diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index 55db1d0085cb..729e05bd3c3d 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -202,6 +202,7 @@ https://github.com/elastic/beats/compare/v6.2.3...master[Check the HEAD diff] - Add support for TLS with client authentication to the TCP input {pull}7056[7056] - Converted part of pipeline from treafik/access metricSet to dissect to improve efficeny. {pull}7209[7209] - Add GC fileset to the Elasticsearch module. {pull}7305[7305] +- Add Audit log fileset to the Elasticsearch module. {pull}7365[7365] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index f0a89dc82c09..2b2a811ca955 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -800,6 +800,122 @@ elasticsearch Module +[float] +== audit fields + + + + +*`elasticsearch.audit.node_name`*:: ++ +-- +type: keyword + +example: v_VJhjV + +The name of the node + +-- + +*`elasticsearch.audit.layer`*:: ++ +-- +type: keyword + +example: rest + +The layer from which this event originated: rest, transport or ip_filter + +-- + +*`elasticsearch.audit.event_type`*:: ++ +-- +type: keyword + +example: access_granted + +The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied + +-- + +*`elasticsearch.audit.origin_type`*:: ++ +-- +type: keyword + +example: local_node + +Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) + +-- + +*`elasticsearch.audit.origin_address`*:: ++ +-- +type: ip + +example: 192.168.1.42 + +The IP address from which the request originated + +-- + +*`elasticsearch.audit.principal`*:: ++ +-- +type: keyword + +example: _anonymous + +The principal (username) that failed authentication + +-- + +*`elasticsearch.audit.action`*:: ++ +-- +type: keyword + +example: cluster:monitor/main + +The name of the action that was executed + +-- + +*`elasticsearch.audit.uri`*:: ++ +-- +type: keyword + +example: /_xpack/security/_authenticate + +The REST endpoint URI + +-- + +*`elasticsearch.audit.request`*:: ++ +-- +type: keyword + +example: ClearScrollRequest + +The type of request that was executed + +-- + +*`elasticsearch.audit.request_body`*:: ++ +-- +type: text + +example: body + +The body of the request, if enabled + +-- + [float] == gc fields diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 493c09751b66..9aa56c1c828b 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml 
@@ -98,6 +98,12 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: + audit: + enabled: true + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #------------------------------- Icinga Module ------------------------------- #- module: icinga # Main logs diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go index f952cec848a6..0c58c181bd8a 100644 --- a/filebeat/include/fields.go +++ b/filebeat/include/fields.go @@ -31,5 +31,5 @@ func init() { // Asset returns asset data func Asset() string { - return "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" + return "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" } diff --git a/filebeat/module/elasticsearch/_meta/config.yml b/filebeat/module/elasticsearch/_meta/config.yml index bb5674c5bd90..98942fa54041 100644 --- a/filebeat/module/elasticsearch/_meta/config.yml +++ b/filebeat/module/elasticsearch/_meta/config.yml @@ -12,3 +12,9 @@ # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + + audit: + enabled: true + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/filebeat/module/elasticsearch/audit/_meta/fields.yml b/filebeat/module/elasticsearch/audit/_meta/fields.yml new file mode 100644 index 000000000000..f0d5cb26cc92 --- /dev/null +++ b/filebeat/module/elasticsearch/audit/_meta/fields.yml 
@@ -0,0 +1,44 @@ +- name: audit + type: group + description: > + fields: + - name: node_name + description: "The name of the node" + example: "v_VJhjV" + type: keyword + - name: layer + description: "The layer from which this event originated: rest, transport or ip_filter" + example: "rest" + type: keyword + - name: event_type + description: "The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied" + example: "access_granted" + type: keyword + - name: origin_type + description: "Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)" + example: "local_node" + type: keyword + - name: origin_address + description: "The IP address from which the request originated" + example: "192.168.1.42" + type: ip + - name: principal + description: "The principal (username) that failed authentication" + example: "_anonymous" + type: keyword + - name: action + description: "The name of the action that was executed" + example: "cluster:monitor/main" + type: keyword + - name: uri + description: "The REST endpoint URI" + example: /_xpack/security/_authenticate + type: keyword + - name: request + description: "The type of request that was executed" + example: "ClearScrollRequest" + type: keyword + - name: request_body + description: "The body of the request, if enabled" + example: "body" + type: text diff --git a/filebeat/module/elasticsearch/audit/config/audit.yml b/filebeat/module/elasticsearch/audit/config/audit.yml new file mode 100644 index 000000000000..8d9139a7115f --- /dev/null +++ b/filebeat/module/elasticsearch/audit/config/audit.yml 
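Review bot: The `principal` description, `"The principal (username) that failed authentication"`, is narrower than the field's actual use: the grok in the `ingest/pipeline.json` hunk fills it for every event type, and the fixture in `test/test.log` carries `principal=[_xpack_security]` on an `access_granted` event and `principal=[_anonymous]` on `access_denied`; `description: "The principal (username) that performed or attempted the action"` covers all of them. The group's `description: >` is left empty and could read `description: > Fields from the Elasticsearch security audit log.`. `request_body` is typed `text` and described only as `"The body of the request, if enabled"`; since raw security-API request bodies can carry credentials or other sensitive data, the description should say that enabling body logging ships that content into the index verbatim, e.g. `"The body of the request, if request-body logging is enabled in Elasticsearch; may contain sensitive data"`. `origin_address` is typed `ip` while the grok in the `ingest/pipeline.json` hunk extracts it with `%{IPORHOST:elasticsearch.audit.origin_address}`, so a hostname in that position passes the pipeline but is then rejected by the `ip` mapping at index time; either type this field `keyword` or tighten the grok to `%{IP:elasticsearch.audit.origin_address}`.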
@@ -0,0 +1,10 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +fields: + service.name: "elasticsearch" +fields_under_root: true diff --git a/filebeat/module/elasticsearch/audit/ingest/pipeline.json b/filebeat/module/elasticsearch/audit/ingest/pipeline.json new file mode 100644 index 000000000000..cb4ead1ed16f --- /dev/null +++ b/filebeat/module/elasticsearch/audit/ingest/pipeline.json @@ -0,0 +1,31 @@ +{ + "description": "Pipeline for parsing elasticsearch audit logs", + "processors": [ + { + "rename": { + "field": "@timestamp", + "target_field": "event.created" + } + }, + { + "grok": { + "field": "message", + "patterns": [ + "\\[%{TIMESTAMP_ISO8601:elasticsearch.audit.timestamp}\\]\\s*(\\[%{WORD:elasticsearch.audit.node_name}\\])?\\s*\\[%{WORD:elasticsearch.audit.layer}\\]\\s*\\[%{WORD:elasticsearch.audit.event_type}\\]\\s*(origin_type\\=\\[%{WORD:elasticsearch.audit.origin_type}\\])?,?\\s*(origin_address\\=\\[%{IPORHOST:elasticsearch.audit.origin_address}\\])?,?\\s*(principal\\=\\[%{WORD:elasticsearch.audit.principal}\\])?,?\\s*(action\\=\\[%{DATA:elasticsearch.audit.action}\\])?,?\\s*?(uri=\\[%{DATA:elasticsearch.audit.uri}\\])?,?\\s*(request\\=\\[%{WORD:elasticsearch.audit.request}\\])?,?\\s*(request_body\\=\\[%{DATA:elasticsearch.audit.request_body}\\])?,?" + ] + } + }, + { + "rename": { + "field": "elasticsearch.audit.timestamp", + "target_field": "@timestamp" + } + } + ], + "on_failure" : [{ + "set" : { + "field" : "error.message", + "value" : "{{ _ingest.on_failure_message }}" + } + }] +} diff --git a/filebeat/module/elasticsearch/audit/manifest.yml b/filebeat/module/elasticsearch/audit/manifest.yml new file mode 100644 index 000000000000..39598c99cb4d --- /dev/null +++ b/filebeat/module/elasticsearch/audit/manifest.yml 
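Review bot: A grok failure leaves the indexed event without `@timestamp`: the first processor has already renamed `@timestamp` to `event.created` before grok runs, and the `on_failure` handler only sets `error.message`, so nothing restores a timestamp on the unparsed line unless something downstream does. Reordering the processors to grok first, then the two `rename` steps, keeps Filebeat's original `@timestamp` on failed lines while leaving the success path unchanged. Separately, `%{WORD:elasticsearch.audit.principal}` (`\b\w+\b`) does not match principals containing `.`, `-` or `@`, and because every trailing group is optional and the pattern has no `$` anchor, such a line still matches and silently drops `principal` and every field after it instead of raising `error.message`; `principal\\=\\[%{DATA:elasticsearch.audit.principal}\\]` mirrors what `action` and `uri` already use. `%{WORD:elasticsearch.audit.node_name}` has the same limitation for names like `node-1`, though there the miss is loud because the following mandatory `\[%{WORD:elasticsearch.audit.layer}\]` then fails to line up. `@timestamp` is also left as the raw `2018-06-19T05:16:15,549` string (see the expected JSON) with no `date` processor, so zone handling and acceptance of the comma fraction are presumably delegated to the index mapping — worth confirming, or made explicit with a `date` processor using the log's format.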
@@ -0,0 +1,13 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/elasticsearch/*_access.log + os.darwin: + - /usr/local/elasticsearch/*_access.log + os.windows: + - c:/ProgramData/Elastic/Elasticsearch/logs/*_access.log + +ingest_pipeline: ingest/pipeline.json +input: config/audit.yml diff --git a/filebeat/module/elasticsearch/audit/test/test.log b/filebeat/module/elasticsearch/audit/test/test.log new file mode 100644 index 000000000000..cabc1ee67d9e --- /dev/null +++ b/filebeat/module/elasticsearch/audit/test/test.log @@ -0,0 +1,7 @@ +[2018-06-19T05:16:15,549] [rest] [authentication_failed] origin_address=[147.107.128.77], principal=[i030648], uri=[/_xpack/security/_authenticate] +[2018-06-19T05:07:52,304] [v_VJhjV] [rest] [authentication_failed] origin_address=[172.22.0.3], principal=[rado], uri=[/_xpack/security/_authenticate] +[2018-06-19T05:00:15,778] [transport] [access_granted] origin_type=[local_node], origin_address=[192.168.1.165], principal=[_xpack_security], action=[indices:data/read/scroll/clear], request=[ClearScrollRequest] +[2018-06-19T05:07:45,544] [v_VJhjV] [rest] [anonymous_access_denied] origin_address=[172.22.0.3], uri=[/_xpack/security/_authenticate] +[2018-06-19T05:26:27,268] [rest] [authentication_failed] origin_address=[147.107.128.77], principal=[N078801], uri=[/_xpack/security/_authenticate] +[2018-06-19T05:55:26,898] [transport] [access_denied] origin_type=[rest], origin_address=[147.107.128.77], principal=[_anonymous], action=[cluster:monitor/main], request=[MainRequest] +[2018-06-19T05:24:15,190] [v_VJhjV] [rest] [authentication_failed] origin_address=[172.18.0.3], principal=[elastic], uri=[/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip], request_body=[body] diff --git a/filebeat/module/elasticsearch/audit/test/test.log-expected.json b/filebeat/module/elasticsearch/audit/test/test.log-expected.json new file mode 100644 index 000000000000..a30d522efde1 --- /dev/null 
+++ b/filebeat/module/elasticsearch/audit/test/test.log-expected.json 
@@ -0,0 +1,114 @@ +[ + { + "@timestamp": "2018-06-19T05:16:15,549", + "elasticsearch.audit.event_type": "authentication_failed", + "elasticsearch.audit.layer": "rest", + "elasticsearch.audit.origin_address": "147.107.128.77", + "elasticsearch.audit.principal": "i030648", + "elasticsearch.audit.uri": "/_xpack/security/_authenticate", + "fileset.module": "elasticsearch", + "fileset.name": "audit", + "input.type": "log", + "message": "[2018-06-19T05:16:15,549] [rest] [authentication_failed] origin_address=[147.107.128.77], principal=[i030648], uri=[/_xpack/security/_authenticate]", + "offset": 0, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2018-06-19T05:07:52,304", + "elasticsearch.audit.event_type": "authentication_failed", + "elasticsearch.audit.layer": "rest", + "elasticsearch.audit.node_name": "v_VJhjV", + "elasticsearch.audit.origin_address": "172.22.0.3", + "elasticsearch.audit.principal": "rado", + "elasticsearch.audit.uri": "/_xpack/security/_authenticate", + "fileset.module": "elasticsearch", + "fileset.name": "audit", + "input.type": "log", + "message": "[2018-06-19T05:07:52,304] [v_VJhjV] [rest] [authentication_failed]\torigin_address=[172.22.0.3], principal=[rado], uri=[/_xpack/security/_authenticate]", + "offset": 155, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2018-06-19T05:00:15,778", + "elasticsearch.audit.action": "indices:data/read/scroll/clear", + "elasticsearch.audit.event_type": "access_granted", + "elasticsearch.audit.layer": "transport", + "elasticsearch.audit.origin_address": "192.168.1.165", + "elasticsearch.audit.origin_type": "local_node", + "elasticsearch.audit.principal": "_xpack_security", + "elasticsearch.audit.request": "ClearScrollRequest", + "fileset.module": "elasticsearch", + "fileset.name": "audit", + "input.type": "log", + "message": "[2018-06-19T05:00:15,778] [transport] [access_granted] origin_type=[local_node], 
origin_address=[192.168.1.165], principal=[_xpack_security], action=[indices:data/read/scroll/clear], request=[ClearScrollRequest]", + "offset": 306, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2018-06-19T05:07:45,544", + "elasticsearch.audit.event_type": "anonymous_access_denied", + "elasticsearch.audit.layer": "rest", + "elasticsearch.audit.node_name": "v_VJhjV", + "elasticsearch.audit.origin_address": "172.22.0.3", + "elasticsearch.audit.uri": "/_xpack/security/_authenticate", + "fileset.module": "elasticsearch", + "fileset.name": "audit", + "input.type": "log", + "message": "[2018-06-19T05:07:45,544] [v_VJhjV] [rest] [anonymous_access_denied]\torigin_address=[172.22.0.3], uri=[/_xpack/security/_authenticate]", + "offset": 519, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2018-06-19T05:26:27,268", + "elasticsearch.audit.event_type": "authentication_failed", + "elasticsearch.audit.layer": "rest", + "elasticsearch.audit.origin_address": "147.107.128.77", + "elasticsearch.audit.principal": "N078801", + "elasticsearch.audit.uri": "/_xpack/security/_authenticate", + "fileset.module": "elasticsearch", + "fileset.name": "audit", + "input.type": "log", + "message": "[2018-06-19T05:26:27,268] [rest] [authentication_failed]\torigin_address=[147.107.128.77], principal=[N078801], uri=[/_xpack/security/_authenticate]", + "offset": 654, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2018-06-19T05:55:26,898", + "elasticsearch.audit.action": "cluster:monitor/main", + "elasticsearch.audit.event_type": "access_denied", + "elasticsearch.audit.layer": "transport", + "elasticsearch.audit.origin_address": "147.107.128.77", + "elasticsearch.audit.origin_type": "rest", + "elasticsearch.audit.principal": "_anonymous", + "elasticsearch.audit.request": "MainRequest", + "fileset.module": "elasticsearch", + "fileset.name": "audit", + "input.type": "log", + 
"message": "[2018-06-19T05:55:26,898] [transport] [access_denied]\torigin_type=[rest], origin_address=[147.107.128.77], principal=[_anonymous], action=[cluster:monitor/main], request=[MainRequest]", + "offset": 802, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2018-06-19T05:24:15,190", + "elasticsearch.audit.event_type": "authentication_failed", + "elasticsearch.audit.layer": "rest", + "elasticsearch.audit.node_name": "v_VJhjV", + "elasticsearch.audit.origin_address": "172.18.0.3", + "elasticsearch.audit.principal": "elastic", + "elasticsearch.audit.request_body": "body", + "elasticsearch.audit.uri": "/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip", + "fileset.module": "elasticsearch", + "fileset.name": "audit", + "input.type": "log", + "message": "[2018-06-19T05:24:15,190] [v_VJhjV] [rest] [authentication_failed]\torigin_address=[172.18.0.3], principal=[elastic], uri=[/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip], request_body=[body]", + "offset": 986, + "prospector.type": "log", + "service.name": "elasticsearch" + } +] \ No newline at end of file diff --git a/filebeat/modules.d/elasticsearch.yml.disabled b/filebeat/modules.d/elasticsearch.yml.disabled index bb5674c5bd90..98942fa54041 100644 --- a/filebeat/modules.d/elasticsearch.yml.disabled +++ b/filebeat/modules.d/elasticsearch.yml.disabled @@ -12,3 +12,9 @@ # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + + audit: + enabled: true + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: