From a7a45baf848b25a981e7cc961fa61189dd45eed6 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Thu, 11 Feb 2021 10:39:22 +0100 Subject: [PATCH] Update mysqlenterprise module to ECS 1.8 (#23978) Updates mysqlenterprise: - Improve related.* field mapping. - Populate event.original. - Generate iam user creation and deletion from CREATE USER and DROP USER. --- CHANGELOG.next.asciidoc | 1 + .../mysqlenterprise/audit/config/config.yml | 2 +- .../mysqlenterprise/audit/ingest/pipeline.yml | 52 ++- .../audit/test/mysql_audit_test.log | 5 +- .../test/mysql_audit_test.log-expected.json | 323 ++++++++++++++++-- 5 files changed, 353 insertions(+), 30 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index e39271645f9..6613793aca2 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -842,6 +842,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Upgrade panw module to ecs 1.8 {issue}23118[23118] {pull}23931[23931] - Updated aws/cloudtrail fileset to ECS 1.8. {issue}23118[23118] {pull}23911[23911] - Upgrade juniper/srx to ecs 1.8.0. {issue}23118[23118] {pull}23936[23936] +- Update mysqlenterprise module to ECS 1.8. {issue}23118[23118] {pull}23978[23978] *Heartbeat* diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml b/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml index ec1ee8b0903..c62863d5ac8 100644 --- a/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml +++ b/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.6.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/ingest/pipeline.yml b/x-pack/filebeat/module/mysqlenterprise/audit/ingest/pipeline.yml index c9ec7375e71..c0bb73d049e 100644 --- a/x-pack/filebeat/module/mysqlenterprise/audit/ingest/pipeline.yml +++ b/x-pack/filebeat/module/mysqlenterprise/audit/ingest/pipeline.yml @@ -23,7 +23,7 @@ processors: - append: field: event.category value: iam - if: '["create_user", "delete_user", "grant", "flush_privileges"].contains(ctx.mysqlenterprise.audit?.general_data?.sql_command)' + if: '["create_user", "delete_user", "drop_user", "grant", "flush_privileges"].contains(ctx.mysqlenterprise.audit?.general_data?.sql_command)' - append: field: event.type value: access @@ -128,6 +128,38 @@ processors: if (ctx.process.args.length > 0) { ctx.process.executable = ctx.process.args[0]; } +# Query parsing +- grok: + field: mysqlenterprise.audit.general_data.query + if: '["create_user", "delete_user", "drop_user"].contains(ctx.mysqlenterprise?.audit?.general_data?.sql_command)' + ignore_failure: true + patterns: + - '(?i)(?:CREATE|DROP)\s+USER(?:\s+IF\s+(?:NOT\s+)?EXISTS)?\s+(?:%{START_QUOTE}%{QUOTED:user.target.name}%{END_QUOTE}|%{UNQUOTED:user.target.name})(?:@(?:%{START_QUOTE}%{QUOTED:user.target.domain}%{END_QUOTE}|%{UNQUOTED:user.target.domain}))?' + pattern_definitions: + START_QUOTE: (?<__quote>['"`]) + QUOTED: (?~\k<__quote>) + END_QUOTE: (?:\k<__quote>) + UNQUOTED: (?:[^\s@;]*+) +- remove: + field: __quote + ignore_missing: true +- set: + field: user.name + value: '{{server.user.name}}' + ignore_empty_value: true + if: 'ctx.user?.target != null' +- append: + field: event.type + value: + - user + - creation + if: 'ctx.mysqlenterprise?.audit?.general_data?.sql_command == "create_user"' +- append: + field: event.type + value: + - user + - deletion + if: 'ctx.mysqlenterprise?.audit?.general_data?.sql_command == "drop_user" || ctx.mysqlenterprise?.audit?.general_data?.sql_command == "delete_user"' # Attributes starting with _ is only supported by MySQL 8.0.19 and above. - convert: @@ -138,23 +170,39 @@ processors: - append: field: related.user value: '{{server.user.name}}' + allow_duplicates: false if: ctx?.server?.user?.name != null - append: field: related.user value: '{{client.user.name}}' + allow_duplicates: false if: ctx?.client?.user?.name != null +- append: + field: related.user + value: '{{user.target.name}}' + allow_duplicates: false + if: ctx?.user?.target?.name != null - append: field: related.ip value: '{{client.ip}}' + allow_duplicates: false if: ctx?.client?.ip != null +- append: + field: related.hosts + value: '{{client.domain}}' + allow_duplicates: false + if: ctx?.client?.domain != null - date: field: mysqlenterprise.audit.timestamp formats: - yyyy-MM-dd HH:mm:ss if: ctx?.mysqlenterprise?.audit?.timestamp != null +- rename: + field: message + target_field: event.original + ignore_missing: true - remove: field: - - message - mysqlenterprise.audit.event - mysqlenterprise.audit.timestamp - mysqlenterprise.audit.connection_data.connection_attributes._pid diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log index 2bf3e31f37b..79e8ac2cd21 100644 --- a/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log +++ b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log @@ -9,7 +9,7 @@ { "timestamp": "2020-10-19 19:28:27", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'root'@'hades.home' IDENTIFIED BY 'password'", "status": 1064 } }, { "timestamp": "2020-10-19 19:28:54", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%'", "status": 1410 } }, { "timestamp": "2020-10-19 19:29:36", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "create_user", "query": "CREATE USER 'audit_test_user'@'localhost' IDENTIFIED BY ", "status": 1396 } }, -{ "timestamp": "2020-10-19 19:30:00", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "create_user", "query": "CREATE USER 'audit_test_user2'@'hades.home' IDENTIFIED BY ", "status": 0 } }, +{ "timestamp": "2020-10-19 19:30:00", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "create_user", "query": "CREATE USER IF NOT EXISTS 'audit_test_user2'@'hades.home' IDENTIFIED BY ", "status": 0 } }, { "timestamp": "2020-10-19 19:30:18", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO ‘audit_test_user2’@’hades.home’", "status": 1410 } }, { "timestamp": "2020-10-19 19:30:32", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user'@'hades.home'", "status": 1410 } }, { "timestamp": "2020-10-19 19:30:49", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user'@'hades.home'", "status": 1410 } }, @@ -29,3 +29,6 @@ { "timestamp": "2020-10-19 19:32:10", "id": 0, "class": "connection", "event": "disconnect", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "connection_data": { "connection_type": "ssl" } }, { "timestamp": "2020-10-19 19:32:12", "id": 0, "class": "connection", "event": "disconnect", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "connection_data": { "connection_type": "socket" } }, { "timestamp": "2020-10-19 19:32:16", "id": 0, "class": "audit", "event": "shutdown", "connection_id": 0, "shutdown_data": { "server_id": 1 } } +{ "timestamp": "2021-02-10 19:05:42", "id": 2, "class": "audit", "event": "status", "connection_id": 42, "account": { "user": "adrian", "host": "elastic" }, "login": { "user": "adrian", "os": "", "ip": "192.168.7.76", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "create_user", "query": "crEAtE uSeR 'evil user'@elastic IDENTIFIED BY ", "status": 1396 } }, +{ "timestamp": "2021-02-10 19:05:42", "id": 2, "class": "audit", "event": "status", "connection_id": 42, "account": { "user": "adrian", "host": "elastic" }, "login": { "user": "evil user", "os": "", "ip": "192.168.7.76", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "drop_db", "query": "DROP DATABASE prod", "status": 1396 } }, +{ "timestamp": "2021-02-10 19:05:42", "id": 2, "class": "audit", "event": "status", "connection_id": 42, "account": { "user": "adrian", "host": "elastic" }, "login": { "user": "evil user", "os": "", "ip": "192.168.7.76", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "drop_user", "query": "DrOp usEr IF EXISTS 'evil user'@%", "status": 1396 } }, diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json index 48e4c2fa161..e563f918ac7 100644 --- a/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json +++ b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json @@ -8,6 +8,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:21:33\", \"id\": 0, \"class\": \"audit\", \"event\": \"startup\", \"connection_id\": 0, \"account\": { \"user\": \"skip-grants user\", \"host\": \"\" }, \"login\": { \"user\": \"\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"startup_data\": { \"server_id\": 1, \"os_version\": \"x86_64-Linux\", \"mysql_version\": \"8.0.22-commercial\", \"args\": [\"/usr/local/mysql/bin/mysqld\", \"--loose-audit-log-format=JSON\", \"--log-error=log.err\", \"--pid-file=mysqld.pid\", \"--port=3306\" ] } },", "event.outcome": "unknown", "event.timezone": "-02:00", "fileset.name": "audit", @@ -50,6 +51,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:25:51\", \"id\": 0, \"class\": \"connection\", \"event\": \"connect\", \"connection_id\": 13, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"socket\", \"status\": 0, \"db\": \"\", \"connection_attributes\": { \"_pid\": \"33038\", \"_platform\": \"x86_64\", \"_os\": \"Linux\", \"_client_name\": \"libmysql\", \"os_user\": \"root\", \"_client_version\": \"8.0.22\" } } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -73,6 +75,9 @@ "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", "process.pid": 33038, + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -92,6 +97,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:25:51\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 13, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"select\", \"query\": \"select @@version_comment limit 1\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -110,6 +116,9 @@ "mysqlenterprise.audit.id": 1, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -129,6 +138,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:25:52\", \"id\": 0, \"class\": \"connection\", \"event\": \"disconnect\", \"connection_id\": 13, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"socket\" } },", "event.outcome": "unknown", "event.timezone": "-02:00", "event.type": [ @@ -145,6 +155,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -165,6 +178,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:27:45\", \"id\": 0, \"class\": \"connection\", \"event\": \"connect\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"socket\", \"status\": 0, \"db\": \"\", \"connection_attributes\": { \"_pid\": \"33197\", \"_platform\": \"x86_64\", \"_os\": \"Linux\", \"_client_name\": \"libmysql\", \"os_user\": \"root\", \"_client_version\": \"8.0.22\" } } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -188,6 +202,9 @@ "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", "process.pid": 33197, + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -207,6 +224,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:27:45\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"select\", \"query\": \"select @@version_comment limit 1\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -225,6 +243,9 @@ "mysqlenterprise.audit.id": 1, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -245,6 +266,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:27:50\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password'\", \"status\": 1064 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -263,6 +285,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -283,6 +308,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:28:04\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password'\", \"status\": 1064 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -301,6 +327,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -321,6 +350,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:28:27\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO 'root'@'hades.home' IDENTIFIED BY 'password'\", \"status\": 1064 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -339,6 +369,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -359,6 +392,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:28:54\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO 'root'@'%'\", \"status\": 1410 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -377,6 +411,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -397,11 +434,14 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:29:36\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"create_user\", \"query\": \"CREATE USER 'audit_test_user'@'localhost' IDENTIFIED BY \", \"status\": 1396 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ "access", - "connection" + "connection", + "user", + "creation" ], "fileset.name": "audit", "input.type": "log", @@ -415,14 +455,21 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ - "root" + "root", + "audit_test_user" ], "server.user.name": "root", "service.type": "mysqlenterprise", "tags": [ "mysqlenterprise-audit" - ] + ], + "user.name": "root", + "user.target.domain": "localhost", + "user.target.name": "audit_test_user" }, { "@timestamp": "2020-10-19T19:30:00.000Z", @@ -435,11 +482,14 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:30:00\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"create_user\", \"query\": \"CREATE USER IF NOT EXISTS 'audit_test_user2'@'hades.home' IDENTIFIED BY \", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ "access", - "connection" + "connection", + "user", + "creation" ], "fileset.name": "audit", "input.type": "log", @@ -447,20 +497,27 @@ "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 15, "mysqlenterprise.audit.general_data.command": "Query", - "mysqlenterprise.audit.general_data.query": "CREATE USER 'audit_test_user2'@'hades.home' IDENTIFIED BY ", + "mysqlenterprise.audit.general_data.query": "CREATE USER IF NOT EXISTS 'audit_test_user2'@'hades.home' IDENTIFIED BY ", "mysqlenterprise.audit.general_data.sql_command": "create_user", "mysqlenterprise.audit.general_data.status": 0, "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ - "root" + "root", + "audit_test_user2" ], "server.user.name": "root", "service.type": "mysqlenterprise", "tags": [ "mysqlenterprise-audit" - ] + ], + "user.name": "root", + "user.target.domain": "hades.home", + "user.target.name": "audit_test_user2" }, { "@timestamp": "2020-10-19T19:30:18.000Z", @@ -473,6 +530,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:30:18\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO \u2018audit_test_user2\u2019@\u2019hades.home\u2019\", \"status\": 1410 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -481,7 +539,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 4645, + "log.offset": 4659, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 15, "mysqlenterprise.audit.general_data.command": "Query", @@ -491,6 +549,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -511,6 +572,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:30:32\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user'@'hades.home'\", \"status\": 1410 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -519,7 +581,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 5031, + "log.offset": 5045, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 15, "mysqlenterprise.audit.general_data.command": "Query", @@ -529,6 +591,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -549,6 +614,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:30:49\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user'@'hades.home'\", \"status\": 1410 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -557,7 +623,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 5408, + "log.offset": 5422, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 15, "mysqlenterprise.audit.general_data.command": "Query", @@ -567,6 +633,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -587,6 +656,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:01\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user2'@'hades.home'\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -595,7 +665,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 5785, + "log.offset": 5799, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 15, "mysqlenterprise.audit.general_data.command": "Query", @@ -605,6 +675,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -626,6 +699,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:25\", \"id\": 0, \"class\": \"connection\", \"event\": \"connect\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"ssl\", \"status\": 0, \"db\": \"\", \"connection_attributes\": { \"_os\": \"Linux\", \"_client_name\": \"libmysql\", \"_pid\": \"394499\", \"_client_version\": \"5.7.30\", \"_platform\": \"x86_64\" } } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -635,7 +709,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 6160, + "log.offset": 6174, "mysqlenterprise.audit.class": "connection", "mysqlenterprise.audit.connection_data.connection_attributes._client_name": "libmysql", "mysqlenterprise.audit.connection_data.connection_attributes._client_version": "5.7.30", @@ -648,6 +722,9 @@ "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", "process.pid": 394499, + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -671,6 +748,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:25\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"select\", \"query\": \"select @@version_comment limit 1\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -679,7 +757,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 6638, + "log.offset": 6652, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -689,6 +767,9 @@ "mysqlenterprise.audit.id": 1, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -712,6 +793,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:31\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"create_db\", \"query\": \"create database audit_test\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -720,7 +802,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 7020, + "log.offset": 7034, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -730,6 +812,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -753,6 +838,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:40\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"select\", \"query\": \"SELECT DATABASE()\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -761,7 +847,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 7399, + "log.offset": 7413, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -771,6 +857,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -794,6 +883,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:40\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Init DB\", \"sql_command\": \"error\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -802,7 +892,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 7766, + "log.offset": 7780, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Init DB", @@ -811,6 +901,9 @@ "mysqlenterprise.audit.id": 1, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -834,6 +927,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:40\", \"id\": 2, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"show_databases\", \"query\": \"show databases\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -842,7 +936,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 8104, + "log.offset": 8118, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -852,6 +946,9 @@ "mysqlenterprise.audit.id": 2, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -875,6 +972,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:40\", \"id\": 3, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"show_tables\", \"query\": \"show tables\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -883,7 +981,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 8476, + "log.offset": 8490, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -893,6 +991,9 @@ "mysqlenterprise.audit.id": 3, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -916,6 +1017,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:47\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"create_table\", \"query\": \"CREATE TABLE audit_test_table (firstname VARCHAR(20), lastname VARCHAR(20))\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -924,7 +1026,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 8842, + "log.offset": 8856, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -934,6 +1036,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -957,6 +1062,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:57\", \"id\": 0, \"class\": \"table_access\", \"event\": \"insert\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"table_access_data\": { \"db\": \"audit_test\", \"table\": \"audit_test_table\", \"query\": \"INSERT INTO audit_test_table values ('John', 'Smith')\", \"sql_command\": \"insert\" } },", "event.outcome": "unknown", "event.timezone": "-02:00", "event.type": [ @@ -965,7 +1071,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 9273, + "log.offset": 9287, "mysqlenterprise.audit.class": "table_access", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.id": 0, @@ -975,6 +1081,9 @@ "mysqlenterprise.audit.table_access_data.sql_command": "insert", "mysqlenterprise.audit.table_access_data.table": "audit_test_table", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -998,6 +1107,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:57\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"insert\", \"query\": \"INSERT INTO audit_test_table values ('John', 'Smith')\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -1006,7 +1116,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 9702, + "log.offset": 9716, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -1016,6 +1126,9 @@ "mysqlenterprise.audit.id": 1, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -1039,6 +1152,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:32:05\", \"id\": 0, \"class\": \"table_access\", \"event\": \"read\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"table_access_data\": { \"db\": \"audit_test\", \"table\": \"audit_test_table\", \"query\": \"select * from audit_test_table\", \"sql_command\": \"select\" } },", "event.outcome": "unknown", "event.timezone": "-02:00", "event.type": [ @@ -1047,7 +1161,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 10105, + "log.offset": 10119, "mysqlenterprise.audit.class": "table_access", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.id": 0, @@ -1057,6 +1171,9 @@ "mysqlenterprise.audit.table_access_data.sql_command": "select", "mysqlenterprise.audit.table_access_data.table": "audit_test_table", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -1080,6 +1197,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:32:05\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"select\", \"query\": \"select * from audit_test_table\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -1088,7 +1206,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 10509, + "log.offset": 10523, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -1098,6 +1216,9 @@ "mysqlenterprise.audit.id": 1, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -1121,6 +1242,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:32:10\", \"id\": 0, \"class\": \"connection\", \"event\": \"disconnect\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"ssl\" } },", "event.outcome": "unknown", "event.timezone": "-02:00", "event.type": [ @@ -1130,13 +1252,16 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 10889, + "log.offset": 10903, "mysqlenterprise.audit.class": "connection", "mysqlenterprise.audit.connection_data.connection_type": "ssl", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -1159,6 +1284,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:32:12\", \"id\": 0, \"class\": \"connection\", \"event\": \"disconnect\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"socket\" } },", "event.outcome": "unknown", "event.timezone": "-02:00", "event.type": [ @@ -1168,13 +1294,16 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 11204, + "log.offset": 11218, "mysqlenterprise.audit.class": "connection", "mysqlenterprise.audit.connection_data.connection_type": "socket", "mysqlenterprise.audit.connection_id": 15, "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -1193,11 +1322,12 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:32:16\", \"id\": 0, \"class\": \"audit\", \"event\": \"shutdown\", \"connection_id\": 0, \"shutdown_data\": { \"server_id\": 1 } }", "event.outcome": "unknown", "event.timezone": "-02:00", "fileset.name": "audit", "input.type": "log", - "log.offset": 11486, + "log.offset": 11500, "mysqlenterprise.audit.class": "audit", "mysqlenterprise.audit.connection_id": 0, "mysqlenterprise.audit.id": 0, @@ -1207,5 +1337,146 @@ "tags": [ "mysqlenterprise-audit" ] + }, + { + "@timestamp": "2021-02-10T19:05:42.000Z", + "client.domain": "elastic", + "client.ip": "192.168.7.76", + "event.action": "mysql-status", + "event.category": [ + "database", + "iam" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2021-02-10 19:05:42\", \"id\": 2, \"class\": \"audit\", \"event\": \"status\", \"connection_id\": 42, \"account\": { \"user\": \"adrian\", \"host\": \"elastic\" }, \"login\": { \"user\": \"adrian\", \"os\": \"\", \"ip\": \"192.168.7.76\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"create_user\", \"query\": \"crEAtE uSeR 'evil user'@elastic IDENTIFIED BY \", \"status\": 1396 } },", + "event.outcome": "failure", + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 11644, + "mysqlenterprise.audit.class": "audit", + "mysqlenterprise.audit.connection_id": 42, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "crEAtE uSeR 'evil user'@elastic IDENTIFIED BY ", + "mysqlenterprise.audit.general_data.sql_command": "create_user", + "mysqlenterprise.audit.general_data.status": 1396, + "mysqlenterprise.audit.id": 2, + "mysqlenterprise.audit.login.user": "adrian", + "process.name": "mysqld", + "related.hosts": [ + "elastic" + ], + "related.ip": [ + "192.168.7.76" + ], + "related.user": [ + "adrian", + "evil user" + ], + "server.user.name": "adrian", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ], + "user.name": "adrian", + "user.target.domain": "elastic", + "user.target.name": "evil user" + }, + { + "@timestamp": "2021-02-10T19:05:42.000Z", + "client.domain": "elastic", + "client.ip": "192.168.7.76", + "event.action": "mysql-status", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2021-02-10 19:05:42\", \"id\": 2, \"class\": \"audit\", \"event\": \"status\", \"connection_id\": 42, \"account\": { \"user\": \"adrian\", \"host\": \"elastic\" }, \"login\": { \"user\": \"evil user\", \"os\": \"\", \"ip\": \"192.168.7.76\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"drop_db\", \"query\": \"DROP DATABASE prod\", \"status\": 1396 } },", + "event.outcome": "failure", + "event.timezone": "-02:00", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 12034, + "mysqlenterprise.audit.class": "audit", + "mysqlenterprise.audit.connection_id": 42, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "DROP DATABASE prod", + "mysqlenterprise.audit.general_data.sql_command": "drop_db", + "mysqlenterprise.audit.general_data.status": 1396, + "mysqlenterprise.audit.id": 2, + "mysqlenterprise.audit.login.user": "evil user", + "process.name": "mysqld", + "related.hosts": [ + "elastic" + ], + "related.ip": [ + "192.168.7.76" + ], + "related.user": [ + "adrian" + ], + "server.user.name": "adrian", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2021-02-10T19:05:42.000Z", + "client.domain": "elastic", + "client.ip": "192.168.7.76", + "event.action": "mysql-status", + "event.category": [ + "database", + "iam" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2021-02-10 19:05:42\", \"id\": 2, \"class\": \"audit\", \"event\": \"status\", \"connection_id\": 42, \"account\": { \"user\": \"adrian\", \"host\": \"elastic\" }, \"login\": { \"user\": \"evil user\", \"os\": \"\", \"ip\": \"192.168.7.76\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"drop_user\", \"query\": \"DrOp usEr IF EXISTS 'evil user'@%\", \"status\": 1396 } },", + "event.outcome": "failure", + "event.timezone": "-02:00", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 12385, + "mysqlenterprise.audit.class": "audit", + "mysqlenterprise.audit.connection_id": 42, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "DrOp usEr IF EXISTS 'evil user'@%", + "mysqlenterprise.audit.general_data.sql_command": "drop_user", + "mysqlenterprise.audit.general_data.status": 1396, + "mysqlenterprise.audit.id": 2, + "mysqlenterprise.audit.login.user": "evil user", + "process.name": "mysqld", + "related.hosts": [ + "elastic" + ], + "related.ip": [ + "192.168.7.76" + ], + "related.user": [ + "adrian", + "evil user" + ], + "server.user.name": "adrian", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ], + "user.name": "adrian", + "user.target.domain": "%", + "user.target.name": "evil user" } ] \ No newline at end of file