[Filebeat][New Module] Mysql Enterprise Audit log #22273
Conversation
P1llus
added
enhancement
Filebeat
|
Pinging @elastic/integrations-services (Team:Services) |
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
added
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
x-pack/filebeat/module/mysql/audit/test/mysql_audit_test.log-expected.json
Outdated
Show resolved
Hide resolved
|
After discussion whether we want to merge this with the current OSS module we decided to rename the module into mysqlenterprise. Once this is created into a package, both the OSS and the X-Pack module will merge into one. |
|
Seems to be getting there now. @sayden anything you would want to add to this as well? |
x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json
Show resolved
Hide resolved
x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json
Outdated
Show resolved
Hide resolved
x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json
Outdated
Show resolved
Hide resolved
| "input.type": "log", | ||
| "log.offset": 0, | ||
| "mysqlenterprise.audit.class": "audit", | ||
| "mysqlenterprise.audit.connection_id": 0, |
There was a problem hiding this comment.
do we know what it means if you have a connection_id field at startup? Just wondering if we should try and figure out an ECS mapping for it or not
There was a problem hiding this comment.
I don't think there is any. At first I tried to find a "session ID" field we could use in ECS; but it seems that the session ID is only unique to the current active connections, so it will reset and use the same connection_id for another connection later according to its docs:
https://dev.mysql.com/doc/refman/8.0/en/information-functions.html#function_connection-id
Do you know any other field that might match? I tried to look in client, user and network but could not find anything that matches well
| "mysqlenterprise.audit.class": "connection", | ||
| "mysqlenterprise.audit.connection_data.connection_attributes._client_name": "libmysql", | ||
| "mysqlenterprise.audit.connection_data.connection_attributes._client_version": "8.0.22", | ||
| "mysqlenterprise.audit.connection_data.connection_attributes._os": "Linux", |
There was a problem hiding this comment.
should these map to host.os fields?
There was a problem hiding this comment.
These should be in the client fields, connection_data is for client data and startup_data is for the host. However there was no *.os fields for client in the ECS definition :(
x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json
Outdated
Show resolved
Hide resolved
x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json
Show resolved
Hide resolved
x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json
Show resolved
Hide resolved
x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json
Show resolved
Hide resolved
|
@andrewstucki Added a better test log example for processes, added most of the different fields and left comments on the rest. |
|
|
||
| This is a module for different types of MySQL logs. Currently focusing on data from the MySQL Enterprise Audit Plugin in JSON format. | ||
|
|
||
| To configure the the Enterprise Audit Plugin to output in JSON format please follow the directions in the https://dev.mysql.com/doc/refman/8.0/en/audit-log-file-formats.html[MySQL Documentation] |
There was a problem hiding this comment.
Nit: Missing dot at the end.
| To configure the the Enterprise Audit Plugin to output in JSON format please follow the directions in the https://dev.mysql.com/doc/refman/8.0/en/audit-log-file-formats.html[MySQL Documentation] | |
| To configure the the Enterprise Audit Plugin to output in JSON format please follow the directions in the https://dev.mysql.com/doc/refman/8.0/en/audit-log-file-formats.html[MySQL Documentation.] |
| | login.ip | client.ip | | ||
| | startup_data.os_version | host.os.full | | ||
| | startup_data.args | process.args | | ||
| | onnection_attributes._pid | process.pid | |
There was a problem hiding this comment.
| | onnection_attributes._pid | process.pid | | |
| | connection_attributes._pid | process.pid | |
| MySQL Enterprise Audit fields are mapped to ECS in the following way: | ||
| [options="header"] | ||
| |============================================================== | ||
| | Check Point Fields | ECS Fields | |
There was a problem hiding this comment.
Is "Check Point" a concept in MySQL Audit logs or was this copied over from Check Point docs?
| @@ -0,0 +1,10 @@ | |||
| - key: mysqlenterprise | |||
| title: Mysql Enterprise | |||
There was a problem hiding this comment.
| title: Mysql Enterprise | |
| title: MySQL Enterprise |
| - key: mysqlenterprise | ||
| title: Mysql Enterprise | ||
| description: > | ||
| Mysql Enterprise Audit module |
There was a problem hiding this comment.
Same
| Mysql Enterprise Audit module | |
| MySQL Enterprise Audit module |
| lang: painless | ||
| if: ctx?.process?.args != null | ||
| source: | | ||
| ctx.process.args_count = ctx.process.args.length - 1; |
There was a problem hiding this comment.
According to ECS this should be the "length of the process.args array", not the length minus 1.
| if: ctx?.process?.args != null | ||
| source: | | ||
| ctx.process.args_count = ctx.process.args.length - 1; | ||
| ctx.process.executable = ctx.process.args[0]; |
There was a problem hiding this comment.
Being extra paranoid here, this will cause an exception when process.args is an empty list (non-null, but zero length).
|
|
||
| # Set paths for the log files when file input is used. | ||
| # Should only be used together with file input | ||
| # var.paths: /home/user/mysqlauditlogs/audit.*.log |
There was a problem hiding this comment.
I think this won't work if the user uncomments the line, as vars.paths is expected to be a list not a string.
| # var.paths: /home/user/mysqlauditlogs/audit.*.log | |
| # var.paths: | |
| # - /home/user/mysqlauditlogs/audit.*.log |
* initial stash of mysql module * initial commit for filebeat mysql module * removing syslog from manifest currently * changing module and field names to mysqlenterprise * fixing some wrong types and adding related fields * adding changelog entry * adding some more process fields and event category/types * fixing merge changelog * adding changes based on PR feedback (cherry picked from commit 03383be)
…dit log (#23021) * [Filebeat][New Module] Mysql Enterprise Audit log (#22273) * initial stash of mysql module * initial commit for filebeat mysql module * removing syslog from manifest currently * changing module and field names to mysqlenterprise * fixing some wrong types and adding related fields * adding changelog entry * adding some more process fields and event category/types * fixing merge changelog * adding changes based on PR feedback (cherry picked from commit 03383be) * regenerate docs Co-authored-by: Marius Iversen <pillus@chasenet.org>
What does this PR do?
This creates a module that focuses on logs and files created by MySQL. Currently this only has support for Enterprise Audit logs but can be extended in the future.
Why is it important?
Adding support for more OOTB solutions for filebeat.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Field references: https://dev.mysql.com/doc/refman/8.0/en/audit-log-file-formats.html