[Filebeat] Ensure Kibana audit event.category and event.type are …

…still processed as strings. (#25101) (#25185)
elastic · Apr 20, 2021 · c52c439 · c52c439
1 parent 82e1226
commit c52c439
Show file tree

Hide file tree

Showing 3 changed files with 127 additions and 2 deletions.
diff --git a/filebeat/module/kibana/audit/ingest/pipeline-json.yml b/filebeat/module/kibana/audit/ingest/pipeline-json.yml
@@ -14,15 +14,23 @@ processors:
     field: event.action
     value: "{{kibana._audit_temp.event.action}}"
 - set:
-    if: ctx.kibana._audit_temp.event.category != null
+    if: ctx.kibana._audit_temp.event.category != null && ctx.kibana._audit_temp.event.category instanceof List
+    field: event.category
+    value: "{{kibana._audit_temp.event.category.0}}"
+- set:
+    if: ctx.kibana._audit_temp.event.category != null && ctx.kibana._audit_temp.event.category instanceof String
     field: event.category
     value: "{{kibana._audit_temp.event.category}}"
 - set:
     if: ctx.kibana._audit_temp.event.outcome != null
     field: event.outcome
     value: "{{kibana._audit_temp.event.outcome}}"
 - set:
-    if: ctx.kibana._audit_temp.event.type != null
+    if: ctx.kibana._audit_temp.event.type != null && ctx.kibana._audit_temp.event.type instanceof List
+    field: event.type
+    value: "{{kibana._audit_temp.event.type.0}}"
+- set:
+    if: ctx.kibana._audit_temp.event.type != null && ctx.kibana._audit_temp.event.type instanceof String
     field: event.type
     value: "{{kibana._audit_temp.event.type}}"
 

diff --git a/filebeat/module/kibana/audit/test/test-audit-713.log b/filebeat/module/kibana/audit/test/test-audit-713.log
@@ -0,0 +1,4 @@
+{"@timestamp":"2020-12-09T11:57:34.870-05:00","message":"User is requesting [/foo/spaces/enter] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"0.0.0.0","path":"/foo/spaces/enter","port":5603,"scheme":"https:"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"},"trace":{"id":"71a7d4d1-e9ba-474c-a844-9d9c1dc11ba5"}}
+{"@timestamp":"2020-12-09T11:59:21.458-05:00","message":"User [elastic] has logged in using basic provider [name=basic]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"user_login","category":["authentication"],"outcome":"success"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"authentication_provider":"basic","authentication_type":"basic","authentication_realm":"reserved","lookup_realm":"reserved"},"trace":{"id":"a400bdb7-d279-44c1-b009-bc803809872f"}}
+{"@timestamp":"2020-12-09T12:01:36.210-05:00","message":"User is creating index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"saved_object_create","category":["database"],"type":["creation"],"outcome":"unknown"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"b1c237a9-5edd-4653-92bc-350feb8e1530"}}
+{"@timestamp":"2020-12-09T12:01:37.281-05:00","message":"User has accessed index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"saved_object_get","category":"database","type":"access","outcome":"success"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"17819e5b-187a-4107-944e-6295925d08be"}}
diff --git a/filebeat/module/kibana/audit/test/test-audit-713.log-expected.json b/filebeat/module/kibana/audit/test/test-audit-713.log-expected.json
@@ -0,0 +1,113 @@
+[
+    {
+        "@timestamp": "2020-12-09T11:57:34.870-05:00",
+        "event.action": "http_request",
+        "event.category": "web",
+        "event.dataset": "kibana.audit",
+        "event.kind": "event",
+        "event.module": "kibana",
+        "event.outcome": "unknown",
+        "event.timezone": "-02:00",
+        "fileset.name": "audit",
+        "http.request.method": "get",
+        "input.type": "log",
+        "kibana.space_id": "default",
+        "log.offset": 0,
+        "message": "User is requesting [/foo/spaces/enter] endpoint",
+        "process.pid": 20699,
+        "related.user": [
+            "elastic"
+        ],
+        "service.type": "kibana",
+        "trace.id": "71a7d4d1-e9ba-474c-a844-9d9c1dc11ba5",
+        "url.domain": "0.0.0.0",
+        "url.original": "/foo/spaces/enter",
+        "url.path": "/foo/spaces/enter",
+        "url.port": 5603,
+        "url.scheme": "https:",
+        "user.name": "elastic",
+        "user.roles": [
+            "superuser"
+        ]
+    },
+    {
+        "@timestamp": "2020-12-09T11:59:21.458-05:00",
+        "event.action": "user_login",
+        "event.category": "authentication",
+        "event.dataset": "kibana.audit",
+        "event.kind": "event",
+        "event.module": "kibana",
+        "event.outcome": "success",
+        "event.timezone": "-02:00",
+        "fileset.name": "audit",
+        "input.type": "log",
+        "log.offset": 545,
+        "message": "User [elastic] has logged in using basic provider [name=basic]",
+        "process.pid": 20699,
+        "related.user": [
+            "elastic"
+        ],
+        "service.type": "kibana",
+        "trace.id": "a400bdb7-d279-44c1-b009-bc803809872f",
+        "user.name": "elastic",
+        "user.roles": [
+            "superuser"
+        ]
+    },
+    {
+        "@timestamp": "2020-12-09T12:01:36.210-05:00",
+        "event.action": "saved_object_create",
+        "event.category": "database",
+        "event.dataset": "kibana.audit",
+        "event.kind": "event",
+        "event.module": "kibana",
+        "event.outcome": "unknown",
+        "event.timezone": "-02:00",
+        "event.type": "creation",
+        "fileset.name": "audit",
+        "input.type": "log",
+        "kibana.saved_object.id": "325b1500-3a40-11eb-a93c-7bbeae51ac96",
+        "kibana.saved_object.type": "index-pattern",
+        "kibana.space_id": "default",
+        "log.offset": 1097,
+        "message": "User is creating index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]",
+        "process.pid": 20699,
+        "related.user": [
+            "elastic"
+        ],
+        "service.type": "kibana",
+        "trace.id": "b1c237a9-5edd-4653-92bc-350feb8e1530",
+        "user.name": "elastic",
+        "user.roles": [
+            "superuser"
+        ]
+    },
+    {
+        "@timestamp": "2020-12-09T12:01:37.281-05:00",
+        "event.action": "saved_object_get",
+        "event.category": "database",
+        "event.dataset": "kibana.audit",
+        "event.kind": "event",
+        "event.module": "kibana",
+        "event.outcome": "success",
+        "event.timezone": "-02:00",
+        "event.type": "access",
+        "fileset.name": "audit",
+        "input.type": "log",
+        "kibana.saved_object.id": "325b1500-3a40-11eb-a93c-7bbeae51ac96",
+        "kibana.saved_object.type": "index-pattern",
+        "kibana.space_id": "default",
+        "log.offset": 1663,
+        "message": "User has accessed index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]",
+        "process.pid": 20699,
+        "related.user": [
+            "elastic"
+        ],
+        "service.type": "kibana",
+        "trace.id": "17819e5b-187a-4107-944e-6295925d08be",
+        "user.name": "elastic",
+        "user.roles": [
+            "superuser"
+        ]
+    }
+]