diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index fc743436c56..df3f472d2d2 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -141,6 +141,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add support for MariaDB in the `slowlog` fileset of `mysql` module. {pull}9731[9731] - Elasticsearch module's slowlog now populates `event.duration` (ECS). {pull}9293[9293] - HAProxy module now populates `event.duration` and `http.response.bytes` (ECS). {pull}10143[10143] +- Teach elasticsearch/audit fileset to parse out some more fields. {issue}10134[10134] {pull}10137[10137] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index b89806d781a..a096d871733 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -3965,6 +3965,26 @@ Where the request originated: rest (request originated from a REST API request), -- +*`elasticsearch.audit.realm`*:: ++ +-- +type: keyword + +The authentication realm + +-- + +*`elasticsearch.audit.roles`*:: ++ +-- +type: array + +example: ['kibana_user', 'beats_admin'] + +Roles to which the principal belongs + +-- + *`elasticsearch.audit.action`*:: + -- @@ -3976,6 +3996,17 @@ The name of the action that was executed -- +*`elasticsearch.audit.indices`*:: ++ +-- +type: array + +example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] + +Indices accessed by action + +-- + *`elasticsearch.audit.request`*:: + -- diff --git a/filebeat/module/elasticsearch/audit/_meta/fields.yml b/filebeat/module/elasticsearch/audit/_meta/fields.yml index ff6195e31c6..f8a75b662ee 100644 --- a/filebeat/module/elasticsearch/audit/_meta/fields.yml +++ b/filebeat/module/elasticsearch/audit/_meta/fields.yml 
@@ -10,15 +10,26 @@
 description: "Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)"
 example: "local_node"
 type: keyword
+ - name: realm
+ description: "The authentication realm"
+ example": "active_directory"
+ type: keyword
+ - name: roles
+ description: "Roles to which the principal belongs"
+ example: [ "kibana_user", "beats_admin" ]
+ type: array
 - name: action
 description: "The name of the action that was executed"
 example: "cluster:monitor/main"
 type: keyword
+ - name: indices
+ description: "Indices accessed by action"
+ example: [ "foo-2019.01.04", "foo-2019.01.03", "foo-2019.01.06" ]
+ type: array
 - name: request
 description: "The type of request that was executed"
 example: "ClearScrollRequest"
 type: keyword
-
 - name: event_type
 type: alias
 path: event.type
diff --git a/filebeat/module/elasticsearch/audit/ingest/pipeline.json b/filebeat/module/elasticsearch/audit/ingest/pipeline.json
index 8ca89a15c73..9c97beb4574 100644
--- a/filebeat/module/elasticsearch/audit/ingest/pipeline.json
+++ b/filebeat/module/elasticsearch/audit/ingest/pipeline.json
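Review bot: The new `realm` entry has a typo in its key — `example": "active_directory"` carries a stray `"` after `example`, so YAML reads it as a key named `example"` and the example is silently dropped; the regenerated `fields.asciidoc` in this same commit shows exactly that, with `realm` lacking an example line while `roles` and `indices` keep theirs. Change it to `example: "active_directory"` and regenerate the docs and the `fields.go` asset. The dropped blank line before `event_type` is cosmetic and fine.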
@@ -18,16 +18,45 @@
 "ES_AUDIT_ORIGIN_TYPE": "(origin_type\\=\\[%{WORD:elasticsearch.audit.origin_type}\\])?",
 "ES_AUDIT_ORIGIN_ADDRESS": "(origin_address\\=\\[%{IPORHOST:source.ip}\\])?",
 "ES_AUDIT_PRINCIPAL": "(principal\\=\\[%{WORD:user.name}\\])?",
- "ES_AUDIT_ACTION": "(action\\=\\[%{DATA:elasticsearch.audit.action}\\])?",
+ "ES_AUDIT_REALM": "(realm\\=\\[%{WORD:elasticsearch.audit.realm}\\])?",
+ "ES_AUDIT_ROLES": "(roles\\=\\[%{DATA:elasticsearch.audit.roles}\\])?",
+ "ES_AUDIT_ACTION": "(action\\=\\[%{DATA:elasticsearch.audit.action}(\\[%{DATA:elasticsearch.audit.sub_action}\\])?\\])?",
 "ES_AUDIT_URI": "(uri=\\[%{DATA:url.original}\\])?",
+ "ES_AUDIT_INDICES": "(indices\\=\\[%{DATA:elasticsearch.audit.indices}\\])?",
 "ES_AUDIT_REQUEST": "(request\\=\\[%{WORD:elasticsearch.audit.request}\\])?",
 "ES_AUDIT_REQUEST_BODY": "(request_body\\=\\[%{DATA:http.request.body.content}\\])?"
 },
 "patterns": [
- "%{ES_TIMESTAMP}\\s*%{ES_NODE_NAME}\\s*%{ES_AUDIT_LAYER}\\s*%{ES_AUDIT_EVENT_TYPE}\\s*%{ES_AUDIT_ORIGIN_TYPE},?\\s*%{ES_AUDIT_ORIGIN_ADDRESS},?\\s*%{ES_AUDIT_PRINCIPAL},?\\s*%{ES_AUDIT_ACTION},?\\s*%{ES_AUDIT_URI},?\\s*%{ES_AUDIT_REQUEST},?\\s*%{ES_AUDIT_REQUEST_BODY},?"
+ "%{ES_TIMESTAMP}\\s*%{ES_NODE_NAME}\\s*%{ES_AUDIT_LAYER}\\s*%{ES_AUDIT_EVENT_TYPE}\\s*%{ES_AUDIT_ORIGIN_TYPE},?\\s*%{ES_AUDIT_ORIGIN_ADDRESS},?\\s*%{ES_AUDIT_PRINCIPAL},?\\s*%{ES_AUDIT_REALM},?\\s*%{ES_AUDIT_ROLES},?\\s*%{ES_AUDIT_ACTION},?\\s*%{ES_AUDIT_INDICES},?\\s*%{ES_AUDIT_URI},?\\s*%{ES_AUDIT_REQUEST},?\\s*%{ES_AUDIT_REQUEST_BODY},?"
 ]
 }
 },
+ {
+ "split": {
+ "field": "elasticsearch.audit.roles",
+ "separator": ",",
+ "ignore_missing": true
+ }
+ },
+ {
+ "split": {
+ "field": "elasticsearch.audit.indices",
+ "separator": ",",
+ "ignore_missing": true
+ }
+ },
+ {
+ "script": {
+ "lang": "painless",
+ "source": "if (ctx.elasticsearch.audit.sub_action != null) { ctx.elasticsearch.audit.action += '[' + ctx.elasticsearch.audit.sub_action + ']' }"
+ }
+ },
+ {
+ "remove": {
+ "field": "elasticsearch.audit.sub_action",
+ "ignore_missing": true
+ }
+ },
 {
 "date": {
 "field": "elasticsearch.audit.timestamp",
diff --git a/filebeat/module/elasticsearch/audit/test/test.log-expected.json b/filebeat/module/elasticsearch/audit/test/test.log-expected.json
index 29fe668a96d..7f40df72788 100644
--- a/filebeat/module/elasticsearch/audit/test/test.log-expected.json
+++ b/filebeat/module/elasticsearch/audit/test/test.log-expected.json
@@ -121,8 +121,24 @@
 {
 "@timestamp": "2019-01-08T14:15:02.011Z",
 "ecs.version": "1.0.0-beta2",
+ "elasticsearch.audit.action": "indices:data/read/search[free_context]",
+ "elasticsearch.audit.indices": [
+ "foo-2019.01.04",
+ "foo-2019.01.03",
+ "foo-2019.01.06",
+ "foo-2019.01.05",
+ "foo-2019.01.08",
+ "servicelog-2019.01.07"
+ ],
 "elasticsearch.audit.layer": "transport",
 "elasticsearch.audit.origin_type": "transport",
+ "elasticsearch.audit.realm": "active_directory",
+ "elasticsearch.audit.request": "SearchFreeContextRequest",
+ "elasticsearch.audit.roles": [
+ "kibana_user",
+ "my_custom_role_1",
+ "foo_reader"
+ ],
 "elasticsearch.node.name": "NodeName-0",
 "event.dataset": "elasticsearch.audit",
 "event.module": "elasticsearch",
@@ -135,4 +151,4 @@
 "source.ip": "192.168.2.1",
 "user.name": "username"
 }
-]
\ No newline at end of file
+]
diff --git a/filebeat/module/elasticsearch/fields.go b/filebeat/module/elasticsearch/fields.go
index 417f0a720a8..e6933656562 100644
--- a/filebeat/module/elasticsearch/fields.go
+++ b/filebeat/module/elasticsearch/fields.go
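Review bot: The painless processor added between the second `split` and the `remove` step dereferences `ctx.elasticsearch.audit` unconditionally; every `ES_AUDIT_*` grok group in the pattern is optional, so if a line can match with no `elasticsearch.audit.*` field populated (the `ES_AUDIT_LAYER`/`ES_AUDIT_EVENT_TYPE` definitions sit above this hunk, so I cannot confirm they are mandatory), the script throws a NullPointerException and fails the whole document instead of merely skipping the sub-action join. Painless has a null-safe operator, so `"source": "if (ctx.elasticsearch?.audit?.sub_action != null) { ctx.elasticsearch.audit.action += '[' + ctx.elasticsearch.audit.sub_action + ']' }"` removes that risk at no cost. Two quieter parsing caveats in the same hunk: `ES_AUDIT_REALM` uses `%{WORD}`, which leaves `realm` unset for any realm name containing `-` or `.` and surfaces no error because the group is optional (the neighbouring `roles`/`indices` groups already use `%{DATA}`), and the `split` on `","` for `roles` assumes role names never contain a comma, which I believe the role API permits, whereas index names cannot so the `indices` split is fine. Adding a fixture line with such a realm or role to `test.log` would make both cases visible rather than silent.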
@@ -31,5 +31,5 @@ func init() { // Asset returns asset data func Asset() string { - return "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" + return "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" }