diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 2a40d643cc2..8e358366ba5 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -591,6 +591,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Add experimental dataset sonicwall/firewall for Sonicwall Firewalls logs {pull}19713[19713]
 - Add experimental dataset squid/log for Squid Proxy Server logs {pull}19713[19713]
 - Add experimental dataset zscaler/zia for Zscaler Internet Access logs {pull}19713[19713]
+- Add support for reading auditd logs that are prefixed with `node=`. {pull}19659[19659]
 - Add event.ingested for CrowdStrike module {pull}20138[20138]
 - Add support for additional fields and FirewallMatchEvent type events in CrowdStrike module {pull}20138[20138]
 - Add event.ingested to all Filebeat modules. {pull}20386[20386]
diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml
index 26a8bf2ab91..c36875e8c48 100644
--- a/filebeat/module/auditd/log/ingest/pipeline.yml
+++ b/filebeat/module/auditd/log/ingest/pipeline.yml
@@ -7,8 +7,9 @@ processors:
 - grok:
 field: message
 pattern_definitions:
- AUDIT_TYPE: "^type=%{NOTSPACE:auditd.log.record_type}"
- AUDIT_PREFIX: "%{AUDIT_TYPE} msg=audit\\(%{NUMBER:auditd.log.epoch}:%{NUMBER:auditd.log.sequence}\\):(%{DATA})?"
+ AUDIT_TYPE: "type=%{NOTSPACE:auditd.log.record_type}"
+ AUDIT_NODE: "node=%{IPORHOST:auditd.log.node} "
+ AUDIT_PREFIX: "^(?:%{AUDIT_NODE})?%{AUDIT_TYPE} msg=audit\\(%{NUMBER:auditd.log.epoch}:%{NUMBER:auditd.log.sequence}\\):(%{DATA})?"
 AUDIT_KEY_VALUES: "%{WORD}=%{GREEDYDATA}"
 patterns:
 - "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} old auid=%{NUMBER:auditd.log.old_auid}
diff --git a/filebeat/module/auditd/log/test/audit-cent7-node.log b/filebeat/module/auditd/log/test/audit-cent7-node.log
new file mode 100644
index 00000000000..55b31cf3fe6
--- /dev/null
+++ b/filebeat/module/auditd/log/test/audit-cent7-node.log
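Review bot: `AUDIT_NODE` only accepts `%{IPORHOST}`, but auditd's `name_format = user` setting lets an administrator choose an arbitrary `name` string, and grok's HOSTNAME sub-pattern rejects characters such as `_`, so a record carrying such a node name would fail the whole grok step and that node's audit trail would arrive unparsed; since `AUDIT_TYPE` on the neighbouring line already uses `%{NOTSPACE}`, the same is safer here: `AUDIT_NODE: "node=%{NOTSPACE:auditd.log.node} "`. The `^` anchor also moved from `AUDIT_TYPE` into `AUDIT_PREFIX`, so if any pattern outside this hunk references `AUDIT_TYPE` on its own it is presumably no longer anchored to the start of the message. The new `auditd.log.node` capture should be declared as a keyword in the module's fields.yml if it is not already, which this diff does not show. The grok processor's `patterns` list continues past the end of the hunk.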
@@ -0,0 +1,10 @@
+node=localhost.localdomain type=DAEMON_START msg=audit(1594053514.588:4686): op=start ver=2.8.5 format=raw kernel=3.10.0-1062.9.1.el7.x86_64 auid=4294967295 pid=1643 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=success
+node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1594053514.707:4): audit_backlog_limit=8192 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 res=1
+node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1594053514.707:5): audit_failure=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 res=1
+node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.709:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
+node=localhost.localdomain type=SYSTEM_BOOT msg=audit(1594053514.725:7): pid=1667 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
+node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.739:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-utmp comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
+node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.807:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
+node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.843:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=irqbalance comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
+node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.850:11): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=abrtd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
+node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.857:12): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=abrt-xorg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
diff --git a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json
new file mode 100644
index 00000000000..70e98f6e87a
--- /dev/null
+++ b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json
@@ -0,0 +1,218 @@ +[ + { + "@timestamp": "2020-07-06T16:38:34.588Z", + "auditd.log.format": "raw", + "auditd.log.kernel": "3.10.0-1062.9.1.el7.x86_64", + "auditd.log.node": "localhost.localdomain", + "auditd.log.op": "start", + "auditd.log.sequence": 4686, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:auditd_t:s0", + "auditd.log.ver": "2.8.5", + "event.action": "daemon_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 0, + "process.pid": 1643, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.707Z", + "auditd.log.audit_backlog_limit": "8192", + "auditd.log.node": "localhost.localdomain", + "auditd.log.old": "64", + "auditd.log.sequence": 4, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0", + "event.action": "config_change", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "1", + "fileset.name": "log", + "input.type": "log", + "log.offset": 234, + "service.type": "auditd", + "user.audit.id": "4294967295" + }, + { + "@timestamp": "2020-07-06T16:38:34.707Z", + "auditd.log.audit_failure": "1", + "auditd.log.node": "localhost.localdomain", + "auditd.log.old": "1", + "auditd.log.sequence": 5, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0", + "event.action": "config_change", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "1", + "fileset.name": "log", + "input.type": "log", + "log.offset": 425, + "service.type": "auditd", + "user.audit.id": "4294967295" + }, + { + "@timestamp": "2020-07-06T16:38:34.709Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 6, + "auditd.log.ses": "4294967295", + 
"auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "auditd", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 606, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.725Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 7, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "event.action": "system_boot", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "event.type": "host", + "fileset.name": "log", + "input.type": "log", + "log.offset": 862, + "message": "", + "process.executable": "/usr/lib/systemd/systemd-update-utmp", + "process.name": "systemd-update-utmp", + "process.pid": 1667, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.739Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 8, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "systemd-update-utmp", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1132, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.807Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 9, + "auditd.log.ses": "4294967295", + "auditd.log.subj": 
"system_u:system_r:init_t:s0", + "auditd.log.unit": "rngd", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1401, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.843Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 10, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "irqbalance", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1655, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.850Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 11, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "abrtd", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1916, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.857Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 12, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": 
"abrt-xorg", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2172, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + } +] \ No newline at end of file