Filebeat Okta module #16362

Merged 33 commits on Mar 18, 2020 (diff below shows changes from 27 commits).

Commits:
a223aee  initial commit for okta  (Feb 13, 2020)
ce70c8d  Add a TLS test and more debug output to httpjson input  (Feb 13, 2020)
9c169e0  Add okta module  (Feb 14, 2020)
eba83af  Add Rate Limit support  (Feb 16, 2020)
eaed64c  Merge in httpjson input updates  (Feb 16, 2020)
0be2725  Update fields and add test cases for OKTA module  (Feb 16, 2020)
7603b21  Update documentation  (Feb 16, 2020)
8d3bf6e  Merge httpjson input changes  (Mar 2, 2020)
c2b7af2  Update pipeline.js  (Mar 2, 2020)
20feaac  Use *regexp.Regexp in config instead of String  (Mar 2, 2020)
1178d9e  Change OKTA to Okta  (Mar 3, 2020)
c09c80f  Address some review changes  (Mar 9, 2020)
377128f  Address review comments  (Mar 9, 2020)
13d2b36  Address review comments  (Mar 9, 2020)
a813b5f  merge with master  (Mar 11, 2020)
89bd3d9  merge with master  (Mar 11, 2020)
663eeaa  Copy okta.uuid to _id field  (Mar 12, 2020)
e87d543  Update document and some pipeline funcs  (Mar 16, 2020)
3293fc9  More renaming from OKTA to Okta  (Mar 16, 2020)
d004227  More renaming from OKTA to Okta  (Mar 16, 2020)
d24155c  More renaming from OKTA to Okta  (Mar 16, 2020)
d00c7c9  Update test result file for Okta  (Mar 16, 2020)
7893176  Update fields  (Mar 17, 2020)
7a4996f  Add dashboard  (Mar 17, 2020)
3432c5f  Add setEventOutcome to set event.outcome properly  (Mar 17, 2020)
84a5a2c  Add function to drop null fields  (Mar 17, 2020)
5968252  Update visualization titles  (Mar 17, 2020)
49dc1b3  Add description for dashboard  (Mar 17, 2020)
6ecbe17  Address title format for dashboard  (Mar 17, 2020)
18113c3  Update CHANGELOG. Remove a debug statement.  (Mar 18, 2020)
95e5923  Update CHANGELOG. Remove a debug statement.  (Mar 18, 2020)
4163dd4  Update module.yml with help information on disabling SSL verification.  (Mar 18, 2020)
643f578  Merge branch 'master' into filebeat-okta  (Mar 18, 2020)
569 changes: 569 additions & 0 deletions filebeat/docs/fields.asciidoc (large diff not rendered)

Binary file added filebeat/docs/images/filebeat-okta-dashboard.png
32 changes: 32 additions & 0 deletions filebeat/docs/modules/okta.asciidoc
@@ -0,0 +1,32 @@
////
This file is generated! See scripts/docs_collector.py
////

[[filebeat-module-okta]]
[role="xpack"]

:modulename: okta
:has-dashboards: false

== Okta module

beta[]

This is a filebeat module for retrieving system logs from Okta (www.okta.com) via API.

:has-dashboards!:

This module comes with a sample dashboard. For example:

[role="screenshot"]
image::./images/filebeat-okta-dashboard.png[]

:modulename!:


[float]
=== Fields

For a description of each field in the module, see the
<<exported-fields-okta,exported fields>> section.
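Review bot: `:has-dashboards: false` near the top of this file contradicts the "This module comes with a sample dashboard" paragraph and the filebeat-okta-dashboard.png that this PR adds. The header says the file is produced by scripts/docs_collector.py, so the fix belongs in x-pack/filebeat/module/okta/_meta/docs.asciidoc (set the attribute to true or drop the dashboard paragraph) followed by regenerating this file; editing it here by hand will be overwritten on the next generation.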

2 changes: 2 additions & 0 deletions filebeat/docs/modules_list.asciidoc
@@ -29,6 +29,7 @@ This file is generated! See scripts/docs_collector.py
* <<filebeat-module-nats>>
* <<filebeat-module-netflow>>
* <<filebeat-module-nginx>>
* <<filebeat-module-okta>>
* <<filebeat-module-osquery>>
* <<filebeat-module-panw>>
* <<filebeat-module-postgresql>>
@@ -70,6 +71,7 @@ include::modules/mysql.asciidoc[]
include::modules/nats.asciidoc[]
include::modules/netflow.asciidoc[]
include::modules/nginx.asciidoc[]
include::modules/okta.asciidoc[]
include::modules/osquery.asciidoc[]
include::modules/panw.asciidoc[]
include::modules/postgresql.asciidoc[]
10 changes: 10 additions & 0 deletions x-pack/filebeat/filebeat.reference.yml
@@ -669,6 +669,16 @@ filebeat.modules:
# # Filebeat will choose the paths depending on your OS.
# #var.paths:

#--------------------------------- Okta Module ---------------------------------
- module: okta
system:
enabled: true
# API key to access Okta
#var.api_key

# URL of the Okta REST API
#var.url

#------------------------------- Osquery Module -------------------------------
- module: osquery
result:
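Review bot: `#var.api_key` and `#var.url` drop the trailing colon that the surrounding context uses (`# #var.paths:`), so a user who uncomments either line gets a bare scalar inside a mapping rather than a key, and neither line hints at the expected value or that api_key is a credential. This block of filebeat.reference.yml is generated from x-pack/filebeat/module/okta/_meta/config.yml, so make the change there (e.g. `#var.api_key: "${OKTA_API_KEY}"` with a comment pointing at the Filebeat keystore, and `#var.url:` with a placeholder for the tenant's system log endpoint) and regenerate this file.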
1 change: 1 addition & 0 deletions x-pack/filebeat/include/list.go (generated file, not rendered)
3 changes: 3 additions & 0 deletions x-pack/filebeat/input/httpjson/input.go
@@ -312,12 +312,14 @@ func (in *HttpjsonInput) processHTTPRequest(ctx context.Context, client *http.Cl
switch obj := m.(type) {
// Top level Array
case []interface{}:
in.log.Info("Processed:", len(obj))
mm, err = in.processEventArray(obj)
if err != nil {
return err
}
case map[string]interface{}:
if in.config.JSONObjects == "" {
in.log.Info("Processed:", len(obj))
mm, err = in.processEventArray([]interface{}{obj})
if err != nil {
return err
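Review bot: both `in.log.Info("Processed:", len(obj))` calls in this hunk fire on every polled response, which at the default log level produces one line per request for an input that runs on a fixed interval, so they belong at debug level; they also pass the count as a separate argument with no space or verb, which glues the number to the label, so prefer `in.log.Debugf("Processed %d events", len(obj))`. The commit list already records "Remove a debug statement." for a similar line, so these two look like leftovers from the same debugging pass.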
@@ -329,6 +331,7 @@ func (in *HttpjsonInput) processHTTPRequest(ctx context.Context, client *http.Cl
}
switch ts := v.(type) {
case []interface{}:
in.log.Info("Processed:", len(ts))
mm, err = in.processEventArray(ts)
if err != nil {
return err
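Review bot: `in.log.Info("Processed:", len(ts))` here has the same problem as the two calls in the previous hunk: it runs once per matched `JSONObjects` array in every response at info level. Lower it to debug with a format verb (`in.log.Debugf("Processed %d events", len(ts))`) so all three sites log consistently.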
24 changes: 24 additions & 0 deletions x-pack/filebeat/module/okta/README.md
@@ -0,0 +1,24 @@
# Okta module

## Caveats

* Module is to be considered _beta_.

## How to try the module from distribution install


```
./filebeat setup --modules=okta -e --dashboards
```

Enable the Okta module

```
./filebeat modules enable okta
```

Start Filebeat

```
./filebeat -e
```
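Review bot: the three steps under "How to try the module from distribution install" never tell the reader to set `var.api_key` and `var.url`, the only two variables the module exposes in _meta/config.yml, so following the README as written enables the module and starts Filebeat with no Okta endpoint and no credential to fetch with. Add a step between `modules enable okta` and `filebeat -e` that edits modules.d/okta.yml to set both, and say there that the API key is a secret which should be supplied from the Filebeat keystore rather than written into the file. The "Caveats" section is also a natural place to state that the key grants read access to the tenant's system log and should be scoped accordingly.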
8 changes: 8 additions & 0 deletions x-pack/filebeat/module/okta/_meta/config.yml
@@ -0,0 +1,8 @@
- module: okta
system:
enabled: true
# API key to access Okta
#var.api_key

# URL of the Okta REST API
#var.url
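Review bot: `#var.api_key` and `#var.url` are missing the trailing colon used by the other modules' commented variables (`#var.paths:` in the reference config), so uncommenting them yields an invalid mapping entry instead of a setting, and they give no example of the expected value. Since filebeat.reference.yml is generated from this file, fix it here: something like `#var.api_key: "${OKTA_API_KEY}"` with a comment pointing to `filebeat keystore add`, and `#var.url:` with a placeholder for the tenant's system log API URL, so that the token never has to sit in plaintext in modules.d/okta.yml.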
19 changes: 19 additions & 0 deletions x-pack/filebeat/module/okta/_meta/docs.asciidoc
@@ -0,0 +1,19 @@
[role="xpack"]

:modulename: okta
:has-dashboards: false

== Okta module

beta[]

This is a filebeat module for retrieving system logs from Okta (www.okta.com) via API.

:has-dashboards!:

This module comes with a sample dashboard. For example:

[role="screenshot"]
image::./images/filebeat-okta-dashboard.png[]

:modulename!:
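Review bot: `:has-dashboards: false` contradicts the dashboard paragraph and screenshot that follow it (and the "Add dashboard" commit in this PR); set it to true or remove the paragraph, and regenerate filebeat/docs/modules/okta.asciidoc, which mirrors this file. The page also never documents the module's configuration: `var.api_key` and `var.url` from _meta/config.yml are required for the httpjson input to fetch anything, and api_key is a credential that should be documented together with the Filebeat keystore. If the help text added in 4163dd4 for disabling SSL verification is user-facing, this doc should state that the option is for test environments only. Minor: "filebeat" should be "Filebeat", and naming the feed by Okta's own term, the System Log, would help readers locate the right API.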
11 changes: 11 additions & 0 deletions x-pack/filebeat/module/okta/_meta/fields.yml
@@ -0,0 +1,11 @@
- key: okta
title: Okta
description: >
Module for handling system logs from Okta.
fields:
- name: okta
type: group
default_field: false
description: >
Fields from Okta.
fields: