diff --git a/filebeat/module/elasticsearch/audit/ingest/pipeline.json b/filebeat/module/elasticsearch/audit/ingest/pipeline.json
index 63ea18fdc4bc..6e1d5be7e215 100644
--- a/filebeat/module/elasticsearch/audit/ingest/pipeline.json
+++ b/filebeat/module/elasticsearch/audit/ingest/pipeline.json
@@ -14,14 +14,14 @@
 "ES_TIMESTAMP": "\\[%{TIMESTAMP_ISO8601:elasticsearch.audit.timestamp}\\]",
 "ES_NODE_NAME": "(\\[%{DATA:elasticsearch.node.name}\\])?",
 "ES_AUDIT_LAYER": "\\[%{WORD:elasticsearch.audit.layer}\\]",
- "ES_AUDIT_EVENT_TYPE": "\\[%{WORD:event.type}\\]",
+ "ES_AUDIT_EVENT_TYPE": "\\[%{WORD:elasticsearch.audit.event_type}\\]",
 "ES_AUDIT_ORIGIN_TYPE": "(origin_type\\=\\[%{WORD:elasticsearch.audit.origin_type}\\])?",
 "ES_AUDIT_ORIGIN_ADDRESS": "(origin_address\\=\\[%{IPORHOST:elasticsearch.audit.origin_address}\\])?",
 "ES_AUDIT_PRINCIPAL": "(principal\\=\\[%{WORD:elasticsearch.audit.principal}\\])?",
 "ES_AUDIT_REALM": "(realm\\=\\[%{WORD:elasticsearch.audit.realm}\\])?",
 "ES_AUDIT_ROLES": "(roles\\=\\[%{DATA:elasticsearch.audit.roles}\\])?",
 "ES_AUDIT_ACTION": "(action\\=\\[%{DATA:elasticsearch.audit.action}(\\[%{DATA:elasticsearch.audit.sub_action}\\])?\\])?",
- "ES_AUDIT_URI": "(uri=\\[%{DATA:elasticsearch.audit.uri\\])?",
+ "ES_AUDIT_URI": "(uri=\\[%{DATA:elasticsearch.audit.uri}\\])?",
 "ES_AUDIT_INDICES": "(indices\\=\\[%{DATA:elasticsearch.audit.indices}\\])?",
 "ES_AUDIT_REQUEST": "(request\\=\\[%{WORD:elasticsearch.audit.request}\\])?",
 "ES_AUDIT_REQUEST_BODY": "(request_body\\=\\[%{DATA:elasticsearch.audit.request_body}\\])?"
diff --git a/filebeat/module/elasticsearch/audit/test/test.log-expected.json b/filebeat/module/elasticsearch/audit/test/test.log-expected.json
index f842c84483c4..f2c334c6a1fa 100644
--- a/filebeat/module/elasticsearch/audit/test/test.log-expected.json
+++ b/filebeat/module/elasticsearch/audit/test/test.log-expected.json
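Review bot: The corrected `ES_AUDIT_URI` pattern still writes `uri=` with an unescaped `=`, while every sibling pattern in this block escapes it (`origin_type\\=`, `principal\\=`, `indices\\=`, `request_body\\=`); the two forms should match identically, so this is consistency only, and one line brings it in step: `"ES_AUDIT_URI": "(uri\\=\\[%{DATA:elasticsearch.audit.uri}\\])?",`. For consumers of the newly populated fields, `elasticsearch.audit.uri` and `elasticsearch.audit.request_body` are captured with `%{DATA:...}` from the request the client sent, so detections built on them should treat the values as untrusted free text rather than a normalized path. If `DATA` is the usual non-greedy match, a URI that itself contains `]` would be cut short at the first `]`, so a fixture line with such a URI would be a useful addition to the module test. The renamed `elasticsearch.audit.event_type` and the now-working `uri` capture also need mappings in the module's fields.yml if that is not updated elsewhere in this commit (not visible here).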
@@ -1,11 +1,12 @@
 [
 {
 "@timestamp": "2018-06-19T05:16:15.549Z",
+ "elasticsearch.audit.event_type": "authentication_failed",
 "elasticsearch.audit.layer": "rest",
 "elasticsearch.audit.origin_address": "147.107.128.77",
 "elasticsearch.audit.principal": "i030648",
+ "elasticsearch.audit.uri": "/_xpack/security/_authenticate",
 "event.dataset": "elasticsearch.audit",
- "event.type": "authentication_failed",
 "fileset.module": "elasticsearch",
 "fileset.name": "audit",
 "input.type": "log",
@@ -16,12 +17,13 @@
 },
 {
 "@timestamp": "2018-06-19T05:07:52.304Z",
+ "elasticsearch.audit.event_type": "authentication_failed",
 "elasticsearch.audit.layer": "rest",
 "elasticsearch.audit.origin_address": "172.22.0.3",
 "elasticsearch.audit.principal": "rado",
+ "elasticsearch.audit.uri": "/_xpack/security/_authenticate",
 "elasticsearch.node.name": "v_VJhjV",
 "event.dataset": "elasticsearch.audit",
- "event.type": "authentication_failed",
 "fileset.module": "elasticsearch",
 "fileset.name": "audit",
 "input.type": "log",
@@ -33,13 +35,13 @@
 {
 "@timestamp": "2018-06-19T05:00:15.778Z",
 "elasticsearch.audit.action": "indices:data/read/scroll/clear",
+ "elasticsearch.audit.event_type": "access_granted",
 "elasticsearch.audit.layer": "transport",
 "elasticsearch.audit.origin_address": "192.168.1.165",
 "elasticsearch.audit.origin_type": "local_node",
 "elasticsearch.audit.principal": "_xpack_security",
 "elasticsearch.audit.request": "ClearScrollRequest",
 "event.dataset": "elasticsearch.audit",
- "event.type": "access_granted",
 "fileset.module": "elasticsearch",
 "fileset.name": "audit",
 "input.type": "log",
@@ -50,11 +52,12 @@
 },
 {
 "@timestamp": "2018-06-19T05:07:45.544Z",
+ "elasticsearch.audit.event_type": "anonymous_access_denied",
 "elasticsearch.audit.layer": "rest",
 "elasticsearch.audit.origin_address": "172.22.0.3",
+ "elasticsearch.audit.uri": "/_xpack/security/_authenticate",
 "elasticsearch.node.name": "v_VJhjV",
 "event.dataset": "elasticsearch.audit",
- "event.type": "anonymous_access_denied",
 "fileset.module": "elasticsearch",
 "fileset.name": "audit",
 "input.type": "log",
@@ -65,11 +68,12 @@
 },
 {
 "@timestamp": "2018-06-19T05:26:27.268Z",
+ "elasticsearch.audit.event_type": "authentication_failed",
 "elasticsearch.audit.layer": "rest",
 "elasticsearch.audit.origin_address": "147.107.128.77",
 "elasticsearch.audit.principal": "N078801",
+ "elasticsearch.audit.uri": "/_xpack/security/_authenticate",
 "event.dataset": "elasticsearch.audit",
- "event.type": "authentication_failed",
 "fileset.module": "elasticsearch",
 "fileset.name": "audit",
 "input.type": "log",
@@ -81,13 +85,13 @@
 {
 "@timestamp": "2018-06-19T05:55:26.898Z",
 "elasticsearch.audit.action": "cluster:monitor/main",
+ "elasticsearch.audit.event_type": "access_denied",
 "elasticsearch.audit.layer": "transport",
 "elasticsearch.audit.origin_address": "147.107.128.77",
 "elasticsearch.audit.origin_type": "rest",
 "elasticsearch.audit.principal": "_anonymous",
 "elasticsearch.audit.request": "MainRequest",
 "event.dataset": "elasticsearch.audit",
- "event.type": "access_denied",
 "fileset.module": "elasticsearch",
 "fileset.name": "audit",
 "input.type": "log",
@@ -98,12 +102,14 @@
 },
 {
 "@timestamp": "2018-06-19T05:24:15.190Z",
+ "elasticsearch.audit.event_type": "authentication_failed",
 "elasticsearch.audit.layer": "rest",
 "elasticsearch.audit.origin_address": "172.18.0.3",
 "elasticsearch.audit.principal": "elastic",
+ "elasticsearch.audit.request_body": "body",
+ "elasticsearch.audit.uri": "/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip",
 "elasticsearch.node.name": "v_VJhjV",
 "event.dataset": "elasticsearch.audit",
- "event.type": "authentication_failed",
 "fileset.module": "elasticsearch",
 "fileset.name": "audit",
 "input.type": "log",
@@ -115,6 +121,7 @@
 {
 "@timestamp": "2019-01-08T14:15:02.011Z",
 "elasticsearch.audit.action": "indices:data/read/search[free_context]",
+ "elasticsearch.audit.event_type": "access_granted",
 "elasticsearch.audit.indices": [
 "foo-2019.01.04",
 "foo-2019.01.03",
@@ -136,7 +143,6 @@
 ],
 "elasticsearch.node.name": "NodeName-0",
 "event.dataset": "elasticsearch.audit",
- "event.type": "access_granted",
 "fileset.module": "elasticsearch",
 "fileset.name": "audit",
 "input.type": "log",