Add Suricata module to Filebeat #8693
This is the code as of commit #c346ff7 over [there](https://github.com/elastic/filebeat-module-suricata/pull/1)
This patch updates the packaging scripts to copy modules from x-pack/filebeat into Elastic-licensed packages.
This updates the suricata module:
- Added fields from eve.json
- Copy fields of interest into ECS equivalent
- Updated dashboards
This PR adds an intermediate solution for packaging X-Pack modules with Filebeat. In this PR the dashboards, configuration files, and fields are generated in x-pack/filebeat. Packaging is still done entirely from the OSS filebeat directory by making the build run `mage update` in x-pack/filebeat then customizing the packaging configuration to point to different dashboards, config, and fields.yml for the Elastic licensed packages. Long term we will build, test, and package the OSS and Elastic licensed Beats from their respective directories, but this gives us a smaller step in order to be able to release the X-Pack content before the build system is fully transitioned. Co-authored-by: Adrian Serrano <adrisr83@gmail.com> Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
Mostly making all vis and searches end in [Suricata]. Part of #8153.
The ingest pipeline for suricata's eve fileset uses the user-agent plugin. This updates the manifest to include this requirement.
Added Filebeat module test cases for suricata/eve. To support running Filebeat module tests from x-pack/filebeat an env var MODULES_PATH was added to allow the existing tests to run against a different module directory than the OSS module dir. Added some missing fields to pass validation. Added sample eve.json files for validation.
Needs a changelog.
|
||
This module comes with a sample dashboard. For example: | ||
|
||
TODO: include an image of a sample dashboard |
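Review bot: the README hunk leaves a `TODO: include an image of a sample dashboard` placeholder directly under "This module comes with a sample dashboard. For example:"; either add the screenshot or drop the placeholder sentence before the docs are linked into the Filebeat docs tree, otherwise a bare TODO ships in the published module page.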
The docs still have some work to be done. But we can update them in a separate PR. From what I see they are not yet included in the Filebeat docs tree.
@dedemorton This might be the first documentation for an X-Pack only module. Should I simply link it into the filebeat/docs/module_list.asciidoc?
@andrewkroh You should use the x-pack role to flag X-pack features.
[role="xpack"]
Here's an example where we use the flag: https://github.com/elastic/beats/edit/6.4/libbeat/docs/security/securing-beats.asciidoc.
AFAIK modules_list.asciidoc is a generated file, so your module should get added when you run make update.
CI is green for this, but there is a Jenkins issue with archiving artifacts from the Filebeat build. I opened a ticket to get some help debugging this on Jenkins.
I mainly skimmed through the changes especially didn't check the instrumentation stuff in detail. Overall LGTM.
We should add this to our manual testing checklist.
@@ -54,3 +55,9 @@ The list below covers the major changes between 6.3.0 and master only. | |||
- Set current year in generator templates. {pull}8396[8396] | |||
- You can now override default settings of libbeat by using instance.Settings. {pull}8449[8449] | |||
- Add `-space-id` option to `export_dashboards.go` script to support Kibana Spaces {pull}7942[7942] | |||
- Add `-name` option to `asset.go` script to explicitly name the asset rather than using its filename. {pull}8693[8693] |
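Review bot: this hunk only adds a developer-changelog entry for the `-name` option of the `asset.go` script ({pull}8693[8693]); the user-facing changelog entry for the new Suricata module asked for earlier in review ("Needs a changelog.") is not part of this hunk and should be added alongside it.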
Was at first surprised by this long dev changelog but it seems all of these actually go into this PR.
#var.paths: | ||
|
||
#-------------------------------- Haproxy Module -------------------------------- | ||
- module: haproxy |
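Review bot: in this reference-config hunk `#var.paths:` is commented out while the `- module: haproxy` entry under the Haproxy banner is active; pick one convention for the reference file (comment out the whole module block, or leave its settings uncommented) so a reader can tell which lines take effect, which is the same cross-module inconsistency the reviewer notes below.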
Not related to this PR but I realised we have a bit of inconsistency here related to what we comment out and what not across modules.
@@ -0,0 +1,60 @@ | |||
# Suricata module | |||
|
|||
Shove the content of this repo under `filebeats/module/suricata` for testing, |
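Review bot: the instruction `Shove the content of this repo under `filebeats/module/suricata` for testing,` still describes the standalone handoff repo and names a `filebeats` directory; per the PR description the module is built and packaged from `x-pack/filebeat`, so this line should be corrected or removed along with the rest of the handoff notes when the README is cleaned up.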
Still needed?
I'll clean this up along with the documentation in a separate PR.
I cleaned up this file now. But perhaps you're questioning if we should remove this file entirely?
Yeah I put this file in there as a convenience for the handoff. I tend to think that having a bit of a readme this deep down in the module can be helpful to people who will collaborate on this in the future, while not being in the way otherwise. I would leave it in there after a cleanup. I'd probably remove the whole "Caveats" section but leave the getting started tips.
} | ||
, {"convert": | ||
{"field": "suricata.eve.http.hostname" | ||
,"target_field": "url.host.name" |
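Review bot: `"target_field": "url.host.name"` on the `convert` processor for `suricata.eve.http.hostname` writes to a name ECS is about to rename to `url.hostname` (elastic/ecs#147); the follow-up commit "Change url.host.name to url.hostname (#8732)" listed further down makes that change, so anything in this PR that still references `url.host.name` should move with it.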
This will be url.hostname in the next days in ECS. @webmat Please correct me if I'm wrong.
We can still adjust this as a bug fix if needed.
It's imminent indeed: elastic/ecs#147
LGTM
Jenkins is failing during artifact archival. This might fix it.
Run make fix-permissions on the x-pack/filebeat after executing tests.
The problem was the ownership of files rather than the symlinks.
This adds a Filebeat module for ingesting the logs created by Suricata IDS/IPS/NSM. The module collects the logs from the Suricata Eve JSON output (https://suricata.readthedocs.io/en/latest/output/eve/eve-json-format.html). elastic#8153

The module is included in the Elastic licensed Filebeat package. It is considered beta at this stage. It includes two sample dashboards.

It uses Elastic Common Schema (ECS) for field naming where applicable, but it has to work around the conflict with the existing source field in Filebeat. source_ecs holds the data that goes into the ECS source field. This will be rectified in the next major release when we can make a breaking change.

The development tooling for the building/testing/packaging of x-pack modules is still a bit of a WIP. So at the moment testing and packaging continues to happen through the OSS filebeat directory.

Co-authored-by: Adrian Serrano <adrisr83@gmail.com>
Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
Co-authored-by: Mathieu Martin <mathieu.martin@elastic.co>
Co-authored-by: Tudor Golubenco <tudor@elastic.co>
(cherry picked from commit 3e1b03e)
* Add Suricata module to Filebeat (#8693)

  This adds a Filebeat module for ingesting the logs created by Suricata IDS/IPS/NSM. The module collects the logs from the Suricata Eve JSON output (https://suricata.readthedocs.io/en/latest/output/eve/eve-json-format.html). #8153

  The module is included in the Elastic licensed Filebeat package. It is considered beta at this stage. It includes two sample dashboards.

  It uses Elastic Common Schema (ECS) for field naming where applicable, but it has to work around the conflict with the existing source field in Filebeat. source_ecs holds the data that goes into the ECS source field. This will be rectified in the next major release when we can make a breaking change.

  The development tooling for the building/testing/packaging of x-pack modules is still a bit of a WIP. So at the moment testing and packaging continues to happen through the OSS filebeat directory.

  Co-authored-by: Adrian Serrano <adrisr83@gmail.com>
  Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
  Co-authored-by: Mathieu Martin <mathieu.martin@elastic.co>
  Co-authored-by: Tudor Golubenco <tudor@elastic.co>
  (cherry picked from commit 3e1b03e)

* Change url.host.name to url.hostname (#8732)

  This updates the Filebeat Suricata module to use url.hostname instead of url.host.name.

* Add fields used by Suricata module

  Add fields used by Suricata module to fields.yml. Some of these are in ECS.

  event.type
  destination.ip
  destination.port
  user_agent.original
  user_agent.device
  user_agent.version
  user_agent.major
  user_agent.minor
  user_agent.patch
  user_agent.name
  user_agent.os.name
  user_agent.os.full_name (non-ECS)
  user_agent.os.version
  user_agent.os.major
  user_agent.os.minor
  file.path
  file.size
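The field mapping the commit messages above describe (the full EVE record kept under `suricata.eve.*`, fields of interest copied to ECS names, `source_ecs` standing in for `source`, and `url.hostname` rather than `url.host.name`), shown as an added example in plain Python rather than the module's Elasticsearch ingest pipeline. This is not code from the Filebeat module. The two EVE records are constructed, the `eve_to_ecs`/`alerts` helpers are this example's own, and the ECS target names other than `event.type`, `destination.ip`, `destination.port`, `user_agent.original` and `url.hostname` are assumed rather than taken from the module's `fields.yml`:

```python
"""Map Suricata EVE JSON records onto ECS-style field names (added example)."""
import json
from typing import Any, Dict, List, Optional

# Constructed sample records (not captured from a real sensor). Key names follow
# the Suricata EVE JSON format: event_type, src_ip/dest_ip, http.*, alert.*.
SAMPLE_EVE: List[str] = [
    json.dumps({
        "timestamp": "2018-10-19T14:05:09.123456+0000",
        "flow_id": 1234567890123456,
        "in_iface": "eth0",
        "event_type": "http",
        "src_ip": "10.0.0.5", "src_port": 51234,
        "dest_ip": "93.184.216.34", "dest_port": 80,
        "proto": "TCP",
        "http": {
            "hostname": "example.com", "url": "/index.html",
            "http_user_agent": "curl/7.61.0", "http_method": "GET",
            "status": 200, "length": 1256,
        },
    }),
    json.dumps({
        "timestamp": "2018-10-19T14:05:10.000001+0000",
        "flow_id": 1234567890123457,
        "in_iface": "eth0",
        "event_type": "alert",
        "src_ip": "10.0.0.5", "src_port": 51235,
        "dest_ip": "198.51.100.9", "dest_port": 4444,
        "proto": "TCP",
        "alert": {
            "action": "allowed", "gid": 1, "signature_id": 2100498, "rev": 7,
            "signature": "GPL ATTACK_RESPONSE id check returned root",
            "category": "Potentially Bad Traffic", "severity": 2,
        },
    }),
]

# (EVE source key, ECS target field). Values are copied, not moved, so the whole
# record stays available under suricata.eve.*. The source side lands in
# `source_ecs` because Filebeat 6.x already uses `source` for the input file
# path. Target names beyond the ones named on the page are assumed ECS names.
FIELD_MAP = [
    ("timestamp", "@timestamp"),
    ("event_type", "event.type"),
    ("src_ip", "source_ecs.ip"),
    ("src_port", "source_ecs.port"),
    ("dest_ip", "destination.ip"),
    ("dest_port", "destination.port"),
    ("proto", "network.transport"),
    ("http.hostname", "url.hostname"),  # was url.host.name before elastic/ecs#147
    ("http.url", "url.original"),
    ("http.http_user_agent", "user_agent.original"),
    ("http.http_method", "http.request.method"),
    ("http.status", "http.response.status_code"),
    ("http.length", "http.response.body.bytes"),
]


def get_path(obj: Any, dotted: str) -> Optional[Any]:
    """Return the value at a dotted path, or None if any segment is missing."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(obj: Dict[str, Any], dotted: str, value: Any) -> None:
    """Create nested dicts as needed and set the leaf at a dotted path."""
    parts = dotted.split(".")
    cur = obj
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def eve_to_ecs(line: str) -> Dict[str, Any]:
    """Parse one EVE JSON line and build an ECS-shaped document."""
    ev = json.loads(line)
    if not isinstance(ev, dict) or "timestamp" not in ev:
        raise ValueError("not an EVE record: missing timestamp")
    doc: Dict[str, Any] = {"suricata": {"eve": ev}}
    for src, dst in FIELD_MAP:
        val = get_path(ev, src)
        if val is None:
            continue  # this event type simply lacks the field; leave it out
        if dst == "network.transport":
            val = str(val).lower()  # ECS keeps transport names lowercase
        set_path(doc, dst, val)
    return doc


def alerts(lines: List[str], max_severity: int = 3) -> List[Dict[str, Any]]:
    """Return ECS documents for alert events with Suricata severity <= max_severity
    (1 is the most severe, 4 informational)."""
    out = []
    for line in lines:
        doc = eve_to_ecs(line)
        sev = get_path(doc, "suricata.eve.alert.severity")
        if get_path(doc, "event.type") == "alert" and sev is not None and sev <= max_severity:
            out.append(doc)
    return out


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVE):
        print(json.dumps(hit, indent=2))
```

Copy semantics (the `convert` processor with a `target_field`, as in the pipeline hunk above) rather than rename semantics keep the raw record under `suricata.eve.*` so a search written against the Suricata field names keeps working while the ECS copies are still settling; the user-agent parsing that the real pipeline delegates to the Elasticsearch user-agent plugin is not reproduced here, only `user_agent.original` is filled.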
This adds a Filebeat module for ingesting the logs created by Suricata IDS/IPS/NSM. The module collects the logs from the Suricata Eve JSON output.
#8153