From 2ac28e9e82cc4131df1e8454ae25eaa84936c676 Mon Sep 17 00:00:00 2001 From: leweafan Date: Wed, 19 Apr 2023 13:55:20 +0300 Subject: [PATCH 01/14] added oracle authentication messages parsing --- .../oracle/database_audit/_meta/fields.yml | 40 ++ .../database_audit/ingest/pipeline.json | 365 ++++++++++++++++++ .../oracle/database_audit/ingest/pipeline.yml | 15 + .../module/oracle/database_audit/manifest.yml | 4 +- ...ra_9680_20230419130542916949215077.aud.log | 18 + ...19130542916949215077.aud.log-expected.json | 44 +++ x-pack/filebeat/module/oracle/fields.go | 2 +- 7 files changed, 485 insertions(+), 3 deletions(-) create mode 100644 x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json create mode 100644 x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log create mode 100644 x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json diff --git a/x-pack/filebeat/module/oracle/database_audit/_meta/fields.yml b/x-pack/filebeat/module/oracle/database_audit/_meta/fields.yml index 3ad920796c0..a6b406b08cc 100644 --- a/x-pack/filebeat/module/oracle/database_audit/_meta/fields.yml +++ b/x-pack/filebeat/module/oracle/database_audit/_meta/fields.yml 
@@ -3,6 +3,46 @@ description: > Module for parsing Oracle Database audit logs fields: + - name: priv_used + type: integer + description: > + System privilege used to execute the action. + + - name: returncode + type: integer + description: > + Oracle error code generated by the action. + + - name: statement + type: integer + description: > + nth statement in the user session. + + - name: userid + type: keyword + description: > + Name of the user whose actions were audited. + + - name: entryid + type: integer + description: > + Numeric ID for each audit trail entry in the session. The entry ID is an index of a session's audit entries that starts at 1 and increases to the number of entries that are written. + + - name: comment_text + type: text + description: > + Text comment on the audit trail entry, providing more information about the statement audited. + + - name: os_userid + type: keyword + description: > + Operating system login username of the user whose actions were audited. + + - name: terminal + type: text + description: > + Identifier of the user's terminal. + - name: status type: keyword description: > diff --git a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json new file mode 100644 index 00000000000..c1e7f9b8e3c --- /dev/null +++ b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json 
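Review bot: `priv_used`, `returncode`, `statement` and `entryid` are declared `type: integer`, but nothing in the pipeline added by this patch converts them, so they are emitted as strings (`"returncode": "0"` in the expected output) and the pipeline's own conditions compare them as strings (`returncode == '1017'`). Either add `convert` processors (`type: long`) ahead of those comparisons or declare the fields `keyword`; as written the mapping only works through index-time coercion and the fixtures do not reflect the declared type. `terminal` is declared `text`, yet it is an identifier one filters and aggregates on, like `os_userid` next to it; it should be `keyword`.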
@@ -0,0 +1,365 @@ +{ + "description": "Pipeline for parsing Oracle Audit logs", + "processors": [ + { + "set": { + "field": "event.ingested", + "value": "{{_ingest.timestamp}}" + } + }, + { + "set": { + "field": "event.action", + "value": "database_audit" + } + }, + { + "set": { + "field": "event.kind", + "value": "event" + } + }, + { + "set": { + "value": "database", + "field": "event.category" + } + }, + { + "set": { + "value": "access", + "field": "event.type" + } + }, + { + "set": { + "value": "success", + "field": "event.outcome" + } + }, + { + "grok": { + "field": "message", + "patterns": [ + "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH : '%{GREEDYDATA:LENGTH}'\\\n(?m)%{GREEDYDATA:audit}", + "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH: \"%{GREEDYDATA:LENGTH}\"\\\n(?m)%{GREEDYDATA:auth}" + ] + } + }, + { + "gsub": { + "field": "auth", + "pattern": "\" ", + "replacement": "\"\\|", + "ignore_missing": true + } + }, + { + "kv": { + "field": "audit", + "field_split": "\\\n(?=[a-zA-Z])", + "value_split": ":\\S\\d+\\S(?= ')", + "prefix": "oracle.database_audit.", + "trim_key": " ", + "trim_value": " '", + "if": "ctx?.audit != null && ctx?.auth == null" + } + }, + { + "kv": { + "field": "auth", + "field_split": "\\|", + "value_split": ":\\S\\d+\\S(?= \")", + "prefix": "oracle.database_audit.", + "trim_key": " ", + "trim_value": "\" ", + "if": "ctx?.auth != null" + } + }, + { + "rename": { + "field": "auth", + "target_field": "audit", + "ignore_missing": true + } + }, + { + "grok": { + "field": "log.file.path", + "patterns": [ + "%{BASE10NUM:process.pid}\\_%{BASE10NUM}\\.aud(\\.log)?$" + ] + } + }, + { + "script": { + "lang": "painless", + "source": "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(entry -> entry.getKey().toLowerCase(), Map.Entry::getValue));", + "if": "ctx?.oracle?.database_audit != null" + } + }, + { + "script": { + "lang": "painless", + "source": "ctx.oracle.database_audit = 
ctx?.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace(' ', '_'), e -> e.getValue()));", + "if": "ctx?.oracle?.database_audit != null" + } + }, + { + "script": { + "lang": "painless", + "source": "ctx.oracle.database_audit = ctx?.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace('$', '_'), e -> e.getValue()));", + "if": "ctx?.oracle?.database_audit != null" + } + }, + { + "grok": { + "field": "oracle.database_audit.comment$text", + "patterns": [ + "Authenticated by: DATABASE; Client address: \\(ADDRESS=\\(PROTOCOL=%{WORD:network.transport}\\)\\(HOST=%{IP:source.ip}\\)\\(PORT=%{INT:source.port}\\)\\)" + ], + "ignore_missing": true + } + }, + { + "script": { + "source": "def x = ctx.oracle.database_audit.action_number;\nif (x == 100) {\n ctx.oracle.database_audit.action = \"LOGON\";\n}\nif (x == 101) {\n ctx.oracle.database_audit.action = \"LOGOFF\";\n}\nif (x == 102) {\n ctx.oracle.database_audit.action = \"LOGOFF BY CLEANUP\";\n}", + "if": "[100, 101, 102].contains(ctx?.oracle?.database_audit?.action_number)" + } + }, + { + "append": { + "field": "event.category", + "value": [ + "authentication" + ], + "if": "(ctx?.oracle?.database_audit?.action == '100' && ['0', '1017'].contains(ctx?.oracle?.database_audit?.returncode)) || ['101', '102'].contains(ctx?.oracle?.database_audit?.action)" + } + }, + { + "append": { + "field": "event.action", + "value": [ + "logon-failed" + ], + "if": "ctx?.oracle?.database_audit?.action == '100' && ctx?.oracle?.database_audit?.returncode == '1017'" + } + }, + { + "append": { + "field": "event.action", + "value": [ + "logged-in" + ], + "if": "ctx?.oracle?.database_audit?.action == '100' && ctx?.oracle?.database_audit?.returncode == '0'" + } + }, + { + "append": { + "field": "event.action", + "value": [ + "logout" + ], + "if": "['101', '102'].contains(ctx?.oracle?.database_audit?.action)" + } + }, + { + "set": { + "field": "event.outcome", + "value": 
"failure", + "if": "ctx?.oracle?.database_audit?.action == '100' && ctx?.oracle?.database_audit?.returncode == '1017'" + } + }, + { + "gsub": { + "field": "oracle.database_audit.action", + "pattern": "\\n", + "replacement": "", + "if": "ctx?.oracle?.database_audit?.action != null" + } + }, + { + "gsub": { + "field": "oracle.database_audit.action", + "pattern": "\\s{2,}", + "replacement": " ", + "if": "ctx?.oracle?.database_audit?.action != null" + } + }, + { + "trim": { + "field": "oracle.database_audit.action_number", + "ignore_missing": true + } + }, + { + "script": { + "if": "ctx?.oracle?.database_audit != null", + "source": "void handleMap(Map map) {\n for (def x : map.values()) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n map.values().removeIf(v -> v instanceof String && v.isEmpty() == true);\n}\nvoid handleList(List list) {\n for (def x : list) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n}\nhandleMap(ctx);\n", + "lang": "painless" + } + }, + { + "remove": { + "field": [ + "@timestamp" + ], + "ignore_missing": true + } + }, + { + "date": { + "target_field": "@timestamp", + "formats": [ + "EEE MMM [ d][dd] HH:mm:ss uuuu XXX" + ], + "field": "tmp_timestamp" + } + }, + { + "grok": { + "patterns": [ + "%{ISO8601_TIMEZONE:event.timezone}$" + ], + "field": "tmp_timestamp" + } + }, + { + "rename": { + "ignore_missing": true, + "field": "oracle.database_audit.privilege", + "target_field": "user.roles" + } + }, + { + "rename": { + "field": "LENGTH", + "target_field": "oracle.database_audit.length", + "ignore_missing": true + } + }, + { + "rename": { + "ignore_missing": true, + "field": "oracle.database_audit.client_user", + "target_field": "client.user.name" + } + }, + { + "rename": { + "field": "oracle.database_audit.client_address", + "target_field": "client.address", + "ignore_missing": true + } + }, + { + "rename": { + "target_field": 
"server.address", + "ignore_missing": true, + "field": "oracle.database_audit.userhost" + } + }, + { + "rename": { + "field": "oracle.database_audit.database_user", + "target_field": "server.user.name", + "ignore_missing": true + } + }, + { + "convert": { + "field": "oracle.database_audit.length", + "type": "long", + "ignore_missing": true, + "if": "ctx?.oracle?.database_audit != null" + } + }, + { + "grok": { + "patterns": [ + "(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})" + ], + "ignore_failure": true, + "ignore_missing": true, + "field": "client.address" + } + }, + { + "grok": { + "patterns": [ + "(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})" + ], + "ignore_failure": true, + "ignore_missing": true, + "field": "server.address" + } + }, + { + "rename": { + "field": "oracle.database_audit.sessionid", + "target_field": "oracle.database_audit.session_id", + "ignore_missing": true + } + }, + { + "rename": { + "ignore_missing": true, + "field": "oracle.database_audit.client_terminal", + "target_field": "oracle.database_audit.client.terminal" + } + }, + { + "rename": { + "field": "oracle.database_audit.client_address", + "target_field": "oracle.database_audit.client.address", + "ignore_missing": true + } + }, + { + "rename": { + "field": "oracle.database_audit.database_user", + "target_field": "oracle.database_audit.database.user", + "ignore_missing": true + } + }, + { + "rename": { + "field": "oracle.database_audit.userhost", + "target_field": "oracle.database_audit.database.host", + "ignore_missing": true + } + }, + { + "rename": { + "field": "oracle.database_audit.dbid", + "target_field": "oracle.database_audit.database.id", + "ignore_missing": true + } + }, + { + "rename": { + "ignore_missing": true, + "field": "oracle.database_audit.entry_id", + "target_field": "oracle.database_audit.entry.id" + } + }, + { + "remove": { + "field": [ + "tmp_timestamp", + "audit", + "message" + ], + "ignore_missing": true + } + } + ], + "on_failure": [ + { + "set": { + "field": 
"error.message", + "value": "{{ _ingest.on_failure_message }}" + } + } + ] +} diff --git a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml index b6da775a852..657d0116ccb 100644 --- a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml +++ b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml @@ -22,6 +22,13 @@ processors: field: message patterns: - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH : '%{GREEDYDATA:LENGTH}'\\\n(?m)%{GREEDYDATA:audit}" + - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH: \"%{GREEDYDATA:LENGTH}\"\\\n(?m)%{GREEDYDATA:auth}" + - gsub: + field: "auth" + pattern: "\"\s" + replacement: "\"|" + ignore_missing: true + if: ctx?.auth != null - kv: field: audit field_split: "\\\n(?=[a-zA-Z])" @@ -29,6 +36,7 @@ processors: trim_value: " '" trim_key: " " prefix: oracle.database_audit. + if: ctx?.audit != null - grok: field: log.file.path patterns: @@ -37,21 +45,26 @@ processors: - script: source: "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(entry -> entry.getKey().toLowerCase(), Map.Entry::getValue));" lang: painless + if: ctx?.oracle?.database_audit != null # Replace all field names that has spaces in them with _ - script: lang: painless source: "ctx.oracle.database_audit = ctx?.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace(' ', '_'), e -> e.getValue()));" + if: ctx?.oracle?.database_audit != null - gsub: field: "oracle.database_audit.action" pattern: "\\n" replacement: "" + if: ctx?.oracle?.database_audit != null - gsub: field: "oracle.database_audit.action" pattern: "\\s{2,}" replacement: " " + if: ctx?.oracle?.database_audit != null - trim: field: "oracle.database_audit.action_number" ignore_missing: true + if: ctx?.oracle?.database_audit != null # Removes all null values from ctx.* - script: lang: painless 
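Review bot: A failed logon with any return code other than 1017 is indexed as a success: `event.outcome` is set to `success` unconditionally near the top of the pipeline and only the `returncode == '1017'` branches flip it to `failure`, add `logon-failed` and the `authentication` category, so every other authentication failure looks like a successful login to a detection keyed on `event.outcome`. I would gate the failure branches on `ctx?.oracle?.database_audit?.action == '100' && ctx?.oracle?.database_audit?.returncode != '0'` and the category append on `action == '100'` alone. The grok that extracts `source.ip`/`source.port` reads `oracle.database_audit.comment$text`, but it runs after the script that replaced `$` with `_` in every key, so it never matches (the expected output in this patch has no `source.*`); the field should be `oracle.database_audit.comment_text`. The LOGON/LOGOFF script checks `[100, 101, 102].contains(...action_number)` against a value the kv processor produced as a string, so it cannot be true either. Splitting the auth record on a quote followed by a space is also fragile — values such as TERMINAL and OS$USERID are, as far as I know, reported by the client — whereas the `[N]` length prefix the format carries would be an unambiguous delimiter.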
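Review bot: The added gsub uses `pattern: "\"\s"`; inside a YAML double-quoted scalar `\s` is not a defined escape, so most YAML loaders will reject this file, while the JSON copy of the same processor uses a literal space. Use `pattern: "\" "` (or `"\"\\s"` if a regex whitespace class is intended). The `if: ctx?.auth != null` on a processor that already sets `ignore_missing: true` is redundant but harmless.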
@@ -118,6 +131,7 @@ processors: field: oracle.database_audit.length type: long ignore_missing: true + if: ctx?.oracle?.database_audit != null - grok: field: client.address patterns: @@ -165,6 +179,7 @@ processors: - tmp_timestamp - audit - message + - auth ignore_missing: true on_failure: - set: diff --git a/x-pack/filebeat/module/oracle/database_audit/manifest.yml b/x-pack/filebeat/module/oracle/database_audit/manifest.yml index f297355c48c..9729fc203e7 100644 --- a/x-pack/filebeat/module/oracle/database_audit/manifest.yml +++ b/x-pack/filebeat/module/oracle/database_audit/manifest.yml @@ -10,5 +10,5 @@ var: default: file ingest_pipeline: - - ingest/pipeline.yml -input: config/config.yml \ No newline at end of file + - ingest/pipeline.json +input: config/config.yml diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log new file mode 100644 index 00000000000..43844dc0f93 --- /dev/null +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log 
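Review bot: Switching `ingest_pipeline` to `ingest/pipeline.json` leaves `ingest/pipeline.yml` unreferenced while this same commit still edits it, so the module now carries two copies of the pipeline that already disagree (the JSON kv processor is gated on `ctx?.audit != null && ctx?.auth == null`, the YAML one only on `ctx?.audit != null`). Keep one: either delete `pipeline.yml` here or keep it as the single source and drop the JSON. The fixtures only exercise whichever file the manifest names, so drift in the other copy will go unnoticed.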
@@ -0,0 +1,18 @@
+Audit file /opt/oracle/admin/ORCLCDB/adump/ORCLCDB_m005_24958_20201007115707242540239811.aud
+Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
+Version 19.3.0.0.0
+Build label: RDBMS_19.3.0.0.0DBRU_LINUX.X64_190417
+ORACLE_HOME: /opt/oracle/product/19c/dbhome_1
+System name: Linux
+Node name: testlab.local
+Release: 3.10.0-1127.el7.x86_64
+Version: #1 SMP Tue Mar 31 23:36:51 UTC 2020
+Machine: x86_64
+Instance name: ORCLCDB
+Redo thread mounted by this instance: 1
+Oracle process number: 50
+Unix process pid: 24958, image: oracle@testlab.local (M005)
+
+Tue Apr 18 14:38:18 2023 +03:00
+LENGTH: "357"
+SESSIONID:[10] "4294967295" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[6] "ZABBIX" USERHOST:[14] "9mmtdmz-gdzp02" TERMINAL:[5] "pts/0" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[100] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.232.109.62)(PORT=58864))" OS$USERID:[6] "zabbix" DBID:[10] "1956306463" PRIV$USED:[1] "5"
diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json
new file mode 100644
index 00000000000..64839e9994a
--- /dev/null
+++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json
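Review bot: The fixture carries what look like real internal identifiers — host `9mmtdmz-gdzp02`, client address `10.232.109.62`, user `ZABBIX`; patch 02 of this series replaces them with `testhost`/`10.10.10.10`, but the originals stay in this commit's history once pushed. Squash the fixture into its sanitised form before merging so only the scrubbed version is published. The header line names `ORCLCDB_m005_24958_...aud` while the file is named `..._9680_...`; harmless for the `log.file.path` grok, but confusing for anyone reading the sample.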
@@ -0,0 +1,44 @@ +[ + { + "@timestamp": "2023-04-18T11:38:18.000Z", + "event.action": [ + "database_audit", + "logged-in" + ], + "event.category": [ + "authentication", + "database" + ], + "event.dataset": "oracle.database_audit", + "event.kind": "event", + "event.module": "oracle", + "event.outcome": "success", + "event.timezone": "+03:00", + "event.type": "access", + "fileset.name": "database_audit", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 573, + "oracle.database_audit.action": "100", + "oracle.database_audit.comment_text": "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.232.109.62)(PORT=58864))", + "oracle.database_audit.database.id": "1956306463", + "oracle.database_audit.entryid": "1", + "oracle.database_audit.length": 357, + "oracle.database_audit.os_userid": "zabbix", + "oracle.database_audit.priv_used": "5", + "oracle.database_audit.returncode": "0", + "oracle.database_audit.session_id": "4294967295", + "oracle.database_audit.statement": "1", + "oracle.database_audit.terminal": "pts/0", + "oracle.database_audit.userid": "ZABBIX", + "process.pid": "9680", + "server.address": "9mmtdmz-gdzp02", + "server.domain": "9mmtdmz-gdzp02", + "service.type": "oracle", + "tags": [ + "oracle-database-audit" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/oracle/fields.go b/x-pack/filebeat/module/oracle/fields.go index b79bd76718e..fd0a900a36f 100644 --- a/x-pack/filebeat/module/oracle/fields.go +++ b/x-pack/filebeat/module/oracle/fields.go @@ -19,5 +19,5 @@ func init() { // AssetOracle returns asset data. // This is the base64 encoded zlib format compressed contents of module/oracle. func AssetOracle() string { - return "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" + return "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" } From 55ae81950f9feb9c84eba7f06c4dba4fbe930ed3 Mon Sep 17 00:00:00 2001 
From: leweafan Date: Wed, 19 Apr 2023 15:36:46 +0300 Subject: [PATCH 02/14] added oracle new authentication messages parsing --- .../oracle/database_audit/_meta/fields.yml | 25 +++++++ ...ra_9680_20230419130542916949215077.aud.log | 12 +++- ...19130542916949215077.aud.log-expected.json | 67 +++++++++++++++---- x-pack/filebeat/module/oracle/fields.go | 2 +- 4 files changed, 89 insertions(+), 17 deletions(-) diff --git a/x-pack/filebeat/module/oracle/database_audit/_meta/fields.yml b/x-pack/filebeat/module/oracle/database_audit/_meta/fields.yml index a6b406b08cc..65e288cae0a 100644 --- a/x-pack/filebeat/module/oracle/database_audit/_meta/fields.yml +++ b/x-pack/filebeat/module/oracle/database_audit/_meta/fields.yml @@ -8,6 +8,31 @@ description: > System privilege used to execute the action. + - name: logoff_pread + type: integer + description: > + Physical reads for the session. + + - name: logoff_lread + type: integer + description: > + Logical reads for the session. + + - name: logoff_lwrite + type: integer + description: > + Logical writes for the session. + + - name: logoff_dead + type: integer + description: > + Deadlocks detected during the session. + + - name: sessioncpu + type: integer + description: > + Amount of CPU time used by each Oracle session. + - name: returncode type: integer description: > diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log index 43844dc0f93..93097a288fa 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log 
@@ -13,6 +13,14 @@ Redo thread mounted by this instance: 1
 Oracle process number: 50
 Unix process pid: 24958, image: oracle@testlab.local (M005)
 
-Tue Apr 18 14:38:18 2023 +03:00
+Tue Apr 18 14:37:18 2023 +03:00
 LENGTH: "357"
-SESSIONID:[10] "4294967295" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[6] "ZABBIX" USERHOST:[14] "9mmtdmz-gdzp02" TERMINAL:[5] "pts/0" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[100] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.232.109.62)(PORT=58864))" OS$USERID:[6] "zabbix" DBID:[10] "1956306463" PRIV$USED:[1] "5"
+SESSIONID:[10] "4294967295" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[8] "SHERLOCK" USERHOST:[8] "testhost" TERMINAL:[5] "pts/0" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[100] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.10)(PORT=58864))" OS$USERID:[8] "sherlock" DBID:[10] "1956306463" PRIV$USED:[1] "5"
+
+Tue Apr 18 14:38:18 2023 +03:00
+LENGTH: "340"
+SESSIONID:[7] "4993385" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[6] "SYSTEM" USERHOST:[8] "testhost" TERMINAL:[5] "pts/1" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[97] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.10)(PORT=34254))" OS$USERID:[6] "oracle" DBID:[10] "1956306463"
+
+Tue Apr 18 14:39:18 2023 +03:00
+LENGTH: "226"
+SESSIONID:[8] "10188168" ENTRYID:[1] "1" USERID:[8] "SHERLOCK" ACTION:[3] "101" RETURNCODE:[1] "0" LOGOFF$PREAD:[1] "0" LOGOFF$LREAD:[2] "94" LOGOFF$LWRITE:[1] "4" LOGOFF$DEAD:[1] "0" DBID:[10] "2433780671" SESSIONCPU:[1] "0"
diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json
index 64839e9994a..be78709d56a 100644
--- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json
+++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json @@ -3,7 +3,7 @@ "@timestamp": "2023-04-18T11:38:18.000Z", "event.action": [ "database_audit", - "logged-in" + "logon-failed" ], "event.category": [ "authentication", @@ -12,7 +12,7 @@ "event.dataset": "oracle.database_audit", "event.kind": "event", "event.module": "oracle", - "event.outcome": "success", + "event.outcome": "failure", "event.timezone": "+03:00", "event.type": "access", "fileset.name": "database_audit", 
@@ -20,22 +20,61 @@ "log.flags": [ "multiline" ], - "log.offset": 573, + "log.offset": 971, "oracle.database_audit.action": "100", - "oracle.database_audit.comment_text": "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.232.109.62)(PORT=58864))", - "oracle.database_audit.database.id": "1956306463", + "oracle.database_audit.comment_text": "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.10)(PORT=34254))", + "oracle.database_audit.database.id": "1956306463\n", "oracle.database_audit.entryid": "1", - "oracle.database_audit.length": 357, - "oracle.database_audit.os_userid": "zabbix", - "oracle.database_audit.priv_used": "5", - "oracle.database_audit.returncode": "0", - "oracle.database_audit.session_id": "4294967295", + "oracle.database_audit.length": 340, + "oracle.database_audit.os_userid": "oracle", + "oracle.database_audit.returncode": "1017", + "oracle.database_audit.session_id": "4993385", "oracle.database_audit.statement": "1", - "oracle.database_audit.terminal": "pts/0", - "oracle.database_audit.userid": "ZABBIX", + "oracle.database_audit.terminal": "pts/1", + "oracle.database_audit.userid": "SYSTEM", + "process.pid": "9680", + "server.address": "testhost", + "server.domain": "testhost", + "service.type": "oracle", + "tags": [ + "oracle-database-audit" + ] + }, + { + "@timestamp": "2023-04-18T11:39:18.000Z", + "event.action": [ + "database_audit", + "logout" + ], + "event.category": [ + "authentication", + "database" + ], + "event.dataset": "oracle.database_audit", + "event.kind": "event", + "event.module": "oracle", + "event.outcome": "success", + "event.timezone": "+03:00", + "event.type": "access", + "fileset.name": "database_audit", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 1345, + "oracle.database_audit.action": "101", + "oracle.database_audit.database.id": "2433780671", + "oracle.database_audit.entryid": "1", + "oracle.database_audit.length": 226, + 
"oracle.database_audit.logoff_dead": "0", + "oracle.database_audit.logoff_lread": "94", + "oracle.database_audit.logoff_lwrite": "4", + "oracle.database_audit.logoff_pread": "0", + "oracle.database_audit.returncode": "0", + "oracle.database_audit.session_id": "10188168", + "oracle.database_audit.sessioncpu": "0", + "oracle.database_audit.userid": "SHERLOCK", "process.pid": "9680", - "server.address": "9mmtdmz-gdzp02", - "server.domain": "9mmtdmz-gdzp02", "service.type": "oracle", "tags": [ "oracle-database-audit" diff --git a/x-pack/filebeat/module/oracle/fields.go b/x-pack/filebeat/module/oracle/fields.go index fd0a900a36f..0a43da288a2 100644 --- a/x-pack/filebeat/module/oracle/fields.go +++ b/x-pack/filebeat/module/oracle/fields.go @@ -19,5 +19,5 @@ func init() { // AssetOracle returns asset data. // This is the base64 encoded zlib format compressed contents of module/oracle. func AssetOracle() string { - return "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" + return "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" } From 572f695b2d2c34e2242ddbba7148980b2991afd3 Mon Sep 17 00:00:00 2001 From: leweafan Date: Wed, 19 Apr 2023 15:42:11 +0300 Subject: [PATCH 03/14] Updated for PR 35127 --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 7fd26011588..93421b4da64 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
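Review bot: The expected output now pins `"oracle.database_audit.database.id": "1956306463\n"` — a trailing newline in the failed-logon record, where DBID is the last key and the kv `trim_value` of quote-plus-space does not strip the record terminator. That is a pipeline bug being committed as expected behaviour; strip `\n` from the auth field (or include it in `trim_value`) and regenerate the fixture. The log file in this patch holds three records (successful logon at 14:37:18, failed logon, logoff) but only two appear here, so the `logged-in` path this series adds is no longer exercised by the test — possibly the first record is absorbed into the header block by multiline settings outside this series, which is worth confirming. The enclosing JSON array starts before the hunk.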
@@ -258,6 +258,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415 - Mention `mito` CEL tool in CEL input docs. {pull}34959[34959] - Add nginx ingress_controller parsing if one of upstreams fails to return response {pull}34787[34787] - Allow neflow v9 and ipfix templates to be shared between source addresses. {pull}35036[35036] +- Add oracle authentication messages parsing {pull}35127[35127] *Auditbeat* - Migration of system/package module storage from gob encoding to flatbuffer encoding in bolt db. {pull}34817[34817] From 35766e523cbb46c4ee9b70e23898a48d305c45af Mon Sep 17 00:00:00 2001 From: leweafan Date: Wed, 19 Apr 2023 15:55:22 +0300 Subject: [PATCH 04/14] added oracle new fields --- filebeat/docs/fields.asciidoc | 130 ++++++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 4472b073854..c4ab88ea485 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -112476,6 +112476,136 @@ Module for parsing Oracle Database audit logs +*`oracle.database_audit.priv_used`*:: ++ +-- +System privilege used to execute the action. + + +type: integer + +-- + +*`oracle.database_audit.logoff_pread`*:: ++ +-- +Physical reads for the session. + + +type: integer + +-- + +*`oracle.database_audit.logoff_lread`*:: ++ +-- +Logical reads for the session. + + +type: integer + +-- + +*`oracle.database_audit.logoff_lwrite`*:: ++ +-- +Logical writes for the session. + + +type: integer + +-- + +*`oracle.database_audit.logoff_dead`*:: ++ +-- +Deadlocks detected during the session. + + +type: integer + +-- + +*`oracle.database_audit.sessioncpu`*:: ++ +-- +Amount of CPU time used by each Oracle session. + + +type: integer + +-- + +*`oracle.database_audit.returncode`*:: ++ +-- +Oracle error code generated by the action. + + +type: integer + +-- + +*`oracle.database_audit.statement`*:: ++ +-- +nth statement in the user session. + + +type: integer + +-- + +*`oracle.database_audit.userid`*:: ++ +-- +Name of the user whose actions were audited. + + +type: keyword + +-- + +*`oracle.database_audit.entryid`*:: ++ +-- +Numeric ID for each audit trail entry in the session. The entry ID is an index of a session's audit entries that starts at 1 and increases to the number of entries that are written. + + +type: integer + +-- + +*`oracle.database_audit.comment_text`*:: ++ +-- +Text comment on the audit trail entry, providing more information about the statement audited. + + +type: text + +-- + +*`oracle.database_audit.os_userid`*:: ++ +-- +Operating system login username of the user whose actions were audited. + + +type: keyword + +-- + +*`oracle.database_audit.terminal`*:: ++ +-- +Identifier of the user's terminal. + + +type: text + +-- + *`oracle.database_audit.status`*:: + -- From 8ac98502fe3f9279a710be7b7d4641195c8c6f49 Mon Sep 17 00:00:00 2001 
From: leweafan Date: Wed, 19 Apr 2023 19:56:23 +0300 Subject: [PATCH 05/14] updated oracle database_audit pipeline --- .../database_audit/ingest/pipeline.json | 89 +++ ...07122838056263426565.aud.log-expected.json | 24 + ...07115808319837620840.aud.log-expected.json | 76 +++ ...07123022392204603031.aud.log-expected.json | 234 +++++++ ...07113805036530435635.aud.log-expected.json | 36 ++ ...07130106080227473114.aud.log-expected.json | 3 + ...07130106085635422771.aud.log-expected.json | 3 + ...07115707242540239811.aud.log-expected.json | 300 +++++++++ ...07131744782913507561.aud.log-expected.json | 24 + ...07105245091084628324.aud.log-expected.json | 3 + ...07105751018661587803.aud.log-expected.json | 6 + ...07105751904399925443.aud.log-expected.json | 18 + ...07105801980871631378.aud.log-expected.json | 42 ++ ...07105802970031936241.aud.log-expected.json | 42 ++ ...07105803021897922657.aud.log-expected.json | 72 +++ ...07105803053277493103.aud.log-expected.json | 42 ++ ...07105804019827529526.aud.log-expected.json | 24 + ...07105804045603856206.aud.log-expected.json | 600 ++++++++++++++++++ ...07130533504494345257.aud.log-expected.json | 18 + ...07130542916949215077.aud.log-expected.json | 12 + ...19130542916949215077.aud.log-expected.json | 3 + 21 files changed, 1671 insertions(+) diff --git a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json index c1e7f9b8e3c..f0b3dedfea3 100644 --- a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json +++ b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json 
@@ -352,6 +352,95 @@ ], "ignore_missing": true } + }, + { + "geoip": { + "field": "source.ip", + "target_field": "source.geo", + "ignore_missing": true + } + }, + { + "geoip": { + "target_field": "source.as", + "properties": [ + "asn", + "organization_name" + ], + "ignore_missing": true, + "database_file": "GeoLite2-ASN.mmdb", + "field": "source.ip" + } + }, + { + "rename": { + "target_field": "source.as.number", + "ignore_missing": true, + "field": "source.as.asn" + } + }, + { + "rename": { + "field": "source.as.organization_name", + "target_field": "source.as.organization.name", + "ignore_missing": true + } + }, + { + "append": { + "value": "{{source.ip}}", + "if": "ctx?.source?.ip != null", + "allow_duplicates": false, + "field": "related.ip" + } + }, + { + "append": { + "value": "{{client.ip}}", + "if": "ctx?.client?.ip != null", + "allow_duplicates": false, + "field": "related.ip" + } + }, + { + "append": { + "value": "{{server.ip}}", + "if": "ctx?.server?.ip != null", + "allow_duplicates": false, + "field": "related.ip" + } + }, + { + "append": { + "field": "related.user", + "value": "{{client.user.name}}", + "allow_duplicates": false, + "if": "ctx?.client?.user?.name != null && ctx?.client?.user?.name != '/'" + } + }, + { + "append": { + "field": "related.user", + "value": "{{server.user.name}}", + "allow_duplicates": false, + "if": "ctx?.server?.user?.name != null && ctx?.server?.user?.name != '/'" + } + }, + { + "append": { + "value": "{{server.domain}}", + "if": "ctx?.server?.domain != null", + "allow_duplicates": false, + "field": "related.hosts" + } + }, + { + "append": { + "value": "{{client.domain}}", + "if": "ctx?.client?.domain != null", + "allow_duplicates": false, + "field": "related.hosts" + } } ], "on_failure": [ 
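Review bot: The geoip and `related.ip` processors added on `source.ip` have nothing to consume: as far as this series shows, the only processor that writes `source.ip` groks `oracle.database_audit.comment$text`, a key that no longer exists after the earlier `$`-to-`_` rename script, so `source.geo` and `source.as` will never be populated. Fix that grok's field to `oracle.database_audit.comment_text` before stacking enrichment on it. `related.user` is only fed from `client.user.name`/`server.user.name`, which the new authentication records never set — `USERID` and `OS$USERID` stay under `oracle.database_audit.*` — so logon/logoff events carry no `user.name` or `related.user` and cannot be correlated by user with other authentication sources. I would add a `rename` of `oracle.database_audit.userid` to `user.name` (keeping `os_userid` alongside it) and append both to `related.user` under the same non-`/` guard used here.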
diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_j002_28264_20201007122838056263426565.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_j002_28264_20201007122838056263426565.aud.log-expected.json index c699e73e9f8..851b3747a48 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_j002_28264_20201007122838056263426565.aud.log-expected.json +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_j002_28264_20201007122838056263426565.aud.log-expected.json @@ -23,6 +23,12 @@ "oracle.database_audit.session_id": "20003", "oracle.database_audit.status": "0", "process.pid": "28264", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "SYS" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "SYS", @@ -56,6 +62,12 @@ "oracle.database_audit.session_id": "20003", "oracle.database_audit.status": "0", "process.pid": "28264", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "SYS" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "SYS", @@ -89,6 +101,12 @@ "oracle.database_audit.session_id": "20003", "oracle.database_audit.status": "0", "process.pid": "28264", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "SYS" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "SYS", @@ -122,6 +140,12 @@ "oracle.database_audit.session_id": "20003", "oracle.database_audit.status": "0", "process.pid": "28264", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "SYS" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "SYS", 
diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m000_25412_20201007115808319837620840.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m000_25412_20201007115808319837620840.aud.log-expected.json index f92299eedea..51b8b183c10 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m000_25412_20201007115808319837620840.aud.log-expected.json +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m000_25412_20201007115808319837620840.aud.log-expected.json @@ -23,6 +23,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -58,6 +61,12 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], + "related.ip": [ + "192.168.2.2" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -93,6 +102,10 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "test.local", + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -126,6 +139,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -159,6 +175,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -192,6 +211,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -225,6 +247,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -258,6 +283,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -291,6 +319,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -324,6 +355,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -357,6 +391,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -390,6 +427,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -423,6 +463,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -456,6 +499,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -489,6 +535,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -522,6 +571,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -555,6 +607,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -588,6 +643,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -621,6 +679,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -654,6 +715,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -687,6 +751,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -720,6 +787,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -753,6 +823,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -786,6 +859,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "25412", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m002_28369_20201007123022392204603031.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m002_28369_20201007123022392204603031.aud.log-expected.json index 5eb038221d3..a108d52dab3 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m002_28369_20201007123022392204603031.aud.log-expected.json +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m002_28369_20201007123022392204603031.aud.log-expected.json 
@@ -23,6 +23,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -56,6 +59,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -89,6 +95,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -122,6 +131,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -155,6 +167,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -188,6 +203,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -221,6 +239,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -254,6 +275,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -287,6 +311,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -320,6 +347,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -353,6 +383,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -386,6 +419,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -419,6 +455,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -452,6 +491,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -485,6 +527,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -518,6 +563,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -551,6 +599,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -584,6 +635,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -617,6 +671,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -650,6 +707,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -683,6 +743,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -716,6 +779,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -749,6 +815,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -782,6 +851,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -815,6 +887,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -848,6 +923,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -881,6 +959,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -914,6 +995,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -947,6 +1031,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -980,6 +1067,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1013,6 +1103,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1046,6 +1139,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1079,6 +1175,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1112,6 +1211,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1145,6 +1247,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -1178,6 +1283,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1211,6 +1319,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1244,6 +1355,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1277,6 +1391,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1310,6 +1427,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1343,6 +1463,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1376,6 +1499,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -1409,6 +1535,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1442,6 +1571,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1475,6 +1607,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1508,6 +1643,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1541,6 +1679,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1574,6 +1715,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1607,6 +1751,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -1640,6 +1787,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1673,6 +1823,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1706,6 +1859,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1739,6 +1895,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1772,6 +1931,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1805,6 +1967,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1838,6 +2003,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -1871,6 +2039,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1904,6 +2075,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1937,6 +2111,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1970,6 +2147,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2003,6 +2183,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2036,6 +2219,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2069,6 +2255,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -2102,6 +2291,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2135,6 +2327,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2168,6 +2363,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2201,6 +2399,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2234,6 +2435,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2267,6 +2471,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2300,6 +2507,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -2333,6 +2543,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2366,6 +2579,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2399,6 +2615,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2432,6 +2651,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2465,6 +2687,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2498,6 +2723,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2531,6 +2759,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -2564,6 +2795,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "28369", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m003_24705_20201007113805036530435635.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m003_24705_20201007113805036530435635.aud.log-expected.json index dc4720e3095..43a2570bcbc 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m003_24705_20201007113805036530435635.aud.log-expected.json +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m003_24705_20201007113805036530435635.aud.log-expected.json @@ -23,6 +23,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24705", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -56,6 +59,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24705", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -89,6 +95,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24705", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -122,6 +131,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24705", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -155,6 +167,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24705", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -188,6 +203,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24705", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -221,6 +239,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24705", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -254,6 +275,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24705", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -287,6 +311,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24705", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -320,6 +347,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24705", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -353,6 +383,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24705", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -386,6 +419,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24705", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m004_29815_20201007130106080227473114.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m004_29815_20201007130106080227473114.aud.log-expected.json index 130d75eb51b..9542632f692 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m004_29815_20201007130106080227473114.aud.log-expected.json +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m004_29815_20201007130106080227473114.aud.log-expected.json @@ -23,6 +23,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "29815", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m004_29815_20201007130106085635422771.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m004_29815_20201007130106085635422771.aud.log-expected.json index 130d75eb51b..9542632f692 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m004_29815_20201007130106085635422771.aud.log-expected.json +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m004_29815_20201007130106085635422771.aud.log-expected.json @@ -23,6 +23,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "29815", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m005_24958_20201007115707242540239811.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m005_24958_20201007115707242540239811.aud.log-expected.json index c5fa4b100ae..7ce8b6c3a31 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m005_24958_20201007115707242540239811.aud.log-expected.json +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_m005_24958_20201007115707242540239811.aud.log-expected.json @@ -23,6 +23,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24958", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -56,6 +59,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24958", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -89,6 +95,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24958", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -122,6 +131,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24958", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -155,6 +167,9 @@ "oracle.database_audit.session_id": "0", "oracle.database_audit.status": "0", "process.pid": "24958", + "related.hosts": [ + "testlab.local" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -188,6 +203,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -221,6 +239,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -254,6 +275,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -287,6 +311,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -320,6 +347,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -353,6 +383,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -386,6 +419,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -419,6 +455,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -452,6 +491,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -485,6 +527,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -518,6 +563,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -551,6 +599,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -584,6 +635,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -617,6 +671,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -650,6 +707,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -683,6 +743,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -716,6 +779,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -749,6 +815,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -782,6 +851,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -815,6 +887,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -848,6 +923,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -881,6 +959,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -914,6 +995,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -947,6 +1031,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -980,6 +1067,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1013,6 +1103,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1046,6 +1139,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1079,6 +1175,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1112,6 +1211,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1145,6 +1247,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1178,6 +1283,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1211,6 +1319,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1244,6 +1355,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1277,6 +1391,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1310,6 +1427,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1343,6 +1463,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1376,6 +1499,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1409,6 +1535,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1442,6 +1571,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1475,6 +1607,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1508,6 +1643,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1541,6 +1679,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1574,6 +1715,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1607,6 +1751,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1640,6 +1787,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1673,6 +1823,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1706,6 +1859,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1739,6 +1895,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1772,6 +1931,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1805,6 +1967,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1838,6 +2003,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1871,6 +2039,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1904,6 +2075,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1937,6 +2111,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -1970,6 +2147,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2003,6 +2183,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2036,6 +2219,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2069,6 +2255,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2102,6 +2291,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2135,6 +2327,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2168,6 +2363,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2201,6 +2399,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2234,6 +2435,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2267,6 +2471,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2300,6 +2507,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2333,6 +2543,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2366,6 +2579,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2399,6 +2615,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2432,6 +2651,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2465,6 +2687,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2498,6 +2723,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2531,6 +2759,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2564,6 +2795,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2597,6 +2831,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2630,6 +2867,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2663,6 +2903,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2696,6 +2939,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2729,6 +2975,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2762,6 +3011,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2795,6 +3047,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2828,6 +3083,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2861,6 +3119,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2894,6 +3155,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2927,6 +3191,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2960,6 +3227,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -2993,6 +3263,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -3026,6 +3299,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -3059,6 +3335,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -3092,6 +3371,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -3125,6 +3407,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -3158,6 +3443,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -3191,6 +3479,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -3224,6 +3515,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -3257,6 +3551,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -3290,6 +3587,9 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "24958",
+ "related.hosts": [
+ "testlab.local"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_10651_20201007131744782913507561.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_10651_20201007131744782913507561.aud.log-expected.json
index 8b04537e84d..0979b1f84eb 100644
--- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_10651_20201007131744782913507561.aud.log-expected.json
+++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_10651_20201007131744782913507561.aud.log-expected.json
@@ -24,6 +24,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "10651",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -58,6 +64,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "10651",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -92,6 +104,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "10651",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -126,6 +144,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "10651",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13448_20201007105245091084628324.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13448_20201007105245091084628324.aud.log-expected.json
index a725aac486c..95cd63917d8 100644
--- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13448_20201007105245091084628324.aud.log-expected.json
+++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13448_20201007105245091084628324.aud.log-expected.json
@@ -22,6 +22,9 @@
 "oracle.database_audit.length": 228,
 "oracle.database_audit.status": "0",
 "process.pid": "13448",
+ "related.user": [
+ "oracle"
+ ],
 "server.user.name": "/",
 "service.type": "oracle",
 "tags": [
diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13448_20201007105751018661587803.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13448_20201007105751018661587803.aud.log-expected.json
index 8706f288b7f..25d721d6172 100644
--- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13448_20201007105751018661587803.aud.log-expected.json
+++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13448_20201007105751018661587803.aud.log-expected.json
@@ -23,6 +23,12 @@
 "oracle.database_audit.session_id": "0",
 "oracle.database_audit.status": "0",
 "process.pid": "13448",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13765_20201007105751904399925443.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13765_20201007105751904399925443.aud.log-expected.json
index 1c0146752a5..f0d7518b449 100644
--- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13765_20201007105751904399925443.aud.log-expected.json
+++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13765_20201007105751904399925443.aud.log-expected.json
@@ -23,6 +23,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "13765",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -56,6 +62,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "13765",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -90,6 +102,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "13765",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13779_20201007105801980871631378.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13779_20201007105801980871631378.aud.log-expected.json
index 9e1aa1fb025..ded63f0b11c 100644
--- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13779_20201007105801980871631378.aud.log-expected.json
+++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13779_20201007105801980871631378.aud.log-expected.json
@@ -24,6 +24,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "13779",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -58,6 +64,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "13779",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -92,6 +104,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "13779",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -126,6 +144,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "13779",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -160,6 +184,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "13779",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -194,6 +224,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "13779",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -228,6 +264,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "13779",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13788_20201007105802970031936241.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13788_20201007105802970031936241.aud.log-expected.json
index 89edc7829fa..e385e4e2222 100644
--- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13788_20201007105802970031936241.aud.log-expected.json
+++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13788_20201007105802970031936241.aud.log-expected.json
@@ -24,6 +24,12 @@
 "oracle.database_audit.session_id": "4294967295",
 "oracle.database_audit.status": "0",
 "process.pid": "13788",
+ "related.hosts": [
+ "testlab.local"
+ ],
+ "related.user": [
+ "oracle"
+ ],
 "server.address": "testlab.local",
 "server.domain": "testlab.local",
 "server.user.name": "/",
@@ -58,6 +64,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13788", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -92,6 +104,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13788", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -126,6 +144,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13788", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -160,6 +184,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13788", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -194,6 +224,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13788", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -228,6 +264,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13788", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13790_20201007105803021897922657.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13790_20201007105803021897922657.aud.log-expected.json index 4c10dc49cbb..1ece20e196b 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13790_20201007105803021897922657.aud.log-expected.json +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13790_20201007105803021897922657.aud.log-expected.json @@ -24,6 +24,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13790", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -58,6 +64,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13790", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -92,6 +104,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13790", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -126,6 +144,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13790", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -160,6 +184,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13790", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -194,6 +224,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13790", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -228,6 +264,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13790", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -262,6 +304,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13790", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -296,6 +344,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13790", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -330,6 +384,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13790", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -364,6 +424,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13790", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -398,6 +464,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13790", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13791_20201007105803053277493103.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13791_20201007105803053277493103.aud.log-expected.json index 41b3419feb5..3833ffa9c2b 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13791_20201007105803053277493103.aud.log-expected.json +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13791_20201007105803053277493103.aud.log-expected.json @@ -24,6 +24,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13791", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -58,6 +64,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13791", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -92,6 +104,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13791", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -126,6 +144,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13791", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -160,6 +184,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13791", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -194,6 +224,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13791", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -228,6 +264,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13791", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13792_20201007105804019827529526.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13792_20201007105804019827529526.aud.log-expected.json index ea498f27ce5..74d7113822f 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13792_20201007105804019827529526.aud.log-expected.json 
+++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13792_20201007105804019827529526.aud.log-expected.json @@ -24,6 +24,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13792", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -58,6 +64,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13792", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -92,6 +104,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13792", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -126,6 +144,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13792", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13794_20201007105804045603856206.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13794_20201007105804045603856206.aud.log-expected.json index a8645d49f48..51b192b1f50 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13794_20201007105804045603856206.aud.log-expected.json +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_13794_20201007105804045603856206.aud.log-expected.json 
@@ -24,6 +24,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -58,6 +64,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -92,6 +104,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -126,6 +144,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -160,6 +184,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -194,6 +224,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -228,6 +264,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -262,6 +304,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -296,6 +344,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -330,6 +384,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -364,6 +424,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -398,6 +464,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -432,6 +504,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -466,6 +544,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -500,6 +584,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -534,6 +624,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -568,6 +664,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -602,6 +704,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -636,6 +744,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -670,6 +784,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -704,6 +824,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -738,6 +864,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -772,6 +904,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -806,6 +944,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -840,6 +984,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -874,6 +1024,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -908,6 +1064,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -942,6 +1104,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -976,6 +1144,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1010,6 +1184,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -1044,6 +1224,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1078,6 +1264,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1112,6 +1304,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1146,6 +1344,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1180,6 +1384,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1214,6 +1424,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -1248,6 +1464,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1282,6 +1504,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1316,6 +1544,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1350,6 +1584,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1384,6 +1624,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1418,6 +1664,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -1452,6 +1704,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1486,6 +1744,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1520,6 +1784,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1554,6 +1824,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1588,6 +1864,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1622,6 +1904,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -1656,6 +1944,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1690,6 +1984,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1724,6 +2024,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1758,6 +2064,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1792,6 +2104,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1826,6 +2144,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -1860,6 +2184,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1894,6 +2224,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1928,6 +2264,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1962,6 +2304,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -1996,6 +2344,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2030,6 +2384,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -2064,6 +2424,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2098,6 +2464,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2132,6 +2504,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2166,6 +2544,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2200,6 +2584,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2234,6 +2624,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -2268,6 +2664,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2302,6 +2704,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2336,6 +2744,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2370,6 +2784,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2404,6 +2824,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2438,6 +2864,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -2472,6 +2904,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2506,6 +2944,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2540,6 +2984,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2574,6 +3024,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2608,6 +3064,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2642,6 +3104,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -2676,6 +3144,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2710,6 +3184,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2744,6 +3224,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2778,6 +3264,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2812,6 +3304,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2846,6 +3344,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -2880,6 +3384,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2914,6 +3424,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2948,6 +3464,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -2982,6 +3504,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -3016,6 +3544,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -3050,6 +3584,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -3084,6 +3624,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -3118,6 +3664,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -3152,6 +3704,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -3186,6 +3744,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -3220,6 +3784,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -3254,6 +3824,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -3288,6 +3864,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -3322,6 +3904,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -3356,6 +3944,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -3390,6 +3984,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "13794", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9667_20201007130533504494345257.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9667_20201007130533504494345257.aud.log-expected.json index 8f12fe0e4fd..85b3165a75a 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9667_20201007130533504494345257.aud.log-expected.json +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9667_20201007130533504494345257.aud.log-expected.json 
@@ -23,6 +23,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "9667", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -56,6 +62,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "9667", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", @@ -90,6 +102,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "9667", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20201007130542916949215077.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20201007130542916949215077.aud.log-expected.json index b2e81e0c454..8beec9e9bd3 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20201007130542916949215077.aud.log-expected.json +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20201007130542916949215077.aud.log-expected.json @@ -24,6 +24,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "9680", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", 
@@ -58,6 +64,12 @@ "oracle.database_audit.session_id": "4294967295", "oracle.database_audit.status": "0", "process.pid": "9680", + "related.hosts": [ + "testlab.local" + ], + "related.user": [ + "oracle" + ], "server.address": "testlab.local", "server.domain": "testlab.local", "server.user.name": "/", diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json index be78709d56a..0c1c216ed74 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json @@ -33,6 +33,9 @@ "oracle.database_audit.terminal": "pts/1", "oracle.database_audit.userid": "SYSTEM", "process.pid": "9680", + "related.hosts": [ + "testhost" + ], "server.address": "testhost", "server.domain": "testhost", "service.type": "oracle", From 4fac406439fca25772853495dee0133e1e0488ee Mon Sep 17 00:00:00 2001 From: leweafan Date: Thu, 20 Apr 2023 14:18:30 +0300 Subject: [PATCH 06/14] updated oracle database_audit pipeline - added client.geo/as & server.geo/as --- .../database_audit/ingest/pipeline.json | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json index f0b3dedfea3..c15e48613c8 100644 --- a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json +++ b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json 
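Review bot: The last hunk (`@@ -33,6 +33,9 @@`, the 2023 fixture) gains `related.hosts` but no `related.user`, although the context line directly above the insertion carries `oracle.database_audit.userid: "SYSTEM"`; every other fixture in this commit receives `related.user: ["oracle"]`, presumably from `server.user.name`, which the authentication-format records do not have. For anyone pivoting on ECS `related.user`, database logons by a named account would therefore be invisible. If the pipeline only appends `server.user.name` and `client.user.name`, an extra append of `{{oracle.database_audit.userid}}` (and `os_userid`) under a null guard would close that gap, after which this fixture and the PATCH 09 hunk for the same file need regenerating.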
@@ -386,6 +386,72 @@
 "ignore_missing": true
 }
 },
+ {
+ "geoip": {
+ "field": "client.ip",
+ "target_field": "client.geo",
+ "ignore_missing": true
+ }
+ },
+ {
+ "geoip": {
+ "target_field": "client.as",
+ "properties": [
+ "asn",
+ "organization_name"
+ ],
+ "ignore_missing": true,
+ "database_file": "GeoLite2-ASN.mmdb",
+ "field": "client.ip"
+ }
+ },
+ {
+ "rename": {
+ "target_field": "client.as.number",
+ "ignore_missing": true,
+ "field": "client.as.asn"
+ }
+ },
+ {
+ "rename": {
+ "field": "client.as.organization_name",
+ "target_field": "client.as.organization.name",
+ "ignore_missing": true
+ }
+ },
+ {
+ "geoip": {
+ "field": "server.ip",
+ "target_field": "server.geo",
+ "ignore_missing": true
+ }
+ },
+ {
+ "geoip": {
+ "target_field": "server.as",
+ "properties": [
+ "asn",
+ "organization_name"
+ ],
+ "ignore_missing": true,
+ "database_file": "GeoLite2-ASN.mmdb",
+ "field": "server.ip"
+ }
+ },
+ {
+ "rename": {
+ "target_field": "server.as.number",
+ "ignore_missing": true,
+ "field": "server.as.asn"
+ }
+ },
+ {
+ "rename": {
+ "field": "server.as.organization_name",
+ "target_field": "server.as.organization.name",
+ "ignore_missing": true
+ }
+ },
 {
 "append": {
 "value": "{{source.ip}}",
From 06a1a0623d7d4d6bcee5a7a4c4177d9f770fcc0c Mon Sep 17 00:00:00 2001
From: Alexander A
Date: Thu, 20 Apr 2023 17:59:51 +0300
Subject: [PATCH 07/14] Update x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
---
 .../filebeat/module/oracle/database_audit/ingest/pipeline.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
index 657d0116ccb..c8cb78fc0ad 100644
--- a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
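Review bot: The eight new processors use two different key orders: the `client.geo`/`server.geo` geoip and the `organization_name` renames put `field` first, while the ASN geoip and the `asn` renames list `target_field` and `ignore_missing` before `field`, which hides that the client and server halves are otherwise identical. One order throughout — `field`, `target_field`, `properties`, `database_file`, `ignore_missing` — lets the two halves be compared line by line. The `append` of `{{source.ip}}` that closes the hunk renders to an empty string when `source.ip` is absent; unless the rest of that processor, outside the hunk, carries `if: ctx.source?.ip != null`, an empty entry would be appended on every record that has no client address.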
@@ -25,7 +25,7 @@ processors:
 - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH: \"%{GREEDYDATA:LENGTH}\"\\\n(?m)%{GREEDYDATA:auth}"
 - gsub:
 field: "auth"
- pattern: "\"\s"
+ pattern: "\"\\s"
 replacement: "\"|"
 ignore_missing: true
 if: ctx?.auth != null
From ba248b52de217adf1f911f7d1495688161596f12 Mon Sep 17 00:00:00 2001
From: Alexander A
Date: Thu, 20 Apr 2023 18:00:02 +0300
Subject: [PATCH 08/14] Update x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
---
 .../filebeat/module/oracle/database_audit/ingest/pipeline.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
index c8cb78fc0ad..48ee1a873b9 100644
--- a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
@@ -45,7 +45,7 @@ processors:
 - script:
 source: "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(entry -> entry.getKey().toLowerCase(), Map.Entry::getValue));"
 lang: painless
- if: ctx?.oracle?.database_audit != null
+ if: ctx.oracle?.database_audit != null
 # Replace all field names that has spaces in them with _
 - script:
 lang: painless
From 02405cbb73854a0985a2c662b73108fbff977464 Mon Sep 17 00:00:00 2001
From: leweafan
Date: Thu, 20 Apr 2023 18:05:51 +0300
Subject: [PATCH 09/14] updated oracle database_audit pipeline
---
 .../database_audit/ingest/pipeline.json | 32 +-
 .../oracle/database_audit/ingest/pipeline.yml | 187 ------------------
 ...19130542916949215077.aud.log-expected.json | 47 ++++-
 3 files changed, 62 insertions(+), 204 deletions(-)
 delete mode 100644 x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
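Review bot: The context line `if: ctx?.auth != null` at the end of the first hunk keeps the `ctx?.` form that the second hunk (`@@ -45,7 +45,7 @@`) drops from `ctx.oracle?.database_audit`; `ctx` is never null in a processor condition, so `if: ctx.auth != null` would follow the new convention, and the same `ctx?.audit`/`ctx?.auth` conditions reappear in the YAML pipeline recreated in PATCH 10. The gsub in the first hunk rewrites every `"` followed by whitespace into `"|`, presumably to give a later kv split a delimiter; a comment stating that, `# AUTH records are quote-delimited: turn each closing quote + whitespace into a | separator for the kv processor`, would spare the next reader reverse-engineering the pattern. It is also worth recording that a literal quote-space inside a value would be rewritten the same way.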
diff --git a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json
index c15e48613c8..dbf46a1d268 100644
--- a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json
+++ b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json
@@ -49,7 +49,7 @@
 {
 "gsub": {
 "field": "auth",
- "pattern": "\" ",
+ "pattern": "\"\\s",
 "replacement": "\"\\|",
 "ignore_missing": true
 }
@@ -95,21 +95,21 @@
 "script": {
 "lang": "painless",
 "source": "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(entry -> entry.getKey().toLowerCase(), Map.Entry::getValue));",
- "if": "ctx?.oracle?.database_audit != null"
+ "if": "ctx.oracle?.database_audit != null"
 }
 },
 {
 "script": {
 "lang": "painless",
- "source": "ctx.oracle.database_audit = ctx?.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace(' ', '_'), e -> e.getValue()));",
- "if": "ctx?.oracle?.database_audit != null"
+ "source": "ctx.oracle.database_audit = ctx.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace(' ', '_'), e -> e.getValue()));",
+ "if": "ctx.oracle?.database_audit != null"
 }
 },
 {
 "script": {
 "lang": "painless",
- "source": "ctx.oracle.database_audit = ctx?.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace('$', '_'), e -> e.getValue()));",
- "if": "ctx?.oracle?.database_audit != null"
+ "source": "ctx.oracle.database_audit = ctx.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace('$', '_'), e -> e.getValue()));",
+ "if": "ctx.oracle?.database_audit != null"
 }
 },
 {
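Review bot: In the second hunk the right-hand side `ctx.oracle?.database_audit.entrySet()` keeps a null-safe access that the processor's `if` already rules out, while the assignment target is the plain `ctx.oracle.database_audit`; the two sides should match, and the first script in the hunk already shows the form, `ctx.oracle.database_audit.entrySet()`. The three scripts also make three passes over the same map to lower-case keys and replace `' '` and `'$'`; one `Collectors.toMap(e -> e.getKey().toLowerCase().replace(' ', '_').replace('$', '_'), Map.Entry::getValue)` does the same work in a single pass and leaves one `if` to maintain. Note that the `'$'` to `'_'` rewrite turns Oracle's `COMMENT$TEXT` key into `comment_text` (the PATCH 09 fixture shows that name), so a later processor addressing `oracle.database_audit.comment$text` — the grok added in PATCH 10 does — would find no such field and, with `ignore_missing`, silently extract nothing.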
@@ -124,7 +124,7 @@
 {
 "script": {
 "source": "def x = ctx.oracle.database_audit.action_number;\nif (x == 100) {\n ctx.oracle.database_audit.action = \"LOGON\";\n}\nif (x == 101) {\n ctx.oracle.database_audit.action = \"LOGOFF\";\n}\nif (x == 102) {\n ctx.oracle.database_audit.action = \"LOGOFF BY CLEANUP\";\n}",
- "if": "[100, 101, 102].contains(ctx?.oracle?.database_audit?.action_number)"
+ "if": "[100, 101, 102].contains(ctx.oracle?.database_audit?.action_number)"
 }
 },
 {
@@ -133,7 +133,7 @@
 "value": [
 "authentication"
 ],
- "if": "(ctx?.oracle?.database_audit?.action == '100' && ['0', '1017'].contains(ctx?.oracle?.database_audit?.returncode)) || ['101', '102'].contains(ctx?.oracle?.database_audit?.action)"
+ "if": "(ctx.oracle?.database_audit?.action == '100' && ['0', '1017'].contains(ctx.oracle?.database_audit?.returncode)) || ['101', '102'].contains(ctx.oracle?.database_audit?.action)"
 }
 },
 {
@@ -142,7 +142,7 @@
 "value": [
 "logon-failed"
 ],
- "if": "ctx?.oracle?.database_audit?.action == '100' && ctx?.oracle?.database_audit?.returncode == '1017'"
+ "if": "ctx.oracle?.database_audit?.action == '100' && ctx.oracle?.database_audit?.returncode == '1017'"
 }
 },
 {
@@ -151,7 +151,7 @@
 "value": [
 "logged-in"
 ],
- "if": "ctx?.oracle?.database_audit?.action == '100' && ctx?.oracle?.database_audit?.returncode == '0'"
+ "if": "ctx.oracle?.database_audit?.action == '100' && ctx.oracle?.database_audit?.returncode == '0'"
 }
 },
 {
@@ -160,14 +160,14 @@
 "value": [
 "logout"
 ],
- "if": "['101', '102'].contains(ctx?.oracle?.database_audit?.action)"
+ "if": "['101', '102'].contains(ctx.oracle?.database_audit?.action)"
 }
 },
 {
 "set": {
 "field": "event.outcome",
 "value": "failure",
- "if": "ctx?.oracle?.database_audit?.action == '100' && ctx?.oracle?.database_audit?.returncode == '1017'"
+ "if": "ctx.oracle?.database_audit?.action == '100' && ctx.oracle?.database_audit?.returncode == '1017'"
 }
 },
 {
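Review bot: `event.outcome` is switched to `failure` only for `returncode == '1017'` (last hunk), and `authentication` is appended to `event.category` only for return codes `'0'` and `'1017'`, so a logon rejected for any other reason (a locked or expired account, a missing session privilege) keeps the default `success` outcome set earlier in the pipeline and is not categorized as authentication — precisely the failed-logon records a detection rule would look for. Treating every non-zero code on action `'100'` as a failure, `ctx.oracle?.database_audit?.action == '100' && ctx.oracle?.database_audit?.returncode != null && ctx.oracle?.database_audit?.returncode != '0'`, in both the `failure` set and the `logon-failed` append would close that gap. In the first hunk, `[100, 101, 102].contains(ctx.oracle?.database_audit?.action_number)` compares integer literals against a value the kv processor would produce as a string, and the PATCH 09 fixture carries `oracle.database_audit.action: "100"` with no `action_number` at all, so the LOGON/LOGOFF mapping presumably never runs; had it run, it would have replaced `action` with `LOGON` before the later conditions test `action == '100'`. Decide which field holds the numeric code and compare it as the string the other conditions already use, `['100', '101', '102'].contains(...)`.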
@@ -175,7 +175,7 @@
 "field": "oracle.database_audit.action",
 "pattern": "\\n",
 "replacement": "",
- "if": "ctx?.oracle?.database_audit?.action != null"
+ "if": "ctx.oracle?.database_audit?.action != null"
 }
 },
 {
@@ -183,7 +183,7 @@
 "field": "oracle.database_audit.action",
 "pattern": "\\s{2,}",
 "replacement": " ",
- "if": "ctx?.oracle?.database_audit?.action != null"
+ "if": "ctx.oracle?.database_audit?.action != null"
 }
 },
 {
@@ -194,7 +194,7 @@
 },
 {
 "script": {
- "if": "ctx?.oracle?.database_audit != null",
+ "if": "ctx.oracle?.database_audit != null",
 "source": "void handleMap(Map map) {\n for (def x : map.values()) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n map.values().removeIf(v -> v instanceof String && v.isEmpty() == true);\n}\nvoid handleList(List list) {\n for (def x : list) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n}\nhandleMap(ctx);\n",
 "lang": "painless"
 }
@@ -271,7 +271,7 @@
 "field": "oracle.database_audit.length",
 "type": "long",
 "ignore_missing": true,
- "if": "ctx?.oracle?.database_audit != null"
+ "if": "ctx.oracle?.database_audit != null"
 }
 },
 {
diff --git a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
deleted file mode 100644
index 48ee1a873b9..00000000000
--- a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
+++ /dev/null
@@ -1,187 +0,0 @@ -description: Pipeline for parsing Oracle Audit logs -processors: - - set: - field: event.ingested - value: "{{_ingest.timestamp}}" - - set: - field: event.action - value: database_audit - - set: - field: event.kind - value: event - - set: - field: event.category - value: database - - set: - field: event.type - value: access - - set: - field: event.outcome - value: success - - grok: - field: message - patterns: - - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH : '%{GREEDYDATA:LENGTH}'\\\n(?m)%{GREEDYDATA:audit}" - - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH: \"%{GREEDYDATA:LENGTH}\"\\\n(?m)%{GREEDYDATA:auth}" - - gsub: - field: "auth" - pattern: "\"\\s" - replacement: "\"|" - ignore_missing: true - if: ctx?.auth != null - - kv: - field: audit - field_split: "\\\n(?=[a-zA-Z])" - value_split: ":\\S\\d+\\S(?= ')" - trim_value: " '" - trim_key: " " - prefix: oracle.database_audit. - if: ctx?.audit != null - - grok: - field: log.file.path - patterns: - - "%{BASE10NUM:process.pid}\\_%{BASE10NUM}\\.aud(\\.log)?$" - # All field names are uppercase by default, converts them to lowercase - - script: - source: "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(entry -> entry.getKey().toLowerCase(), Map.Entry::getValue));" - lang: painless - if: ctx.oracle?.database_audit != null - # Replace all field names that has spaces in them with _ - - script: - lang: painless - source: "ctx.oracle.database_audit = ctx?.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace(' ', '_'), e -> e.getValue()));" - if: ctx?.oracle?.database_audit != null - - gsub: - field: "oracle.database_audit.action" - pattern: "\\n" - replacement: "" - if: ctx?.oracle?.database_audit != null - - gsub: - field: "oracle.database_audit.action" - pattern: "\\s{2,}" - replacement: " " - if: ctx?.oracle?.database_audit != null - - trim: - field: "oracle.database_audit.action_number" - ignore_missing: true - if: 
ctx?.oracle?.database_audit != null - # Removes all null values from ctx.* - - script: - lang: painless - if: ctx?.oracle?.database_audit != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v instanceof String && v.isEmpty() == true); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - remove: - field: - - "@timestamp" - ignore_missing: true - - date: - field: tmp_timestamp - target_field: "@timestamp" - formats: - - EEE MMM [ d][dd] HH:mm:ss uuuu XXX - - grok: - field: tmp_timestamp - patterns: - - "%{ISO8601_TIMEZONE:event.timezone}$" - - rename: - field: oracle.database_audit.privilege - target_field: user.roles - ignore_missing: true - - rename: - field: LENGTH - target_field: oracle.database_audit.length - ignore_missing: true - - rename: - field: oracle.database_audit.client_user - target_field: client.user.name - ignore_missing: true - - rename: - field: oracle.database_audit.client_address - target_field: client.address - ignore_missing: true - - rename: - field: oracle.database_audit.userhost - target_field: server.address - ignore_missing: true - - rename: - field: oracle.database_audit.database_user - target_field: server.user.name - ignore_missing: true - - convert: - field: oracle.database_audit.length - type: long - ignore_missing: true - if: ctx?.oracle?.database_audit != null - - grok: - field: client.address - patterns: - - "(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})" - ignore_failure: true - ignore_missing: true - - grok: - field: server.address - patterns: - - "(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})" - ignore_failure: true - ignore_missing: true - # Renaming certain fields for better data structure - - rename: - field: 
oracle.database_audit.sessionid - target_field: oracle.database_audit.session_id - ignore_missing: true - - rename: - field: oracle.database_audit.client_terminal - target_field: oracle.database_audit.client.terminal - ignore_missing: true - - rename: - field: oracle.database_audit.client_address - target_field: oracle.database_audit.client.address - ignore_missing: true - - rename: - field: oracle.database_audit.database_user - target_field: oracle.database_audit.database.user - ignore_missing: true - - rename: - field: oracle.database_audit.userhost - target_field: oracle.database_audit.database.host - ignore_missing: true - - rename: - field: oracle.database_audit.dbid - target_field: oracle.database_audit.database.id - ignore_missing: true - - rename: - field: oracle.database_audit.entry_id - target_field: oracle.database_audit.entry.id - ignore_missing: true - - - remove: - field: - - tmp_timestamp - - audit - - message - - auth - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json index 0c1c216ed74..ee6d94c4d4e 100644 --- a/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json +++ b/x-pack/filebeat/module/oracle/database_audit/test/ORCLCDB_ora_9680_20230419130542916949215077.aud.log-expected.json 
@@ -1,4 +1,49 @@
 [
+ {
+ "@timestamp": "2023-04-18T11:37:18.000Z",
+ "event.action": [
+ "database_audit",
+ "logged-in"
+ ],
+ "event.category": [
+ "authentication",
+ "database"
+ ],
+ "event.dataset": "oracle.database_audit",
+ "event.kind": "event",
+ "event.module": "oracle",
+ "event.outcome": "success",
+ "event.timezone": "+03:00",
+ "event.type": "access",
+ "fileset.name": "database_audit",
+ "input.type": "log",
+ "log.flags": [
+ "multiline"
+ ],
+ "log.offset": 573,
+ "oracle.database_audit.action": "100",
+ "oracle.database_audit.comment_text": "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.10)(PORT=58864))",
+ "oracle.database_audit.database.id": "1956306463",
+ "oracle.database_audit.entryid": "1",
+ "oracle.database_audit.length": 357,
+ "oracle.database_audit.os_userid": "sherlock",
+ "oracle.database_audit.priv_used": "5",
+ "oracle.database_audit.returncode": "0",
+ "oracle.database_audit.session_id": "4294967295",
+ "oracle.database_audit.statement": "1",
+ "oracle.database_audit.terminal": "pts/0",
+ "oracle.database_audit.userid": "SHERLOCK",
+ "process.pid": "9680",
+ "related.hosts": [
+ "testhost"
+ ],
+ "server.address": "testhost",
+ "server.domain": "testhost",
+ "service.type": "oracle",
+ "tags": [
+ "oracle-database-audit"
+ ]
+ },
 {
 "@timestamp": "2023-04-18T11:38:18.000Z",
 "event.action": [
@@ -23,7 +68,7 @@
 "log.offset": 971,
 "oracle.database_audit.action": "100",
 "oracle.database_audit.comment_text": "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.10)(PORT=34254))",
- "oracle.database_audit.database.id": "1956306463\n",
+ "oracle.database_audit.database.id": "1956306463",
 "oracle.database_audit.entryid": "1",
 "oracle.database_audit.length": 340,
 "oracle.database_audit.os_userid": "oracle",
From 7da1f7f4bf1c02321a2db0e5260d02b1ba429058 Mon Sep 17 00:00:00 2001
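Review bot: The new document holds the connecting client only inside `oracle.database_audit.comment_text` (`HOST=10.10.10.10`, `PORT=58864`) and has no `client.ip`, `source.ip` or `related.ip`, and no `related.user` although `userid` and `os_userid` are populated, so none of the ECS pivot fields point at the host or account behind this logon. A fixture only mirrors the pipeline, so the fix belongs there — PATCH 10 adds a grok for that address, but it targets `comment$text` after the `$` to `_` key rewrite has already renamed the field — and this file should then be regenerated. The `"1956306463\n"` to `"1956306463"` correction in the second hunk indicates that kv values could end in a newline; if that was addressed for one field only, a `trim` processor or a `trim_value` that covers `\n` for the whole `oracle.database_audit.*` set would be the more general guard.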
From: leweafan
Date: Fri, 21 Apr 2023 01:47:19 +0300
Subject: [PATCH 10/14] changed oracle database_audit pipeline to yml format
---
 .../oracle/database_audit/ingest/pipeline.yml | 332 ++++++++++++++++++
 .../module/oracle/database_audit/manifest.yml | 2 +-
 2 files changed, 333 insertions(+), 1 deletion(-)
 create mode 100644 x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
new file mode 100644
index 00000000000..dcac94b1f47
--- /dev/null
+++ b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
@@ -0,0 +1,332 @@ +description: Pipeline for parsing Oracle Audit logs +processors: + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: event.action + value: database_audit + - set: + field: event.kind + value: event + - set: + value: database + field: event.category + - set: + value: access + field: event.type + - set: + value: success + field: event.outcome + - grok: + field: message + patterns: + - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH : '%{GREEDYDATA:LENGTH}'\\\n(?m)%{GREEDYDATA:audit}" + - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH: \"%{GREEDYDATA:LENGTH}\"\\\n(?m)%{GREEDYDATA:auth}" + - gsub: + field: auth + pattern: "\"\\s" + replacement: "\"\\|" + ignore_missing: true + - kv: + field: audit + field_split: "\\\n(?=[a-zA-Z])" + value_split: ":\\S\\d+\\S(?= ')" + prefix: oracle.database_audit. + trim_key: " " + trim_value: " '" + if: ctx?.audit != null && ctx?.auth == null + - kv: + field: auth + field_split: "\\|" + value_split: ':\S\d+\S(?= ")' + prefix: oracle.database_audit. 
+ trim_key: " " + trim_value: "\" " + if: ctx?.auth != null + - rename: + field: auth + target_field: audit + ignore_missing: true + - grok: + field: log.file.path + patterns: + - "%{BASE10NUM:process.pid}\\_%{BASE10NUM}\\.aud(\\.log)?$" + - script: + source: "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(entry -> entry.getKey().toLowerCase(), Map.Entry::getValue));" + lang: painless + if: ctx.oracle?.database_audit != null + - script: + source: "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace(' ', '_'), e -> e.getValue()));" + lang: painless + if: ctx.oracle?.database_audit != null + - script: + lang: painless + source: "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace('$', '_'), e -> e.getValue()));" + if: ctx.oracle?.database_audit != null + - grok: + field: oracle.database_audit.comment$text + patterns: + - 'Authenticated by: DATABASE; Client address: \(ADDRESS=\(PROTOCOL=%{WORD:network.transport}\)\(HOST=%{IP:source.ip}\)\(PORT=%{INT:source.port}\)\)' + ignore_missing: true + - script: + source: |- + def x = ctx.oracle.database_audit.action_number; + if (x == 100) { + ctx.oracle.database_audit.action = "LOGON"; + } + if (x == 101) { + ctx.oracle.database_audit.action = "LOGOFF"; + } + if (x == 102) { + ctx.oracle.database_audit.action = "LOGOFF BY CLEANUP"; + } + if: "[100, 101, 102].contains(ctx.oracle?.database_audit?.action_number)" + - append: + field: event.category + value: + - authentication + if: "(ctx.oracle?.database_audit?.action == '100' && ['0', '1017'].contains(ctx.oracle?.database_audit?.returncode)) || ['101', '102'].contains(ctx.oracle?.database_audit?.action)" + - append: + field: event.action + value: + - logon-failed + if: ctx.oracle?.database_audit?.action == '100' && ctx.oracle?.database_audit?.returncode == '1017' + - append: + field: 
event.action + value: + - logged-in + if: ctx.oracle?.database_audit?.action == '100' && ctx.oracle?.database_audit?.returncode == '0' + - append: + field: event.action + value: + - logout + if: "['101', '102'].contains(ctx.oracle?.database_audit?.action)" + - set: + field: event.outcome + value: failure + if: ctx.oracle?.database_audit?.action == '100' && ctx.oracle?.database_audit?.returncode == '1017' + - gsub: + field: oracle.database_audit.action + pattern: "\\n" + replacement: '' + if: ctx.oracle?.database_audit?.action != null + - gsub: + field: oracle.database_audit.action + pattern: "\\s{2,}" + replacement: " " + if: ctx.oracle?.database_audit?.action != null + - trim: + field: oracle.database_audit.action_number + ignore_missing: true + - script: + if: ctx.oracle?.database_audit != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v instanceof String && v.isEmpty() == true); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + lang: painless + - remove: + field: + - "@timestamp" + ignore_missing: true + - date: + target_field: "@timestamp" + formats: + - EEE MMM [ d][dd] HH:mm:ss uuuu XXX + field: tmp_timestamp + - grok: + patterns: + - "%{ISO8601_TIMEZONE:event.timezone}$" + field: tmp_timestamp + - rename: + ignore_missing: true + field: oracle.database_audit.privilege + target_field: user.roles + - rename: + field: LENGTH + target_field: oracle.database_audit.length + ignore_missing: true + - rename: + ignore_missing: true + field: oracle.database_audit.client_user + target_field: client.user.name + - rename: + field: oracle.database_audit.client_address + target_field: client.address + ignore_missing: true + - rename: + target_field: server.address + ignore_missing: true 
+ field: oracle.database_audit.userhost + - rename: + field: oracle.database_audit.database_user + target_field: server.user.name + ignore_missing: true + - convert: + field: oracle.database_audit.length + type: long + ignore_missing: true + if: ctx.oracle?.database_audit != null + - grok: + patterns: + - "(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})" + ignore_failure: true + ignore_missing: true + field: client.address + - grok: + patterns: + - "(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})" + ignore_failure: true + ignore_missing: true + field: server.address + - rename: + field: oracle.database_audit.sessionid + target_field: oracle.database_audit.session_id + ignore_missing: true + - rename: + ignore_missing: true + field: oracle.database_audit.client_terminal + target_field: oracle.database_audit.client.terminal + - rename: + field: oracle.database_audit.client_address + target_field: oracle.database_audit.client.address + ignore_missing: true + - rename: + field: oracle.database_audit.database_user + target_field: oracle.database_audit.database.user + ignore_missing: true + - rename: + field: oracle.database_audit.userhost + target_field: oracle.database_audit.database.host + ignore_missing: true + - rename: + field: oracle.database_audit.dbid + target_field: oracle.database_audit.database.id + ignore_missing: true + - rename: + ignore_missing: true + field: oracle.database_audit.entry_id + target_field: oracle.database_audit.entry.id + - remove: + field: + - tmp_timestamp + - audit + - message + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + database_file: GeoLite2-ASN.mmdb + field: source.ip + - rename: + target_field: source.as.number + ignore_missing: true + field: source.as.asn + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true 
+ - geoip: + field: client.ip + target_field: client.geo + ignore_missing: true + - geoip: + target_field: client.as + properties: + - asn + - organization_name + ignore_missing: true + database_file: GeoLite2-ASN.mmdb + field: client.ip + - rename: + target_field: client.as.number + ignore_missing: true + field: client.as.asn + - rename: + field: client.as.organization_name + target_field: client.as.organization.name + ignore_missing: true + - geoip: + field: server.ip + target_field: server.geo + ignore_missing: true + - geoip: + target_field: server.as + properties: + - asn + - organization_name + ignore_missing: true + database_file: GeoLite2-ASN.mmdb + field: server.ip + - rename: + target_field: server.as.number + ignore_missing: true + field: server.as.asn + - rename: + field: server.as.organization_name + target_field: server.as.organization.name + ignore_missing: true + - append: + value: "{{source.ip}}" + if: ctx?.source?.ip != null + allow_duplicates: false + field: related.ip + - append: + value: "{{client.ip}}" + if: ctx?.client?.ip != null + allow_duplicates: false + field: related.ip + - append: + value: "{{server.ip}}" + if: ctx?.server?.ip != null + allow_duplicates: false + field: related.ip + - append: + field: related.user + value: "{{client.user.name}}" + allow_duplicates: false + if: ctx?.client?.user?.name != null && ctx?.client?.user?.name != '/' + - append: + field: related.user + value: "{{server.user.name}}" + allow_duplicates: false + if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != '/' + - append: + value: "{{server.domain}}" + if: ctx?.server?.domain != null + allow_duplicates: false + field: related.hosts + - append: + value: "{{client.domain}}" + if: ctx?.client?.domain != null + allow_duplicates: false + field: related.hosts +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" 
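Review bot: The grok on `oracle.database_audit.comment$text` can never match, because the three scripts directly above it have already lowercased the keys and replaced `$` with `_`, so by the time it runs the field is `oracle.database_audit.comment_text` and `ignore_missing: true` silently skips it; the fixture in the first hunk shows the symptom, a `comment_text` value containing `HOST=10.10.10.10` but no `source.ip`, `source.port` or `network.transport`. Every later `source.*` step (both geoip processors, the `source.as` renames and the `related.ip` append) is therefore dead, and the client address of each authentication event is never indexed in a searchable form; change it to `field: oracle.database_audit.comment_text`. Separately, `event.outcome` is set to `success` up front and only flipped to `failure` when `returncode == '1017'`, so a logon rejected with any other non-zero return code is recorded as a successful access and, because the `authentication` category is only appended for `'0'` and `'1017'`, is not even tagged as an authentication event. Consider `if: ctx.oracle?.database_audit?.action == '100' && ctx.oracle?.database_audit?.returncode != '0'` for the failure branch and the same `!= '0'` test in the category and `logon-failed` conditions.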
diff --git a/x-pack/filebeat/module/oracle/database_audit/manifest.yml b/x-pack/filebeat/module/oracle/database_audit/manifest.yml
index 9729fc203e7..47de260dace 100644
--- a/x-pack/filebeat/module/oracle/database_audit/manifest.yml
+++ b/x-pack/filebeat/module/oracle/database_audit/manifest.yml
@@ -10,5 +10,5 @@ var:
 default: file
 ingest_pipeline:
- - ingest/pipeline.json
+ - ingest/pipeline.yml
 input: config/config.yml
From 8b52ab4702b66617644f0c1532c5b9e76d4756ad Mon Sep 17 00:00:00 2001
From: leweafan
Date: Fri, 21 Apr 2023 01:55:33 +0300
Subject: [PATCH 11/14] changed oracle database_audit pipeline to yml format
---
 .../database_audit/ingest/pipeline.json | 520 ------------------
 .../oracle/database_audit/ingest/pipeline.yml | 4 +-
 2 files changed, 2 insertions(+), 522 deletions(-)
 delete mode 100644 x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json
diff --git a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json
deleted file mode 100644
index dbf46a1d268..00000000000
--- a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.json
+++ /dev/null
@@ -1,520 +0,0 @@ -{ - "description": "Pipeline for parsing Oracle Audit logs", - "processors": [ - { - "set": { - "field": "event.ingested", - "value": "{{_ingest.timestamp}}" - } - }, - { - "set": { - "field": "event.action", - "value": "database_audit" - } - }, - { - "set": { - "field": "event.kind", - "value": "event" - } - }, - { - "set": { - "value": "database", - "field": "event.category" - } - }, - { - "set": { - "value": "access", - "field": "event.type" - } - }, - { - "set": { - "value": "success", - "field": "event.outcome" - } - }, - { - "grok": { - "field": "message", - "patterns": [ - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH : '%{GREEDYDATA:LENGTH}'\\\n(?m)%{GREEDYDATA:audit}", - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH: \"%{GREEDYDATA:LENGTH}\"\\\n(?m)%{GREEDYDATA:auth}" - ] - } - }, - { - "gsub": { - "field": "auth", - "pattern": "\"\\s", - "replacement": "\"\\|", - "ignore_missing": true - } - }, - { - "kv": { - "field": "audit", - "field_split": "\\\n(?=[a-zA-Z])", - "value_split": ":\\S\\d+\\S(?= ')", - "prefix": "oracle.database_audit.", - "trim_key": " ", - "trim_value": " '", - "if": "ctx?.audit != null && ctx?.auth == null" - } - }, - { - "kv": { - "field": "auth", - "field_split": "\\|", - "value_split": ":\\S\\d+\\S(?= \")", - "prefix": "oracle.database_audit.", - "trim_key": " ", - "trim_value": "\" ", - "if": "ctx?.auth != null" - } - }, - { - "rename": { - "field": "auth", - "target_field": "audit", - "ignore_missing": true - } - }, - { - "grok": { - "field": "log.file.path", - "patterns": [ - "%{BASE10NUM:process.pid}\\_%{BASE10NUM}\\.aud(\\.log)?$" - ] - } - }, - { - "script": { - "lang": "painless", - "source": "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(entry -> entry.getKey().toLowerCase(), Map.Entry::getValue));", - "if": "ctx.oracle?.database_audit != null" - } - }, - { - "script": { - "lang": "painless", - "source": "ctx.oracle.database_audit = 
ctx.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace(' ', '_'), e -> e.getValue()));", - "if": "ctx.oracle?.database_audit != null" - } - }, - { - "script": { - "lang": "painless", - "source": "ctx.oracle.database_audit = ctx.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace('$', '_'), e -> e.getValue()));", - "if": "ctx.oracle?.database_audit != null" - } - }, - { - "grok": { - "field": "oracle.database_audit.comment$text", - "patterns": [ - "Authenticated by: DATABASE; Client address: \\(ADDRESS=\\(PROTOCOL=%{WORD:network.transport}\\)\\(HOST=%{IP:source.ip}\\)\\(PORT=%{INT:source.port}\\)\\)" - ], - "ignore_missing": true - } - }, - { - "script": { - "source": "def x = ctx.oracle.database_audit.action_number;\nif (x == 100) {\n ctx.oracle.database_audit.action = \"LOGON\";\n}\nif (x == 101) {\n ctx.oracle.database_audit.action = \"LOGOFF\";\n}\nif (x == 102) {\n ctx.oracle.database_audit.action = \"LOGOFF BY CLEANUP\";\n}", - "if": "[100, 101, 102].contains(ctx.oracle?.database_audit?.action_number)" - } - }, - { - "append": { - "field": "event.category", - "value": [ - "authentication" - ], - "if": "(ctx.oracle?.database_audit?.action == '100' && ['0', '1017'].contains(ctx.oracle?.database_audit?.returncode)) || ['101', '102'].contains(ctx.oracle?.database_audit?.action)" - } - }, - { - "append": { - "field": "event.action", - "value": [ - "logon-failed" - ], - "if": "ctx.oracle?.database_audit?.action == '100' && ctx.oracle?.database_audit?.returncode == '1017'" - } - }, - { - "append": { - "field": "event.action", - "value": [ - "logged-in" - ], - "if": "ctx.oracle?.database_audit?.action == '100' && ctx.oracle?.database_audit?.returncode == '0'" - } - }, - { - "append": { - "field": "event.action", - "value": [ - "logout" - ], - "if": "['101', '102'].contains(ctx.oracle?.database_audit?.action)" - } - }, - { - "set": { - "field": "event.outcome", - "value": "failure", - 
"if": "ctx.oracle?.database_audit?.action == '100' && ctx.oracle?.database_audit?.returncode == '1017'" - } - }, - { - "gsub": { - "field": "oracle.database_audit.action", - "pattern": "\\n", - "replacement": "", - "if": "ctx.oracle?.database_audit?.action != null" - } - }, - { - "gsub": { - "field": "oracle.database_audit.action", - "pattern": "\\s{2,}", - "replacement": " ", - "if": "ctx.oracle?.database_audit?.action != null" - } - }, - { - "trim": { - "field": "oracle.database_audit.action_number", - "ignore_missing": true - } - }, - { - "script": { - "if": "ctx.oracle?.database_audit != null", - "source": "void handleMap(Map map) {\n for (def x : map.values()) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n map.values().removeIf(v -> v instanceof String && v.isEmpty() == true);\n}\nvoid handleList(List list) {\n for (def x : list) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n}\nhandleMap(ctx);\n", - "lang": "painless" - } - }, - { - "remove": { - "field": [ - "@timestamp" - ], - "ignore_missing": true - } - }, - { - "date": { - "target_field": "@timestamp", - "formats": [ - "EEE MMM [ d][dd] HH:mm:ss uuuu XXX" - ], - "field": "tmp_timestamp" - } - }, - { - "grok": { - "patterns": [ - "%{ISO8601_TIMEZONE:event.timezone}$" - ], - "field": "tmp_timestamp" - } - }, - { - "rename": { - "ignore_missing": true, - "field": "oracle.database_audit.privilege", - "target_field": "user.roles" - } - }, - { - "rename": { - "field": "LENGTH", - "target_field": "oracle.database_audit.length", - "ignore_missing": true - } - }, - { - "rename": { - "ignore_missing": true, - "field": "oracle.database_audit.client_user", - "target_field": "client.user.name" - } - }, - { - "rename": { - "field": "oracle.database_audit.client_address", - "target_field": "client.address", - "ignore_missing": true - } - }, - { - "rename": { - "target_field": "server.address", - 
"ignore_missing": true, - "field": "oracle.database_audit.userhost" - } - }, - { - "rename": { - "field": "oracle.database_audit.database_user", - "target_field": "server.user.name", - "ignore_missing": true - } - }, - { - "convert": { - "field": "oracle.database_audit.length", - "type": "long", - "ignore_missing": true, - "if": "ctx.oracle?.database_audit != null" - } - }, - { - "grok": { - "patterns": [ - "(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})" - ], - "ignore_failure": true, - "ignore_missing": true, - "field": "client.address" - } - }, - { - "grok": { - "patterns": [ - "(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})" - ], - "ignore_failure": true, - "ignore_missing": true, - "field": "server.address" - } - }, - { - "rename": { - "field": "oracle.database_audit.sessionid", - "target_field": "oracle.database_audit.session_id", - "ignore_missing": true - } - }, - { - "rename": { - "ignore_missing": true, - "field": "oracle.database_audit.client_terminal", - "target_field": "oracle.database_audit.client.terminal" - } - }, - { - "rename": { - "field": "oracle.database_audit.client_address", - "target_field": "oracle.database_audit.client.address", - "ignore_missing": true - } - }, - { - "rename": { - "field": "oracle.database_audit.database_user", - "target_field": "oracle.database_audit.database.user", - "ignore_missing": true - } - }, - { - "rename": { - "field": "oracle.database_audit.userhost", - "target_field": "oracle.database_audit.database.host", - "ignore_missing": true - } - }, - { - "rename": { - "field": "oracle.database_audit.dbid", - "target_field": "oracle.database_audit.database.id", - "ignore_missing": true - } - }, - { - "rename": { - "ignore_missing": true, - "field": "oracle.database_audit.entry_id", - "target_field": "oracle.database_audit.entry.id" - } - }, - { - "remove": { - "field": [ - "tmp_timestamp", - "audit", - "message" - ], - "ignore_missing": true - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": 
"source.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true, - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip" - } - }, - { - "rename": { - "target_field": "source.as.number", - "ignore_missing": true, - "field": "source.as.asn" - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - }, - { - "geoip": { - "field": "client.ip", - "target_field": "client.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "target_field": "client.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true, - "database_file": "GeoLite2-ASN.mmdb", - "field": "client.ip" - } - }, - { - "rename": { - "target_field": "client.as.number", - "ignore_missing": true, - "field": "client.as.asn" - } - }, - { - "rename": { - "field": "client.as.organization_name", - "target_field": "client.as.organization.name", - "ignore_missing": true - } - }, - { - "geoip": { - "field": "server.ip", - "target_field": "server.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "target_field": "server.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true, - "database_file": "GeoLite2-ASN.mmdb", - "field": "server.ip" - } - }, - { - "rename": { - "target_field": "server.as.number", - "ignore_missing": true, - "field": "server.as.asn" - } - }, - { - "rename": { - "field": "server.as.organization_name", - "target_field": "server.as.organization.name", - "ignore_missing": true - } - }, - { - "append": { - "value": "{{source.ip}}", - "if": "ctx?.source?.ip != null", - "allow_duplicates": false, - "field": "related.ip" - } - }, - { - "append": { - "value": "{{client.ip}}", - "if": "ctx?.client?.ip != null", - "allow_duplicates": false, - "field": "related.ip" - } - }, - { - "append": { - "value": "{{server.ip}}", - "if": 
"ctx?.server?.ip != null", - "allow_duplicates": false, - "field": "related.ip" - } - }, - { - "append": { - "field": "related.user", - "value": "{{client.user.name}}", - "allow_duplicates": false, - "if": "ctx?.client?.user?.name != null && ctx?.client?.user?.name != '/'" - } - }, - { - "append": { - "field": "related.user", - "value": "{{server.user.name}}", - "allow_duplicates": false, - "if": "ctx?.server?.user?.name != null && ctx?.server?.user?.name != '/'" - } - }, - { - "append": { - "value": "{{server.domain}}", - "if": "ctx?.server?.domain != null", - "allow_duplicates": false, - "field": "related.hosts" - } - }, - { - "append": { - "value": "{{client.domain}}", - "if": "ctx?.client?.domain != null", - "allow_duplicates": false, - "field": "related.hosts" - } - } - ], - "on_failure": [ - { - "set": { - "field": "error.message", - "value": "{{ _ingest.on_failure_message }}" - } - } - ] -} diff --git a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml index dcac94b1f47..743637bf88f 100644 --- a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml +++ b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml @@ -21,8 +21,8 @@ processors: - grok: field: message patterns: - - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH : '%{GREEDYDATA:LENGTH}'\\\n(?m)%{GREEDYDATA:audit}" - - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH: \"%{GREEDYDATA:LENGTH}\"\\\n(?m)%{GREEDYDATA:auth}" + - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH : '%{GREEDYDATA:LENGTH}'\\\n(?m)%{GREEDYDATA:audit}" + - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH: \"%{GREEDYDATA:LENGTH}\"\\\n(?m)%{GREEDYDATA:auth}" - gsub: field: auth pattern: "\"\\s" From dcd82cfb6cb52f2a01eb9873d3fc5d66ced1b70f Mon Sep 17 00:00:00 2001 
From: leweafan
Date: Fri, 21 Apr 2023 13:44:26 +0300
Subject: [PATCH 12/14] updated oracle database_audit pipeline
---
 .../oracle/database_audit/ingest/pipeline.yml | 57 ++++++++++---------
 1 file changed, 31 insertions(+), 26 deletions(-)
diff --git a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
index 743637bf88f..7fff8e5dc38 100644
--- a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
@@ -10,32 +10,32 @@ processors:
 field: event.kind
 value: event
 - set:
- value: database
 field: event.category
+ value: database
 - set:
- value: access
 field: event.type
+ value: access
 - set:
- value: success
 field: event.outcome
+ value: success
 - grok:
 field: message
 patterns:
 - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH : '%{GREEDYDATA:LENGTH}'\\\n(?m)%{GREEDYDATA:audit}"
 - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH: \"%{GREEDYDATA:LENGTH}\"\\\n(?m)%{GREEDYDATA:auth}"
- - gsub:
- field: auth
- pattern: "\"\\s"
- replacement: "\"\\|"
- ignore_missing: true
 - kv:
 field: audit
 field_split: "\\\n(?=[a-zA-Z])"
 value_split: ":\\S\\d+\\S(?= ')"
- prefix: oracle.database_audit.
- trim_key: " "
 trim_value: " '"
+ trim_key: " "
+ prefix: oracle.database_audit.
 if: ctx?.audit != null && ctx?.auth == null
+ - gsub:
+ field: auth
+ pattern: "\"\\s"
+ replacement: "\"\\|"
+ ignore_missing: true
 - kv:
 field: auth
 field_split: "\\|"
@@ -52,13 +52,15 @@ processors:
 field: log.file.path
 patterns:
 - "%{BASE10NUM:process.pid}\\_%{BASE10NUM}\\.aud(\\.log)?$"
+ # All field names are uppercase by default, converts them to lowercase
 - script:
 source: "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(entry -> entry.getKey().toLowerCase(), Map.Entry::getValue));"
 lang: painless
 if: ctx.oracle?.database_audit != null
+ # Replace all field names that has spaces in them with _
 - script:
- source: "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace(' ', '_'), e -> e.getValue()));"
 lang: painless
+ source: "ctx.oracle.database_audit = ctx?.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace(' ', '_'), e -> e.getValue()));"
 if: ctx.oracle?.database_audit != null
 - script:
 lang: painless
@@ -107,20 +109,22 @@ processors:
 value: failure
 if: ctx.oracle?.database_audit?.action == '100' && ctx.oracle?.database_audit?.returncode == '1017'
 - gsub:
- field: oracle.database_audit.action
+ field: "oracle.database_audit.action"
 pattern: "\\n"
- replacement: ''
+ replacement: ""
 if: ctx.oracle?.database_audit?.action != null
 - gsub:
- field: oracle.database_audit.action
+ field: "oracle.database_audit.action"
 pattern: "\\s{2,}"
 replacement: " "
 if: ctx.oracle?.database_audit?.action != null
 - trim:
- field: oracle.database_audit.action_number
+ field: "oracle.database_audit.action_number"
 ignore_missing: true
+ # Removes all null values from ctx.*
 - script:
- if: ctx.oracle?.database_audit != null
+ lang: painless
+ if: ctx?.oracle?.database_audit != null
 source: |
 void handleMap(Map map) {
 for (def x : map.values()) {
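Review bot: The new comment `# Removes all null values from ctx.*` describes something the script does not do: its only mutation is `map.values().removeIf(v -> v instanceof String && v.isEmpty() == true)`, which drops empty strings and leaves nulls in place. Replace it with `# Recursively removes empty-string values from ctx.* (nested maps and lists included)`. The comments added in the first hunk of this file read better as `# Audit field names arrive uppercase; lowercase them` and `# Replace spaces in field names with _`. The enclosing `script` processor's body continues outside the hunk.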
@@ -142,40 +146,39 @@ processors:
 }
 }
 handleMap(ctx);
- lang: painless
 - remove:
 field:
 - "@timestamp"
 ignore_missing: true
 - date:
+ field: tmp_timestamp
 target_field: "@timestamp"
 formats:
 - EEE MMM [ d][dd] HH:mm:ss uuuu XXX
- field: tmp_timestamp
 - grok:
+ field: tmp_timestamp
 patterns:
 - "%{ISO8601_TIMEZONE:event.timezone}$"
- field: tmp_timestamp
 - rename:
- ignore_missing: true
 field: oracle.database_audit.privilege
 target_field: user.roles
+ ignore_missing: true
 - rename:
 field: LENGTH
 target_field: oracle.database_audit.length
 ignore_missing: true
 - rename:
- ignore_missing: true
 field: oracle.database_audit.client_user
 target_field: client.user.name
+ ignore_missing: true
 - rename:
 field: oracle.database_audit.client_address
 target_field: client.address
 ignore_missing: true
 - rename:
+ field: oracle.database_audit.userhost
 target_field: server.address
 ignore_missing: true
- field: oracle.database_audit.userhost
 - rename:
 field: oracle.database_audit.database_user
 target_field: server.user.name
@@ -186,25 +189,26 @@ processors:
 ignore_missing: true
 if: ctx.oracle?.database_audit != null
 - grok:
+ field: client.address
 patterns:
 - "(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})"
 ignore_failure: true
 ignore_missing: true
- field: client.address
 - grok:
+ field: server.address
 patterns:
 - "(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})"
 ignore_failure: true
 ignore_missing: true
- field: server.address
+ # Renaming certain fields for better data structure
 - rename:
 field: oracle.database_audit.sessionid
 target_field: oracle.database_audit.session_id
 ignore_missing: true
 - rename:
- ignore_missing: true
 field: oracle.database_audit.client_terminal
 target_field: oracle.database_audit.client.terminal
+ ignore_missing: true
 - rename:
 field: oracle.database_audit.client_address
 target_field: oracle.database_audit.client.address
@@ -222,9 +226,10 @@ processors:
 target_field: oracle.database_audit.database.id
 ignore_missing: true
 - rename:
- ignore_missing: true
 field: oracle.database_audit.entry_id
 target_field: oracle.database_audit.entry.id
+ ignore_missing: true
+
 - remove:
 field:
 - tmp_timestamp
From bafbff1f7b14d49844eb73fdc7b03b2c9e15231e Mon Sep 17 00:00:00 2001
From: Alexander A
Date: Mon, 24 Apr 2023 01:42:35 +0300
Subject: [PATCH 13/14] Update x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
---
 .../filebeat/module/oracle/database_audit/ingest/pipeline.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
index 7fff8e5dc38..fe66fd2bcad 100644
--- a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
@@ -320,7 +320,7 @@ processors:
 field: related.user
 value: "{{server.user.name}}"
 allow_duplicates: false
- if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != '/'
+ if: ctx.server?.user?.name != null && ctx.server.user.name != '/'
 - append:
 value: "{{server.domain}}"
 if: ctx?.server?.domain != null
From 4bdb896564a9bce039f1ea99652fd01638232db8 Mon Sep 17 00:00:00 2001
From: Alexander A
Date: Mon, 24 Apr 2023 01:42:42 +0300
Subject: [PATCH 14/14] Update x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
---
 .../filebeat/module/oracle/database_audit/ingest/pipeline.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
index fe66fd2bcad..04ec1e4709b 100644
--- a/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
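Review bot: After this change the file carries two null-safety idioms side by side: the rewritten line uses `ctx.server?.user?.name` while the `ctx?.server?.domain != null` append in the context lines directly below (and the `ctx?.source?.ip`-style appends earlier in the file) keep the `ctx?.` prefix; the same applies to the `client.user.name` hunk in the following patch. Since `ctx` is always present in an ingest script, dropping the `ctx?.` form everywhere in one pass would be more consistent than changing only the two reviewed lines. The `!= '/'` exclusion also deserves a comment, because it means a session whose user name is `/` produces no `related.user` entry at all; if `/` stands for an OS-authenticated login here, those are the sessions an analyst most wants to pivot on, so state the intent, e.g. `# skip '/' (placeholder, not a real user name) so related.user stays searchable — confirm what '/' denotes`.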
+++ b/x-pack/filebeat/module/oracle/database_audit/ingest/pipeline.yml
@@ -315,7 +315,7 @@ processors:
 field: related.user
 value: "{{client.user.name}}"
 allow_duplicates: false
- if: ctx?.client?.user?.name != null && ctx?.client?.user?.name != '/'
+ if: ctx.client?.user?.name != null && ctx.client.user.name != '/'
 - append:
 field: related.user
 value: "{{server.user.name}}"