
Commit 7bd3130

committed
Upgrade elasticsearch/audit to ECS 1.8
1 parent b050cd0 commit 7bd3130

10 files changed

Lines changed: 322 additions & 10 deletions


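--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -845,6 +845,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Update mysqlenterprise module to ECS 1.8. {issue}23118[23118] {pull}23978[23978]
 - Upgrade sophos/xg fileset to ECS 1.8.0. {issue}23118[23118] {pull}23967[23967]
 - Upgrade system/auth to ECS 1.8 {issue}23118[23118] {pull}23961[23961]
+- Upgrade elasticsearch/audit to ECS 1.8 {issue}23118[23118] {pull}24000[24000]
 
 *Heartbeat*
 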
filebeat/docs/fields.asciidoc

Lines changed: 28 additions & 5 deletions
@@ -47765,11 +47765,6 @@ example: 0
4776547765

4776647766
--
4776747767

47768-
[float]
47769-
=== audit
47770-
47771-
47772-
4777347768

4777447769
*`elasticsearch.audit.layer`*::
4777547770
+
@@ -47833,6 +47828,27 @@ example: ['kibana_admin', 'beats_admin']
4783347828

4783447829
--
4783547830

47831+
*`elasticsearch.audit.user.run_as.name`*::
47832+
+
47833+
--
47834+
type: keyword
47835+
47836+
--
47837+
47838+
*`elasticsearch.audit.user.run_as.realm`*::
47839+
+
47840+
--
47841+
type: keyword
47842+
47843+
--
47844+
47845+
*`elasticsearch.audit.component`*::
47846+
+
47847+
--
47848+
type: keyword
47849+
47850+
--
47851+
4783647852
*`elasticsearch.audit.action`*::
4783747853
+
4783847854
--
@@ -47929,6 +47945,13 @@ type: text
4792947945

4793047946
--
4793147947

47948+
*`elasticsearch.audit.invalidate.apikeys.owned_by_authenticated_user`*::
47949+
+
47950+
--
47951+
type: boolean
47952+
47953+
--
47954+
4793247955
[float]
4793347956
=== deprecation
4793447957

filebeat/module/elasticsearch/audit/_meta/fields.yml

Lines changed: 8 additions & 1 deletion
@@ -1,6 +1,5 @@
11
- name: audit
22
type: group
3-
description: >
43
fields:
54
- name: layer
65
description: "The layer from which this event originated: rest, transport or ip_filter"
@@ -26,6 +25,12 @@
2625
description: "Roles to which the principal belongs"
2726
example: [ "kibana_admin", "beats_admin" ]
2827
type: keyword
28+
- name: user.run_as.name
29+
type: keyword
30+
- name: user.run_as.realm
31+
type: keyword
32+
- name: component
33+
type: keyword
2934
- name: action
3035
description: "The name of the action that was executed"
3136
example: "cluster:monitor/main"
@@ -63,3 +68,5 @@
6368
migration: true
6469
- name: message
6570
type: text
71+
- name: invalidate.apikeys.owned_by_authenticated_user
72+
type: boolean
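Review bot: The four fields added in this section — `user.run_as.name`, `user.run_as.realm`, `component` and `invalidate.apikeys.owned_by_authenticated_user` — carry no `description`, unlike the neighbouring `layer`, `roles` and `action` entries, so the generated fields reference (filebeat/docs/fields.asciidoc in this same commit) lists them as bare names with a type. Going by the run_as fixtures in test-audit.log (an `elastic` actor with `user.run_as.name: user1`), I would add `description: "Name of the user being impersonated through run_as"` and `description: "Realm of the user being impersonated through run_as"`; for `component` something like `description: "Elasticsearch component (logger name) that emitted a non-audit server line"`, and for the API-key flag `description: "Whether the invalidated API keys were restricted to those owned by the authenticated user"` — please confirm the wording against the Elasticsearch audit event reference before committing it. The group-level `description: >` removed at the top of the file was empty, so nothing is lost there, but a one-line group description ("Fields from the Elasticsearch security audit log") would help readers of the reference as well.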

filebeat/module/elasticsearch/audit/config/audit.yml

Lines changed: 1 addition & 1 deletion
@@ -10,7 +10,7 @@ processors:
1010
- add_fields:
1111
target: ''
1212
fields:
13-
ecs.version: 1.7.0
13+
ecs.version: 1.8.0
1414
- if:
1515
regexp:
1616
message: "^{"

filebeat/module/elasticsearch/audit/ingest/pipeline-json.yml

Lines changed: 59 additions & 2 deletions
@@ -3,8 +3,6 @@ processors:
33
- json:
44
field: message
55
target_field: elasticsearch.audit
6-
- drop:
7-
if: ctx.elasticsearch.audit?.type != null && ctx.elasticsearch.audit.type != 'audit'
86
- remove:
97
field: elasticsearch.audit.type
108
ignore_missing: true
@@ -16,6 +14,7 @@ processors:
1614
- yyyy-MM-dd'T'HH:mm:ss,SSS
1715
- yyyy-MM-dd'T'HH:mm:ss,SSSZ
1816
timezone: '{{ event.timezone }}'
17+
ignore_failure: true
1918
- remove:
2019
if: ctx.elasticsearch.audit['@timestamp'] == null && ctx.event.timezone != null
2120
field: event.timezone
@@ -80,13 +79,64 @@ processors:
8079
- rename:
8180
field: elasticsearch.audit.node
8281
target_field: elasticsearch.node
82+
- rename:
83+
field: elasticsearch.audit.change.disable.user.name
84+
target_field: user.name
85+
ignore_missing: true
86+
- rename:
87+
field: elasticsearch.audit.change.enable.user.name
88+
target_field: user.name
89+
ignore_missing: true
90+
- rename:
91+
field: elasticsearch.audit.delete.user.name
92+
target_field: user.name
93+
ignore_missing: true
94+
- rename:
95+
field: elasticsearch.audit.put.user.name
96+
target_field: user.name
97+
ignore_missing: true
98+
- rename:
99+
field: elasticsearch.audit.put.user.full_name
100+
target_field: user.full_name
101+
ignore_missing: true
102+
- rename:
103+
field: elasticsearch.audit.put.user.email
104+
target_field: user.email
105+
ignore_missing: true
106+
- remove:
107+
field: elasticsearch.audit.put
108+
ignore_missing: true
109+
- rename:
110+
field: elasticsearch.audit.invalidate.apikeys.user.name
111+
target_field: user.name
112+
ignore_missing: true
113+
- rename:
114+
field: elasticsearch.audit.invalidate.apikeys.user.realm
115+
target_field: elasticsearch.audit.user.realm
116+
ignore_missing: true
117+
- dot_expander:
118+
field: user.run_as.name
119+
path: elasticsearch.audit
120+
ignore_failure: true
121+
- dot_expander:
122+
field: user.run_as.realm
123+
path: elasticsearch.audit
124+
ignore_failure: true
125+
- convert:
126+
field: elasticsearch.audit.user.run_as.name
127+
target_field: user.effective.name
128+
type: string
129+
ignore_failure: true
83130
- dot_expander:
84131
field: user.name
85132
path: elasticsearch.audit
86133
- rename:
87134
field: elasticsearch.audit.user.name
88135
target_field: user.name
89136
ignore_missing: true
137+
- dot_expander:
138+
field: user.email
139+
path: elasticsearch.audit
90140
- dot_expander:
91141
field: request.method
92142
path: elasticsearch.audit
@@ -104,10 +154,17 @@ processors:
104154
- dot_expander:
105155
field: cluster.name
106156
path: elasticsearch.audit
157+
- dot_expander:
158+
field: cluster.uuid
159+
path: elasticsearch.audit
107160
- rename:
108161
field: elasticsearch.audit.cluster.name
109162
target_field: elasticsearch.cluster.name
110163
ignore_missing: true
164+
- rename:
165+
field: elasticsearch.audit.cluster.uuid
166+
target_field: elasticsearch.cluster.uuid
167+
ignore_missing: true
111168
- rename:
112169
field: elasticsearch.audit.level
113170
target_field: log.level
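Review bot: The renames for the `security_config_change` payloads (`change.disable.user.name`, `change.enable.user.name`, `delete.user.name`, `put.user.*`, `invalidate.apikeys.user.*`) write the *affected* account into `user.name` / `user.full_name` / `user.email`, but per the ECS user guidance `user.*` is the principal performing the action; the fixtures added to test-audit.log for these events carry only `request.id` and the change payload, no actor, so a disabled or deleted account will be indexed as though it performed the change and will then be appended to `related.user` as if it were the actor. ECS 1.8, the same release that adds the `user.effective.*` fields this commit already uses for run_as, also adds `user.target.*` for exactly this case, so I would point these renames at `user.target.name`, `user.target.full_name` and `user.target.email` (and have the `related.user` append in ingest/pipeline.yml pick up `user.target.name` too). The blanket `remove` of `elasticsearch.audit.put` also discards `roles`, `enabled` and `has_password` from a `put_user` event, which is the security-relevant content of a user change; keeping at least `roles` as `user.target.roles` seems worth it. The processor list starts before this hunk and continues after it.
```yaml
# … unchanged: json, date, earlier renames …
- rename:
    field: elasticsearch.audit.change.disable.user.name
    target_field: user.target.name
    ignore_missing: true
- rename:
    field: elasticsearch.audit.change.enable.user.name
    target_field: user.target.name
    ignore_missing: true
- rename:
    field: elasticsearch.audit.delete.user.name
    target_field: user.target.name
    ignore_missing: true
- rename:
    field: elasticsearch.audit.put.user.name
    target_field: user.target.name
    ignore_missing: true
- rename:
    field: elasticsearch.audit.put.user.full_name
    target_field: user.target.full_name
    ignore_missing: true
- rename:
    field: elasticsearch.audit.put.user.email
    target_field: user.target.email
    ignore_missing: true
- rename:
    field: elasticsearch.audit.put.user.roles
    target_field: user.target.roles
    ignore_missing: true
# … unchanged: remove of elasticsearch.audit.put …
- rename:
    field: elasticsearch.audit.invalidate.apikeys.user.name
    target_field: user.target.name
    ignore_missing: true
# … unchanged: run_as expansion and user.effective.name convert …
```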

filebeat/module/elasticsearch/audit/ingest/pipeline.yml

Lines changed: 4 additions & 0 deletions
@@ -55,6 +55,10 @@ processors:
5555
field: related.user
5656
value: "{{user.name}}"
5757
if: "ctx?.user?.name != null"
58+
- append:
59+
field: related.user
60+
value: "{{user.effective.name}}"
61+
if: "ctx?.user?.effective?.name != null"
5862
- remove:
5963
field: elasticsearch.audit.@timestamp
6064
- remove:
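Review bot: The new `related.user` append produces a duplicate entry whenever the impersonated account is the actor itself: the `run_as_denied` fixture in test-audit.log has `user.name` and `user.run_as.name` both set to `user1`, so `related.user` becomes `["user1", "user1"]` after the two appends. Guarding the new append with `if: "ctx?.user?.effective?.name != null && ctx.user.effective.name != ctx?.user?.name"` keeps the array a set, which is what the `related.*` fields are meant to be for pivoting. The append processor's `allow_duplicates: false` option would do the same without the condition, if the minimum Elasticsearch version this module supports has it — verify before relying on it. The processor list starts before this hunk, and the trailing `remove` is cut off at its end.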

filebeat/module/elasticsearch/audit/test/test-audit-docker.log-expected.json

Lines changed: 21 additions & 0 deletions
@@ -23,6 +23,27 @@
2323
"source.port": 40380,
2424
"url.original": "/"
2525
},
26+
{
27+
"@timestamp": "2019-06-11T15:03:32.777Z",
28+
"elasticsearch.audit.component": "o.e.x.s.a.AuthenticationService",
29+
"elasticsearch.audit.message": "Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]",
30+
"elasticsearch.cluster.name": "docker-cluster",
31+
"elasticsearch.cluster.uuid": "xEiKc6ipRiyzU8_8czXrJw",
32+
"elasticsearch.node.id": "Xaq2BFVcQ1OhyMrjL8gNOg",
33+
"elasticsearch.node.name": "dff7befc418f",
34+
"event.category": "database",
35+
"event.dataset": "elasticsearch.audit",
36+
"event.kind": "event",
37+
"event.module": "elasticsearch",
38+
"event.outcome": "failure",
39+
"fileset.name": "audit",
40+
"host.id": "Xaq2BFVcQ1OhyMrjL8gNOg",
41+
"input.type": "log",
42+
"log.level": "INFO",
43+
"log.offset": 299,
44+
"message": "{\"type\": \"server\", \"timestamp\": \"2019-06-11T15:03:32,777+0000\", \"level\": \"INFO\", \"component\": \"o.e.x.s.a.AuthenticationService\", \"cluster.name\": \"docker-cluster\", \"node.name\": \"dff7befc418f\", \"cluster.uuid\": \"xEiKc6ipRiyzU8_8czXrJw\", \"node.id\": \"Xaq2BFVcQ1OhyMrjL8gNOg\", \"message\": \"Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]\" }",
45+
"service.type": "elasticsearch"
46+
},
2647
{
2748
"@timestamp": "2019-06-11T15:03:32.778Z",
2849
"elasticsearch.audit.layer": "rest",

filebeat/module/elasticsearch/audit/test/test-audit.log

Lines changed: 7 additions & 0 deletions
@@ -5,3 +5,10 @@
55
{"@timestamp":"2018-10-31T09:35:12,303", "node.id":"DSiWcTyeThWtUXLB9J0BMw", "event.type":"transport", "event.action":"access_granted", "user.name":"elastic", "user.realm":"reserved", "user.roles":["superuser"], "origin.type":"rest","origin.address":"[::1]:61711", "action":"cluster:admin/xpack/security/user/change_password", "request.name":"ChangePasswordRequest"}
66
{"@timestamp":"2018-10-31T09:35:12,314", "node.id":"DSiWcTyeThWtUXLB9J0BMw", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"127.0.0.1:9300", "action":"indices:admin/create", "request.name":"CreateIndexRequest", "indices":[".security-6"]}
77
{"@timestamp":"2019-01-27T20:15:10,380", "node.name":"node-0", "node.id":"y8fa3M5zSSGo1M_KJRMUXw", "event.type":"rest", "event.action":"authentication_success", "user.name":"elastic-admin", "origin.type":"rest", "origin.address":"[::1]:58955", "realm":"default_file", "url.path":"/_search", "request.method":"GET", "request.body":"\n{\n \"query\" : {\n \"term\" : { \"user\" : \"kimchy\" }\n }\n}\n", "request.id":"WzL_kb6VSvOhAq0twPvHOQ"}
8+
{"type":"audit", "timestamp":"2020-12-30T23:17:28,308+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_disable_user", "request.id":"qvLIgw_eTvyK3cgV-GaLVg", "change":{"disable":{"user":{"name":"user1"}}}}
9+
{"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ", "change":{"enable":{"user":{"name":"user1"}}}}
10+
{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw", "delete":{"user":{"name":"jacknich"}}}
11+
{"type":"audit", "timestamp":"2020-12-31T00:36:30,247+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"invalidate_apikeys", "request.id":"7lyIQU9QTFqSrTxD0CqnTQ", "invalidate":{"apikeys":{"owned_by_authenticated_user":false,"user":{"name":"myuser","realm":"native1"}}}}
12+
{"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA", "put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"],"full_name":"Jack Sparrow","email":"jack@blackpearl.com","has_password":true,"metadata":{"cunning":10}}}}
13+
{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_denied", "user.name":"user1", "user.run_as.name":"user1", "user.realm":"default_native", "user.run_as.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}
14+
{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1", "user.realm":"reserved", "user.run_as.realm":"default_native", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}
