
Fixes parsing of @timestamp for Elasticsearch Audit JSON logs #13532

Conversation

lucabelluccini
Contributor

Fixes parsing of @timestamp for Elasticsearch Audit JSON logs.

E.g. of audit JSON logs:

```
{"@timestamp":"2019-09-05T14:02:37,921", "node.id":"UwRu4mReRtyJO1-FWAPvIQ", "event.type":"transport", "event.action":"authentication_success", "user.name":"_system", "origin.type":"local_node", "origin.address":"127.0.0.1:9300", "realm":"__fallback", "request.id":"474ZciqtQteOhjLO3OdZIw", "action":"indices:monitor/stats", "request.name":"IndicesStatsRequest"}
```

Related to #13367

Would it be possible to review @jsoriano @ycombinator ?

lucabelluccini requested a review from a team as a code owner, September 6, 2019 15:16
@jsoriano
Member

jsoriano commented Sep 6, 2019

@lucabelluccini thanks for opening this PR, it seems that it is failing for our current test files. Most of them seem to be ISO8601 dates with timezone included, but we have some of them without timezone. I wonder if the ones without timezones are from older versions.

From what version is the log entry you posted?

@elasticmachine
Collaborator

Pinging @elastic/stack-monitoring

@lucabelluccini
Contributor Author

lucabelluccini commented Sep 6, 2019

Hello @jsoriano, this is Filebeat 7.1.1 with Elasticsearch 7.1.1.
The timezone conversion was not working there.
I'll take a look with Filebeat 7.1.1 with ES 7.3.1.
Maybe we can specify multiple formats so we can cover different cases?

@ycombinator
Contributor

Hi @lucabelluccini, I'm able to reproduce the issue you are seeing with Elasticsearch 7.1.1. This is because in that version of ES the audit logs (JSON format) contain a @timestamp field which does not contain a time zone. However, in later versions of ES the audit logs (JSON format) instead contain a timestamp (notice the lack of @ prefix) field which does contain a timestamp. 🤦‍♂🤦‍♀

Thanks for bringing this to our attention with this PR. However, the fixes in this PR are not compatible across all versions of ES, as @jsoriano pointed out in his comment above.

After much experimentation (and learning a few special cases in Painless syntax 😅) I believe I finally have the correct configuration necessary for the elasticsearch/audit fileset to parse audit logs (JSON format) from all supported ES versions correctly. I've put up this change in #15942. Please take a look at that PR and if you're happy with it, I think we can close this one out in favor of #15942. Thanks!
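
The two timestamp shapes discussed in this thread, side by side: the ES 7.1.1 `@timestamp` with comma-separated milliseconds and no zone (the line quoted in the PR description) and the later `timestamp` field that carries a zone (the shape ycombinator describes above). This is an added example for readers of the thread, not code from this PR, from #15942 or from the Beats `elasticsearch/audit` fileset, and it is plain Python rather than the ingest-pipeline Painless the fileset uses. It assumes the zoned form looks like `2019-09-05T14:02:37,921+0000` (the thread only says "ISO8601 dates with timezone included"), and both sample lines are constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not captured from a real cluster). The first has the
# ES 7.1.1 shape quoted in the PR: "@timestamp", comma before millis, no zone.
# The second assumes the later shape: a "timestamp" key carrying a UTC offset.
OLD_STYLE_LINE = (
    '{"@timestamp":"2019-09-05T14:02:37,921", "node.id":"UwRu4mReRtyJO1-FWAPvIQ", '
    '"event.type":"transport", "event.action":"authentication_success", '
    '"user.name":"_system", "origin.type":"local_node", "origin.address":"127.0.0.1:9300", '
    '"realm":"__fallback", "request.id":"474ZciqtQteOhjLO3OdZIw", '
    '"action":"indices:monitor/stats", "request.name":"IndicesStatsRequest"}'
)
NEW_STYLE_LINE = (
    '{"type":"audit", "timestamp":"2019-09-05T16:02:37,921+0200", '
    '"node.id":"UwRu4mReRtyJO1-FWAPvIQ", "event.type":"rest", '
    '"event.action":"authentication_failed", "user.name":"elastic", '
    '"origin.type":"rest", "origin.address":"10.0.0.7:51824"}'
)

# Accepts "," or "." before the fraction, 1-9 fraction digits, and an optional
# zone written as "Z", "+0000" or "+02:00". The zone group is None when absent.
_TS_RE = re.compile(
    r"^(?P<base>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
    r"(?:[,.](?P<frac>\d{1,9}))?"
    r"(?P<zone>Z|[+-]\d{2}:?\d{2})?$"
)


def parse_audit_timestamp(value, default_tz=timezone.utc):
    """Parse an audit timestamp in either shape into a zone-aware datetime.

    When the value carries no zone (the 7.1.1 "@timestamp" case) default_tz is
    applied. For real logs that must be the zone the ES node ran in; defaulting
    to UTC for a node in another zone silently shifts every event by the offset.
    """
    m = _TS_RE.match(value.strip())
    if not m:
        raise ValueError("unrecognised audit timestamp: %r" % value)
    dt = datetime.strptime(m.group("base"), "%Y-%m-%dT%H:%M:%S")
    frac = m.group("frac") or ""
    dt = dt.replace(microsecond=int(frac[:6].ljust(6, "0")))
    zone = m.group("zone")
    if zone is None:
        return dt.replace(tzinfo=default_tz)
    if zone == "Z":
        return dt.replace(tzinfo=timezone.utc)
    sign = 1 if zone[0] == "+" else -1
    digits = zone[1:].replace(":", "")
    offset = timedelta(hours=int(digits[:2]), minutes=int(digits[2:]))
    return dt.replace(tzinfo=timezone(sign * offset))


def to_utc_iso(dt):
    """Render an aware datetime as UTC with millisecond precision and a 'Z'."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def parse_audit_event(line, default_tz=timezone.utc):
    """Parse one audit JSON line and normalise its time into '@timestamp' (UTC).

    The later 'timestamp' key is preferred when present; otherwise the 7.1.1
    '@timestamp' key is used. The raw field is removed so only the normalised
    value remains.
    """
    event = json.loads(line)
    for key in ("timestamp", "@timestamp"):
        if key in event:
            raw = event.pop(key)
            break
    else:
        raise ValueError("audit event carries neither 'timestamp' nor '@timestamp'")
    event["@timestamp"] = to_utc_iso(parse_audit_timestamp(raw, default_tz))
    return event


if __name__ == "__main__":
    # Pretend the 7.1.1 node ran at UTC+2: the zoneless line is shifted, the
    # zoned line is not, and both land on the same UTC instant.
    node_zone = timezone(timedelta(hours=2))
    for line in (OLD_STYLE_LINE, NEW_STYLE_LINE):
        ev = parse_audit_event(line, default_tz=node_zone)
        print(ev["@timestamp"], ev["event.action"], ev["user.name"])
```

The point of `default_tz` is the failure mode in the thread: a zoneless `@timestamp` cannot be converted correctly unless the collector is told the node's zone, so the parser refuses to guess and takes it as a parameter rather than baking in UTC.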

@ycombinator
Contributor

#15942 has already been reviewed and merged now. So I'm closing this PR unmerged in favor of #15942.
