From d3c38266a25366aa99d1904c3c4c3d5b088127ef Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 27 Aug 2020 10:12:48 +0200 Subject: [PATCH] [Filebeat][auditd] Fix event types and categories to comply with ECS (#20652) (#20794) * Fix event types and categories to comply with ECS * Add CHANGELOG entry * Regenerate test files (cherry picked from commit 2eef25770fe356ff9d3d1cbcc1ce36edccd1e098) --- CHANGELOG.next.asciidoc | 1 + .../module/auditd/log/ingest/pipeline.yml | 30 +++++++++++++++---- .../log/test/audit-rhel6.log-expected.json | 6 ++-- .../log/test/audit-rhel7.log-expected.json | 3 +- .../auditd/log/test/test.log-expected.json | 15 ++++++---- 5 files changed, 42 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 709fcb3044e..846ddbde2b4 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -72,6 +72,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fixing `ingress_controller.` fields to be of type keyword instead of text. {issue}17834[17834] - Fixed typo in log message. {pull}17897[17897] - Fix long registry migration times. {pull}20717[20717] {issue}20705[20705] +- Fix event types and categories in auditd module to comply with ECS {pull}20652[20652] *Heartbeat* diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml index 2b7c114f10a..30ec300cf7e 100644 --- a/filebeat/module/auditd/log/ingest/pipeline.yml +++ b/filebeat/module/auditd/log/ingest/pipeline.yml 
@@ -137,24 +137,44 @@ processors:
value: event
- set:
if: "ctx.auditd.log?.record_type == 'USER_AUTH'"
- field: event.type
+ field: event.category
value: authentication
- set:
- if: "ctx.auditd.log?.record_type == 'KERN_MODULE'"
+ if: "ctx.auditd.log?.record_type == 'USER_AUTH'"
field: event.type
+ value: info
+- set:
+ if: "ctx.auditd.log?.record_type == 'KERN_MODULE'"
+ field: event.category
value: driver
- set:
- if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'"
+ if: "ctx.auditd.log?.record_type == 'KERN_MODULE'"
field: event.type
+ value: info
+- set:
+ if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'"
+ field: event.category
value: package
- set:
- if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'"
+ if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'"
field: event.type
+ value: info
+- set:
+ if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'"
+ field: event.category
value: host
- set:
- if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'"
+ if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'"
field: event.type
+ value: info
+- set:
+ if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'"
+ field: event.category
value: process
+- set:
+ if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'"
+ field: event.type
+ value: info
- set:
if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' || ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'"
field: event.category
diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
index a7bdfe6b83d..b2532651d2b 100644
--- a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
+++ b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
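Review bot: The last added `set` block types the execve SYSCALL record as `event.type: info`, but as I read ECS a process execution under `event.category: process` should be typed `start`, and the prebuilt detection rules that key on `event.category:process and event.type:start` would then never match auditd execve records; I would change that block to `value: start`. The combined SYSTEM_BOOT/SYSTEM_SHUTDOWN condition has the same shape of problem, forcing one type onto two records where ECS would distinguish `start` from `end`, so splitting it into two `set` processors (three lines each) seems worth it while the block is being touched. ECS also defines `event.category` and `event.type` as array fields, and these processors write scalars (the regenerated fixtures show `"event.type": "info"` rather than `["info"]`), which Elasticsearch accepts but which diverges from the convention the title says this PR adopts. Each `if` condition is now copied verbatim into a category processor and a type processor, so a future edit to one copy would silently split the pair; a comment such as `# category and type for a record_type must be kept in sync` above the first pair would at least flag it. The VIRT_CONTROL processor at the end of the hunk continues outside it.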
@@ -212,11 +212,12 @@
"auditd.log.sequence": 19623789,
"auditd.log.ses": "6793",
"event.action": "user_auth",
+ "event.category": "authentication",
"event.dataset": "auditd.log",
"event.kind": "event",
"event.module": "auditd",
"event.outcome": "success",
- "event.type": "authentication",
+ "event.type": "info",
"fileset.name": "log",
"input.type": "log",
"log.offset": 1926,
@@ -234,11 +235,12 @@
"auditd.log.sequence": 19623807,
"auditd.log.ses": "12286",
"event.action": "user_auth",
+ "event.category": "authentication",
"event.dataset": "auditd.log",
"event.kind": "event",
"event.module": "auditd",
"event.outcome": "success",
- "event.type": "authentication",
+ "event.type": "info",
"fileset.name": "log",
"input.type": "log",
"log.offset": 2122,
diff --git a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json
index 64ddfa2cc49..b25dde0881b 100644
--- a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json
+++ b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json
@@ -45,11 +45,12 @@
"auditd.log.ses": "4294967295",
"auditd.log.subj": "system_u:system_r:init_t:s0",
"event.action": "system_boot",
+ "event.category": "host",
"event.dataset": "auditd.log",
"event.kind": "event",
"event.module": "auditd",
"event.outcome": "success",
- "event.type": "host",
+ "event.type": "info",
"fileset.name": "log",
"input.type": "log",
"log.offset": 419,
diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json
index 2306d330fa5..f122becadda 100644
--- a/filebeat/module/auditd/log/test/test.log-expected.json
+++ b/filebeat/module/auditd/log/test/test.log-expected.json
@@ -167,11 +167,12 @@
"auditd.log.sw": "gcc-4.8.5-39.el7.x86_64",
"auditd.log.sw_type": "rpm",
"event.action": "software_update",
+ "event.category": "package",
"event.dataset": "auditd.log",
"event.kind": "event",
"event.module": "auditd",
"event.outcome": "success",
- "event.type": "package",
+ "event.type": "info",
"fileset.name": "log",
"input.type": "log",
"log.offset": 1893,
@@ -188,11 +189,12 @@
"auditd.log.ses": "4294967295",
"auditd.log.subj": "system_u:system_r:init_t:s0",
"event.action": "system_boot",
+ "event.category": "host",
"event.dataset": "auditd.log",
"event.kind": "event",
"event.module": "auditd",
"event.outcome": "success",
- "event.type": "host",
+ "event.type": "info",
"fileset.name": "log",
"input.type": "log",
"log.offset": 2196,
@@ -210,11 +212,12 @@
"auditd.log.ses": "4294967295",
"auditd.log.subj": "system_u:system_r:init_t:s0",
"event.action": "system_shutdown",
+ "event.category": "host",
"event.dataset": "auditd.log",
"event.kind": "event",
"event.module": "auditd",
"event.outcome": "success",
- "event.type": "host",
+ "event.type": "info",
"fileset.name": "log",
"input.type": "log",
"log.offset": 2438,
@@ -254,10 +257,11 @@
"auditd.log.syscall": "execve",
"auditd.log.tty": "pts0",
"event.action": "syscall",
+ "event.category": "process",
"event.dataset": "auditd.log",
"event.kind": "event",
"event.module": "auditd",
- "event.type": "process",
+ "event.type": "info",
"fileset.name": "log",
"host.architecture": "x86_64",
"input.type": "log",
@@ -283,10 +287,11 @@
"auditd.log.name": "mymodule",
"auditd.log.sequence": 579397,
"event.action": "kern_module",
+ "event.category": "driver",
"event.dataset": "auditd.log",
"event.kind": "event",
"event.module": "auditd",
- "event.type": "driver",
+ "event.type": "info",
"fileset.name": "log",
"input.type": "log",
"log.offset": 3153,