ycombinator committed Jan 26, 2019
1 parent 79765ad commit 2667c21
Showing 8 changed files with 50 additions and 257 deletions.
25 changes: 7 additions & 18 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -1171,17 +1171,6 @@ The body of the request, if enabled
--
*`elasticsearch.audit.indices`*::
+
--
type: array
example: ['.security-6']
The indices affected by the action
--
*`elasticsearch.audit.user_realm`*::
+
--
Expand Down Expand Up @@ -1304,7 +1293,7 @@ CPU time spent outside the kernel.
--
type: float
CPU time spent inside the kernel.
CPU time spent inside the kernel.
--
Expand Down Expand Up @@ -1474,7 +1463,7 @@ Young GC
--
type: long
example:
example:
Expand All @@ -1485,7 +1474,7 @@ example:
--
type: long
example:
example:
Expand Down Expand Up @@ -1557,7 +1546,7 @@ Time it took to execute the query
--
type: keyword
example:
example:
Types
Expand All @@ -1568,7 +1557,7 @@ Types
--
type: text
example:
example:
Statistics
Expand Down Expand Up @@ -1601,7 +1590,7 @@ Slow query
--
type: text
example:
example:
Extra source information
Expand Down Expand Up @@ -1656,7 +1645,7 @@ Routing
--
type: keyword
example:
example:
Id
2 changes: 1 addition & 1 deletion filebeat/include/fields.go


4 changes: 0 additions & 4 deletions filebeat/module/elasticsearch/audit/_meta/fields.yml
Expand Up @@ -54,10 +54,6 @@
description: "The body of the request, if enabled"
example: "body"
type: text
- name: indices
description: "The indices affected by the action"
example: [ ".security-6" ]
type: array
- name: user_realm
description: "The name of the realm that authenticated the user"
example: "__attach"
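Review bot: The `- name: indices` block that this hunk appears to drop (the rendered view lost the +/- markers, but the section counts four deletions and no additions) describes a field the module still emits: `ES_AUDIT_INDICES` in pipeline-plaintext.json captures `elasticsearch.audit.indices`, and the fixture line added to test-access.log carries `indices=[foo-2019.01.04,...]`. Once the declaration is gone, the field's mapping is left to whatever dynamic mapping the index applies, so the module no longer controls its type. Either keep a declaration for it — `- name: indices`, `description: "The indices affected by the action"`, `type: keyword` (a `keyword` rather than `array`, because the grok capture yields one comma-separated string, not a list) — or remove the capture from the grok pattern so the field definitions and the pipeline output stay in step.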
17 changes: 5 additions & 12 deletions filebeat/module/elasticsearch/audit/ingest/pipeline-json.json
Expand Up @@ -112,27 +112,27 @@
},
{
"set": {
"if": "ctx.first_char == '{' && ctx.elasticsearch.audit?.url?.path != null && ctx.elasticsearch.audit?.url?.query == null",
"if": "ctx.elasticsearch.audit?.url?.path != null && ctx.elasticsearch.audit?.url?.query == null",
"field": "elasticsearch.audit.uri",
"value": "{{elasticsearch.audit.url.path}}"
}
},
{
"set": {
"if": "ctx.first_char == '{' && ctx.elasticsearch.audit?.url?.path != null && ctx.elasticsearch.audit?.url?.query != null",
"if": "ctx.elasticsearch.audit?.url?.path != null && ctx.elasticsearch.audit?.url?.query != null",
"field": "elasticsearch.audit.uri",
"value": "{{elasticsearch.audit.url.path}}?{{elasticsearch.audit.url.query}}"
}
},
{
"remove": {
"if": "ctx.first_char == '{' && ctx.elasticsearch.audit?.url?.path != null",
"if": "ctx.elasticsearch.audit?.url?.path != null",
"field": "elasticsearch.audit.url.path"
}
},
{
"remove": {
"if": "ctx.first_char == '{' && ctx.elasticsearch.audit?.url?.query != null",
"if": "ctx.elasticsearch.audit?.url?.query != null",
"field": "elasticsearch.audit.url.query"
}
},
Expand Down Expand Up @@ -162,7 +162,7 @@
},
{
"rename": {
"if": "ctx.first_char == '{' && ctx.elasticsearch.audit?.user?.realm != null",
"if": "ctx.elasticsearch.audit?.user?.realm != null",
"field": "elasticsearch.audit.user.realm",
"target_field": "elasticsearch.audit.user_realm"
}
Expand All @@ -173,13 +173,6 @@
"path": "elasticsearch.audit"
}
},
{
"rename": {
"if": "ctx.first_char == '{' && ctx.elasticsearch.audit?.user?.roles != null",
"field": "elasticsearch.audit.user.roles",
"target_field": "elasticsearch.audit.user_roles"
}
},
{
"remove": {
"field": "elasticsearch.audit.user"
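Review bot: With the `user.roles` rename apparently removed in the third hunk (the seven-line processor is the only block matching the hunk's seven deletions), the `remove` of `elasticsearch.audit.user` that follows now discards the acting principal's roles from JSON-format audit events, while `ES_AUDIT_ROLES` in pipeline-plaintext.json still captures `roles` for the same event class, so the two pipelines yield different field sets for `access_granted`/`access_denied` records. If dropping roles is intended, the module docs should say so; otherwise keep `"rename": {"if": "ctx.elasticsearch.audit?.user?.roles != null", "field": "elasticsearch.audit.user.roles", "target_field": "elasticsearch.audit.user_roles"}` ahead of the `remove`. Which side of each `first_char` pair is old and which is new cannot be read from the rendered view, and the processors array continues past the hunk.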
213 changes: 3 additions & 210 deletions filebeat/module/elasticsearch/audit/ingest/pipeline-plaintext.json
Expand Up @@ -5,17 +5,17 @@
"grok": {
"field": "message",
"pattern_definitions": {
"ES_TIMESTAMP": "\\[%{TIMESTAMP_ISO8601:elasticsearch.audit.timestamp}\\]",
"ES_TIMESTAMP": "\\[%{TIMESTAMP_ISO8601:elasticsearch.audit.@timestamp}\\]",
"ES_NODE_NAME": "(\\[%{DATA:elasticsearch.node.name}\\])?",
"ES_AUDIT_LAYER": "\\[%{WORD:elasticsearch.audit.layer}\\]",
"ES_AUDIT_EVENT_TYPE": "\\[%{WORD:event.type}\\]",
"ES_AUDIT_EVENT_TYPE": "\\[%{WORD:elasticsearch.audit.event_type}\\]",
"ES_AUDIT_ORIGIN_TYPE": "(origin_type\\=\\[%{WORD:elasticsearch.audit.origin_type}\\])?",
"ES_AUDIT_ORIGIN_ADDRESS": "(origin_address\\=\\[%{IPORHOST:elasticsearch.audit.origin_address}\\])?",
"ES_AUDIT_PRINCIPAL": "(principal\\=\\[%{WORD:elasticsearch.audit.principal}\\])?",
"ES_AUDIT_REALM": "(realm\\=\\[%{WORD:elasticsearch.audit.realm}\\])?",
"ES_AUDIT_ROLES": "(roles\\=\\[%{DATA:elasticsearch.audit.roles}\\])?",
"ES_AUDIT_ACTION": "(action\\=\\[%{DATA:elasticsearch.audit.action}(\\[%{DATA:elasticsearch.audit.sub_action}\\])?\\])?",
"ES_AUDIT_URI": "(uri=\\[%{DATA:elasticsearch.audit.uri\\])?",
"ES_AUDIT_URI": "(uri=\\[%{DATA:elasticsearch.audit.uri}\\])?",
"ES_AUDIT_INDICES": "(indices\\=\\[%{DATA:elasticsearch.audit.indices}\\])?",
"ES_AUDIT_REQUEST": "(request\\=\\[%{WORD:elasticsearch.audit.request}\\])?",
"ES_AUDIT_REQUEST_BODY": "(request_body\\=\\[%{DATA:elasticsearch.audit.request_body}\\])?"
Expand Down Expand Up @@ -45,218 +45,11 @@
"source": "if (ctx.elasticsearch.audit.sub_action != null) { ctx.elasticsearch.audit.action += '[' + ctx.elasticsearch.audit.sub_action + ']' }"
}
},
{
"json": {
"if": "ctx.first_char == '{'",
"field": "message",
"target_field": "elasticsearch.audit"
}
},
{
"dot_expander": {
"if": "ctx.first_char == '{'",
"field": "event.action",
"path": "elasticsearch.audit"
}
},
{
"rename": {
"if": "ctx.first_char == '{'",
"field": "elasticsearch.audit.event.action",
"target_field": "elasticsearch.audit.event_type"
}
},
{
"dot_expander": {
"if": "ctx.first_char == '{'",
"field": "event.type",
"path": "elasticsearch.audit"
}
},
{
"rename": {
"if": "ctx.first_char == '{'",
"field": "elasticsearch.audit.event.type",
"target_field": "elasticsearch.audit.layer"
}
},
{
"remove": {
"if": "ctx.first_char == '{'",
"field": "elasticsearch.audit.event"
}
},
{
"dot_expander": {
"if": "ctx.first_char == '{'",
"field": "origin.type",
"path": "elasticsearch.audit"
}
},
{
"rename": {
"if": "ctx.first_char == '{'",
"field": "elasticsearch.audit.origin.type",
"target_field": "elasticsearch.audit.origin_type"
}
},
{
"dot_expander": {
"if": "ctx.first_char == '{'",
"field": "origin.address",
"path": "elasticsearch.audit"
}
},
{
"grok": {
"if": "ctx.first_char == '{'",
"field": "elasticsearch.audit.origin.address",
"patterns": [
"\\[%{IPORHOST:elasticsearch.audit.origin_address}\\]:%{INT:elasticsearch.audit.origin_port:int}",
"%{IPORHOST:elasticsearch.audit.origin_address}:%{INT:elasticsearch.audit.origin_port:int}"
]
}
},
{
"remove": {
"if": "ctx.first_char == '{'",
"field": "elasticsearch.audit.origin"
}
},
{
"dot_expander": {
"if": "ctx.first_char == '{'",
"field": "user.name",
"path": "elasticsearch.audit"
}
},
{
"rename": {
"if": "ctx.first_char == '{'",
"field": "elasticsearch.audit.user.name",
"target_field": "elasticsearch.audit.principal"
}
},
{
"dot_expander": {
"if": "ctx.first_char == '{'",
"field": "request.name",
"path": "elasticsearch.audit"
}
},
{
"set": {
"if": "ctx.first_char == '{'",
"value": "{{elasticsearch.audit.request.name}}",
"field": "elasticsearch.audit.request"
}
},
{
"remove": {
"if": "ctx.elasticsearch.audit.request == ''",
"field": "elasticsearch.audit.request"
}
},
{
"dot_expander": {
"if": "ctx.first_char == '{'",
"field": "url.path",
"path": "elasticsearch.audit"
}
},
{
"dot_expander": {
"if": "ctx.first_char == '{'",
"field": "url.query",
"path": "elasticsearch.audit"
}
},
{
"set": {
"if": "ctx.first_char == '{' && ctx.elasticsearch.audit?.url?.path != null && ctx.elasticsearch.audit?.url?.query == null",
"field": "elasticsearch.audit.uri",
"value": "{{elasticsearch.audit.url.path}}"
}
},
{
"set": {
"if": "ctx.first_char == '{' && ctx.elasticsearch.audit?.url?.path != null && ctx.elasticsearch.audit?.url?.query != null",
"field": "elasticsearch.audit.uri",
"value": "{{elasticsearch.audit.url.path}}?{{elasticsearch.audit.url.query}}"
}
},
{
"remove": {
"field": "elasticsearch.audit.sub_action",
"ignore_missing": true
}
},
{
"remove": {
"if": "ctx.first_char == '{' && ctx.elasticsearch.audit?.url?.path != null",
"field": "elasticsearch.audit.url.path"
}
},
{
"remove": {
"if": "ctx.first_char == '{' && ctx.elasticsearch.audit?.url?.query != null",
"field": "elasticsearch.audit.url.query"
}
},
{
"dot_expander": {
"if": "ctx.first_char == '{'",
"field": "node.id",
"path": "elasticsearch.audit"
}
},
{
"dot_expander": {
"if": "ctx.first_char == '{'",
"field": "node.name",
"path": "elasticsearch.audit"
}
},
{
"rename": {
"if": "ctx.first_char == '{'",
"field": "elasticsearch.audit.node",
"target_field": "elasticsearch.node"
}
},
{
"dot_expander": {
"if": "ctx.first_char == '{'",
"field": "user.realm",
"path": "elasticsearch.audit"
}
},
{
"rename": {
"if": "ctx.first_char == '{' && ctx.elasticsearch.audit?.user?.realm != null",
"field": "elasticsearch.audit.user.realm",
"target_field": "elasticsearch.audit.user_realm"
}
},
{
"dot_expander": {
"if": "ctx.first_char == '{'",
"field": "user.roles",
"path": "elasticsearch.audit"
}
},
{
"rename": {
"if": "ctx.first_char == '{' && ctx.elasticsearch.audit?.user?.roles != null",
"field": "elasticsearch.audit.user.roles",
"target_field": "elasticsearch.audit.user_roles"
}
},
{
"remove": {
"field": "elasticsearch.audit.url",
"ignore_missing": true
}
}
],
"on_failure": [
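Review bot: In the `ES_AUDIT_URI` pair one side reads `%{DATA:elasticsearch.audit.uri\\]` with no `}` closing the field reference; only `"ES_AUDIT_URI": "(uri=\\[%{DATA:elasticsearch.audit.uri}\\])?"` is a well-formed grok capture, and since the rendered view lost the +/- markers please confirm that the closed form is the surviving side. A second point on the unchanged definitions: `ES_AUDIT_ROLES` and `ES_AUDIT_INDICES` capture `roles=[...]` and `indices=[...]` with `%{DATA}` as one comma-separated string (the new fixture line has `roles=[kibana_user,my_custom_role_1,foo_reader]`), so they cannot satisfy an `array` field definition without a `split` processor on each, and the field docs should describe them as a single string until one is added. Finally, `ES_AUDIT_PRINCIPAL` uses `%{WORD}` inside an optional group, so a principal containing a character outside `\w` (a `.`, `@` or `-`) would likely leave the group unmatched rather than fail the pipeline, producing an audit event with no principal; `%{DATA:elasticsearch.audit.principal}` bounded by the trailing `\\]` would capture it. The processors array continues past this hunk, so the `patterns` entry that uses these definitions is not visible here.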
1 change: 1 addition & 0 deletions filebeat/module/elasticsearch/audit/test/test-access.log
Expand Up @@ -5,3 +5,4 @@
[2018-06-19T05:26:27,268] [rest] [authentication_failed] origin_address=[147.107.128.77], principal=[N078801], uri=[/_xpack/security/_authenticate]
[2018-06-19T05:55:26,898] [transport] [access_denied] origin_type=[rest], origin_address=[147.107.128.77], principal=[_anonymous], action=[cluster:monitor/main], request=[MainRequest]
[2018-06-19T05:24:15,190] [v_VJhjV] [rest] [authentication_failed] origin_address=[172.18.0.3], principal=[elastic], uri=[/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip], request_body=[body]
[2019-01-08T14:15:02,011] [NodeName-0] [transport] [access_granted] origin_type=[transport], origin_address=[192.168.2.1], principal=[username], realm=[active_directory], roles=[kibana_user,my_custom_role_1,foo_reader], action=[indices:data/read/search[free_context]], indices=[foo-2019.01.04,foo-2019.01.03,foo-2019.01.06,foo-2019.01.05,foo-2019.01.08,servicelog-2019.01.07], request=[SearchFreeContextRequest]
