Document all fields used in auditd dashboards (#3962)
* Document all fields used in auditd dashboards

To allow the dashboards to load, all fields used in the dashboards need to be in the Kibana index pattern.

I also change pid, ppid, item, and items to just be keywords. There wasn't really a good reason for these to be stored as numbers and sometimes in the events these were set to characters like "?".

* Fix typo in field docs
andrewkroh authored and tsg committed Apr 9, 2017
1 parent ee07419 commit 2ebc2c8
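A check for the first point in the commit message: every field a dashboard references has to be declared in fields.yml, because that is what ends up in the Kibana index pattern. This is an added example, not code from the beats repository. The fields.yml excerpt and the Kibana visualization saved object are constructed for the demonstration, and the flattening is a minimal indentation walk that assumes the `- name:` / `type: group` / `fields:` layout of Beats fields.yml rather than a full YAML parser.

```python
"""Report fields a Kibana visualization references that a Beats fields.yml
does not declare (added example; not the beats project's own tooling)."""
import json
import re

# Constructed excerpt in the shape of a Beats fields.yml; not the project's file.
FIELDS_YML = """\
- key: auditd
  title: "Auditd"
  fields:
    - name: auditd
      type: group
      fields:
        - name: log
          type: group
          fields:
            - name: record_type
              description: >
                The audit event type.
            - name: sequence
              type: long
            - name: acct
            - name: pid
            - name: ppid
            - name: items
            - name: item
            - name: a0
            - name: res
"""

NAME_RE = re.compile(r"^(\s*)- name:\s*(\S+)")
TYPE_RE = re.compile(r"^\s*type:\s*(\S+)")


def declared_fields(fields_yml):
    """Flatten fields.yml into dotted leaf names such as 'auditd.log.pid'.

    A '- name:' line at a given indent pops every entry at that indent or
    deeper off the stack, so the stack always holds the current group path.
    'type: group' marks the current entry as a container, not a leaf.
    Top-level '- key:' entries are not field names and are ignored.
    """
    stack = []      # list of (indent, name)
    is_group = {}   # dotted name -> True if it is a group
    for line in fields_yml.splitlines():
        m = NAME_RE.match(line)
        if m:
            indent = len(m.group(1))
            while stack and stack[-1][0] >= indent:
                stack.pop()
            dotted = ".".join(n for _, n in stack + [(indent, m.group(2))])
            stack.append((indent, m.group(2)))
            is_group[dotted] = False
            continue
        m = TYPE_RE.match(line)
        if m and stack and m.group(1) == "group":
            is_group[".".join(n for _, n in stack)] = True
    return {name for name, grp in is_group.items() if not grp}


# Constructed Kibana visualization saved object (visState and searchSourceJSON
# are JSON strings, as Kibana stores them); not one of the module's dashboards.
VISUALIZATION = {
    "title": "Audit Event Syscall Summary",
    "visState": json.dumps({
        "type": "table",
        "aggs": [
            {"id": "1", "type": "count", "schema": "metric", "params": {}},
            {"id": "2", "type": "terms", "schema": "bucket",
             "params": {"field": "auditd.log.acct", "size": 10}},
            {"id": "3", "type": "terms", "schema": "bucket",
             "params": {"field": "auditd.log.pid", "size": 10}},
            {"id": "4", "type": "terms", "schema": "bucket",
             "params": {"field": "auditd.log.a1", "size": 10}},
        ],
    }),
    "kibanaSavedObjectMeta": {
        "searchSourceJSON": json.dumps(
            {"query": {"query_string": {"query": "auditd.log.res:failed"}}}),
    },
}


def referenced_fields(vis):
    """Fields a visualization needs: every agg 'params.field', plus dotted
    field names used as 'field:value' terms in its saved query."""
    state = json.loads(vis["visState"])
    used = {a["params"]["field"] for a in state.get("aggs", [])
            if "field" in a.get("params", {})}
    meta = vis.get("kibanaSavedObjectMeta", {})
    if "searchSourceJSON" in meta:
        used |= set(re.findall(r"([A-Za-z_][\w.]*\.\w+):", meta["searchSourceJSON"]))
    return used


def missing_fields(fields_yml, vis):
    """Referenced fields that fields.yml does not declare; these will not be in
    the index pattern, which is what stops the dashboard from loading."""
    return sorted(referenced_fields(vis) - declared_fields(fields_yml))


if __name__ == "__main__":
    for name in missing_fields(FIELDS_YML, VISUALIZATION):
        print("undeclared field:", name)
```

Run against the real module by reading `filebeat/module/auditd/log/_meta/fields.yml` and each saved object in the module's `_meta/kibana` directory in place of the constructed inputs; the check is the same.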
Showing 4 changed files with 30 additions and 43 deletions.
26 changes: 18 additions & 8 deletions filebeat/docs/fields.asciidoc
@@ -346,37 +346,47 @@ The audit event sequence number.
[float]
=== auditd.log.pid
=== auditd.log.acct
type: long
The user account name associated with the event.
[float]
=== auditd.log.pid
The ID of the process.
[float]
=== auditd.log.ppid
type: long
The ID of the process.
[float]
=== auditd.log.items
type: long
The number of items in an event.
[float]
=== auditd.log.item
type: long
The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item.
[float]
=== auditd.log.a0
The first argument to the system call.
[float]
=== auditd.log.res
The result of the system call (success or failure).
[float]
== geoip Fields
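Review bot: the text under `=== auditd.log.ppid` reads "The ID of the process.", identical to the `auditd.log.pid` entry; since this file is generated from fields.yml, fix the source description there to "The ID of the parent process." so the generated docs stop describing two different fields with the same sentence. Note also that after this change none of pid, ppid, items, item, acct, a0 or res carries a `type:` line in the rendered docs, so a reader can no longer tell from this page that they are keywords.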
13 changes: 9 additions & 4 deletions filebeat/module/auditd/log/_meta/fields.yml
@@ -28,23 +28,28 @@
type: long
description: >
The audit event sequence number.
- name: acct
description: >
The user account name associated with the event.
- name: pid
type: long
description: >
The ID of the process.
- name: ppid
type: long
description: >
The ID of the process.
- name: items
type: long
description: >
The number of items in an event.
- name: item
type: long
description: >
The item field indicates which item out of the total number of items.
This number is zero-based; a value of 0 means it is the first item.
- name: a0
description: >
The first argument to the system call.
- name: res
description: >
The result of the system call (success or failure).
- name: geoip
type: group
description: >
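Review bot: the `- name: ppid` description "The ID of the process." is copied from pid and should read "The ID of the parent process." Dropping `type: long` from pid, ppid, items and item relies on the template default to make untyped fields keywords, which is the intent stated in the commit message; writing `type: keyword` explicitly on those four entries (and on the new acct, a0 and res entries) would make that intent visible in the file and keep it stable if the default ever changes.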
28 changes: 0 additions & 28 deletions filebeat/module/auditd/log/ingest/pipeline.json
@@ -76,34 +76,6 @@
"ignore_missing": true
}
},
{
"convert": {
"field" : "auditd.log.pid",
"type": "integer",
"ignore_missing": true
}
},
{
"convert": {
"field" : "auditd.log.ppid",
"type": "integer",
"ignore_missing": true
}
},
{
"convert": {
"field" : "auditd.log.item",
"type": "integer",
"ignore_missing": true
}
},
{
"convert": {
"field" : "auditd.log.items",
"type": "integer",
"ignore_missing": true
}
},
{
"script": {
"lang": "painless",
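Review bot: removing these four convert processors changes the stored type of auditd.log.pid, ppid, item and items from integer to keyword, so any existing filebeat index created under the previous template still holds them as long while indices created after the template is reloaded hold them as keyword, and a filebeat-* index pattern spanning both will flag those fields as conflicted. The commit message should say that the index template must be reloaded (or a new index started) and that the conflict on older indices is expected rather than a regression in the dashboards.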
6 changes: 3 additions & 3 deletions filebeat/module/auditd/log/test/test.log-expected.json
@@ -59,7 +59,7 @@
"syscall": "44",
"gid": "0",
"fsgid": "0",
"pid": 1281,
"pid": "1281",
"suid": "0",
"record_type": "SYSCALL",
"uid": "0",
@@ -72,7 +72,7 @@
"euid": "0",
"sequence": 18877199,
"a0": "9",
"ppid": 1240,
"ppid": "1240",
"a1": "7f564b2672a0",
"fsuid": "0",
"exit": "184",
@@ -81,7 +81,7 @@
"success": "yes",
"tty": "(none)",
"arch": "x86_64",
"items": 0
"items": "0"
}
},
"beat": {
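Review bot: the updated expectations still cover only numeric values ("1281", "1240", "0"), so nothing in the fixture exercises the stated reason for dropping the convert processors, that these fields sometimes arrive as "?". Add a record with `pid=?` (or `ppid=?`) to test.log and its expected output here, so the keyword behaviour is pinned and a future re-introduction of a convert processor on these fields fails the test.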
