From b5753d59f3e2fa75ac0d9473551bc323bee74a04 Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Mon, 28 Jan 2019 22:33:56 -0500
Subject: [PATCH] Update test files with all of tonight's changes
---
 .../log/test/audit-rhel6.log-expected.json | 28 ++++----
 .../auditd/log/test/test.log-expected.json | 65 ++++++++++++++++++-
 2 files changed, 79 insertions(+), 14 deletions(-)
diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
index 63aa98711d8..f0d073fdfc4 100644
--- a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
+++ b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
@@ -41,7 +41,6 @@
 },
 {
 "@timestamp": "2017-03-14T19:20:56.192Z",
- "auditd.log.cmd": "/usr/lib64/nagios/plugins/check_asterisk_sip_peers -p 202",
 "auditd.log.sequence": 19600329,
 "auditd.log.ses": "11988",
 "ecs.version": "1.0.0-beta2",
@@ -53,6 +52,11 @@
 "input.type": "log",
 "log.offset": 373,
 "message": "cwd=\"/",
+ "process.args": [
+ "/usr/lib64/nagios/plugins/check_asterisk_sip_peers",
+ "-p",
+ "202"
+ ],
 "process.pid": 4151,
 "service.type": "auditd",
 "user.audit.id": "700",
@@ -143,7 +147,6 @@
 "process.name": "charon",
 "process.pid": 1275,
 "process.ppid": 1240,
- "process.terminal": "(none)",
 "service.type": "auditd",
 "user.audit.id": "4294967295",
 "user.effective.group.id": "0",
@@ -153,7 +156,8 @@
 "user.group.id": "0",
 "user.id": "0",
 "user.saved.group.id": "0",
- "user.saved.id": "0"
+ "user.saved.id": "0",
+ "user.terminal": "(none)"
 },
 {
 "@timestamp": "2017-03-16T04:02:40.072Z",
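Review bot: The `process.args` array added in hunk `@@ -53,6 +52,11 @@` is now the only place the USER_CMD command survives, because hunk `@@ -41,7 +41,6 @@` drops `auditd.log.cmd` and nothing in the new expectation carries the verbatim string. ECS has `process.command_line` for exactly that, so the expected event should also contain `"process.command_line": "/usr/lib64/nagios/plugins/check_asterisk_sip_peers -p 202",` next to the array; analysts and detection rules that match on the full line, and any argument that originally contained whitespace, cannot be reconstructed reliably from the tokenized array alone (how the pipeline splits the string is not visible here). The same change is repeated in the added event of test.log-expected.json, hunk `@@ -54,6 +53,68 @@`.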
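Review bot: Hunk `@@ -143,7 +147,6 @@` together with `@@ -153,7 +156,8 @@` moves the tty from `process.terminal` to `user.terminal`, a field that, as far as I can tell, is not part of the ECS release these events declare (`"ecs.version": "1.0.0-beta2"`); these expectations only index correctly if the module's own fields.yml declares `user.terminal`, so please confirm that entry exists or the field will be unmapped in the template. The literal `"(none)"` is carried over from the audit record as-is, which is fine, but consumers searching `user.terminal` must treat it as "no tty" rather than a terminal name. The same move is made in hunks `@@ -223,7 +227,6 @@`, `@@ -236,7 +239,8 @@`, `@@ -253,11 +257,11 @@` and `@@ -274,10 +278,10 @@` of this file and in `@@ -44,7 +44,6 @@` and `@@ -54,6 +53,68 @@` of test.log-expected.json.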
@@ -177,12 +181,11 @@
 "@timestamp": "2017-03-16T04:02:40.070Z",
 "auditd.log.direction": "both",
 "auditd.log.kind": "session",
- "auditd.log.laddr": "107.170.139.210",
- "auditd.log.lport": "50022",
- "auditd.log.rport": "58994",
 "auditd.log.sequence": 19623788,
 "auditd.log.ses": "6793",
 "auditd.log.spid": "28282",
+ "destination.address": "107.170.139.210",
+ "destination.port": 50022,
 "ecs.version": "1.0.0-beta2",
 "event.action": "crypto_key_user",
 "event.dataset": "auditd.log",
@@ -204,6 +207,7 @@
 "source.geo.region_iso_code": "US-VA",
 "source.geo.region_name": "Virginia",
 "source.ip": "96.241.146.97",
+ "source.port": 58994,
 "user.audit.id": "700",
 "user.id": "0",
 "user.saved.id": "74"
@@ -223,7 +227,6 @@
 "message": "op=success",
 "process.executable": "/usr/sbin/sshd",
 "process.pid": 28281,
- "process.terminal": "ssh",
 "service.type": "auditd",
 "source.address": "96.241.146.97",
 "source.geo.city_name": "Chantilly",
@@ -236,7 +239,8 @@
 "source.ip": "96.241.146.97",
 "user.audit.id": "700",
 "user.id": "0",
- "user.name": "admin"
+ "user.name": "admin",
+ "user.terminal": "ssh"
 },
 {
 "@timestamp": "2017-03-16T04:02:57.804Z",
@@ -253,11 +257,11 @@
 "message": "op=PAM:authentication",
 "process.executable": "/bin/su",
 "process.pid": 28395,
- "process.terminal": "pts/0",
 "service.type": "auditd",
 "user.audit.id": "700",
 "user.id": "0",
- "user.name": "root"
+ "user.name": "root",
+ "user.terminal": "pts/0"
 },
 {
 "@timestamp": "2017-03-16T04:02:57.805Z",
@@ -274,10 +278,10 @@
 "message": "op=PAM:accounting",
 "process.executable": "/bin/su",
 "process.pid": 28395,
- "process.terminal": "pts/0",
 "service.type": "auditd",
 "user.audit.id": "700",
 "user.id": "0",
- "user.name": "root"
+ "user.name": "root",
+ "user.terminal": "pts/0"
 }
 ]
\ No newline at end of file
diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json
index 38d11a105c2..fa7daca5504 100644
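Review bot: In hunk `@@ -177,12 +181,11 @@` the destination side of the crypto_key_user event gets only `destination.address`, while the source side of the same event carries `source.address`, `source.ip` and `source.geo.*` (context lines and hunk `@@ -204,6 +207,7 @@`), so a search or detection keyed on `destination.ip` will not match the sshd endpoint even though 107.170.139.210 is a plain IP. If the pipeline is meant to treat both ends alike, the expected output should also include `"destination.ip": "107.170.139.210",`; if the asymmetry is deliberate, it deserves an explanatory comment in the pipeline rather than being encoded silently in the fixture. The added crypto_session event in test.log-expected.json, hunk `@@ -54,6 +53,68 @@`, has the same gap for 10.142.0.2. Moving `laddr`/`lport` to destination and `rport` to source is consistent with sshd being the listening side in both fixtures.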
--- a/filebeat/module/auditd/log/test/test.log-expected.json
+++ b/filebeat/module/auditd/log/test/test.log-expected.json
@@ -44,7 +44,6 @@
 "process.name": "charon",
 "process.pid": 1281,
 "process.ppid": 1240,
- "process.terminal": "(none)",
 "service.type": "auditd",
 "user.audit.id": "4294967295",
 "user.effective.group.id": "0",
@@ -54,6 +53,68 @@
 "user.group.id": "0",
 "user.id": "0",
 "user.saved.group.id": "0",
- "user.saved.id": "0"
+ "user.saved.id": "0",
+ "user.terminal": "(none)"
+ },
+ {
+ "@timestamp": "2017-03-14T19:20:56.192Z",
+ "auditd.log.sequence": 19600329,
+ "auditd.log.ses": "11988",
+ "ecs.version": "1.0.0-beta2",
+ "event.action": "user_cmd",
+ "event.dataset": "auditd.log",
+ "event.module": "auditd",
+ "event.outcome": "success",
+ "fileset.name": "log",
+ "input.type": "log",
+ "log.offset": 536,
+ "message": "cwd=\"/",
+ "process.args": [
+ "/usr/lib64/nagios/plugins/check_asterisk_sip_peers",
+ "-p",
+ "202"
+ ],
+ "process.pid": 4151,
+ "service.type": "auditd",
+ "user.audit.id": "700",
+ "user.id": "497"
+ },
+ {
+ "@timestamp": "2016-12-07T02:17:21.515Z",
+ "auditd.log.cipher": "chacha20-poly1305@openssh.com",
+ "auditd.log.direction": "from-server",
+ "auditd.log.ksize": "512",
+ "auditd.log.pfs": "curve25519-sha256@libssh.org",
+ "auditd.log.sequence": 406,
+ "auditd.log.ses": "4294967295",
+ "auditd.log.spid": "1299",
+ "auditd.log.subj": "system_u:system_r:sshd_t:s0-s0:c0.c1023",
+ "destination.address": "10.142.0.2",
+ "destination.port": 22,
+ "ecs.version": "1.0.0-beta2",
+ "event.action": "crypto_session",
+ "event.dataset": "auditd.log",
+ "event.module": "auditd",
+ "event.outcome": "success",
+ "fileset.name": "log",
+ "input.type": "log",
+ "log.offset": 783,
+ "message": "op=start",
+ "process.executable": "/usr/sbin/sshd",
+ "process.pid": 1298,
+ "service.type": "auditd",
+ "source.address": "96.241.146.97",
+ "source.geo.city_name": "Chantilly",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 38.9148,
+ "source.geo.location.lon": -77.4883,
+ "source.geo.region_iso_code": "US-VA",
+ "source.geo.region_name": "Virginia",
+ "source.ip": "96.241.146.97",
+ "source.port": 63927,
+ "user.audit.id": "4294967295",
+ "user.id": "0",
+ "user.saved.id": "74"
 }
 ]
\ No newline at end of file