Add process name to system auth events (#11231) (#11290)

Before migration to ECS (#9138), we could rely on the presence of specific
fields to know the process originating the events, but this is not so reliable
after some of these fields have been moved to common places. Add
process.name also for known messages so we keep this info in a known
place.

Also use event.outcome instead of event.action for the result of the
logged action.

(cherry picked from commit a2e6d3a)

filebeat/module/system/auth/ingest/pipeline.json

@@ -9,12 +9,12 @@
                     "GREEDYMULTILINE" : "(.|\n)*"
                 },
                 "patterns": [
-                    "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} sshd(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:event.action} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
-                    "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} sshd(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:event.action} user %{DATA:user.name} from %{IPORHOST:source.ip}",
-                    "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} sshd(?:\\[%{POSINT:process.pid:long}\\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}",
-                    "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} sudo(?:\\[%{POSINT:process.pid:long}\\])?: \\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
-                    "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} groupadd(?:\\[%{POSINT:process.pid:long}\\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}",
-                    "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} useradd(?:\\[%{POSINT:process.pid:long}\\])?: new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$",
+                    "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:event.outcome} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
+                    "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:event.outcome} user %{DATA:user.name} from %{IPORHOST:source.ip}",
+                    "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}",
+                    "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: \\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
+                    "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}",
+                    "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$",
                     "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.auth.message}"
                 ]
             }

filebeat/module/system/auth/test/test.log-expected.json

@@ -1,13 +1,14 @@
 [
     {
         "ecs.version": "1.0.0",
-        "event.action": "Accepted",
         "event.dataset": "system.auth",
         "event.module": "system",
+        "event.outcome": "Accepted",
         "fileset.name": "auth",
         "host.hostname": "localhost",
         "input.type": "log",
         "log.offset": 0,
+        "process.name": "sshd",
         "process.pid": 3402,
         "service.type": "system",
         "source.ip": "10.0.2.2",
@@ -18,13 +19,14 @@
     },
     {
         "ecs.version": "1.0.0",
-        "event.action": "Accepted",
         "event.dataset": "system.auth",
         "event.module": "system",
+        "event.outcome": "Accepted",
         "fileset.name": "auth",
         "host.hostname": "localhost",
         "input.type": "log",
         "log.offset": 152,
+        "process.name": "sshd",
         "process.pid": 7483,
         "service.type": "system",
         "source.ip": "192.168.33.1",
@@ -34,27 +36,29 @@
     },
     {
         "ecs.version": "1.0.0",
-        "event.action": "Invalid",
         "event.dataset": "system.auth",
         "event.module": "system",
+        "event.outcome": "Invalid",
         "fileset.name": "auth",
         "host.hostname": "localhost",
         "input.type": "log",
         "log.offset": 254,
+        "process.name": "sshd",
         "process.pid": 3430,
         "service.type": "system",
         "source.ip": "10.0.2.2",
         "user.name": "test"
     },
     {
         "ecs.version": "1.0.0",
-        "event.action": "Failed",
         "event.dataset": "system.auth",
         "event.module": "system",
+        "event.outcome": "Failed",
         "fileset.name": "auth",
         "host.hostname": "slave22",
         "input.type": "log",
         "log.offset": 324,
+        "process.name": "sshd",
         "process.pid": 5774,
         "service.type": "system",
         "source.geo.continent_name": "Asia",
@@ -76,6 +80,7 @@
         "host.hostname": "localhost",
         "input.type": "log",
         "log.offset": 420,
+        "process.name": "sudo",
         "service.type": "system",
         "system.auth.sudo.command": "/bin/ls",
         "system.auth.sudo.pwd": "/home/vagrant",
@@ -91,6 +96,7 @@
         "host.hostname": "slave22",
         "input.type": "log",
         "log.offset": 522,
+        "process.name": "sshd",
         "process.pid": 18406,
         "service.type": "system",
         "source.geo.continent_name": "Asia",
@@ -108,6 +114,7 @@
         "host.hostname": "localhost",
         "input.type": "log",
         "log.offset": 617,
+        "process.name": "sudo",
         "service.type": "system",
         "system.auth.sudo.command": "/bin/cat /var/log/secure",
         "system.auth.sudo.pwd": "/home/vagrant",
@@ -123,6 +130,7 @@
         "host.hostname": "precise32",
         "input.type": "log",
         "log.offset": 736,
+        "process.name": "sudo",
         "service.type": "system",
         "system.auth.sudo.command": "/bin/ls",
         "system.auth.sudo.error": "user NOT in sudoers",
@@ -141,6 +149,7 @@
         "host.hostname": "localhost",
         "input.type": "log",
         "log.offset": 861,
+        "process.name": "groupadd",
         "process.pid": 6991,
         "service.type": "system"
     },
@@ -153,6 +162,7 @@
         "host.hostname": "localhost",
         "input.type": "log",
         "log.offset": 934,
+        "process.name": "useradd",
         "process.pid": 6995,
         "service.type": "system",
         "system.auth.useradd.home": "/usr/share/httpd",