Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bug][filebeat] system.auth module grok fails for pam_unix #34247

Open
brsolomon-deloitte opened this issue Jan 12, 2023 · 8 comments
Open

[bug][filebeat] system.auth module grok fails for pam_unix #34247

brsolomon-deloitte opened this issue Jan 12, 2023 · 8 comments
Assignees
@andrewkroh
Labels
Team:Elastic-Agent Label for the Agent team Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team

Comments

@brsolomon-deloitte
Copy link
Contributor

Filebeat system pipeline fails to grok pam_unix(sudo:session) messages in /var/log/secure.

beats/filebeat/module/system/auth/ingest/pipeline.yml

Line 40 in bb64650

- grok:

  • Version: 8.5.3
  • OS: Amazon Linux 2
  • Steps to Reproduce:

Enable system module with filebeat modules enable, and enable the auth fileset.

# modules.d/system.yml
# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.5/filebeat-module-system.html

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  # Authorization logs
  auth:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

Then become root from ec2-user with sudo -i.

Redacted output:

{
    "agent": {
      "type": "filebeat",
      "version": "8.5.3"
    },
    "@timestamp": "2023-01-12T18:17:05.112Z",
    "ecs": {
      "version": "8.0.0"
    },
    "log": {
      "file": {
        "path": "/var/log/secure"
      },
      "offset": 27533
    },
    "fileset": {
      "name": "auth"
    },
    "message": [
      "Jan 12 18:10:48 REDACTED sudo: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)"
    ],
    "error.message": [
      "Provided Grok expressions do not match field value: [{\"@timestamp\":\"2023-01-12T18:17:05.112Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"8.5.3\",\"pipeline\":\"filebeat-8.5.3-system-auth-pipeline\"},\"fileset\":{\"name\":\"auth\"},\"ecs\":{\"version\":\"8.0.0\"},\"log\":{\"file\":{\"path\":\"/var/log/secure\"},\"offset\":27533},\"service\":{\"type\":\"system\"},\"input\":{\"type\":\"log\"},\"agent\":{\"id\":\"REDACTED\",\"name\":\"REDACTED.compute.internal\",\"type\":\"filebeat\",\"version\":\"8.5.3\",\"ephemeral_id\":\"REDACTED\"},\"message\":\"Jan 12 18:10:48 REDACTED sudo: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)\",\"event\":{\"module\":\"system\",\"dataset\":\"system.auth\",\"timezone\":\"+00:00\"},\"host\":{\"name\":\"REDACTED.compute.internal\"}}]"
    ],
}
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jan 12, 2023
@brsolomon-deloitte
Copy link
Contributor Author

Another full example:

{
  "_index": ".ds-filebeat-8.5.3-2023.01.03-000001",
  "_id": "REDACTED",
  "_version": 1,
  "_score": 0,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "name": "ip-REDACTED.REDACTED.compute.internal",
      "id": "af433b61-1a37-4916-94f7-0e7d36f84d97",
      "type": "filebeat",
      "ephemeral_id": "c514d01a-c282-4c2b-a91c-09c05af19b35",
      "version": "8.5.3"
    },
    "@timestamp": "2023-01-12T18:17:05.111Z",
    "ecs": {
      "version": "8.0.0"
    },
    "log": {
      "file": {
        "path": "/var/log/secure"
      },
      "offset": 25919
    },
    "service": {
      "type": "system"
    },
    "@version": "1",
    "host": {
      "name": "ip-REDACTED.REDACTED.compute.internal"
    },
    "event": {
      "ingested": "2023-01-12T18:17:06.882875402Z",
      "original": "{\"@timestamp\":\"2023-01-12T18:17:05.111Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"8.5.3\",\"pipeline\":\"filebeat-8.5.3-system-auth-pipeline\"},\"input\":{\"type\":\"log\"},\"fileset\":{\"name\":\"auth\"},\"agent\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\",\"type\":\"filebeat\",\"version\":\"8.5.3\",\"ephemeral_id\":\"c514d01a-c282-4c2b-a91c-09c05af19b35\",\"id\":\"af433b61-1a37-4916-94f7-0e7d36f84d97\"},\"ecs\":{\"version\":\"8.0.0\"},\"host\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\"},\"log\":{\"offset\":25919,\"file\":{\"path\":\"/var/log/secure\"}},\"message\":\"Jan 12 12:06:33 ip-REDACTED su: pam_unix(su-l:session): session closed for user root\",\"event\":{\"dataset\":\"system.auth\",\"module\":\"system\",\"timezone\":\"+00:00\"},\"service\":{\"type\":\"system\"}}",
      "timezone": "+00:00",
      "module": "system",
      "dataset": "system.auth"
    },
    "fileset": {
      "name": "auth"
    },
    "message": "Jan 12 12:06:33 ip-REDACTED su: pam_unix(su-l:session): session closed for user root",
    "error": {
      "message": "Provided Grok expressions do not match field value: [{\"@timestamp\":\"2023-01-12T18:17:05.111Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"8.5.3\",\"pipeline\":\"filebeat-8.5.3-system-auth-pipeline\"},\"input\":{\"type\":\"log\"},\"fileset\":{\"name\":\"auth\"},\"agent\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\",\"type\":\"filebeat\",\"version\":\"8.5.3\",\"ephemeral_id\":\"c514d01a-c282-4c2b-a91c-09c05af19b35\",\"id\":\"af433b61-1a37-4916-94f7-0e7d36f84d97\"},\"ecs\":{\"version\":\"8.0.0\"},\"host\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\"},\"log\":{\"offset\":25919,\"file\":{\"path\":\"/var/log/secure\"}},\"message\":\"Jan 12 12:06:33 ip-REDACTED su: pam_unix(su-l:session): session closed for user root\",\"event\":{\"dataset\":\"system.auth\",\"module\":\"system\",\"timezone\":\"+00:00\"},\"service\":{\"type\":\"system\"}}]"
    }
  },
  "fields": {
    "event.original": [
      "{\"@timestamp\":\"2023-01-12T18:17:05.111Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"8.5.3\",\"pipeline\":\"filebeat-8.5.3-system-auth-pipeline\"},\"input\":{\"type\":\"log\"},\"fileset\":{\"name\":\"auth\"},\"agent\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\",\"type\":\"filebeat\",\"version\":\"8.5.3\",\"ephemeral_id\":\"c514d01a-c282-4c2b-a91c-09c05af19b35\",\"id\":\"af433b61-1a37-4916-94f7-0e7d36f84d97\"},\"ecs\":{\"version\":\"8.0.0\"},\"host\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\"},\"log\":{\"offset\":25919,\"file\":{\"path\":\"/var/log/secure\"}},\"message\":\"Jan 12 12:06:33 ip-REDACTED su: pam_unix(su-l:session): session closed for user root\",\"event\":{\"dataset\":\"system.auth\",\"module\":\"system\",\"timezone\":\"+00:00\"},\"service\":{\"type\":\"system\"}}"
    ],
    "fileset.name": [
      "auth"
    ],
    "input.type": [
      "log"
    ],
    "log.offset": [
      25919
    ],
    "message": [
      "Jan 12 12:06:33 ip-REDACTED su: pam_unix(su-l:session): session closed for user root"
    ],
    "agent.hostname": [
      "ip-REDACTED.REDACTED.compute.internal"
    ],
    "service.type": [
      "system"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.ingested": [
      "2023-01-12T18:17:06.882Z"
    ],
    "@timestamp": [
      "2023-01-12T18:17:05.111Z"
    ],
    "event.module": [
      "system"
    ],
    "agent.id": [
      "af433b61-1a37-4916-94f7-0e7d36f84d97"
    ],
    "ecs.version": [
      "8.0.0"
    ],
    "error.message": [
      "Provided Grok expressions do not match field value: [{\"@timestamp\":\"2023-01-12T18:17:05.111Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"8.5.3\",\"pipeline\":\"filebeat-8.5.3-system-auth-pipeline\"},\"input\":{\"type\":\"log\"},\"fileset\":{\"name\":\"auth\"},\"agent\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\",\"type\":\"filebeat\",\"version\":\"8.5.3\",\"ephemeral_id\":\"c514d01a-c282-4c2b-a91c-09c05af19b35\",\"id\":\"af433b61-1a37-4916-94f7-0e7d36f84d97\"},\"ecs\":{\"version\":\"8.0.0\"},\"host\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\"},\"log\":{\"offset\":25919,\"file\":{\"path\":\"/var/log/secure\"}},\"message\":\"Jan 12 12:06:33 ip-REDACTED su: pam_unix(su-l:session): session closed for user root\",\"event\":{\"dataset\":\"system.auth\",\"module\":\"system\",\"timezone\":\"+00:00\"},\"service\":{\"type\":\"system\"}}]"
    ],
    "log.file.path": [
      "/var/log/secure"
    ],
    "@version": [
      "1"
    ],
    "agent.ephemeral_id": [
      "c514d01a-c282-4c2b-a91c-09c05af19b35"
    ],
    "agent.name": [
      "ip-REDACTED.REDACTED.compute.internal"
    ],
    "agent.version": [
      "8.5.3"
    ],
    "host.name": [
      "ip-REDACTED.REDACTED.compute.internal"
    ],
    "event.dataset": [
      "system.auth"
    ],
    "event.timezone": [
      "+00:00"
    ]
  }
}

@brsolomon-deloitte brsolomon-deloitte changed the title [bug] system.auth module grok fails for pam_unix [bug][filebeat] system.auth module grok fails for pam_unix Jan 12, 2023
@brsolomon-deloitte
Copy link
Contributor Author

I have a suspicion of what's going on here and it seems more related to Beats.

First I set Logstash config to:

    output {
      file {
        path => "/tmp/logstash.log"
        codec => rubydebug {
          metadata => true
        }
      }
    }

and then tail -F -n0 /tmp/logstash.log

The output of an event is as follows:

{
         "input" => {
        "type" => "log"
    },
         "agent" => {
                "name" => "ip-REDACTED.REDACTED.compute.internal",
                  "id" => "af433b61-1a37-4916-94f7-0e7d36f84d97",
                "type" => "filebeat",
        "ephemeral_id" => "0574dc2d-f48b-4e5b-955a-1539e4212adf",
             "version" => "8.5.3"
    },
    "@timestamp" => 2023-01-12T23:57:21.928Z,
           "ecs" => {
        "version" => "8.0.0"
    },
           "log" => {
          "file" => {
            "path" => "/var/log/secure"
        },
        "offset" => 36158
    },
       "service" => {
        "type" => "system"
    },
     "@metadata" => {
            "beat" => "filebeat",
        "pipeline" => "filebeat-8.5.3-system-auth-pipeline",
         "version" => "8.5.3",
            "type" => "_doc"
    },
      "@version" => "1",
          "host" => {
        "name" => "ip-REDACTED.REDACTED.compute.internal"
    },
         "event" => {
        "original" => "{\"@timestamp\":\"2023-01-12T23:57:21.928Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"8.5.3\",\"pipeline\":\"filebeat-8.5.3-system-auth-pipeline\"},\"fileset\":{\"name\":\"auth\"},\"service\":{\"type\":\"system\"},\"input\":{\"type\":\"log\"},\"ecs\":{\"version\":\"8.0.0\"},\"host\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\"},\"message\":\"Jan 12 23:57:17 ip-REDACTED sudo: pam_unix(sudo-i:session): session opened for user root by ec2-user(uid=0)\",\"event\":{\"dataset\":\"system.auth\",\"timezone\":\"+00:00\",\"module\":\"system\"},\"agent\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\",\"type\":\"filebeat\",\"version\":\"8.5.3\",\"ephemeral_id\":\"0574dc2d-f48b-4e5b-955a-1539e4212adf\",\"id\":\"af433b61-1a37-4916-94f7-0e7d36f84d97\"},\"log\":{\"offset\":36158,\"file\":{\"path\":\"/var/log/secure\"}}}",
        "timezone" => "+00:00",
          "module" => "system",
         "dataset" => "system.auth"
    },
       "fileset" => {
        "name" => "auth"
    },
       "message" => "Jan 12 23:57:17 ip-REDACTED sudo: pam_unix(sudo-i:session): session opened for user root by ec2-user(uid=0)"
}

now check out the grok: it attempts to grok event.original:

beats/filebeat/module/system/auth/ingest/pipeline.yml

Line 12 in bb64650

- grok:

However, it should be grok'ing the message field as does its cousin in the same module, system.syslog:

https://github.com/elastic/beats/blob/main/filebeat/module/system/syslog/ingest/pipeline.yml#L6

In other words, it would appear Elasticsearch ingest pipeline filebeat-8.5.3-system-auth-pipeline is attempting to grok an escaped JSON documented rather than just the raw message.

This will occur only if using Filebeat -> Logstash -> Elasticsearch.

@brsolomon-deloitte
Copy link
Contributor Author

The issue also occurs because of this conditional rename:

beats/filebeat/module/system/auth/ingest/pipeline.yml

Line 7 in bb64650

- rename:

@brsolomon-deloitte
Copy link
Contributor Author

See also: https://discuss.elastic.co/t/filebeat-kafka-logstash-elasticsearch-fails-for-system-auth-provided-grok-expressions-do-not-match-field-value/323068/7

@brsolomon-deloitte brsolomon-deloitte mentioned this issue Jan 13, 2023
Merged
6 tasks
@brsolomon-deloitte
Copy link
Contributor Author

Related: elastic/integrations#3451

@belimawr belimawr added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Jan 13, 2023
@elasticmachine
Copy link
Collaborator

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jan 13, 2023
@faec faec added the Team:Elastic-Agent Label for the Agent team label Apr 4, 2023
@faec
Copy link
Contributor

faec commented Apr 4, 2023

We are getting support requests from people running into this issue. It looks like it was caused by a known PR that already has a suggested fix: #32360, we should possibly bump the priority of addressing it.

@cmacknz
Copy link
Member

cmacknz commented Apr 4, 2023

@andrewkroh's PR appears to have broken this originally, so I'm assigning this issue to him to sort out :)

#32360 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@andrewkroh andrewkroh

Labels
Team:Elastic-Agent Label for the Agent team Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@belimawr @cmacknz @andrewkroh @elasticmachine @faec @brsolomon-deloitte