Cherry-pick #11334 to 7.0: Adding categorization fields for the system/auth module (#11363)

* Adding categorization fields for the system/auth module (#11334)

* Adding categorization fields for the system/auth module

This PR adds the following fields for the SSH login events:

* `event.category: authentication`
* `event.action: ssh_login`
* `event.type` either `authentication_success` or `authentication_failure`

The `event.outcome` is currently not quite ECS compliant, but I didn't touch it to
avoid a breaking change.

The PR doesn't attempt to categorize other logs besides the SSH login attempts,
so it's a subset of #9905, but it's what we need for the UI.

* Normalized event.outcome and brought back `system.auth.ssh.event`.

* changelog

(cherry picked from commit a9f567b)

* cleanup changelog
tsg committed Mar 21, 2019
1 parent f0ba5d6 commit 9ac3a4d
Showing 7 changed files with 39 additions and 18 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -120,6 +120,7 @@ https://github.com/elastic/beats/compare/v7.0.0-beta1...master[Check the HEAD di

- Add ISO8601 timestamp support in syslog metricset. {issue}8716[8716] {pull}10736[10736]
- Add support for loading custom NetFlow and IPFIX field definitions to netflow input. {pull}10945[10945] {pull}11223[11223]
- Added categorization fields for SSH login events in the system/auth fileset. {pull}11334[11334]

*Heartbeat*

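Review bot: the changelog line undersells the change. Besides adding the new fields, this PR replaces the raw sshd verb previously stored in `event.outcome` (`Accepted`, `Failed`, `Invalid`, as the old expected-output lines show) with `success`/`failure`, which breaks any saved search or alert that filters on `event.outcome:Accepted`. Suggest stating that explicitly, e.g. `- Added categorization fields for SSH login events in the system/auth fileset; event.outcome is now success/failure, the raw verb is in system.auth.ssh.event. {pull}11334[11334]`.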
5 changes: 0 additions & 5 deletions dev-tools/ecs-migration.yml
Expand Up @@ -486,11 +486,6 @@
alias: true
beat: filebeat

- from: system.auth.ssh.event
to: event.action
alias: true
beat: filebeat

- from: system.auth.program
to: process.name
alias: true
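Review bot: dropping the `system.auth.ssh.event` -> `event.action` alias entry is required here, because the field becomes a concrete field again in fields.yml and cannot also be an alias. Worth noting in the PR description, though, that `event.action` now carries the constant `ssh_login` rather than the raw verb, so the two fields are no longer interchangeable and this is not a plain reversal of the earlier migration.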
5 changes: 3 additions & 2 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -13084,9 +13084,10 @@ The client IP from SSH connections that are open and immediately dropped.
*`system.auth.ssh.event`*::
+
--
type: alias
example: Accepted
The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)
alias to: event.action
--
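Review bot: with `type: alias` and `alias to: event.action` removed, the rendered entry for `system.auth.ssh.event` shows `example` and a description but no `type:` line, so readers cannot tell from the docs whether the field is indexed as a keyword. Give the field an explicit type in fields.yml and regenerate this file so the type line comes back.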
7 changes: 4 additions & 3 deletions filebeat/module/system/auth/_meta/fields.yml
Expand Up @@ -43,9 +43,10 @@
The client IP from SSH connections that are open and immediately dropped.
- name: event
type: alias
path: event.action
migration: true
example: Accepted
description: >
The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)
- name: ip
type: alias
path: source.ip
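Review bot: the `event` entry loses `type: alias`, `path: event.action` and `migration: true` but gains no explicit `type:`, so it now relies on the fields.yml default type. Since the values are a small fixed set of verbs (`Accepted`, `Invalid`, `Failed`), adding `type: keyword` would make that intent visible and keep the field stable if the default ever changes.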
11 changes: 9 additions & 2 deletions filebeat/module/system/auth/ingest/pipeline.json
Expand Up @@ -9,8 +9,8 @@
"GREEDYMULTILINE" : "(.|\n)*"
},
"patterns": [
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:event.outcome} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:event.outcome} user %{DATA:user.name} from %{IPORHOST:source.ip}",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: \\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}",
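Review bot: `%{DATA:system.auth.ssh.event}` captures whatever token precedes `%{DATA:system.auth.ssh.method} for` or ` user `, so any auth line of that shape, not only sshd's `Accepted`/`Failed`/`Invalid` messages, will populate the field, while the script later categorises only those three values. A tighter capture such as `%{WORD:system.auth.ssh.event}`, or an explicit `(?:Accepted|Failed|Invalid)` alternation, would stop the grok from matching unrelated messages and keep the pattern and the script's allow-list in agreement.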
Expand Down Expand Up @@ -61,6 +61,13 @@
"target_field": "source.geo",
"ignore_failure": true
}
},
{
"script": {
"lang": "painless",
"ignore_failure": true,
"source": "if (ctx.system.auth.ssh.event == \"Accepted\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } ctx.event.type = \"authentication_success\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"success\"; } else if (ctx.system.auth.ssh.event == \"Invalid\" || ctx.system.auth.ssh.event == \"Failed\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } ctx.event.type = \"authentication_failure\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"failure\"; }"
}
}
],
"on_failure" : [{
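Review bot: the script dereferences `ctx.system.auth.ssh.event` unconditionally; for documents that matched the sudo, group or user patterns `ctx.system.auth.ssh` is null, so the access throws and only `"ignore_failure": true` keeps the pipeline going. That setting also hides genuine script errors. Prefer an explicit guard, e.g. `def ev = ctx.system?.auth?.ssh?.event; if (ev != null) { ... }`, and hoist the `ctx.event.category = "authentication"` and `ctx.event.action = "ssh_login"` assignments that both branches repeat out of the `if`/`else if`.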
26 changes: 21 additions & 5 deletions filebeat/module/system/auth/test/test.log-expected.json
Expand Up @@ -3,7 +3,11 @@
"ecs.version": "1.0.0",
"event.dataset": "system.auth",
"event.module": "system",
"event.outcome": "Accepted",
"system.auth.ssh.event": "Accepted",
"event.outcome": "success",
"event.category": "authentication",
"event.action": "ssh_login",
"event.type": "authentication_success",
"fileset.name": "auth",
"host.hostname": "localhost",
"input.type": "log",
Expand All @@ -21,7 +25,11 @@
"ecs.version": "1.0.0",
"event.dataset": "system.auth",
"event.module": "system",
"event.outcome": "Accepted",
"system.auth.ssh.event": "Accepted",
"event.outcome": "success",
"event.category": "authentication",
"event.action": "ssh_login",
"event.type": "authentication_success",
"fileset.name": "auth",
"host.hostname": "localhost",
"input.type": "log",
Expand All @@ -38,7 +46,11 @@
"ecs.version": "1.0.0",
"event.dataset": "system.auth",
"event.module": "system",
"event.outcome": "Invalid",
"system.auth.ssh.event": "Invalid",
"event.outcome": "failure",
"event.category": "authentication",
"event.action": "ssh_login",
"event.type": "authentication_failure",
"fileset.name": "auth",
"host.hostname": "localhost",
"input.type": "log",
Expand All @@ -53,7 +65,11 @@
"ecs.version": "1.0.0",
"event.dataset": "system.auth",
"event.module": "system",
"event.outcome": "Failed",
"system.auth.ssh.event": "Failed",
"event.outcome": "failure",
"event.category": "authentication",
"event.action": "ssh_login",
"event.type": "authentication_failure",
"fileset.name": "auth",
"host.hostname": "slave22",
"input.type": "log",
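Review bot: the updated expectations cover `Accepted`, `Invalid` and `Failed` only; there is no sample line that matches the SSH grok patterns but carries a verb outside that allow-list, so the fall-through path (document indexed with `system.auth.ssh.event` set and no `event.category`/`event.type`/`event.outcome`) is unexercised. Adding one such line to test.log and its expected document here would pin that behaviour down.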
Expand Down Expand Up @@ -170,4 +186,4 @@
"user.id": "48",
"user.name": "apache"
}
]
]
2 changes: 1 addition & 1 deletion filebeat/module/system/fields.go