Clarify capabilities of the Filebeat auditd module #17068

rwaight · 2020-03-17T22:53:02Z

Update filebeat/docs/modules/auditd.asciidoc - Add note regarding capabilities of the Filebeat auditd module

What does this PR do?

Update Filebeat auditd module documentation

Why is it important?

Clarify capabilities of the Filebeat auditd module

Checklist

~~- [ ] My code follows the style guidelines of this project~~
~~- [ ] I have commented my code, particularly in hard-to-understand areas~~
~~- [ ] I have made corresponding changes to the documentation~~
~~- [ ] I have made corresponding change to the default configuration files~~
~~- [ ] I have added tests that prove my fix is effective or that my feature works~~

Author's Checklist

[ ]

Related issues

Use cases

Update `filebeat/docs/modules/auditd.asciidoc` - Add note regarding capabilities of the Filebeat auditd module

elasticmachine · 2020-03-18T11:28:24Z

Pinging @elastic/siem (Team:SIEM)

dedemorton · 2020-03-20T18:25:18Z

Hope you don't mind me commenting on this draft-level PR. The CI intake job is failing because you've updated a generated file. You need to update this file instead: beats/filebeat/module/auditd/_meta/docs.asciidoc

Then run make update in the beats directory.

If you don't have your development environment set up, I can always run the update and push it to your branch. (I'm on vacation next week, though, so remind me when I'm back.)

elasticmachine · 2020-05-08T15:52:09Z

💔 Build Failed

Expand to view the summary

Build stats

Build Cause: [Branch indexing]
Start Time: 2020-05-20T20:02:45.859+0000
Duration: 10 min 23 sec (622684)

Steps errors

Expand to view the steps failures

Name: Make check
- Description: make check
- Result: FAILURE
- Duration: 3 min 52 sec
- Start Time: 2020-05-20T20:09:22.899+0000
- log

Log output

Expand to view the last 100 lines of log output

[2020-05-20T20:12:25.892Z] Stage "Generators" skipped due to earlier failure(s)
[2020-05-20T20:12:25.896Z] Stage "Kubernetes" skipped due to earlier failure(s)
[2020-05-20T20:12:26.349Z] Stage "Heartbeat" skipped due to earlier failure(s)
[2020-05-20T20:12:26.351Z] Stage "Auditbeat oss" skipped due to earlier failure(s)
[2020-05-20T20:12:26.354Z] Stage "Libbeat" skipped due to earlier failure(s)
[2020-05-20T20:12:26.356Z] Stage "Metricbeat x-pack" skipped due to earlier failure(s)
[2020-05-20T20:12:26.358Z] Stage "Packetbeat" skipped due to earlier failure(s)
[2020-05-20T20:12:26.360Z] Stage "dockerlogbeat" skipped due to earlier failure(s)
[2020-05-20T20:12:26.361Z] Stage "Winlogbeat" skipped due to earlier failure(s)
[2020-05-20T20:12:26.363Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-05-20T20:12:26.365Z] Stage "Journalbeat" skipped due to earlier failure(s)
[2020-05-20T20:12:26.366Z] Stage "Generators" skipped due to earlier failure(s)
[2020-05-20T20:12:27.516Z] Failed in branch Elastic Agent x-pack
[2020-05-20T20:12:27.519Z] Failed in branch Elastic Agent x-pack Windows
[2020-05-20T20:12:27.523Z] Failed in branch Elastic Agent Mac OS X
[2020-05-20T20:12:27.528Z] Failed in branch Filebeat oss
[2020-05-20T20:12:27.529Z] Failed in branch Filebeat x-pack
[2020-05-20T20:12:27.555Z] Failed in branch Filebeat Mac OS X
[2020-05-20T20:12:27.556Z] Failed in branch Filebeat x-pack Mac OS X
[2020-05-20T20:12:27.558Z] Failed in branch Filebeat Windows
[2020-05-20T20:12:27.559Z] Failed in branch Filebeat x-pack Windows
[2020-05-20T20:12:27.560Z] Failed in branch Auditbeat x-pack
[2020-05-20T20:12:27.562Z] Failed in branch Libbeat x-pack
[2020-05-20T20:12:27.562Z] Failed in branch Metricbeat OSS Unit tests
[2020-05-20T20:12:27.563Z] Failed in branch Metricbeat OSS Integration tests
[2020-05-20T20:12:27.564Z] Failed in branch Metricbeat Python integration tests
[2020-05-20T20:12:27.565Z] Failed in branch Metricbeat crosscompile
[2020-05-20T20:12:27.566Z] Failed in branch Metricbeat Mac OS X
[2020-05-20T20:12:27.568Z] Failed in branch Metricbeat x-pack Mac OS X
[2020-05-20T20:12:27.569Z] Failed in branch Metricbeat Windows
[2020-05-20T20:12:27.569Z] Failed in branch Metricbeat x-pack Windows
[2020-05-20T20:12:27.571Z] Failed in branch Winlogbeat Windows x-pack
[2020-05-20T20:12:27.574Z] Failed in branch Kubernetes
[2020-05-20T20:12:29.469Z] Stage "Heartbeat" skipped due to earlier failure(s)
[2020-05-20T20:12:29.471Z] Stage "Auditbeat oss" skipped due to earlier failure(s)
[2020-05-20T20:12:29.472Z] Stage "Libbeat" skipped due to earlier failure(s)
[2020-05-20T20:12:29.473Z] Stage "Metricbeat x-pack" skipped due to earlier failure(s)
[2020-05-20T20:12:29.493Z] Stage "Winlogbeat" skipped due to earlier failure(s)
[2020-05-20T20:12:29.531Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-05-20T20:12:29.533Z] Stage "Generators" skipped due to earlier failure(s)
[2020-05-20T20:12:29.834Z] Failed in branch Packetbeat
[2020-05-20T20:12:29.835Z] Failed in branch dockerlogbeat
[2020-05-20T20:12:29.836Z] Failed in branch Journalbeat
[2020-05-20T20:12:31.471Z] Stage "Heartbeat" skipped due to earlier failure(s)
[2020-05-20T20:12:31.474Z] Stage "Auditbeat oss" skipped due to earlier failure(s)
[2020-05-20T20:12:31.476Z] Stage "Libbeat" skipped due to earlier failure(s)
[2020-05-20T20:12:31.477Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-05-20T20:12:31.480Z] Stage "Generators" skipped due to earlier failure(s)
[2020-05-20T20:12:31.647Z] Failed in branch Metricbeat x-pack
[2020-05-20T20:12:31.648Z] Failed in branch Winlogbeat
[2020-05-20T20:12:32.699Z] Failed in branch Heartbeat
[2020-05-20T20:12:32.701Z] Failed in branch Libbeat
[2020-05-20T20:12:32.702Z] Failed in branch Functionbeat
[2020-05-20T20:12:32.703Z] Stage "Auditbeat oss" skipped due to earlier failure(s)
[2020-05-20T20:12:32.705Z] Stage "Generators" skipped due to earlier failure(s)
[2020-05-20T20:12:33.777Z] Failed in branch Auditbeat oss
[2020-05-20T20:12:33.778Z] Failed in branch Generators
[2020-05-20T20:12:34.502Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17068/src/github.com/elastic/beats
[2020-05-20T20:12:35.604Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-05-20T20:12:35.792Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17068/src/github.com/elastic/beats/Lint
[2020-05-20T20:12:37.152Z] + cat
[2020-05-20T20:12:37.153Z] + /usr/local/bin/runbld ./runbld-script
[2020-05-20T20:12:37.153Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-05-20T20:12:42.818Z] runbld>>> runbld started
[2020-05-20T20:12:42.819Z] runbld>>> 1.6.11/a66728ff8f4356963772e6e6d2069392fa06acbe
[2020-05-20T20:12:44.740Z] runbld>>> The following profiles matched the job 'Beats/beats-beats-mbp/PR-17068' in order of occurrence in the config (last value wins).
[2020-05-20T20:12:46.119Z] runbld>>> Debug logging enabled.
[2020-05-20T20:12:46.119Z] runbld>>> Storing result
[2020-05-20T20:12:46.119Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-05-20T20:12:46.120Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200520201245-DC7774B7
[2020-05-20T20:12:46.120Z] runbld>>> Adding system facts.
[2020-05-20T20:12:46.739Z] runbld>>> Adding vcs info for the latest commit:  2da23410be5ed39cae03fd0884cb24c5082c7ff5
[2020-05-20T20:12:46.739Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-05-20T20:12:46.739Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-05-20T20:12:47.443Z] Processing JUnit reports with runbld...
[2020-05-20T20:12:47.443Z] + echo 'Processing JUnit reports with runbld...'
[2020-05-20T20:12:47.443Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-05-20T20:12:47.443Z] runbld>>> DURATION: 10ms
[2020-05-20T20:12:47.443Z] runbld>>> STDOUT: 40 bytes
[2020-05-20T20:12:47.443Z] runbld>>> STDERR: 49 bytes
[2020-05-20T20:12:47.443Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-05-20T20:12:47.443Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17068/src/github.com/elastic/beats
[2020-05-20T20:12:48.628Z] runbld>>> Storing build metadata: 
[2020-05-20T20:12:48.628Z] runbld>>> Adding test report.
[2020-05-20T20:12:48.628Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17068/src/github.com/elastic/beats
[2020-05-20T20:12:49.285Z] runbld>>> Found 0 test output files
[2020-05-20T20:12:49.285Z] runbld>>> Test output logs contained: Errors: 0 Failures: 0 Tests: 0 Skipped: 0
[2020-05-20T20:12:49.285Z] runbld>>> Storing result
[2020-05-20T20:12:49.923Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-05-20T20:12:49.923Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200520201245-DC7774B7
[2020-05-20T20:12:49.923Z] runbld>>> Email notification disabled by environment variable.
[2020-05-20T20:12:49.923Z] runbld>>> Slack notification disabled by environment variable.
[2020-05-20T20:13:03.605Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17068
[2020-05-20T20:13:05.172Z] [INFO] getVaultSecret: Getting secrets
[2020-05-20T20:13:05.892Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-05-20T20:13:08.921Z] + chmod 755 generate-build-data.sh
[2020-05-20T20:13:08.921Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-17068/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-17068/runs/15 FAILURE 622684
[2020-05-20T20:13:09.472Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-17068/runs/15/steps/?limit=10000 -o steps-info.json
[2020-05-20T20:13:14.667Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-17068/runs/15/tests/?status=FAILED -o tests-errors.json
[2020-05-20T20:13:15.218Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-17068/runs/15/log/ -o pipeline-log.txt

elasticmachine · 2020-05-26T21:25:17Z

💚 Build Succeeded

Expand to view the summary

Build stats

Build Cause: [dedemorton commented: jenkins run the tests please]
Start Time: 2020-05-27T19:13:37.631+0000
Duration: 21 min 0 sec

rwaight · 2020-05-26T21:38:53Z

Hey @dedemorton, sorry I forgot about this one and do not have a dev environment. As mentioned in #17068 (comment), would you be able to update the branch for me?

dedemorton · 2020-05-27T00:49:54Z

So I made a little edit to your text, but it's weird because my second edit didn't get picked up by the update script. Anyhow, I'll figure out what's wrong and push another commit soon.

dedemorton · 2020-05-27T19:13:06Z

jenkins run the tests please

* Update filebeat/docs/modules/auditd.asciidoc Update `filebeat/docs/modules/auditd.asciidoc` - Add note regarding capabilities of the Filebeat auditd module * Edit text and run make update * Run make update again Co-authored-by: DeDe Morton <dede.morton@elastic.co>

…-stage-level * upstream/master: (30 commits) Add a GRPC listener service for Agent (elastic#18827) Disable host.* fields by default for iptables module (elastic#18756) [WIP] Clarify capabilities of the Filebeat auditd module (elastic#17068) fix: rename file and remove extra separator (elastic#18881) ci: enable JJBB (elastic#18812) Disable host.* fields by default for Checkpoint module (elastic#18754) Disable host.* fields by default for Cisco module (elastic#18753) Update latest.yml testing env to 7.7.0 (elastic#18535) Upgrade k8s.io/client-go and k8s keystore tests (elastic#18817) Add missing Jenkins stages for Auditbeat (elastic#18835) [Elastic Log Driver] Create a config shim between libbeat and the user (elastic#18605) Use indexers and matchers in config when defaults are enabled (elastic#18818) Fix panic on `metricbeat test modules` (elastic#18797) [CI] Fix permissions in MacOSX agents (elastic#18847) [Ingest Manager] When not port are specified and the https is used fallback to 443 (elastic#18844) [Ingest Manager] Fix install service script for windows (elastic#18814) [Metricbeat] Fix getting compute instance metadata with partial zone/region config (elastic#18757) Improve error messages in s3 input (elastic#18824) Add memory metrics into compute googlecloud (elastic#18802) include bucket name when logging error (elastic#18679) ...

…8884) * Update filebeat/docs/modules/auditd.asciidoc Update `filebeat/docs/modules/auditd.asciidoc` - Add note regarding capabilities of the Filebeat auditd module * Edit text and run make update * Run make update again Co-authored-by: DeDe Morton <dede.morton@elastic.co> Co-authored-by: Rob Waight <43173714+rwaight@users.noreply.github.com>

…8885) * Update filebeat/docs/modules/auditd.asciidoc Update `filebeat/docs/modules/auditd.asciidoc` - Add note regarding capabilities of the Filebeat auditd module * Edit text and run make update * Run make update again Co-authored-by: DeDe Morton <dede.morton@elastic.co> Co-authored-by: Rob Waight <43173714+rwaight@users.noreply.github.com>

…8886) * Update filebeat/docs/modules/auditd.asciidoc Update `filebeat/docs/modules/auditd.asciidoc` - Add note regarding capabilities of the Filebeat auditd module * Edit text and run make update * Run make update again Co-authored-by: DeDe Morton <dede.morton@elastic.co> Co-authored-by: Rob Waight <43173714+rwaight@users.noreply.github.com>

…) (elastic#18886) * Update filebeat/docs/modules/auditd.asciidoc Update `filebeat/docs/modules/auditd.asciidoc` - Add note regarding capabilities of the Filebeat auditd module * Edit text and run make update * Run make update again Co-authored-by: DeDe Morton <dede.morton@elastic.co> Co-authored-by: Rob Waight <43173714+rwaight@users.noreply.github.com>

Update filebeat/docs/modules/auditd.asciidoc

806abbb

Update `filebeat/docs/modules/auditd.asciidoc` - Add note regarding capabilities of the Filebeat auditd module

rwaight self-assigned this Mar 17, 2020

rwaight added docs needs_edit Indicates that the doc changes need an edit after merging. Filebeat Filebeat labels Mar 17, 2020

andresrc added [zube]: Inbox Team:SIEM labels Mar 18, 2020

rwaight mentioned this pull request Mar 18, 2020

[Docs] Filebeat auditd module capabilities are unclear #17094

Closed

Edit text and run make update

57bc4c4

Run make update again

c2a24d0

dedemorton approved these changes May 27, 2020

View reviewed changes

rwaight marked this pull request as ready for review May 27, 2020 13:56

dedemorton removed the needs_edit Indicates that the doc changes need an edit after merging. label May 27, 2020

dedemorton added the needs_backport PR is waiting to be backported to other branches. label May 27, 2020

dedemorton merged commit 2644743 into master Jun 1, 2020

dedemorton deleted the rwaight-patch-20200317 branch June 1, 2020 17:52

zube bot added [zube]: Done and removed [zube]: Inbox labels Jun 1, 2020

dedemorton added v7.7.1 v7.8.0 v8.0.0 labels Jun 1, 2020

dedemorton mentioned this pull request Jun 1, 2020

[7.x] Clarify capabilities of the Filebeat auditd module (#17068) #18884

Merged

dedemorton mentioned this pull request Jun 1, 2020

[7.8] Clarify capabilities of the Filebeat auditd module (#17068) #18885

Merged

dedemorton mentioned this pull request Jun 1, 2020

[7.7] Clarify capabilities of the Filebeat auditd module (#17068) #18886

Merged

dedemorton changed the title ~~[WIP] Clarify capabilities of the Filebeat auditd module~~ Clarify capabilities of the Filebeat auditd module Jun 1, 2020

dedemorton removed the needs_backport PR is waiting to be backported to other branches. label Jun 1, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Clarify capabilities of the Filebeat auditd module #17068

Clarify capabilities of the Filebeat auditd module #17068

rwaight commented Mar 17, 2020 •

edited

Loading

elasticmachine commented Mar 18, 2020

dedemorton commented Mar 20, 2020

elasticmachine commented May 8, 2020 •

edited

Loading

Build stats

elasticmachine commented May 26, 2020 •

edited

Loading

Build stats

rwaight commented May 26, 2020

dedemorton commented May 27, 2020

dedemorton commented May 27, 2020

Clarify capabilities of the Filebeat auditd module #17068

Clarify capabilities of the Filebeat auditd module #17068

Conversation

rwaight commented Mar 17, 2020 • edited Loading

What does this PR do?

Why is it important?

Checklist

Author's Checklist

Related issues

Use cases

elasticmachine commented Mar 18, 2020

dedemorton commented Mar 20, 2020

elasticmachine commented May 8, 2020 • edited Loading

💔 Build Failed

Build stats

Steps errors

Log output

elasticmachine commented May 26, 2020 • edited Loading

💚 Build Succeeded

Build stats

rwaight commented May 26, 2020

dedemorton commented May 27, 2020

dedemorton commented May 27, 2020

rwaight commented Mar 17, 2020 •

edited

Loading

elasticmachine commented May 8, 2020 •

edited

Loading

elasticmachine commented May 26, 2020 •

edited

Loading