filebeat/module/auditd: teach kv about quoted spaces (#34069)

Audit messages may contain spaces when the value is quoted, so let the kv processor know how to deal with this case. (cherry picked from commit f5054f7)
elastic · Jan 18, 2023 · 787bc86 · 787bc86
1 parent 6c31bf8
commit 787bc86
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 2 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -45,6 +45,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 
 *Filebeat*
 - [google_workspace] Fix pagination and cursor value update. {pull}34274[34274]
+- Fix handling of quoted values in auditd module. {issue}22587[22587] {pull}34069[34069]
 
 
 *Heartbeat*

diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml
@@ -22,8 +22,8 @@ processors:
     - "%{AUDIT_TYPE} %{AUDIT_KEY_VALUES:auditd.log.kv}"
 - kv:
     field: auditd.log.kv
-    field_split: "\\s+"
-    value_split: "="
+    field_split: '\s(?![\w\"]+?(\s+|$))'
+    value_split: '(?<!\\)='
     target_field: auditd.log
 - kv:
     field: auditd.log.sub_kv

diff --git a/filebeat/module/auditd/log/test/audit-rhel7_2.log b/filebeat/module/auditd/log/test/audit-rhel7_2.log
@@ -0,0 +1 @@
+type=ANOM_ABEND msg=audit(1605431420.026:123): auid=12345 uid=123 gid=123 ses=123456789 pid=1234 comm="extproc" reason="memory violation" sig=6
diff --git a/filebeat/module/auditd/log/test/audit-rhel7_2.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7_2.log-expected.json
@@ -0,0 +1,32 @@
+[
+    {
+        "@timestamp": "2020-11-15T09:10:20.026Z",
+        "auditd.log.reason": "memory violation",
+        "auditd.log.record_type": "ANOM_ABEND",
+        "auditd.log.sequence": 123,
+        "auditd.log.ses": "123456789",
+        "auditd.log.sig": "6",
+        "event.action": [
+            "crashed-program"
+        ],
+        "event.category": [
+            "process"
+        ],
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=ANOM_ABEND msg=audit(1605431420.026:123): auid=12345 uid=123 gid=123 ses=123456789 pid=1234 comm=\"extproc\" reason=\"memory violation\" sig=6",
+        "event.type": [
+            "end"
+        ],
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 0,
+        "process.name": "extproc",
+        "process.pid": 1234,
+        "service.type": "auditd",
+        "user.audit.id": "12345",
+        "user.group.id": "123",
+        "user.id": "123"
+    }
+]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		type=ANOM_ABEND msg=audit(1605431420.026:123): auid=12345 uid=123 gid=123 ses=123456789 pid=1234 comm="extproc" reason="memory violation" sig=6