Convert the Filebeat auditd module to ECS #10192

Merged
merged 22 commits into from
Jan 30, 2019
1cd825c
First draft at migrating Filebeat's auditd module to ECS
Jan 19, 2019
269dc62
Add missing coercions for process ids
Jan 19, 2019
8f4d3fb
Add log file with more exciting content
Jan 21, 2019
a1c57a1
Update the user structure to represent what was discussed with @cwurm:
Jan 21, 2019
8941175
Turn fields that were defined into aliases...
Jan 21, 2019
395b076
Add a bunch of fields that weren't defined, but are being migrated.
Jan 21, 2019
ce10c80
Add missing `migration: true` to the fields.yml
Jan 21, 2019
1f981f9
Get rid of the `user.group_` workaround.
Jan 23, 2019
6770379
Arch goes to host.architecture, not host.os.architecture.
Jan 23, 2019
d638458
Document the field migrations in ecs-migration
Jan 23, 2019
c33fd94
Changelog
Jan 23, 2019
c233180
Define the fields representing the various permissions considered for…
Jan 25, 2019
4917ea2
tty and terminal are mapped to user.terminal instead of process.terminal
Jan 29, 2019
6482222
Add a few more interesting logs to the main test log
Jan 29, 2019
40963c2
Dig up a few more fields to transition.
Jan 29, 2019
b45465a
Fix big mistake: module's main fields def must end with opening of th…
Jan 29, 2019
b5753d5
Update test files with all of tonight's changes
Jan 29, 2019
3c762dc
Update reference documentation vs the auditd/_meta/fields.yml fix
Jan 29, 2019
adca8c8
Try getting the fields.yml right
Jan 29, 2019
3aa9189
Revert the tty => terminal mapping
Jan 29, 2019
b8e7a76
Undo another dubious translation: the local/remote address details
Jan 29, 2019
3b9eaf6
2nd changelog for the improvements
Jan 29, 2019
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -44,6 +44,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Rename a few `mongodb.*` fields to map to ECS. {pull}10009[10009]
- Rename a few `mysql.*` fields to map to ECS. {pull}10008[10008]
- Rename a few `nginx.error.*` fields to map to ECS. {pull}10007[10007]
- Rename many `auditd.log.*` fields to map to ECS. {pull}10192[10192]
- Filesets with multiple ingest pipelines added in {pull}8914[8914] only work with Elasticsearch >= 6.5.0 {pull}10001[10001]
- Remove service.name from Elastcsearch module. Replace by service.type. {pull}10042[10042]
- Remove numeric coercions for `user.id` and `group.id`. IDs should be `keyword`. {pull}10233[10233]
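Review bot: the added `auditd.log.*` breaking-change entry should state that one of the renamed fields loses its old name entirely: the `dev-tools/ecs-migration.yml` change in this same PR marks `auditd.log.cmd` -> `process.args` as `alias: false` (the old value was a command-line string, the new one an array), so saved searches and visualizations on `auditd.log.cmd` stop matching after upgrade, while every other renamed field keeps an alias. Suggest wording along the lines of "Rename many `auditd.log.*` fields to map to ECS; aliases are kept for all of them except `auditd.log.cmd`, which becomes the `process.args` array."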
Expand Down Expand Up @@ -161,6 +162,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add alias field support in Kibana index pattern. {pull}10075[10075]
- Add `add_fields` processor. {pull}10119[10119]
- Add Kibana field formatter to bytes fields. {pull}10184[10184]
- Document a few more `auditd.log.*` fields. {pull}10192[10192]

*Auditbeat*

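Review bot: "a few more" is too vague for a changelog entry that users scan to decide whether their index templates or dashboards are affected. Either list the newly documented `auditd.log.*` fields, or say what the commits on this PR describe: fields the pipeline already emitted but that were missing from `auditd/_meta/fields.yml` and are now defined there with `migration: true`.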
153 changes: 153 additions & 0 deletions dev-tools/ecs-migration.yml
Expand Up @@ -129,6 +129,159 @@

# Filebeat modules

# Auditd module

- from: auditd.log.acct
to: user.name
alias: true
beat: filebeat

- from: auditd.log.pid
to: process.pid
alias: true
beat: filebeat

- from: auditd.log.ppid
to: process.ppid
alias: true
beat: filebeat

- from: auditd.log.res
to: event.outcome
alias: true
beat: filebeat

- from: auditd.log.record_type
to: event.action
alias: true
beat: filebeat

- from: auditd.log.arch
to: host.architecture
alias: true
beat: filebeat

- from: auditd.log.gid
to: user.group.id
alias: true
beat: filebeat

- from: auditd.log.uid
to: user.id
alias: true
beat: filebeat

- from: auditd.log.agid
to: user.audit.group.id
alias: true
beat: filebeat

- from: auditd.log.auid
to: user.audit.id
alias: true
beat: filebeat

- from: auditd.log.fsgid
to: user.filesystem.group.id
alias: true
beat: filebeat

- from: auditd.log.egid
to: user.effective.group.id
alias: true
beat: filebeat

- from: auditd.log.euid
to: user.effective.id
alias: true
beat: filebeat

- from: auditd.log.sgid
to: user.saved.group.id
alias: true
beat: filebeat

- from: auditd.log.suid
to: user.saved.id
alias: true
beat: filebeat

- from: auditd.log.ogid
to: user.owner.group.id
alias: true
beat: filebeat

- from: auditd.log.ouid
to: user.owner.id
alias: true
beat: filebeat

- from: auditd.log.terminal
to: user.terminal
alias: true
beat: filebeat

- from: auditd.log.comm
to: process.name
alias: true
beat: filebeat

- from: auditd.log.cmd
to: process.args
alias: false
beat: filebeat
comment: Was a cmdline string, whereas args is an array of keywords.

- from: auditd.log.exe
to: process.executable
alias: true
beat: filebeat

- from: auditd.log.msg
to: message
alias: true
beat: filebeat

- from: auditd.log.src
to: source.address
alias: true
beat: filebeat

- from: auditd.log.dst
to: destination.address
alias: true
beat: filebeat

- from: auditd.log.geoip.continent_name
to: source.geo.continent_name
alias: true
beat: filebeat

- from: auditd.log.geoip.country_iso_code
to: source.geo.country_iso_code
alias: true
beat: filebeat

- from: auditd.log.geoip.location
to: source.geo.location
alias: true
beat: filebeat

- from: auditd.log.geoip.region_name
to: source.geo.region_name
alias: true
beat: filebeat

- from: auditd.log.geoip.city_name
to: source.geo.city_name
alias: true
beat: filebeat

- from: auditd.log.geoip.region_iso_code
to: source.geo.region_iso_code
alias: true
beat: filebeat

# Suricata module

- from: source_ecs.ip
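Review bot: the `auditd.log.res` -> `event.outcome` entry is marked `alias: true`, but an alias only renames the field; it cannot translate values. auditd writes `res=success` and `res=failed` in its USER_* records, so anything that expects a normalized outcome vocabulary under `event.outcome` will see the raw auditd strings unless the ingest pipeline rewrites them. Add a `comment:` on that entry (as the `auditd.log.cmd` entry already does) stating whether the pipeline normalizes the value or whether consumers should expect auditd's own `success`/`failed` spelling, so the migration document is explicit about the semantic change and not only the rename.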