Filebeat: Elasticsearch module: Audit log #7365
Conversation
| type: group | ||
| description: > | ||
| fields: | ||
| - name: timestamp |
There was a problem hiding this comment.
I this timestamp still needed?
| fields: | ||
| - name: timestamp | ||
| description: Please add description | ||
| example: Please add example |
There was a problem hiding this comment.
Can you update descriptions and potential examples if needed.
| type: group | ||
| description: > | ||
| fields: | ||
| - name: node_name |
There was a problem hiding this comment.
Is this the Elasticsearch node name? If yes, this field should end up under elasticsearch.node.name. Like this we will be able to correlate it.
There was a problem hiding this comment.
I am investigating here a bit more, because we have several options and more fields can show up. I need to run different configurations to follow up on behaviour and best approach. I will keep in mind that this field could be moved.
| - name: origin_address | ||
| description: "The IP address from which the request originated" | ||
| example: "192.168.1.42" | ||
| type: keyword |
There was a problem hiding this comment.
Yeah, this can be an IP.
| description: "Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)" | ||
| example: "local_node" | ||
| type: keyword | ||
| - name: origin_address |
There was a problem hiding this comment.
So this is the ip of the machine on which for example an Elasticsearch client is running which makes requests?
| description: "The REST endpoint URI" | ||
| example: /_xpack/security/_authenticate | ||
| type: keyword | ||
| - name: request |
There was a problem hiding this comment.
request could be confusing as I would expect more data to be inside. Perhaps this is request_type?
There was a problem hiding this comment.
I followed the documentation names for all of the fields from Auditing.
radoondas
force-pushed
the
filebeat-es-module
branch
2 times, most recently
from
8342cf1 to
143384f
Compare
…ct of modules hierarchy
Remove unnecesary timestamp from event Improve Grok pattern and add new field to document Add test file and expected JSON Add details to fields description
radoondas
force-pushed
the
filebeat-es-module
branch
from
26950a7 to
db37ed3
Compare
|
@ruflin - which versions was this merged into? Just master? Should we update the labels to reflect? |
|
@skearns64 This ended up in 6.4. At this time master and 6.4 were still identical and is why there are not backports or labels. Not sure it is worth adding labels as it applies to all 6.4 features. Best is to trust the changelog (in most cases ;-) ). |
This is initial PR for Audit logs in Elasticsearch. It successfully index basic events. Following PR's will improve grok patterns and add files for testing. Dashboards will come as bonus.