filebeat/module/auditd: teach kv about quoted spaces (#34069) (#34297)

Audit messages may contain spaces when the value is quoted, so let the kv processor know how to deal with this case. (cherry picked from commit f5054f7) Co-authored-by: Dan Kortschak <[email protected]>
elastic · Jan 18, 2023 · 1710838 · 1710838
1 parent 19fbdb0
commit 1710838
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 2 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -42,6 +42,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Rename identity as identity_name when the value is a string in Azure Platform Logs. {pull}33654[33654]
 - Fix 'requires pointer' error while getting cursor metadata. {pull}33956[33956]
 - [google_workspace] Fix pagination and cursor value update. {pull}34274[34274]
+- Fix handling of quoted values in auditd module. {issue}22587[22587] {pull}34069[34069]
 
 
 *Heartbeat*

diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml
@@ -22,8 +22,8 @@ processors:
     - "%{AUDIT_TYPE} %{AUDIT_KEY_VALUES:auditd.log.kv}"
 - kv:
     field: auditd.log.kv
-    field_split: "\\s+"
-    value_split: "="
+    field_split: '\s(?![\w\"]+?(\s+|$))'
+    value_split: '(?<!\\)='
     target_field: auditd.log
 - kv:
     field: auditd.log.sub_kv

diff --git a/filebeat/module/auditd/log/test/audit-rhel7_2.log b/filebeat/module/auditd/log/test/audit-rhel7_2.log
@@ -0,0 +1 @@
+type=ANOM_ABEND msg=audit(1605431420.026:123): auid=12345 uid=123 gid=123 ses=123456789 pid=1234 comm="extproc" reason="memory violation" sig=6
diff --git a/filebeat/module/auditd/log/test/audit-rhel7_2.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7_2.log-expected.json
@@ -0,0 +1,32 @@
+[
+    {
+        "@timestamp": "2020-11-15T09:10:20.026Z",
+        "auditd.log.reason": "memory violation",
+        "auditd.log.record_type": "ANOM_ABEND",
+        "auditd.log.sequence": 123,
+        "auditd.log.ses": "123456789",
+        "auditd.log.sig": "6",
+        "event.action": [
+            "crashed-program"
+        ],
+        "event.category": [
+            "process"
+        ],
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=ANOM_ABEND msg=audit(1605431420.026:123): auid=12345 uid=123 gid=123 ses=123456789 pid=1234 comm=\"extproc\" reason=\"memory violation\" sig=6",
+        "event.type": [
+            "end"
+        ],
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 0,
+        "process.name": "extproc",
+        "process.pid": 1234,
+        "service.type": "auditd",
+        "user.audit.id": "12345",
+        "user.group.id": "123",
+        "user.id": "123"
+    }
+]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		type=ANOM_ABEND msg=audit(1605431420.026:123): auid=12345 uid=123 gid=123 ses=123456789 pid=1234 comm="extproc" reason="memory violation" sig=6