Update filebeat auditd module to ECS 1.8 #23723 (Merged)
adriansr added the "in progress" (pull request is currently in progress) and "Team:Security-External Integrations" labels on Jan 27, 2021.
botelastic (bot) added and then removed the "needs_team" label (indicates that the issue/PR needs a Team:* label) on Jan 27, 2021.
adriansr force-pushed the ecs-1.8-fb-auditd branch from 7f156c2 to 3e52c43 on January 29, 2021 07:29.
Collaborator (CI): 💚 Build Succeeded. Flaky test report: tests succeeded.
adriansr force-pushed the feature-ecs-1.8 branch from 8979980 to 376b26f on February 1, 2021 14:57.
adriansr force-pushed the ecs-1.8-fb-auditd branch from 3e52c43 to 42f14fc on February 6, 2021 12:07.
adriansr changed the title from "[WIP] Update filebeat/module/auditd to ECS 1.8" to "Update filebeat auditd module to ECS 1.8" on Feb 6, 2021.
adriansr force-pushed the ecs-1.8-fb-auditd branch from a7eb33a to 7693806 on February 6, 2021 22:49.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
adriansr added the "ecs", "Filebeat" and "review" labels and removed the "in progress" label on Feb 7, 2021.
adriansr requested review from marc-gr, leehinman, andrewstucki and andrewkroh on February 7, 2021 07:42.
marc-gr approved these changes on Feb 8, 2021.
adriansr force-pushed the ecs-1.8-fb-auditd branch from 7693806 to ca66d0f on February 8, 2021 11:20.
The kv processor wouldn't parse messages that contain spaces in values (quoted or not).

> ... msg='op=adding group to /etc/group id=NNN[...]

Failed with the error:

> field [auditd.log.sub_kv] does not contain value_split [=]
Replaces wrong usages of `group.effective`.
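The failure quoted in the commit message above is a general one for audit records: the `msg='...'` envelope of USER_* records holds a second layer of key=value pairs, and some values (such as `op=adding group to /etc/group`) are bare and contain spaces, so splitting on whitespace first and on `=` second produces a token with no `=` in it. The parser below is an added example, not code from this pull request or from Filebeat/go-libaudit. It assumes a tolerant rule that a bare value runs until the next ` key=` token; the key character class, the `audit_header` name used to keep the `msg=audit(...)` header from being overwritten by the nested `msg='...'`, and the sample record are all constructed for this example. The naive splitter is shown only for contrast and is modelled on the error message, not on the kv processor's actual implementation.

```python
import re
from typing import Dict, Optional

# Key syntax and the split rule are assumptions of this example.
_KEY = r"[A-Za-z0-9_.-]+"
_PAIR = re.compile(
    rf"(?P<key>{_KEY})="
    r'(?:"(?P<dq>[^"]*)"'        # double-quoted value
    r"|'(?P<sq>[^']*)'"          # single-quoted value (the msg='...' envelope)
    r"|(?P<bare>.*?))"           # bare value, possibly containing spaces
    rf"(?=\s+{_KEY}=|\s*$)"      # ...which ends right before the next key= or the end
)


def parse_kv(text: str) -> Dict[str, str]:
    """Parse space-separated key=value pairs, keeping multi-word bare values whole.

    Raises ValueError instead of silently skipping text that does not fit the
    key=value shape, so malformed records are visible rather than dropped.
    """
    out: Dict[str, str] = {}
    text = text.strip()
    pos = 0
    while pos < len(text):
        m = _PAIR.match(text, pos)
        if m is None:
            raise ValueError(f"unparseable key=value at offset {pos}: {text[pos:pos + 24]!r}")
        key = m.group("key")
        value = next(v for v in (m.group("dq"), m.group("sq"), m.group("bare")) if v is not None)
        # Assumption: the record header msg=audit(ts:serial): is kept under its own
        # name so the later nested msg='...' payload does not overwrite it.
        if key == "msg" and value.startswith("audit("):
            key = "audit_header"
        out[key] = value
        pos = m.end()
        while pos < len(text) and text[pos] == " ":
            pos += 1
    return out


def parse_audit_record(line: str) -> Dict[str, object]:
    """Parse one audit line, then parse the nested msg='...' payload as a sub-kv map."""
    fields: Dict[str, object] = dict(parse_kv(line))
    inner = fields.get("msg")
    if isinstance(inner, str):
        fields["msg"] = parse_kv(inner)
    return fields


def naive_split_error(text: str) -> Optional[str]:
    """Whitespace-then-'=' splitting, for contrast: returns the error it hits, or None.

    This mirrors the shape of the failure quoted in the commit message; it is not
    the kv processor's real implementation.
    """
    for token in text.split():
        if "=" not in token:
            return f"token {token!r} does not contain value_split [=]"
    return None


# Constructed sample modelled on the message quoted in the commit; not a real capture.
SAMPLE = (
    "type=USER_MGMT msg=audit(1612345678.123:456): pid=1234 uid=0 auid=1000 ses=3 "
    "msg='op=adding group to /etc/group id=1001 exe=\"/usr/sbin/groupadd\" "
    "hostname=? addr=? terminal=pts/0 res=success'"
)
SAMPLE_INNER = SAMPLE.split("msg='", 1)[1].rstrip("'")

if __name__ == "__main__":
    record = parse_audit_record(SAMPLE)
    print("tolerant parser op =", record["msg"]["op"])
    print("naive split       =", naive_split_error(SAMPLE_INNER))
```

Run as a script it prints the recovered `op` value alongside the error the naive split produces on the same payload. The design choice worth noting is the lookahead: a bare value is terminated by the next `whitespace key=` sequence rather than by the next space, which is what makes `adding group to /etc/group` survive as one value while `hostname=? addr=?` still split correctly.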
adriansr force-pushed the ecs-1.8-fb-auditd branch from ca66d0f to be668f3 on February 8, 2021 11:23.
adriansr added a commit that referenced this pull request on Feb 16, 2021:
Incorporates ECS 1.8 changes from the following PRs:
- Support host.type field in add_host_metadata processor and Auditbeat's system/host #23513
- Winlogbeat #23563
- Auditbeat auditd #23594
- Journalbeat #23737
- Packetbeat #23783
- Filebeat: auditd #23723, cisco #23819, cef #23832, crowdstrike falcon #23875, fortinet firewall #23902, microsoft #23897, elasticsearch/audit #24000, Gsuite/Workspace #23709, o365 #23896, zoom #23904, okta #23929, aws/cloudtrail #23911, aws/s3access #23920, azure #23927, juniper/srx #23936, panw #23931, sophos/xg #23967, system/auth #23961, mysqlenterprise #23978, zeek #23847
- Make all Beats and modules report ECS 1.8.0 #23992

Closes #23118

Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
adriansr added a commit to adriansr/beats that referenced this pull request on Feb 17, 2021:
Incorporates ECS 1.8 changes from the following PRs:
- Support host.type field in add_host_metadata processor and Auditbeat's system/host elastic#23513
- Winlogbeat elastic#23563
- Auditbeat auditd elastic#23594
- Journalbeat elastic#23737
- Packetbeat elastic#23783
- Filebeat: auditd elastic#23723, cisco elastic#23819, cef elastic#23832, crowdstrike falcon elastic#23875, fortinet firewall elastic#23902, microsoft elastic#23897, elasticsearch/audit elastic#24000, Gsuite/Workspace elastic#23709, o365 elastic#23896, zoom elastic#23904, okta elastic#23929, aws/cloudtrail elastic#23911, aws/s3access elastic#23920, azure elastic#23927, juniper/srx elastic#23936, panw elastic#23931, sophos/xg elastic#23967, system/auth elastic#23961, mysqlenterprise elastic#23978, zeek elastic#23847
- Make all Beats and modules report ECS 1.8.0 elastic#23992

Closes elastic#23118

Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
(cherry picked from commit 048c3cc)
adriansr added a commit that referenced this pull request on Feb 17, 2021:
Incorporates ECS 1.8 changes from the following PRs:
- Support host.type field in add_host_metadata processor and Auditbeat's system/host #23513
- Winlogbeat #23563
- Auditbeat auditd #23594
- Journalbeat #23737
- Packetbeat #23783
- Filebeat: auditd #23723, cisco #23819, cef #23832, crowdstrike falcon #23875, fortinet firewall #23902, microsoft #23897, elasticsearch/audit #24000, Gsuite/Workspace #23709, o365 #23896, zoom #23904, okta #23929, aws/cloudtrail #23911, aws/s3access #23920, azure #23927, juniper/srx #23936, panw #23931, sophos/xg #23967, system/auth #23961, mysqlenterprise #23978, zeek #23847
- Make all Beats and modules report ECS 1.8.0 #23992

Closes #23118

Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
(cherry picked from commit 048c3cc)
leweafan pushed a commit to leweafan/beats that referenced this pull request on Apr 28, 2023:
Update the auditd module in Filebeat to apply the same ECS enrichments as Auditbeat / go-libaudit. This is achieved by an autogenerated processor that performs the enrichments defined in go-libaudit's normalizations.yaml.