Make file integrity path field analyzed #5625
Conversation
- Use a multi-field for the `audit.file.path` field in order to make the path searchable and aggregatable.
- Update the file integrity dashboard to use `audit.file.path.raw` for aggs.
- Modify the file integrity dashboard:
  - Replace most active agent viz with number of world-writable files.
  - Add a table summarizing the number of events from each host.
  - Add a saved search viz showing the raw events.
- Fix an issue where `audit.file.type` was not being sent for `file` (it was only sent for dir and symlink).
```go
// Generated by the flatbuffer compiler (see the reply below); shown as it appears in the diff.
const (
	TypeFile    = 0
	TypeDir     = 1
	TypeSymlink = 2
	TypeUnknown = 0
)
```
exported const TypeUnknown should have comment (or a comment on this block) or be unexported
Dear houndci-bot, this is generated code. Take it up with the flatbuffer compiler.
auditbeat/docs/fields.asciidoc

```asciidoc
The path to the file.

[float]
=== `audit.file.path.raw`
```
Do we want these to show up in the docs? I added code here to do it, but I'm on the fence.
I am OK to have it in the doc since its useful for aggregation.
Even if we don't display it in our doc it will still be accessible in the UI :)
There's a test failure that I'm investigating.
The failing tests seem related to the change in flatbuffer. You might want to take a look @andrewkroh ?

```
Error: Not equal: file.Metadata{Inode:0x7b, UID:0x1f4, GID:0x1f4, SID:"", Owner:"", Group:"", Size:0x0, MTime:time.Time{wall:0x28499d28, ext:63646489003, loc:(*time.Location)(nil)}, CTime:time.Time{wall:0x28499d28, ext:63646489003, loc:(*time.Location)(nil)}, Type:0x0, Mode:0x180} (expected)
!= file.Metadata{Inode:0x7b, UID:0x1f4, GID:0x1f4, SID:"", Owner:"", Group:"", Size:0x0, MTime:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(nil)}, CTime:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(nil)}, Type:0x0, Mode:0x180} (actual)
```
```python
# Inside document_field(): recurse into each multi-field so that sub-fields
# such as `audit.file.path.raw` get their own documentation entry.
if "multi_fields" in field:
    for subfield in field["multi_fields"]:
        document_field(output, subfield, path + "." + subfield["name"])
```
good catch.
@simitt Mentioning you here as apm-server uses multi fields as far as I remember. Not really a bug but just in case you are surprised why the docs are updated with the most recent beats version.
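The snippet above only shows the recursion into `multi_fields`. The following is an added example (not code from the Beats project) that puts it in context: it takes a constructed, fields.yml-style definition of `audit.file.path` with a `raw` keyword multi-field, renders the documentation entries the way the snippet does, builds the corresponding Elasticsearch `properties` mapping, and lists which dotted names end up usable in a terms aggregation, which is what the dashboard changes in this PR rely on. The `SAMPLE_FIELDS` structure, `document_fields`, `mapping_properties` and `aggregatable_paths` are assumptions made for this example; only the `document_field` recursion mirrors the page.

```python
from typing import Dict, List

# Constructed sample mirroring the shape of a Beats fields.yml entry
# (group -> fields -> leaf with multi_fields). Not copied from the project.
SAMPLE_FIELDS = [
    {
        "name": "audit",
        "type": "group",
        "fields": [
            {
                "name": "file",
                "type": "group",
                "fields": [
                    {
                        "name": "path",
                        "type": "text",
                        "description": "The path to the file.",
                        "multi_fields": [{"name": "raw", "type": "keyword"}],
                    },
                    {
                        "name": "type",
                        "type": "keyword",
                        "description": "File type (file, dir, symlink).",
                    },
                ],
            }
        ],
    }
]


def document_field(output: List[str], field: Dict, path: str) -> None:
    """Append an asciidoc-style entry for one leaf field, then its multi-fields."""
    output.append("[float]")
    output.append("=== `%s`" % path)
    if field.get("description"):
        output.append(field["description"])
    output.append("type: %s" % field.get("type", "keyword"))
    # A multi-field lives under the parent's name, so it is documented as
    # <parent>.<subfield> (e.g. audit.file.path.raw).
    if "multi_fields" in field:
        for subfield in field["multi_fields"]:
            document_field(output, subfield, path + "." + subfield["name"])


def document_fields(output: List[str], fields: List[Dict], path: str) -> None:
    """Walk groups recursively; leaves are handed to document_field (assumed helper)."""
    for field in fields:
        name = path + "." + field["name"] if path else field["name"]
        if field.get("type") == "group":
            document_fields(output, field.get("fields", []), name)
        else:
            document_field(output, field, name)


def documented_paths(fields: List[Dict]) -> List[str]:
    """Return just the dotted field names that would appear as headings."""
    output: List[str] = []
    document_fields(output, fields, "")
    return [line[len("=== `"):-1] for line in output if line.startswith("=== `")]


def mapping_properties(fields: List[Dict]) -> Dict:
    """Build an Elasticsearch `properties` object; multi_fields become `fields`."""
    props: Dict = {}
    for field in fields:
        if field.get("type") == "group":
            props[field["name"]] = {"properties": mapping_properties(field.get("fields", []))}
            continue
        prop: Dict = {"type": field.get("type", "keyword")}
        if field.get("multi_fields"):
            prop["fields"] = {sub["name"]: {"type": sub["type"]} for sub in field["multi_fields"]}
        props[field["name"]] = prop
    return props


def aggregatable_paths(props: Dict, prefix: str = "") -> List[str]:
    """Dotted names a terms aggregation can use: keyword leaves and keyword multi-fields.

    A plain `text` field is analyzed and not aggregatable, which is why the
    dashboard needs the `.raw` keyword sub-field rather than the parent.
    """
    out: List[str] = []
    for name, prop in props.items():
        full = prefix + name
        if "properties" in prop:
            out.extend(aggregatable_paths(prop["properties"], full + "."))
            continue
        if prop.get("type") == "keyword":
            out.append(full)
        for sub, subprop in prop.get("fields", {}).items():
            if subprop.get("type") == "keyword":
                out.append(full + "." + sub)
    return out


if __name__ == "__main__":
    print(documented_paths(SAMPLE_FIELDS))
    print(aggregatable_paths(mapping_properties(SAMPLE_FIELDS)))
```

With the sample definition, `audit.file.path` is documented and searchable as full text, `audit.file.path.raw` shows up as its own entry and is the only form of the path that the world-writable-files and per-host tables can aggregate on.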
CHANGELOG.asciidoc
@@ -18,6 +18,8 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di | |||
|
|||
*Auditbeat* | |||
|
|||
- Changed `audit.file.path` to be a multi-field so that path is searchable. {pull}nnnn[nnnn] | |||
|
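Review bot: the new Auditbeat changelog line still carries the `{pull}nnnn[nnnn]` placeholder; replace it with the real PR reference (this PR is #5625 per its title) before merging, otherwise the rendered changelog links nowhere. Since the entry changes the `audit.file.path` mapping, it is also worth stating in the entry that existing indices keep the old mapping until a new index is created.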
update with PR number
@ph It should be fixed now. Attempts to debug after midnight are futile. It was much easier to debug after resting 🛌 .
@ph Want to take another look?
LGTM
Somewhere in the Auditbeat module refactoring this multi-field got dropped. This was originally added in #5625.