From 8d77c1ce3add45db9a2392d5d99337344cdbb537 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 26 Aug 2020 11:01:45 +0200 Subject: [PATCH] [Filebeat][auditd] Fix event types and categories to comply with ECS (#20652) * Fix event types and categories to comply with ECS * Add CHANGELOG entry * Regenerate test files --- CHANGELOG.next.asciidoc | 1 + .../module/auditd/log/ingest/pipeline.yml | 30 +++++++++++++++---- .../test/audit-cent7-node.log-expected.json | 3 +- .../log/test/audit-rhel6.log-expected.json | 6 ++-- .../log/test/audit-rhel7.log-expected.json | 3 +- .../auditd/log/test/test.log-expected.json | 15 ++++++---- 6 files changed, 44 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2e963bac692..f11d6b40a2e 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -252,6 +252,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Clone value when copy fields in processors to avoid crash. {issue}19206[19206] {pull}20500[20500] - Fix event.type for zeek/ssl and duplicate event.category for zeek/connection {pull}20696[20696] - Fix long registry migration times. {pull}20717[20717] {issue}20705[20705] +- Fix event types and categories in auditd module to comply with ECS {pull}20652[20652] *Heartbeat* diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml index c36875e8c48..4f6d8ba2d0d 100644 --- a/filebeat/module/auditd/log/ingest/pipeline.yml +++ b/filebeat/module/auditd/log/ingest/pipeline.yml @@ -141,24 +141,44 @@ processors: value: event - set: if: "ctx.auditd.log?.record_type == 'USER_AUTH'" - field: event.type + field: event.category value: authentication - set: - if: "ctx.auditd.log?.record_type == 'KERN_MODULE'" + if: "ctx.auditd.log?.record_type == 'USER_AUTH'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'KERN_MODULE'" + field: event.category value: driver - set: - if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'" + if: "ctx.auditd.log?.record_type == 'KERN_MODULE'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'" + field: event.category value: package - set: - if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" + if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" + field: event.category value: host - set: - if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + field: event.category value: process +- set: + if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + field: event.type + value: info - set: if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' || ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" field: event.category diff --git a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json index 70e98f6e87a..6001a762f9f 100644 --- a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json @@ -89,11 +89,12 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "event.action": "system_boot", + "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "host", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 862, diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json index a7bdfe6b83d..b2532651d2b 100644 --- a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json @@ -212,11 +212,12 @@ "auditd.log.sequence": 19623789, "auditd.log.ses": "6793", "event.action": "user_auth", + "event.category": "authentication", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "authentication", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 1926, @@ -234,11 +235,12 @@ "auditd.log.sequence": 19623807, "auditd.log.ses": "12286", "event.action": "user_auth", + "event.category": "authentication", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "authentication", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 2122, diff --git a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json index 64ddfa2cc49..b25dde0881b 100644 --- a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json @@ -45,11 +45,12 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "event.action": "system_boot", + "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "host", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 419, diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json index 2306d330fa5..f122becadda 100644 --- a/filebeat/module/auditd/log/test/test.log-expected.json +++ b/filebeat/module/auditd/log/test/test.log-expected.json @@ -167,11 +167,12 @@ "auditd.log.sw": "gcc-4.8.5-39.el7.x86_64", "auditd.log.sw_type": "rpm", "event.action": "software_update", + "event.category": "package", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "package", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 1893, @@ -188,11 +189,12 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "event.action": "system_boot", + "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "host", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 2196, @@ -210,11 +212,12 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "event.action": "system_shutdown", + "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "host", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 2438, @@ -254,10 +257,11 @@ "auditd.log.syscall": "execve", "auditd.log.tty": "pts0", "event.action": "syscall", + "event.category": "process", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", - "event.type": "process", + "event.type": "info", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -283,10 +287,11 @@ "auditd.log.name": "mymodule", "auditd.log.sequence": 579397, "event.action": "kern_module", + "event.category": "driver", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", - "event.type": "driver", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 3153,