Describe the enhancement:
The other Beats (Filebeat, Winlogbeat, Metricbeat, etc.) have a script processor from libbeat, however Auditbeat does not. It would be useful if it was included with this Beat as well.
https://www.elastic.co/guide/en/beats/filebeat/current/processor-script.html
Script Processor
The script processor executes Javascript code to process an event. The processor uses a pure Go implementation of ECMAScript 5.1 and has no external dependencies. This can be useful in situations where one of the other processors doesn’t provide the functionality you need to filter events.
The error that happens when you try to use it is
$ sudo auditbeat
Exiting: error initializing processors: the processor action script does not exist. Valid actions: drop_event, truncate_fields, add_host_metadata, add_process_metadata, dns, add_labels, detect_mime_type, add_id, add_locale, extract_array, fingerprint, add_network_direction, drop_fields, include_fields, rename, add_observer_metadata, add_docker_metadata, add_nomad_metadata, decode_base64_field, convert, decode_xml, dissect, registered_domain, add_cloudfoundry_metadata, decompress_gzip_field, add_kubernetes_metadata, replace, copy_fields, decode_json_fields, community_id, rate_limit, urldecode, add_tags, add_cloud_metadata, decode_xml_wineventlog, add_fields
Describe a specific use case for the enhancement or feature:
This fills the gaps when the other processors do not offer the options desired, such as comparing the values of two different fields: for example, setting a field that indicates whether values match or not, such as process names not matching file names or source and destination IPs matching.
This came up in the discuss forums as well at https://discuss.elastic.co/t/extracting-some-fields-from-an-array-item-and-renaming-them-with-auditbeats-processors/265408/2.
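As an added illustration of the use case above (example code, not part of the original issue and not Elastic's own code): a script-processor `process(event)` function that compares two fields and records whether they match, written in ES5.1 syntax because the processor embeds an ES5.1 engine. The real event object with `Get`, `Put` and `Tag` is supplied by libbeat; the small `FakeEvent` shim here is an assumption so the function can be exercised offline under Node.js. The field names (`process.name`, `file.name`, `file.path`, `source.ip`, `destination.ip`) are ECS names assumed for the example, and `custom.*` is a made-up output namespace.

```javascript
// Equivalent auditbeat.yml fragment (keys follow the Filebeat script-processor docs):
//   processors:
//     - script:
//         lang: javascript
//         source: |
//           ... the process() function below ...

// Minimal in-memory event with dotted-key Get/Put/Tag, mimicking the libbeat
// event API. This shim is an assumption for offline testing only.
function FakeEvent(fields) {
  this.fields = fields;
  this.tags = [];
}
FakeEvent.prototype.Get = function (key) {
  var parts = key.split(".");
  var cur = this.fields;
  for (var i = 0; i < parts.length; i++) {
    if (cur === null || typeof cur !== "object" || !(parts[i] in cur)) {
      return null; // libbeat's Get returns null for a missing key
    }
    cur = cur[parts[i]];
  }
  return cur;
};
FakeEvent.prototype.Put = function (key, value) {
  var parts = key.split(".");
  var cur = this.fields;
  for (var i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
};
FakeEvent.prototype.Tag = function (tag) {
  if (this.tags.indexOf(tag) === -1) this.tags.push(tag);
};

// Basename of a path so "/usr/bin/bash" can be compared against "bash".
function basename(p) {
  var s = String(p);
  var idx = s.lastIndexOf("/");
  return idx === -1 ? s : s.substring(idx + 1);
}

// Entry point the script processor calls once per event.
function process(event) {
  // Case 1: does the process name match the file name it operated on?
  var procName = event.Get("process.name");
  var fileName = event.Get("file.name");
  if (fileName === null) {
    var filePath = event.Get("file.path");
    if (filePath !== null) fileName = basename(filePath);
  }
  if (procName !== null && fileName !== null) {
    var match = fileName === procName;
    event.Put("custom.process_file_match", match);
    if (!match) event.Tag("process_file_mismatch");
  }

  // Case 2: are source and destination IPs the same?
  var src = event.Get("source.ip");
  var dst = event.Get("destination.ip");
  if (src !== null && dst !== null) {
    event.Put("custom.ip_match", src === dst);
  }
  return event;
}

// Constructed sample events (not real Auditbeat output) run through the processor.
function runSamples() {
  var e1 = new FakeEvent({ process: { name: "bash" }, file: { path: "/usr/bin/bash" } });
  var e2 = new FakeEvent({
    process: { name: "curl" },
    file: { path: "/tmp/payload" },
    source: { ip: "10.0.0.5" },
    destination: { ip: "10.0.0.5" }
  });
  process(e1);
  process(e2);
  return [e1, e2];
}
```

Only the body of `process()` would go into the `source` block of the YAML; the shim and `runSamples()` exist so the logic can be checked without a running Beat. Guarding on `null` matters because `Get` returns `null` for absent fields, and comparing against `null` without the check would silently mark every incomplete event as a mismatch.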