System Auth integration not populating process.name

[janniten]

Hello,
Last week I saw (based on an slack message https://elasticstack.slack.com/archives/C02J2JBS0FP/p1712234933586649) that when creating a user in Linux (version 1.54 of system integration) the process.name was not properly populated.
The event.category and event.type is set based on the value of the process name and therefore the events were without category/type
What I have observed is that the value of the process is set in log.syslog.appname, but I'm not able to find references to this field in the pipeline.

Also, doing a pipeline simulation the field log.syslog.appname is not set... so I do not understand

The event original is this one
Apr 4 15:13:14 serverxyz useradd[2586]: new user: name=testoriginal, UID=6185, GID=6185, home=/home/testoriginal, shell=/bin/bash

What is wrong? What is the origin of the field log.syslog.appname?

[jvalente-salemstate]

It's being set by filebeat when it runs the syslog processor..

The processor calls a parser for RFC5424 that sets it.

%%{
    # RFC 5424 Syslog Message Format.
    # https://tools.ietf.org/html/rfc5424

    machine rfc5424;

...

    action set_app_name {
        m.setAppName(data[tok:p])
    }
...

The change was probably, based on the specific format and field and versions they did work, made in #8103 for 1.47.1. I'm guessing the grok pattern in the pipeline is failing to match somehow.

[janniten]

Hello @jvalente-salemstate ,
Is the field log.syslog.appname renamed to process.name in some place?
I'm not able to see where this happens.

IMHO this is an important issue to solve. There are some DR as
https://elastic.github.io/detection-rules-explorer/rules/edfd5ca9-9d6c-44d9-b615-1e56b920219c
That will not work without a proper categorization/typification.

As workaround I've added to my custom pipeline this:

      {
        "set": {
          "field": "process.name",
          "value": "{{log.syslog.appname}}",
          "if": "ctx?.log?.syslog?.appname != null && ctx?.process?.name == null"
        }
      },
      {
        "append": {
          "tag": "append_category-iam",
          "field": "event.category",
          "value": "iam",
          "if": "ctx.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)"
        }
      },
      {
        "set": {
          "tag": "set_outcome-success",
          "field": "event.outcome",
          "value": "success",
          "if": """ctx.process?.name != null && (ctx.message == null || !ctx.message.contains("fail")) && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)"""
        }
      },
      {
        "set": {
          "tag": "set_outcome-failure",
          "field": "event.outcome",
          "value": "failure",
          "if": """ctx.process?.name != null && (ctx.message != null && ctx.message.contains("fail")) && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)"""
        }
      },
      {
        "append": {
          "tag": "append_type-user",
          "field": "event.type",
          "value": "user",
          "if": "ctx.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)"
        }
      },
      {
        "append": {
          "tag": "append_type-group",
          "field": "event.type",
          "value": "group",
          "if": "ctx.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)"
        }
      },
      {
        "append": {
          "tag": "append_type-creation",
          "field": "event.type",
          "value": "creation",
          "if": "ctx.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)"
        }
      },
      {
        "append": {
          "tag": "append_type-deletion",
          "field": "event.type",
          "value": "deletion",
          "if": "ctx.process?.name != null && ['userdel', 'groupdel'].contains(ctx.process.name)"
        }
      },
      {
        "append": {
          "tag": "append_type-change",
          "field": "event.type",
          "value": "change",
          "if": "ctx.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)"
        }
      }

[elasticmachine]

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

[Oddly]

After looking through the latest change, it seems the sample data for the auth dataset uses a the following event sample log to test the auth dataset.
This test logging contains logs like:
<86>1 2023-10-17T18:09:11.231928+02:00 test-server systemd 70965 - - pam_unix(systemd-user:session): session closed for user nobody
which differs from the logging that is sent in from /var/log/secure:
Apr 4 15:13:14 serverxyz useradd[2586]: new user: name=testoriginal, UID=6185, GID=6185, home=/home/testoriginal, shell=/bin/bash

Notable is that the log.syslog.appname field was introduced with the latest commit (see above) to the system.auth integration, which also introduced some rather large change, involving syslog5424 grok pattern matching.

Not sure if this is the issue, but this is what I've found when looking around.