Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Elasticsearch/audit fileset does not parse some fields #10134

Closed
ycombinator opened this issue Jan 16, 2019 · 1 comment
Closed

Elasticsearch/audit fileset does not parse some fields #10134

ycombinator opened this issue Jan 16, 2019 · 1 comment
Labels
enhancement Feature:Stack Monitoring Filebeat Filebeat module

Comments

@ycombinator
Copy link
Contributor

Consider the following valid Elasticsearch audit log line:

[2019-01-08T14:15:02,011] [NodeName-0] [transport] [access_granted]     origin_type=[transport], origin_address=[192.168.2.1], principal=[username], realm=[active_directory], roles=[kibana_user,my_custom_role_1,foo_reader], action=[indices:data/read/search[free_context]], indices=[foo-2019.01.04,foo-2019.01.03,foo-2019.01.06,foo-2019.01.05,foo-2019.01.08,servicelog-2019.01.07], request=[SearchFreeContextRequest]

The elasticsearch/audit fileset is currently unable to parse the realm, roles, and indices fields from that log line.
@elasticmachine
Copy link
Collaborator

Pinging @elastic/stack-monitoring

@ycombinator ycombinator mentioned this issue Jan 17, 2019
Merged
This was referenced Jan 23, 2019
Merged
Closed
@ycombinator ycombinator mentioned this issue Feb 1, 2019
Merged
ycombinator added a commit that referenced this issue Feb 1, 2019
@ycombinator
Cherry-pick #10137 to 6.6: Teach elasticsearch/audit fileset to parse…
c105e53 
… out some more fields (#10484)

Cherry-pick of PR #10137 to 6.6 branch. Original message: 

Resolves #10134.

This PR teaches the `elasticsearch/audit` fileset to parse out a few more fields, viz:

* `elasticsearch.audit.realm`,
* `elasticsearch.audit.roles`
* `elasticsearch.audit.indices`

It also teaches the fileset to parse `elasticsearch.audit.action` values that themselves contain `[` and `]` delimiters around sub-actions, e.g. `action=[indices:data/read/search[free_context]]`.
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
@ycombinator
Cherry-pick elastic#10137 to 6.6: Teach elasticsearch/audit fileset t…
780e756 
…o parse out some more fields (elastic#10484)

Cherry-pick of PR elastic#10137 to 6.6 branch. Original message: 

Resolves elastic#10134.

This PR teaches the `elasticsearch/audit` fileset to parse out a few more fields, viz:

* `elasticsearch.audit.realm`,
* `elasticsearch.audit.roles`
* `elasticsearch.audit.indices`

It also teaches the fileset to parse `elasticsearch.audit.action` values that themselves contain `[` and `]` delimiters around sub-actions, e.g. `action=[indices:data/read/search[free_context]]`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement Feature:Stack Monitoring Filebeat Filebeat module
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ycombinator @elasticmachine