Skip to content

[Auditbeat] Include the error message with auditd module events#30009

Merged
andrewkroh merged 1 commit intoelastic:masterfrom
andrewkroh:bugfix/ab/auditd-error-msg
Jan 27, 2022
Merged

[Auditbeat] Include the error message with auditd module events#30009
andrewkroh merged 1 commit intoelastic:masterfrom
andrewkroh:bugfix/ab/auditd-error-msg

Conversation

@andrewkroh
Copy link
Copy Markdown
Member

@andrewkroh andrewkroh commented Jan 26, 2022

What does this PR do?

Auditbeat adds event.original when there is a parse failure, but it wasn't
including the error message. Having the error helps you understand what
went wrong.

Example output:

{"@timestamp":"2022-01-26T00:15:20.241Z","@metadata":{"beat":"auditbeat","type":"_doc","version":"8.1.0"},"error":{"message":"missing syscall message in compound event"},"event":{"original":["type=UNKNOWN[1333] msg=audit(1643156118.179:545): op=freq old=36792303616000 new=-176298262528000","type=UNKNOWN[1333] msg=audit(1643156118.179:545): op=tick old=9977 new=10000"],"module":"auditd"},"service":{"type":"auditd"},"host":{"name":"ubuntu-impish"},"agent":{"version":"8.1.0","ephemeral_id":"a6dd5138-f1b2-437a-8b83-324ec09bbaa3","id":"c127e0a1-be4b-4f9f-a5e4-97496699f75e","name":"ubuntu-impish","type":"auditbeat"},"ecs":{"version":"8.0.0"}}

Why is it important?

So you don't lose error details and can correct processing issues.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

@andrewkroh andrewkroh requested a review from a team as a code owner January 26, 2022 01:09
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jan 26, 2022

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Jan 26, 2022
@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Jan 26, 2022

This pull request does not have a backport label. Could you fix it @andrewkroh? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

@andrewkroh andrewkroh force-pushed the bugfix/ab/auditd-error-msg branch from d4eb069 to 2f86381 Compare January 26, 2022 01:09
@mergify mergify bot added the backport-skip Skip notification from the automated backport with mergify label Jan 26, 2022
@andrewkroh
Include the error message with auditd module events
05001d8 
Auditbeat adds event.original when there is a parse failure, but it wasn't
including the error message. Having the error helps you understand what
went wrong.

Example output:

{"@timestamp":"2022-01-26T00:15:20.241Z","@metadata":{"beat":"auditbeat","type":"_doc","version":"8.1.0"},"error":{"message":"missing syscall message in compound event"},"event":{"original":["type=UNKNOWN[1333] msg=audit(1643156118.179:545): op=freq old=36792303616000 new=-176298262528000","type=UNKNOWN[1333] msg=audit(1643156118.179:545): op=tick old=9977 new=10000"],"module":"auditd"},"service":{"type":"auditd"},"host":{"name":"ubuntu-impish"},"agent":{"version":"8.1.0","ephemeral_id":"a6dd5138-f1b2-437a-8b83-324ec09bbaa3","id":"c127e0a1-be4b-4f9f-a5e4-97496699f75e","name":"ubuntu-impish","type":"auditbeat"},"ecs":{"version":"8.0.0"}}
@andrewkroh andrewkroh force-pushed the bugfix/ab/auditd-error-msg branch from 2f86381 to 05001d8 Compare January 26, 2022 01:10
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jan 26, 2022
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-01-27T01:48:46.513+0000

  • Duration: 21 min 41 sec

  • Commit: 05001d8

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@andrewkroh
Copy link
Copy Markdown
Member Author

andrewkroh commented Jan 26, 2022

/test

@andrewkroh
Copy link
Copy Markdown
Member Author

andrewkroh commented Jan 27, 2022

/test

@andrewkroh andrewkroh merged commit e691b6e into elastic:master Jan 27, 2022
v1v added a commit to v1v/beats that referenced this pull request Jan 31, 2022
@v1v
Merge remote-tracking branch 'upstream/master' into feature/bump-stac…
0ca8d43 
…k-version-after-8-0-creation

* upstream/master: (69 commits)
  Update stale config following (elastic#30082)
  Make include_matches backwards compatible with 7.x config (elastic#30032)
  [Filebeat] Update handling of elasticsearch server logs (elastic#30018)
  Remove SSL3 support from libbeat and its documentation. (elastic#30071)
  Revert "Packaging: rename arm64 suffix to aarch64 in the tar.gz artifacts ONLY (elastic#28813)" (elastic#30083)
  [libbeat] Add script processor to all beats (elastic#29752)
  Add fonts to support more different types of characters for multiple languages (elastic#29861)
  libbeat/reader: Fix messge conversion to beat.Event (elastic#30057)
  probot[stale]: ignore issues with the tag flaky-test (elastic#30065)
  [DOCS] Add redirect for GSuite module (elastic#30034)
  [Automation] Update elastic stack version to 8.1.0-aa69d697 for testing (elastic#30012)
  Remove msitools install for windows build, using the latest docker image with msitools preinstalled (elastic#30040)
  filebeat/generator/fields: fix dropped error (elastic#29943)
  Include the error message with auditd module events (elastic#30009)
  [Metricbeat] gcp: add firestore metricset (elastic#29918)
  probot: update stale dates (elastic#29997)
  Metricbeat enterprise search module: add xpack.enabled support (elastic#29871)
  x-pack/packetbeat: install Npcap at start-up when required (elastic#29112)
  [Filebeat] Fix panic in decode_cef when recovering from invalid data (elastic#30038)
  Correctly fixe how selected packages are defined (elastic#30039)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@efd6 efd6 efd6 approved these changes

Assignees

No one assigned

Labels

Auditbeat backport-skip Skip notification from the automated backport with mergify v8.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@andrewkroh @elasticmachine @efd6