From 2b4c6b6f63b9246f449e2bfbca506aa12f73766f Mon Sep 17 00:00:00 2001 From: Larry Gregory Date: Tue, 15 Dec 2020 20:20:33 -0500 Subject: [PATCH] [Filebeat] Add module for Kibana audit logs (#22696) (#23147) Co-authored-by: Thom Heymann <190132+thomheymann@users.noreply.github.com> Co-authored-by: Thom Heymann <190132+thomheymann@users.noreply.github.com> --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 111 +++++++++++++++++ filebeat/docs/modules/kibana.asciidoc | 5 + filebeat/filebeat.reference.yml | 10 +- filebeat/module/kibana/_meta/config.yml | 10 +- filebeat/module/kibana/_meta/docs.asciidoc | 5 + filebeat/module/kibana/_meta/fields.yml | 41 +++++++ filebeat/module/kibana/audit/config/audit.yml | 16 +++ .../kibana/audit/ingest/pipeline-json.yml | 106 ++++++++++++++++ .../module/kibana/audit/ingest/pipeline.yml | 21 ++++ filebeat/module/kibana/audit/manifest.yml | 12 ++ .../kibana/audit/test/test-audit-711.log | 4 + .../test/test-audit-711.log-expected.json | 113 ++++++++++++++++++ filebeat/module/kibana/fields.go | 2 +- filebeat/modules.d/kibana.yml.disabled | 10 +- x-pack/filebeat/filebeat.reference.yml | 10 +- 16 files changed, 472 insertions(+), 5 deletions(-) create mode 100644 filebeat/module/kibana/audit/config/audit.yml create mode 100644 filebeat/module/kibana/audit/ingest/pipeline-json.yml create mode 100644 filebeat/module/kibana/audit/ingest/pipeline.yml create mode 100644 filebeat/module/kibana/audit/manifest.yml create mode 100644 filebeat/module/kibana/audit/test/test-audit-711.log create mode 100644 filebeat/module/kibana/audit/test/test-audit-711.log-expected.json diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 3e1e4b810fe4..bb853a439663 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -36,6 +36,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Filebeat* +- Add fileset to ingest Kibana's ECS audit logs. {pull}22696[22696] - Fix parsing of Elasticsearch node name by `elasticsearch/slowlog` fileset. {pull}14547[14547] - Improve ECS field mappings in panw module. event.outcome now only contains success/failure per ECS specification. {issue}16025[16025] {pull}17910[17910] - Improve ECS categorization field mappings for nginx module. http.request.referrer only populated when nginx sets a value {issue}16174[16174] {pull}17844[17844] diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 0d4d24fc3299..d3e67b628c7f 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -91044,9 +91044,120 @@ kibana Module [float] === kibana +Module for parsing Kibana logs. +*`kibana.session_id`*:: ++ +-- +The ID of the user session associated with this event. Each login attempt results in a unique session id. + +type: keyword + +example: 123e4567-e89b-12d3-a456-426614174000 + +-- + +*`kibana.space_id`*:: ++ +-- +The id of the space associated with this event. + +type: keyword + +example: default + +-- + +*`kibana.saved_object.type`*:: ++ +-- +The type of the saved object associated with this event. + +type: keyword + +example: dashboard + +-- + +*`kibana.saved_object.id`*:: ++ +-- +The id of the saved object associated with this event. + +type: keyword + +example: 6295bdd0-0a0e-11e7-825f-6748cda7d858 + +-- + +*`kibana.add_to_spaces`*:: ++ +-- +The set of space ids that a saved object was shared to. + +type: keyword + +example: ['default', 'marketing'] + +-- + +*`kibana.delete_from_spaces`*:: ++ +-- +The set of space ids that a saved object was removed from. + +type: keyword + +example: ['default', 'marketing'] + +-- + +*`kibana.authentication_provider`*:: ++ +-- +The authentication provider associated with a login event. + +type: keyword + +example: basic1 + +-- + +*`kibana.authentication_type`*:: ++ +-- +The authentication provider type associated with a login event. + +type: keyword + +example: basic + +-- + +*`kibana.authentication_realm`*:: ++ +-- +The Elasticsearch authentication realm name which fulfilled a login event. + +type: keyword + +example: native + +-- + +*`kibana.lookup_realm`*:: ++ +-- +The Elasticsearch lookup realm which fulfilled a login event. + +type: keyword + +example: native + +-- + [float] === log diff --git a/filebeat/docs/modules/kibana.asciidoc b/filebeat/docs/modules/kibana.asciidoc index 089936d60897..6110bc25178a 100644 --- a/filebeat/docs/modules/kibana.asciidoc +++ b/filebeat/docs/modules/kibana.asciidoc 
@@ -38,6 +38,11 @@ include::../include/var-paths.asciidoc[] :fileset_ex!: :modulename!: +[float] +==== `audit` fileset settings + +include::../include/var-paths.asciidoc[] + [float] diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index fa452a0610ec..7ffd5c099f2f 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -203,7 +203,7 @@ filebeat.modules: #-------------------------------- Kibana Module -------------------------------- - module: kibana - # All logs + # Server logs log: enabled: true @@ -211,6 +211,14 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: + # Audit logs + audit: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #------------------------------- Logstash Module ------------------------------- #- module: logstash # logs diff --git a/filebeat/module/kibana/_meta/config.yml b/filebeat/module/kibana/_meta/config.yml index 176a9b263bc4..ffb82496fcae 100644 --- a/filebeat/module/kibana/_meta/config.yml +++ b/filebeat/module/kibana/_meta/config.yml @@ -1,8 +1,16 @@ - module: kibana - # All logs + # Server logs log: enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + + # Audit logs + audit: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/filebeat/module/kibana/_meta/docs.asciidoc b/filebeat/module/kibana/_meta/docs.asciidoc index 1724d3b2c003..bf2bdb9b9eae 100644 --- a/filebeat/module/kibana/_meta/docs.asciidoc +++ b/filebeat/module/kibana/_meta/docs.asciidoc @@ -33,3 +33,8 @@ include::../include/var-paths.asciidoc[] :fileset_ex!: :modulename!: +[float] +==== `audit` fileset settings + +include::../include/var-paths.asciidoc[] + 
diff --git a/filebeat/module/kibana/_meta/fields.yml b/filebeat/module/kibana/_meta/fields.yml index 772ae8afffeb..45a194496237 100644 --- a/filebeat/module/kibana/_meta/fields.yml +++ b/filebeat/module/kibana/_meta/fields.yml @@ -6,4 +6,45 @@ - name: kibana type: group description: > + Module for parsing Kibana logs. fields: + - name: session_id + description: The ID of the user session associated with this event. Each login attempt results in a unique session id. + example: "123e4567-e89b-12d3-a456-426614174000" + type: keyword + - name: space_id + description: "The id of the space associated with this event." + example: "default" + type: keyword + - name: saved_object.type + description: "The type of the saved object associated with this event." + example: "dashboard" + type: keyword + - name: saved_object.id + description: "The id of the saved object associated with this event." + example: "6295bdd0-0a0e-11e7-825f-6748cda7d858" + type: keyword + - name: add_to_spaces + description: "The set of space ids that a saved object was shared to." + example: "['default', 'marketing']" + type: keyword + - name: delete_from_spaces + description: "The set of space ids that a saved object was removed from." + example: "['default', 'marketing']" + type: keyword + - name: authentication_provider + description: "The authentication provider associated with a login event." + example: "basic1" + type: keyword + - name: authentication_type + description: "The authentication provider type associated with a login event." + example: "basic" + type: keyword + - name: authentication_realm + description: "The Elasticsearch authentication realm name which fulfilled a login event." + example: "native" + type: keyword + - name: lookup_realm + description: "The Elasticsearch lookup realm which fulfilled a login event." + example: "native" + type: keyword 
diff --git a/filebeat/module/kibana/audit/config/audit.yml b/filebeat/module/kibana/audit/config/audit.yml
new file mode 100644
index 000000000000..3806e65aaba7
--- /dev/null
+++ b/filebeat/module/kibana/audit/config/audit.yml
@@ -0,0 +1,16 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+processors:
+ - add_locale: ~
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 0.0.0
+ - decode_json_fields:
+ fields: [message]
+ target: kibana._audit_temp
diff --git a/filebeat/module/kibana/audit/ingest/pipeline-json.yml b/filebeat/module/kibana/audit/ingest/pipeline-json.yml
new file mode 100644
index 000000000000..9cc9e6e64234
--- /dev/null
+++ b/filebeat/module/kibana/audit/ingest/pipeline-json.yml
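Review bot: `decode_json_fields` on `message` is configured without `add_error_key: true`, so a line that is not valid JSON (for example one truncated at rotation, or a non-audit line landing in a `*_audit.json` file) leaves `kibana._audit_temp` unset and the event carries no marker of the decode failure; the first `set` processors in `pipeline-json.yml` then reference `kibana._audit_temp.*` without a guard, so the failure surfaces, if at all, only as an ingest-side error. Adding `add_error_key: true` to the processor records the failure in `error.message` on the Filebeat side, which lets a malformed audit line be alerted on instead of quietly disappearing from the normalized fields. Since the audit trail is the thing being protected here, the noisy failure is the one to keep.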
@@ -0,0 +1,106 @@
+description: Pipeline for parsing Kibana audit logs in JSON format
+processors:
+
+- set:
+ field: "@timestamp"
+ value: "{{kibana._audit_temp.@timestamp}}"
+
+- set:
+ field: message
+ value: "{{kibana._audit_temp.message}}"
+
+- set:
+ if: ctx.kibana._audit_temp.event.action != null
+ field: event.action
+ value: "{{kibana._audit_temp.event.action}}"
+- set:
+ if: ctx.kibana._audit_temp.event.category != null
+ field: event.category
+ value: "{{kibana._audit_temp.event.category}}"
+- set:
+ if: ctx.kibana._audit_temp.event.outcome != null
+ field: event.outcome
+ value: "{{kibana._audit_temp.event.outcome}}"
+- set:
+ if: ctx.kibana._audit_temp.event.type != null
+ field: event.type
+ value: "{{kibana._audit_temp.event.type}}"
+
+- remove:
+ field: 'ecs'
+- rename:
+ if: ctx.kibana._audit_temp.ecs != null
+ field: kibana._audit_temp.ecs
+ target_field: "ecs"
+
+- rename:
+ if: ctx.kibana._audit_temp.url != null
+ field: kibana._audit_temp.url
+ target_field: "url"
+
+- set:
+ if: ctx.url?.query == null
+ field: url.original
+ value: '{{url.path}}'
+ ignore_empty_value: true
+- set:
+ if: ctx.url?.path != null && ctx.url?.query != null
+ field: url.original
+ value: '{{url.path}}?{{url.query}}'
+
+- rename:
+ if: ctx.kibana._audit_temp.http != null
+ field: kibana._audit_temp.http
+ target_field: http
+
+- rename:
+ if: ctx.kibana._audit_temp.user != null
+ field: kibana._audit_temp.user
+ target_field: user
+
+- rename:
+ if: ctx.kibana._audit_temp.trace != null
+ field: kibana._audit_temp.trace
+ target_field: trace
+
+- rename:
+ if: ctx.kibana._audit_temp.process?.pid != null
+ target_field: process
+ field: kibana._audit_temp.process
+
+- rename:
+ if: ctx.kibana._audit_temp.error != null
+ target_field: error
+ field: kibana._audit_temp.error
+
+- rename:
+ if: ctx.kibana._audit_temp.kibana.session_id != null
+ target_field: kibana.session_id
+ field: kibana._audit_temp.kibana.session_id
+
+- rename:
+ if: ctx.kibana._audit_temp.kibana.space_id != null
+ target_field: kibana.space_id
+ field: kibana._audit_temp.kibana.space_id
+
+- rename:
+ if: ctx.kibana._audit_temp.kibana.saved_object != null
+ target_field: kibana.saved_object
+ field: kibana._audit_temp.kibana.saved_object
+
+- rename:
+ if: ctx.kibana._audit_temp.kibana.add_to_spaces != null
+ target_field: kibana.add_to_spaces
+ field: kibana._audit_temp.kibana.add_to_spaces
+
+- rename:
+ if: ctx.kibana._audit_temp.kibana.delete_from_spaces != null
+ target_field: kibana.delete_from_spaces
+ field: kibana._audit_temp.kibana.delete_from_spaces
+
+- remove:
+ field: 'kibana._audit_temp'
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/filebeat/module/kibana/audit/ingest/pipeline.yml b/filebeat/module/kibana/audit/ingest/pipeline.yml
new file mode 100644
index 000000000000..d4d2d9b03b81
--- /dev/null
+++ b/filebeat/module/kibana/audit/ingest/pipeline.yml
@@ -0,0 +1,21 @@
+description: Pipeline for parsing Kibana audit logs
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- rename:
+ field: '@timestamp'
+ target_field: event.created
+- pipeline:
+ name: '{< IngestPipeline "pipeline-json" >}'
+- set:
+ field: event.kind
+ value: event
+- append:
+ field: related.user
+ value: "{{user.name}}"
+ if: "ctx?.user?.name != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/filebeat/module/kibana/audit/manifest.yml b/filebeat/module/kibana/audit/manifest.yml
new file mode 100644
index 000000000000..3c7412937e71
--- /dev/null
+++ b/filebeat/module/kibana/audit/manifest.yml
@@ -0,0 +1,12 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/kibana/*_audit.json
+
+ingest_pipeline:
+ - ingest/pipeline.yml
+ - ingest/pipeline-json.yml
+
+input: config/audit.yml
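Review bot: The four authentication fields declared in `_meta/fields.yml` — `kibana.authentication_provider`, `kibana.authentication_type`, `kibana.authentication_realm` and `kibana.lookup_realm` — are never renamed out of `kibana._audit_temp`, so the final `remove: field: 'kibana._audit_temp'` discards them; the expected output for the `user_login` event in `test-audit-711.log-expected.json` confirms this, as it has no `kibana.*` fields at all even though the input line carries all four. For an audit log that drops exactly the fields a detection on an unexpected realm or provider would key on, so the fields should be renamed before the remove, as below. Separately, the `if` conditions on the `kibana.*` renames use `ctx.kibana._audit_temp.kibana.session_id` without a null-safe `?.`, unlike the `process?.pid` check above; if any audit event is ever written without a `kibana` object, the condition throws and the whole document is routed to `on_failure` with only `error.message` set.
```yaml
# … unchanged: renames for session_id, space_id, saved_object, add_to_spaces, delete_from_spaces …
- rename:
    if: ctx.kibana._audit_temp.kibana?.authentication_provider != null
    target_field: kibana.authentication_provider
    field: kibana._audit_temp.kibana.authentication_provider
- rename:
    if: ctx.kibana._audit_temp.kibana?.authentication_type != null
    target_field: kibana.authentication_type
    field: kibana._audit_temp.kibana.authentication_type
- rename:
    if: ctx.kibana._audit_temp.kibana?.authentication_realm != null
    target_field: kibana.authentication_realm
    field: kibana._audit_temp.kibana.authentication_realm
- rename:
    if: ctx.kibana._audit_temp.kibana?.lookup_realm != null
    target_field: kibana.lookup_realm
    field: kibana._audit_temp.kibana.lookup_realm
- remove:
    field: 'kibana._audit_temp'
```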
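Review bot: The `on_failure` handler in `pipeline.yml` only records `error.message`, so when the nested `pipeline-json` pipeline fails partway the document is still indexed with the decoded audit record left under `kibana._audit_temp`, a field that `_meta/fields.yml` does not declare; whatever lands there presumably depends on dynamic mapping and is invisible to anything querying the documented `kibana.*` fields. I'd add a second processor to the handler, `- remove: {field: kibana._audit_temp, ignore_missing: true}`, so a failed audit event is at least compact and consistently shaped, and failed events can be found by `error.message` alone. The `related.user` append is correctly guarded with `ctx?.user?.name`.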
diff --git a/filebeat/module/kibana/audit/test/test-audit-711.log b/filebeat/module/kibana/audit/test/test-audit-711.log new file mode 100644 index 000000000000..aaa2209673ec --- /dev/null +++ b/filebeat/module/kibana/audit/test/test-audit-711.log 
@@ -0,0 +1,4 @@ +{"@timestamp":"2020-12-09T11:57:34.870-05:00","message":"User is requesting [/foo/spaces/enter] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"http_request","category":"web","outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"0.0.0.0","path":"/foo/spaces/enter","port":5603,"scheme":"https:"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"},"trace":{"id":"71a7d4d1-e9ba-474c-a844-9d9c1dc11ba5"}} +{"@timestamp":"2020-12-09T11:59:21.458-05:00","message":"User [elastic] has logged in using basic provider [name=basic]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"user_login","category":"authentication","outcome":"success"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"authentication_provider":"basic","authentication_type":"basic","authentication_realm":"reserved","lookup_realm":"reserved"},"trace":{"id":"a400bdb7-d279-44c1-b009-bc803809872f"}} +{"@timestamp":"2020-12-09T12:01:36.210-05:00","message":"User is creating index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"saved_object_create","category":"database","type":"creation","outcome":"unknown"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"b1c237a9-5edd-4653-92bc-350feb8e1530"}} +{"@timestamp":"2020-12-09T12:01:37.281-05:00","message":"User has accessed index-pattern 
[id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"saved_object_get","category":"database","type":"access","outcome":"success"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"17819e5b-187a-4107-944e-6295925d08be"}} diff --git a/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json b/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json new file mode 100644 index 000000000000..bfed337b0e3a --- /dev/null +++ b/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json 
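Review bot: All four sample lines have `event.outcome` of `success` or `unknown` and none carries an `error` object, so the `error` rename in `pipeline-json.yml` and the handling of a failed login are not exercised by this fixture; for an audit module the failed-login and access-denied shapes are the ones detections depend on most. Adding one `user_login` line with `"outcome":"failure"` and an `"error":{…}` object, with its expected output, would pin how those fields are mapped before the mapping is relied on. The file is test data, so this is a coverage gap rather than a defect in the lines shown.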
@@ -0,0 +1,113 @@ +[ + { + "@timestamp": "2020-12-09T11:57:34.870-05:00", + "event.action": "http_request", + "event.category": "web", + "event.dataset": "kibana.audit", + "event.kind": "event", + "event.module": "kibana", + "event.outcome": "unknown", + "event.timezone": "-02:00", + "fileset.name": "audit", + "http.request.method": "get", + "input.type": "log", + "kibana.space_id": "default", + "log.offset": 0, + "message": "User is requesting [/foo/spaces/enter] endpoint", + "process.pid": 20699, + "related.user": [ + "elastic" + ], + "service.type": "kibana", + "trace.id": "71a7d4d1-e9ba-474c-a844-9d9c1dc11ba5", + "url.domain": "0.0.0.0", + "url.original": "/foo/spaces/enter", + "url.path": "/foo/spaces/enter", + "url.port": 5603, + "url.scheme": "https:", + "user.name": "elastic", + "user.roles": [ + "superuser" + ] + }, + { + "@timestamp": "2020-12-09T11:59:21.458-05:00", + "event.action": "user_login", + "event.category": "authentication", + "event.dataset": "kibana.audit", + "event.kind": "event", + "event.module": "kibana", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 543, + "message": "User [elastic] has logged in using basic provider [name=basic]", + "process.pid": 20699, + "related.user": [ + "elastic" + ], + "service.type": "kibana", + "trace.id": "a400bdb7-d279-44c1-b009-bc803809872f", + "user.name": "elastic", + "user.roles": [ + "superuser" + ] + }, + { + "@timestamp": "2020-12-09T12:01:36.210-05:00", + "event.action": "saved_object_create", + "event.category": "database", + "event.dataset": "kibana.audit", + "event.kind": "event", + "event.module": "kibana", + "event.outcome": "unknown", + "event.timezone": "-02:00", + "event.type": "creation", + "fileset.name": "audit", + "input.type": "log", + "kibana.saved_object.id": "325b1500-3a40-11eb-a93c-7bbeae51ac96", + "kibana.saved_object.type": "index-pattern", + "kibana.space_id": "default", + "log.offset": 1093, + 
"message": "User is creating index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]", + "process.pid": 20699, + "related.user": [ + "elastic" + ], + "service.type": "kibana", + "trace.id": "b1c237a9-5edd-4653-92bc-350feb8e1530", + "user.name": "elastic", + "user.roles": [ + "superuser" + ] + }, + { + "@timestamp": "2020-12-09T12:01:37.281-05:00", + "event.action": "saved_object_get", + "event.category": "database", + "event.dataset": "kibana.audit", + "event.kind": "event", + "event.module": "kibana", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": "access", + "fileset.name": "audit", + "input.type": "log", + "kibana.saved_object.id": "325b1500-3a40-11eb-a93c-7bbeae51ac96", + "kibana.saved_object.type": "index-pattern", + "kibana.space_id": "default", + "log.offset": 1655, + "message": "User has accessed index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]", + "process.pid": 20699, + "related.user": [ + "elastic" + ], + "service.type": "kibana", + "trace.id": "17819e5b-187a-4107-944e-6295925d08be", + "user.name": "elastic", + "user.roles": [ + "superuser" + ] + } +] \ No newline at end of file diff --git a/filebeat/module/kibana/fields.go b/filebeat/module/kibana/fields.go index d5733c14aa17..35d51bb2cf80 100644 --- a/filebeat/module/kibana/fields.go +++ b/filebeat/module/kibana/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetKibana returns asset data. // This is the base64 encoded gzipped contents of module/kibana. func AssetKibana() string { - return "eJzMlEHO2yAQhfc+xejfhwN4UanKsuoZookZY2oM7jCoyu0rG6dyCGnaKIuf5Uz43stjxgcY6dLCaM/osQEQK45a+MiFjwZAU+zYzmKDb+FLAwDbr+F70MlRA9Bbcjq2a+8AHifaEZcjl5laMBzSvFUq1FvOnuWC+VOrwR4C8/mG/YgLBJz1FNWuWSruVQVNvGlcpUe6/Aqsi95fDKwmcmYuGGO9WeGqKhsFhd6ne0zM5CVjIfSbkbr2RIJV6XD+QZ0UrVw81c1V+XkolAtGLVKK6acaCDVxVEw9MXFVHp3F8i1mlKGFQWReMImiZMQ9Y7KGMecjnOifnX0+R9esUiQ+oCFfPskzc8vF03pRBbbGenRvC2sKQl+1Zor1tXnsKobEHSmsXn7VUOLyrz0Nh907U1k2LsVj0PVtfjpBcQ4+0oY5dfecV0xNJEMoPyH/NdJVQmnldwAAAP//jzOwrA==" + return "eJzMlk1v4zYQhu/5FQNfcqkE2+uv9WGBYruHYtFbb0UhjMWRxJoiFc4waf59QclJFVmxHdctqiPJeed5R8OPBPb0vIW93qHFOwDRYmgLk25gcgegiHOvG9HObuHLHQAcVsMvTgVDdwCFJqN4284lYLGmnmL85LmhLZTeheYwMqIav04SCuehQc/alvC9S2ZcyelhXT9fPycTs3Y20+p1apDp14rg55/AFSAVQWDyL0GAzC7XKKTgSUsFUmkGeiQrKXzDvIoE2gKKUN0IeOJghCEOQbD6IdCrlFZpD4D+xLppizqbf6LFcrVOaPN5l8zm6lOCi+UqWcxXq9litl5Mp9NJL7Ir256en5xXx24bzOmE10k0q9WL2Xb5KZeTUWZFBQYjH8DCR1KZ2/1BuaRx6Um+uOCVMEZCF3kFKHK1c+jVlaiXF/IfYa7mn5c7pabJFKeUzGa0TjbzZZGs1otNrnCtNsvN5Q5QqUxc1v5bPsnPJNFA1wVaMUiFAvjWzRMycIWeFIh7x8Bv94eWuP8B7mv0exJty/vfL4dWZEgoK7yrb0ruqXZxKAr/a/AYpCIrOseImDXePWpF/qSDtzHwEnPUPHg4Y071zw5Z57Orec9uyPdY2416NfDVvJ7Q1CeBvxlk0TkT+rwa4rfhrTI8VTqvoAim0MaQuojdouhHuhzeOLcPzYehu7AD7H/DWR6t7d/OR9BfehMA37HYt1hgtCXuX3bDq7mfVbDkNxPvYZ4FaCFe3wVlfCZE8XQ0LQsK3S7v1+A9Welk48HUgYznrklwNHV3bA2musFsHG5Uv3tlpcaVaUyVenpIK0JFnlNPBfk3J9Pf6dFoHP6LBqXaQiXSRJlALJ3EsUatS49dfcQHupjs/0f0Uqv4EkywJDv8JefgYmDWBqbO61JbNDcrVu2EflTKE49vm/ep2AWfU4qjwdcCBT+0drY43tyyKnHHBf7q1PhuPttB3DjLdJDJ8mOda6BqksoNj5APtfSowhDlrwAAAP//r8joww==" } diff --git a/filebeat/modules.d/kibana.yml.disabled b/filebeat/modules.d/kibana.yml.disabled index 759452435bfb..a4956c4b65a5 100644 --- a/filebeat/modules.d/kibana.yml.disabled +++ b/filebeat/modules.d/kibana.yml.disabled 
@@ -2,10 +2,18 @@ # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-kibana.html - module: kibana - # All logs + # Server logs log: enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + + # Audit logs + audit: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index ece51a25ecd6..18d1219f763c 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -1311,7 +1311,7 @@ filebeat.modules: #-------------------------------- Kibana Module -------------------------------- - module: kibana - # All logs + # Server logs log: enabled: true @@ -1319,6 +1319,14 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: + # Audit logs + audit: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #------------------------------- Logstash Module ------------------------------- #- module: logstash # logs