": "0",
+        "user.terminal": "(none)"
     },
     {
         "@timestamp": "2017-03-16T04:02:40.072Z",
@@ -177,12 +181,11 @@
         "@timestamp": "2017-03-16T04:02:40.070Z",
         "auditd.log.direction": "both",
         "auditd.log.kind": "session",
-        "auditd.log.laddr": "107.170.139.210",
-        "auditd.log.lport": "50022",
-        "auditd.log.rport": "58994",
         "auditd.log.sequence": 19623788,
         "auditd.log.ses": "6793",
         "auditd.log.spid": "28282",
+        "destination.address": "107.170.139.210",
+        "destination.port": 50022,
         "ecs.version": "1.0.0-beta2",
         "event.action": "crypto_key_user",
         "event.dataset": "auditd.log",
@@ -204,6 +207,7 @@
         "source.geo.region_iso_code": "US-VA",
         "source.geo.region_name": "Virginia",
         "source.ip": "96.241.146.97",
+        "source.port": 58994,
         "user.audit.id": "700",
         "user.id": "0",
         "user.saved.id": "74"
@@ -223,7 +227,6 @@
         "message": "op=success",
         "process.executable": "/usr/sbin/sshd",
         "process.pid": 28281,
-        "process.terminal": "ssh",
         "service.type": "auditd",
         "source.address": "96.241.146.97",
         "source.geo.city_name": "Chantilly",
@@ -236,7 +239,8 @@
         "source.ip": "96.241.146.97",
         "user.audit.id": "700",
         "user.id": "0",
-        "user.name": "admin"
+        "user.name": "admin",
+        "user.terminal": "ssh"
     },
     {
         "@timestamp": "2017-03-16T04:02:57.804Z",
@@ -253,11 +257,11 @@
         "message": "op=PAM:authentication",
         "process.executable": "/bin/su",
         "process.pid": 28395,
-        "process.terminal": "pts/0",
         "service.type": "auditd",
         "user.audit.id": "700",
         "user.id": "0",
-        "user.name": "root"
+        "user.name": "root",
+        "user.terminal": "pts/0"
     },
     {
         "@timestamp": "2017-03-16T04:02:57.805Z",
@@ -274,10 +278,10 @@
         "message": "op=PAM:accounting",
         "process.executable": "/bin/su",
         "process.pid": 28395,
-        "process.terminal": "pts/0",
         "service.type": "auditd",
         "user.audit.id": "700",
         "user.id": "0",
-        "user.name": "root"
+        "user.name": "root",
+        "user.terminal": "pts/0"
     }
 ]
diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json
@@ -44,7 +44,6 @@
         "process.name": "charon",
         "process.pid": 1281,
         "process.ppid": 1240,
-        "process.terminal": "(none)",
         "service.type": "auditd",
         "user.audit.id": "4294967295",
         "user.effective.group.id": "0",
@@ -54,6 +53,68 @@
         "user.group.id": "0",
         "user.id": "0",
         "user.saved.group.id": "0",
-        "user.saved.id": "0"
+        "user.saved.id": "0",
+        "user.terminal": "(none)"
+    },
+    {
+        "@timestamp": "2017-03-14T19:20:56.192Z",
+        "auditd.log.sequence": 19600329,
+        "auditd.log.ses": "11988",
+        "ecs.version": "1.0.0-beta2",
+        "event.action": "user_cmd",
+        "event.dataset": "auditd.log",
+        "event.module": "auditd",
+        "event.outcome": "success",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 536,
+        "message": "cwd=\"/",
+        "process.args": [
+            "/usr/lib64/nagios/plugins/check_asterisk_sip_peers",
+            "-p",
+            "202"
+        ],
+        "process.pid": 4151,
+        "service.type": "auditd",
+        "user.audit.id": "700",
+        "user.id": "497"
+    },
+    {
+        "@timestamp": "2016-12-07T02:17:21.515Z",
+        "auditd.log.cipher": "chacha20-poly1305@openssh.com",
+        "auditd.log.direction": "from-server",
+        "auditd.log.ksize": "512",
+        "auditd.log.pfs": "curve25519-sha256@libssh.org",
+        "auditd.log.sequence": 406,
+        "auditd.log.ses": "4294967295",
+        "auditd.log.spid": "1299",
+        "auditd.log.subj": "system_u:system_r:sshd_t:s0-s0:c0.c1023",
+        "destination.address": "10.142.0.2",
+        "destination.port": 22,
+        "ecs.version": "1.0.0-beta2",
+        "event.action": "crypto_session",
+        "event.dataset": "auditd.log",
+        "event.module": "auditd",
+        "event.outcome": "success",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 783,
+        "message": "op=start",
+        "process.executable": "/usr/sbin/sshd",
+        "process.pid": 1298,
+        "service.type": "auditd",
+        "source.address": "96.241.146.97",
+        "source.geo.city_name": "Chantilly",
+        "source.geo.continent_name": "North America",
+        "source.geo.country_iso_code": "US",
+        "source.geo.location.lat": 38.9148,
+        "source.geo.location.lon": -77.4883,
+        "source.geo.region_iso_code": "US-VA",
+        "source.geo.region_name": "Virginia",
+        "source.ip": "96.241.146.97",
+        "source.port": 63927,
+        "user.audit.id": "4294967295",
+        "user.id": "0",
+        "user.saved.id": "74"
     }
 ]