elastic · opoplawski · Oct 25, 2018 · jsoriano · Oct 28, 2018
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -35134,6 +35134,155 @@ type: alias
 
 alias to: source.geo.region_iso_code
 
+--
+
+[float]
+== pam fields
+
+Fields specific to PAM messages.
+
+
+
+*`system.auth.pam.module`*::
++
+--
+The name of the PAM module.
+
+
+--
+
+*`system.auth.pam.service`*::
++
+--
+
+
+--
+
+*`system.auth.pam.type`*::
++
+--
+The PAM type.
+
+
+--
+
+*`system.auth.pam.result`*::
++
+--
+The PAM result text, e.g. "authentication success".
+
+
+--
+
+*`system.auth.pam.logname`*::
++
+--
+The PAM logname.
+
+
+--
+
+*`system.auth.pam.uid`*::
++
+--
+type: long
+
+The UID of the PAM process.
+
+
+--
+
+*`system.auth.pam.euid`*::
++
+--
+type: long
+
+The EUID of the PAM process.
+
+
+--
+
+*`system.auth.pam.tty`*::
++
+--
+The TTY of the PAM process.
+
+
+--
+
+*`system.auth.pam.ruser`*::
++
+--
+The remote username.
+
+
+--
+
+*`system.auth.pam.rhost`*::
++
+--
+type: ip
+
+The remote host IP address.
+
+
+--
+
+*`system.auth.pam.user`*::
++
+--
+The username.
+
+
+--
+
+*`system.auth.pam.errno`*::
++
+--
+type: long
+
+The PAM result error number.
+
+
+--
+
+*`system.auth.pam.errmsg`*::
++
+--
+The PAM result error message.
+
+
+--
+
+[float]
+== session fields
+
+Fields specific to PAM session messages.
+
+
+
+*`system.auth.pam.session.action`*::
++
+--
+The PAM session action. Can be one of "opened" or "closed".
+
+
+--
+
+*`system.auth.pam.session.byuser`*::
++
+--
+The PAM session source user.
+
+
+--
+
+*`system.auth.pam.session.byuid`*::
++
+--
+The PAM session source UID.
+
+
 --
 
 [float]

diff --git a/filebeat/module/system/auth/_meta/fields.yml b/filebeat/module/system/auth/_meta/fields.yml
@@ -28,6 +28,83 @@
       path: user.name
       migration: true
 
+    - name: pam
+      type: group
+      description: >
+        Fields specific to PAM messages.
+      fields:
+      - name: module
+        description: >
+          The name of the PAM module.
+      - name: service
+        description: >
+          The name of the PAM service.
+      - name: type
+        description: >
+          The PAM type.
+      - name: result
+        description: >
+          The PAM result text, e.g. "authentication success".
+      - name: euid
+        type: long
+        description: >
+          The EUID of the PAM process.
+      - name: user
+        description: >
+          The username.
+      - name: auth
+        type: group
+        description: >
+          Fields specific to PAM auth messages.
+        fields:
+        - name: logname
+          description: >
+            The PAM auth logname.
+        - name: uid
+          type: long
+          description: >
+            The UID of the PAM auth process.
+        - name: euid
+          type: long
+          description: >
+            The EUID of the PAM auth process.
+        - name: tty
+          description: >
+            The TTY of the PAM auth process.
+        - name: ruser
+          description: >
+            The remote username.
+        - name: rhost
+          type: ip
+          description: >
+            The remote host IP address.
+      - name: error
+        type: group
+        description: >
+          Fields specific to PAM errors.
+        fields:
+        - name: number
+          type: long
+          description: >
+            The PAM result error number.
+        - name: message
+          description: >
+            The PAM result error message.
+      - name: session
+        type: group
+        description: >
+          Fields specific to PAM session messages.
+        fields:
+        - name: action
+          description: >
+            The PAM session action. Can be one of "opened" or "closed".
+        - name: byuser
+          description: >
+            The PAM session source user.
+        - name: byuid
+          description: >
+            The PAM session source UID.
+
     - name: ssh
       type: group
       fields:

diff --git a/filebeat/module/system/auth/ingest/pipeline.yml b/filebeat/module/system/auth/ingest/pipeline.yml
@@ -25,6 +25,7 @@ processors:
     - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
       new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id},
       home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$'
+    - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: pam_%{DATA:system.auth.pam.module}\\(%{DATA:system.auth.pam.service}:%{DATA:system.auth.pam.type}\\): %{DATA:system.auth.pam.result}; logname=%{DATA:system.auth.pam.auth.logname} uid=%{INT:system.auth.pam.auth.uid} euid=%{INT:system.auth.pam.auth.euid} tty=%{DATA:system.auth.pam.auth.tty} ruser=%{DATA:system.auth.pam.auth.ruser} rhost=%{DATA:system.auth.pam.auth.rhost} user=%{DATA:system.auth.pam.user}'
     - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
       %{GREEDYMULTILINE:system.auth.message}'
 - remove:

diff --git a/filebeat/module/system/auth/test/test.log b/filebeat/module/system/auth/test/test.log
@@ -8,3 +8,13 @@ Feb 23 00:08:48 localhost sudo: vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=r
 Feb 24 00:13:02 precise32 sudo:      tsg : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/ls
 Feb 22 11:47:05 localhost groupadd[6991]: new group: name=apache, GID=48
 Feb 22 11:47:05 localhost useradd[6995]: new user: name=apache, UID=48, GID=48, home=/usr/share/httpd, shell=/sbin/nologin
+Oct 25 16:01:10 localhost kcheckpass[16540]: pam_sss(kscreensaver:auth): authentication success; [email protected] uid=1111 euid=1111 tty=:0 ruser= rhost= user=test
+Oct 26 09:39:10 localhost auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=10.0.2.2 user=test
+Oct 26 09:39:10 localhost auth: pam_unix(dovecot:session): session opened for user test by (uid=0)
+Oct 26 09:39:10 localhost auth: pam_unix(dovecot:session): session closed for user test
+Oct 26 09:39:35 localhost auth: pam_unix(dovecot:auth): check pass; user unknown
+Oct 26 09:39:35 localhost auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=10.0.2.2
+Oct 26 10:16:52 localhost gdm-smartcard]: pam_sss(gdm-smartcard:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= [email protected]
+Oct 26 10:16:53 localhost gdm-smartcard]: pam_unix(gdm-smartcard:session): session opened for user [email protected] by (uid=0)
+Oct 26 10:26:55 localhost su: pam_unix(su:session): session opened for user root by test(uid=1111)
+Oct 26 10:27:25 localhost su: pam_unix(su:session): session closed for user root