Adding categorization fields for the system/auth module

This PR adds the following fields for the SSH login events: * `event.category: authentication` * `event.action: ssh_login` * `event.type` either `authentication_success` or `authentication_failure` The `event.outcome` is currently not quite ECS compliant, but I didn't touch it to avoid a breaking change. The PR doesn't attempt to categorize other logs besides the SSH login attempts, so it's a subset of elastic#9905, but it's what we need for the UI.
tsg · Mar 20, 2019 · 2933054 · 2933054
1 parent 68cc3fd
commit 2933054
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/filebeat/module/system/auth/ingest/pipeline.json b/filebeat/module/system/auth/ingest/pipeline.json
@@ -61,6 +61,12 @@
                 "target_field": "source.geo",
                 "ignore_failure": true
             }
+        },
+        {
+            "script": {
+                "lang": "painless",
+                "source": "if (ctx.process.name == \"sshd\") {                if (ctx.event.outcome == \"Accepted\") {                  ctx.event.type = \"authentication_success\";                  ctx.event.category = \"authentication\";                  ctx.event.action = \"ssh_login\";                } else if (ctx.event.outcome == \"Invalid\" || ctx.event.outcome == \"Failed\") {                  ctx.event.type = \"authentication_failure\";                  ctx.event.category = \"authentication\";                  ctx.event.action = \"ssh_login\";                }              }"
+            }
         }
     ],
     "on_failure" : [{

diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json
@@ -4,6 +4,9 @@
         "event.dataset": "system.auth",
         "event.module": "system",
         "event.outcome": "Accepted",
+        "event.category": "authentication",
+        "event.action": "ssh_login",
+        "event.type": "authentication_success",
         "fileset.name": "auth",
         "host.hostname": "localhost",
         "input.type": "log",
@@ -22,6 +25,9 @@
         "event.dataset": "system.auth",
         "event.module": "system",
         "event.outcome": "Accepted",
+        "event.category": "authentication",
+        "event.action": "ssh_login",
+        "event.type": "authentication_success",
         "fileset.name": "auth",
         "host.hostname": "localhost",
         "input.type": "log",
@@ -39,6 +45,9 @@
         "event.dataset": "system.auth",
         "event.module": "system",
         "event.outcome": "Invalid",
+        "event.category": "authentication",
+        "event.action": "ssh_login",
+        "event.type": "authentication_failure",
         "fileset.name": "auth",
         "host.hostname": "localhost",
         "input.type": "log",
@@ -54,6 +63,9 @@
         "event.dataset": "system.auth",
         "event.module": "system",
         "event.outcome": "Failed",
+        "event.category": "authentication",
+        "event.action": "ssh_login",
+        "event.type": "authentication_failure",
         "fileset.name": "auth",
         "host.hostname": "slave22",
         "input.type": "log",
@@ -170,4 +182,4 @@
         "user.id": "48",
         "user.name": "apache"
     }
-]
+]