Rename Filebeat module from system.audit to auditd.log (#3941)

* Rename Filebeat module from system.audit to auditd.log

This moves the `audit` fileset from the `system` module into its own module named `auditd`. The new fileset name is `log`.

* Add changelog entry for auditd module.

CHANGELOG.asciidoc

@@ -99,6 +99,7 @@ https://github.com/elastic/beats/compare/v5.1.1...master[Check the HEAD diff]
 - Improve handling of different path variants on Windows. {pull}3781[3781]
 - Restructure input.Event to be inline with outputs.Data {pull}3823[3823]
 - Add base for supporting prospector level processors {pull}3853[3853]
+- Add auditd module for reading audit logs on Linux. {pull}3750[3750] {pull}3941[3941]
 
 *Heartbeat*
 

filebeat/docs/fields.asciidoc

@@ -13,6 +13,7 @@ This document describes the fields that are exported by Filebeat. They are
 grouped in the following categories:
 
 * <<exported-fields-apache2>>
+* <<exported-fields-auditd>>
 * <<exported-fields-beat>>
 * <<exported-fields-cloud>>
 * <<exported-fields-log>>
@@ -285,6 +286,144 @@ type: keyword
 The module producing the logged message.
 
 
+[[exported-fields-auditd]]
+== Auditd Fields
+
+Module for parsing auditd logs.
+
+
+
+[float]
+== auditd Fields
+
+Fields from the auditd logs.
+
+
+
+[float]
+== log Fields
+
+Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type.
+
+
+
+[float]
+=== auditd.log.record_type
+
+The audit event type.
+
+
+[float]
+=== auditd.log.old_auid
+
+For login events this is the old audit ID used for the user prior to this login.
+
+
+[float]
+=== auditd.log.new_auid
+
+For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).
+
+
+[float]
+=== auditd.log.old_ses
+
+For login events this is the old session ID used for the user prior to this login.
+
+
+[float]
+=== auditd.log.new_ses
+
+For login events this is the new session ID. It can be used to tie a user to future events by session ID.
+
+
+[float]
+=== auditd.log.sequence
+
+type: long
+
+The audit event sequence number.
+
+
+[float]
+=== auditd.log.pid
+
+type: long
+
+The ID of the process.
+
+
+[float]
+=== auditd.log.ppid
+
+type: long
+
+The ID of the process.
+
+
+[float]
+=== auditd.log.items
+
+type: long
+
+The number of items in an event.
+
+
+[float]
+=== auditd.log.item
+
+type: long
+
+The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item.
+
+
+[float]
+== geoip Fields
+
+Contains GeoIP information gathered based on the `auditd.log.addr` field. Only present if the GeoIP Elasticsearch plugin is available and used.
+
+
+
+[float]
+=== auditd.log.geoip.continent_name
+
+type: keyword
+
+The name of the continent.
+
+
+[float]
+=== auditd.log.geoip.city_name
+
+type: keyword
+
+The name of the city.
+
+
+[float]
+=== auditd.log.geoip.region_name
+
+type: keyword
+
+The name of the region.
+
+
+[float]
+=== auditd.log.geoip.country_iso_code
+
+type: keyword
+
+Country ISO code.
+
+
+[float]
+=== auditd.log.geoip.location
+
+type: geo_point
+
+The longitude and latitude.
+
+
 [[exported-fields-beat]]
 == Beat Fields
 
@@ -871,130 +1010,6 @@ Fields from the system log files.
 
 
 
-[float]
-== audit Fields
-
-Fields from the Linux audit logs. Not all fields are documented here because they are dynamic and vary by audit event type.
-
-
-
-[float]
-=== system.audit.record_type
-
-The audit event type.
-
-
-[float]
-=== system.audit.old_auid
-
-For login events this is the old audit ID used for the user prior to this login.
-
-
-[float]
-=== system.audit.new_auid
-
-For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).
-
-
-[float]
-=== system.audit.old_ses
-
-For login events this is the old session ID used for the user prior to this login.
-
-
-[float]
-=== system.audit.new_ses
-
-For login events this is the new session ID. It can be used to tie a user to future events by session ID.
-
-
-[float]
-=== system.audit.sequence
-
-type: long
-
-The audit event sequence number.
-
-
-[float]
-=== system.audit.pid
-
-type: long
-
-The ID of the process.
-
-
-[float]
-=== system.audit.ppid
-
-type: long
-
-The ID of the process.
-
-
-[float]
-=== system.audit.items
-
-type: long
-
-The number of items in an event.
-
-
-[float]
-=== system.audit.item
-
-type: long
-
-The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item.
-
-
-[float]
-== geoip Fields
-
-Contains GeoIP information gathered based on the `system.audit.addr` field. Only present if the GeoIP Elasticsearch plugin is available and used.
-
-
-
-[float]
-=== system.audit.geoip.continent_name
-
-type: keyword
-
-The name of the continent.
-
-
-[float]
-=== system.audit.geoip.city_name
-
-type: keyword
-
-The name of the city.
-
-
-[float]
-=== system.audit.geoip.region_name
-
-type: keyword
-
-The name of the region.
-
-
-[float]
-=== system.audit.geoip.country_iso_code
-
-type: keyword
-
-Country ISO code.
-
-
-[float]
-=== system.audit.geoip.location
-
-type: geo_point
-
-The longitude and latitude.
-
-
 [float]
 == auth Fields
 

filebeat/docs/modules/auditd.asciidoc

@@ -0,0 +1,41 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[[filebeat-module-auditd]]
+== Auditd module
+
+This module collects and parses logs from the audit daemon (`auditd`).
+
+[float]
+=== Compatibility
+
+This module was tested with logs from `auditd` on OSes like CentOS 6 and
+CentOS 7.
+
+This module is not available for Windows.
+
+[float]
+=== Dashboard
+
+This module comes with a sample dashboard showing an overview of the audit log
+data. You can build more specific dashboards that are tailored to the audit
+rules that you use on your systems.
+
+image::./images/kibana-audit-auditd.png[]
+
+[float]
+=== Syslog fileset settings
+
+[float]
+==== var.paths
+
+An array of paths where to look for the log files. If left empty, Filebeat
+will choose the paths depending on your operating systems.
+
+
+=== Fields
+
+For a description of each field in the metricset, see the
+<<exported-fields-auditd,exported fields>> section.
+

filebeat/docs/modules/system.asciidoc

@@ -19,15 +19,10 @@ This module is not available for Windows.
 [float]
 === Dashboard
 
-This module comes with sample dashboards. The first is a more generic syslog
-dashboard that shows syslog data.
+This module comes with a sample dashboard showing syslog data.
 
 image::./images/kibana-system.png[]
 
-And second is the audit dashboard that shows audit log data.
-
-image::./images/kibana-system-audit.png[]
-
 [float]
 === Syslog fileset settings
 

filebeat/docs/modules_list.asciidoc

@@ -4,6 +4,7 @@ This file is generated! See scripts/docs_collector.py
 
   * <<filebeat-modules-overview>>
   * <<filebeat-module-apache2>>
+  * <<filebeat-module-auditd>>
   * <<filebeat-module-mysql>>
   * <<filebeat-module-nginx>>
   * <<filebeat-module-system>>
@@ -14,6 +15,7 @@ This file is generated! See scripts/docs_collector.py
 
 include::modules-overview.asciidoc[]
 include::modules/apache2.asciidoc[]
+include::modules/auditd.asciidoc[]
 include::modules/mysql.asciidoc[]
 include::modules/nginx.asciidoc[]
 include::modules/system.asciidoc[]

filebeat/filebeat.full.yml

@@ -56,6 +56,19 @@ filebeat.modules:
     # can be added under this section.
     #prospector:
 
+#------------------------------- Auditd Module -------------------------------
+#- module: auditd
+  #log:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Prospector configuration (advanced). Any prospector configuration option
+    # can be added under this section.
+    #prospector:
+
 #-------------------------------- MySQL Module -------------------------------
 #- module: mysql
   # Error logs

filebeat/filebeat.yml

@@ -14,6 +14,9 @@ filebeat.modules:
 #------------------------------- System Module -------------------------------
 #- module: system
 
+#------------------------------- Auditd Module -------------------------------
+#- module: auditd
+
 #-------------------------------- MySQL Module -------------------------------
 #- module: mysql