diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index d1666195d6bd..234377c5b905 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -57,6 +57,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d including `http.response.elapsed_time` (ECS). {pull}10188[10188], {pull}10274[10274] - Rename multiple fields to `http.response.body.bytes`, from modules "apache", "iis", "kibana", "nginx" and "traefik", including `http.response.content_length` (ECS). {pull}10188[10188] +- Ingesting Elasticsearch audit logs is only supported with Elasticsearch 6.5.0 and above {pull}10352[10352] +- Migrate Elasticsearch audit logs fields to ECS {pull}10352[10352] *Heartbeat* @@ -177,6 +179,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Teach elasticsearch/audit fileset to parse out some more fields. {issue}10134[10134] {pull}10137[10137] - Add convert_timezone to nginx module. {issue}9839[9839] {pull}10148[10148] - Add support for Percona in the `slowlog` fileset of `mysql` module. {issue}6665[6665] {pull}10227[10227] +- Added support for ingesting structured Elasticsearch audit logs {pull}10352[10352] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 055cf62d30b4..ab2c6ea9b5c1 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -3911,6 +3911,17 @@ elasticsearch Module +*`elasticsearch.node.id`*:: ++ +-- +type: keyword + +example: DSiWcTyeThWtUXLB9J0BMw + +ID of the node + +-- + *`elasticsearch.node.name`*:: + -- @@ -3972,7 +3983,7 @@ The layer from which this event originated: rest, transport or ip_filter -- -*`elasticsearch.audit.origin_type`*:: +*`elasticsearch.audit.origin.type`*:: + -- type: keyword @@ -3983,7 +3994,7 @@ Where the request originated: rest (request originated from a REST API request), -- -*`elasticsearch.audit.realm`*:: +*`elasticsearch.audit.user.realm`*:: + -- type: keyword 
@@ -3992,7 +4003,7 @@ The authentication realm -- -*`elasticsearch.audit.roles`*:: +*`elasticsearch.audit.user.roles`*:: + -- type: keyword @@ -4025,7 +4036,7 @@ Indices accessed by action -- -*`elasticsearch.audit.request`*:: +*`elasticsearch.audit.request.name`*:: + -- type: keyword @@ -4036,39 +4047,39 @@ The type of request that was executed -- -*`elasticsearch.audit.event_type`*:: +*`elasticsearch.audit.request_body`*:: + -- type: alias -alias to: event.type +alias to: http.request.body.content -- -*`elasticsearch.audit.origin_address`*:: +*`elasticsearch.audit.event_type`*:: + -- type: alias -alias to: source.ip +alias to: event.type -- -*`elasticsearch.audit.uri`*:: +*`elasticsearch.audit.origin_address`*:: + -- type: alias -alias to: url.original +alias to: source.ip -- -*`elasticsearch.audit.request_body`*:: +*`elasticsearch.audit.uri`*:: + -- type: alias -alias to: http.request.body.content +alias to: url.original -- diff --git a/filebeat/module/elasticsearch/_meta/fields.yml b/filebeat/module/elasticsearch/_meta/fields.yml index a22b241f68d9..3bfea37be8e0 100644 --- a/filebeat/module/elasticsearch/_meta/fields.yml +++ b/filebeat/module/elasticsearch/_meta/fields.yml @@ -7,6 +7,10 @@ type: group description: > fields: + - name: node.id + description: "ID of the node" + example: "DSiWcTyeThWtUXLB9J0BMw" + type: keyword - name: node.name description: "Name of the node" example: "vWNJsZ3" diff --git a/filebeat/module/elasticsearch/audit/_meta/fields.yml b/filebeat/module/elasticsearch/audit/_meta/fields.yml index 46e0b0530a02..add12776b465 100644 --- a/filebeat/module/elasticsearch/audit/_meta/fields.yml +++ b/filebeat/module/elasticsearch/audit/_meta/fields.yml 
@@ -6,15 +6,15 @@ description: "The layer from which this event originated: rest, transport or ip_filter" example: "rest" type: keyword - - name: origin_type + - name: origin.type description: "Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)" example: "local_node" type: keyword - - name: realm + - name: user.realm description: "The authentication realm" example": "active_directory" type: keyword - - name: roles + - name: user.roles description: "Roles to which the principal belongs" example: [ "kibana_user", "beats_admin" ] type: keyword @@ -26,10 +26,14 @@ description: "Indices accessed by action" example: [ "foo-2019.01.04", "foo-2019.01.03", "foo-2019.01.06" ] type: keyword - - name: request + - name: request.name description: "The type of request that was executed" example: "ClearScrollRequest" type: keyword + - name: request_body + type: alias + path: http.request.body.content + migration: true - name: event_type type: alias path: event.type @@ -42,10 +46,6 @@ type: alias path: url.original migration: true - - name: request_body - type: alias - path: http.request.body.content - migration: true - name: principal type: alias path: user.name diff --git a/filebeat/module/elasticsearch/audit/ingest/pipeline-json.json b/filebeat/module/elasticsearch/audit/ingest/pipeline-json.json new file mode 100644 index 000000000000..0ef3601bbd0d --- /dev/null +++ b/filebeat/module/elasticsearch/audit/ingest/pipeline-json.json 
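Review bot: The renamed `user.realm` entry keeps the context line `example": "active_directory"` directly beneath it, whose stray double quote makes the YAML key `example"` rather than `example`, so the realm example is silently dropped from the generated docs (the `elasticsearch.audit.user.realm` block in fields.asciidoc in this same commit appears to carry no example line, unlike its neighbours). Since this hunk already rewrites the entry, the line should read `example: "active_directory"`.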
@@ -0,0 +1,132 @@
+{
+ "description": "Pipeline for parsing elasticsearch audit logs in JSON format",
+ "processors": [
+ {
+ "json": {
+ "field": "message",
+ "target_field": "elasticsearch.audit"
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "event.action",
+ "path": "elasticsearch.audit"
+ }
+ },
+ {
+ "rename": {
+ "field": "elasticsearch.audit.event.action",
+ "target_field": "event.action"
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "event.type",
+ "path": "elasticsearch.audit"
+ }
+ },
+ {
+ "rename": {
+ "field": "elasticsearch.audit.event.type",
+ "target_field": "elasticsearch.audit.layer"
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "origin.address",
+ "path": "elasticsearch.audit"
+ }
+ },
+ {
+ "grok": {
+ "field": "elasticsearch.audit.origin.address",
+ "patterns": [
+ "\\[%{IPORHOST:source.ip}\\]:%{INT:source.port:int}",
+ "%{IPORHOST:source.ip}:%{INT:source.port:int}"
+ ]
+ }
+ },
+ {
+ "rename": {
+ "field": "elasticsearch.audit.origin.address",
+ "target_field": "source.address"
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "url.path",
+ "path": "elasticsearch.audit"
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "url.query",
+ "path": "elasticsearch.audit"
+ }
+ },
+ {
+ "set": {
+ "if": "ctx.elasticsearch.audit?.url?.path != null && ctx.elasticsearch.audit?.url?.query == null",
+ "field": "url.original",
+ "value": "{{elasticsearch.audit.url.path}}"
+ }
+ },
+ {
+ "set": {
+ "if": "ctx.elasticsearch.audit?.url?.path != null && ctx.elasticsearch.audit?.url?.query != null",
+ "field": "url.original",
+ "value": "{{elasticsearch.audit.url.path}}?{{elasticsearch.audit.url.query}}"
+ }
+ },
+ {
+ "remove": {
+ "if": "ctx.elasticsearch.audit?.url?.path != null",
+ "field": "elasticsearch.audit.url.path"
+ }
+ },
+ {
+ "remove": {
+ "if": "ctx.elasticsearch.audit?.url?.query != null",
+ "field": "elasticsearch.audit.url.query"
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "node.id",
+ "path": "elasticsearch.audit"
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "node.name",
+ "path": "elasticsearch.audit"
+ }
+ },
+ {
+ "rename": {
+ "field": "elasticsearch.audit.node",
+ "target_field": "elasticsearch.node"
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "user.name",
+ "path": "elasticsearch.audit"
+ }
+ },
+ {
+ "rename": {
+ "field": "elasticsearch.audit.user.name",
+ "target_field": "user.name"
+ }
+ }
+ ],
+ "on_failure": [
+ {
+ "set": {
+ "field": "error.message",
+ "value": "{{ _ingest.on_failure_message }}"
+ }
+ }
+ ]
+}
diff --git a/filebeat/module/elasticsearch/audit/ingest/pipeline-plaintext.json b/filebeat/module/elasticsearch/audit/ingest/pipeline-plaintext.json
new file mode 100644
index 000000000000..1e37f253dacc
--- /dev/null
+++ b/filebeat/module/elasticsearch/audit/ingest/pipeline-plaintext.json
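Review bot: None of the `rename` processors, nor the `grok` on `elasticsearch.audit.origin.address`, set `ignore_missing`, so a structured audit event that omits `origin.address` or `user.name` (an anonymous or pre-authentication denial, if Elasticsearch emits those without a principal) aborts the whole pipeline and is indexed with nothing but `error.message`; every fixture in this commit carries both attributes, so that path is untested. Those are precisely the events a defender most wants in ECS shape, so add `"ignore_missing": true` to the `rename` processors for `elasticsearch.audit.origin.address` and `elasticsearch.audit.user.name` and to the `grok` processor. Separately, pipeline-plaintext.json maps `request_body` to `http.request.body.content` and fields.yml keeps the `request_body` alias, but this pipeline has no equivalent mapping for a request body in the structured format, so one would stay under `elasticsearch.audit`; confirm whether that is intended.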
@@ -0,0 +1,63 @@
+{
+ "description": "Pipeline for parsing elasticsearch audit logs in plaintext format",
+ "processors": [
+ {
+ "grok": {
+ "field": "message",
+ "pattern_definitions": {
+ "ES_TIMESTAMP": "\\[%{TIMESTAMP_ISO8601:elasticsearch.audit.@timestamp}\\]",
+ "ES_NODE_NAME": "(\\[%{DATA:elasticsearch.node.name}\\])?",
+ "ES_AUDIT_LAYER": "\\[%{WORD:elasticsearch.audit.layer}\\]",
+ "ES_AUDIT_EVENT_TYPE": "\\[%{WORD:event.type}\\]",
+ "ES_AUDIT_ORIGIN_TYPE": "(origin_type\\=\\[%{WORD:elasticsearch.audit.origin.type}\\])?",
+ "ES_AUDIT_ORIGIN_ADDRESS": "(origin_address\\=\\[%{IPORHOST:source.ip}\\])?",
+ "ES_AUDIT_PRINCIPAL": "(principal\\=\\[%{WORD:user.name}\\])?",
+ "ES_AUDIT_REALM": "(realm\\=\\[%{WORD:elasticsearch.audit.user.realm}\\])?",
+ "ES_AUDIT_ROLES": "(roles\\=\\[%{DATA:elasticsearch.audit.user.roles}\\])?",
+ "ES_AUDIT_ACTION": "(action\\=\\[%{DATA:elasticsearch.audit.action}(\\[%{DATA:elasticsearch.audit.sub_action}\\])?\\])?",
+ "ES_AUDIT_URI": "(uri=\\[%{DATA:url.original}\\])?",
+ "ES_AUDIT_INDICES": "(indices\\=\\[%{DATA:elasticsearch.audit.indices}\\])?",
+ "ES_AUDIT_REQUEST": "(request\\=\\[%{WORD:elasticsearch.audit.request.name}\\])?",
+ "ES_AUDIT_REQUEST_BODY": "(request_body\\=\\[%{DATA:http.request.body.content}\\])?"
+ },
+ "patterns": [
+ "%{ES_TIMESTAMP}\\s*%{ES_NODE_NAME}\\s*%{ES_AUDIT_LAYER}\\s*%{ES_AUDIT_EVENT_TYPE}\\s*%{ES_AUDIT_ORIGIN_TYPE},?\\s*%{ES_AUDIT_ORIGIN_ADDRESS},?\\s*%{ES_AUDIT_PRINCIPAL},?\\s*%{ES_AUDIT_REALM},?\\s*%{ES_AUDIT_ROLES},?\\s*%{ES_AUDIT_ACTION},?\\s*%{ES_AUDIT_INDICES},?\\s*%{ES_AUDIT_URI},?\\s*%{ES_AUDIT_REQUEST},?\\s*%{ES_AUDIT_REQUEST_BODY},?"
+ ]
+ }
+ },
+ {
+ "split": {
+ "field": "elasticsearch.audit.user.roles",
+ "separator": ",",
+ "ignore_missing": true
+ }
+ },
+ {
+ "split": {
+ "field": "elasticsearch.audit.indices",
+ "separator": ",",
+ "ignore_missing": true
+ }
+ },
+ {
+ "script": {
+ "lang": "painless",
+ "source": "if (ctx.elasticsearch.audit.sub_action != null) { ctx.elasticsearch.audit.action += '[' + ctx.elasticsearch.audit.sub_action + ']' }"
+ }
+ },
+ {
+ "remove": {
+ "field": "elasticsearch.audit.sub_action",
+ "ignore_missing": true
+ }
+ }
+ ],
+ "on_failure": [
+ {
+ "set": {
+ "field": "error.message",
+ "value": "{{ _ingest.on_failure_message }}"
+ }
+ }
+ ]
+}
diff --git a/filebeat/module/elasticsearch/audit/ingest/pipeline.json b/filebeat/module/elasticsearch/audit/ingest/pipeline.json
index 9c97beb45741..25d5c464d7dc 100644
--- a/filebeat/module/elasticsearch/audit/ingest/pipeline.json
+++ b/filebeat/module/elasticsearch/audit/ingest/pipeline.json
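Review bot: `ES_AUDIT_EVENT_TYPE` writes the audit outcome (`access_granted`, `access_denied`, …) into `event.type`, while pipeline-json.json in this same commit puts the structured log's outcome into `event.action` and turns its `event.type` into `elasticsearch.audit.layer`; the two fixtures confirm the split (`"event.type": "access_granted"` in test-access.log-expected.json versus `"event.action": "access_granted"` in test-audit.log-expected.json). A detection rule or dashboard keyed on the outcome therefore has to query two different fields depending on which log format a node writes, which is the kind of gap that silently drops denials from an alert. Since `event.action` is where the structured format already puts it, consider also populating it here, for example a trailing `{"set": {"field": "event.action", "value": "{{event.type}}"}}` processor, keeping `event.type` for compatibility with the existing `event_type` alias.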
@@ -10,56 +10,29 @@ { "grok": { "field": "message", - "pattern_definitions": { - "ES_TIMESTAMP": "\\[%{TIMESTAMP_ISO8601:elasticsearch.audit.timestamp}\\]", - "ES_NODE_NAME": "(\\[%{DATA:elasticsearch.node.name}\\])?", - "ES_AUDIT_LAYER": "\\[%{WORD:elasticsearch.audit.layer}\\]", - "ES_AUDIT_EVENT_TYPE": "\\[%{WORD:event.type}\\]", - "ES_AUDIT_ORIGIN_TYPE": "(origin_type\\=\\[%{WORD:elasticsearch.audit.origin_type}\\])?", - "ES_AUDIT_ORIGIN_ADDRESS": "(origin_address\\=\\[%{IPORHOST:source.ip}\\])?", - "ES_AUDIT_PRINCIPAL": "(principal\\=\\[%{WORD:user.name}\\])?", - "ES_AUDIT_REALM": "(realm\\=\\[%{WORD:elasticsearch.audit.realm}\\])?", - "ES_AUDIT_ROLES": "(roles\\=\\[%{DATA:elasticsearch.audit.roles}\\])?", - "ES_AUDIT_ACTION": "(action\\=\\[%{DATA:elasticsearch.audit.action}(\\[%{DATA:elasticsearch.audit.sub_action}\\])?\\])?", - "ES_AUDIT_URI": "(uri=\\[%{DATA:url.original}\\])?", - "ES_AUDIT_INDICES": "(indices\\=\\[%{DATA:elasticsearch.audit.indices}\\])?", - "ES_AUDIT_REQUEST": "(request\\=\\[%{WORD:elasticsearch.audit.request}\\])?", - "ES_AUDIT_REQUEST_BODY": "(request_body\\=\\[%{DATA:http.request.body.content}\\])?" - }, "patterns": [ - "%{ES_TIMESTAMP}\\s*%{ES_NODE_NAME}\\s*%{ES_AUDIT_LAYER}\\s*%{ES_AUDIT_EVENT_TYPE}\\s*%{ES_AUDIT_ORIGIN_TYPE},?\\s*%{ES_AUDIT_ORIGIN_ADDRESS},?\\s*%{ES_AUDIT_PRINCIPAL},?\\s*%{ES_AUDIT_REALM},?\\s*%{ES_AUDIT_ROLES},?\\s*%{ES_AUDIT_ACTION},?\\s*%{ES_AUDIT_INDICES},?\\s*%{ES_AUDIT_URI},?\\s*%{ES_AUDIT_REQUEST},?\\s*%{ES_AUDIT_REQUEST_BODY},?" - ] - } - }, - { - "split": { - "field": "elasticsearch.audit.roles", - "separator": ",", - "ignore_missing": true - } - }, - { - "split": { - "field": "elasticsearch.audit.indices", - "separator": ",", - "ignore_missing": true + "^%{CHAR:first_char}" + ], + "pattern_definitions": { + "CHAR": "." 
+ } } }, { - "script": { - "lang": "painless", - "source": "if (ctx.elasticsearch.audit.sub_action != null) { ctx.elasticsearch.audit.action += '[' + ctx.elasticsearch.audit.sub_action + ']' }" + "pipeline": { + "if": "ctx.first_char != '{'", + "name": "{< IngestPipeline "pipeline-plaintext" >}" } }, { - "remove": { - "field": "elasticsearch.audit.sub_action", - "ignore_missing": true + "pipeline": { + "if": "ctx.first_char == '{'", + "name": "{< IngestPipeline "pipeline-json" >}" } }, { "date": { - "field": "elasticsearch.audit.timestamp", + "field": "elasticsearch.audit.@timestamp", "target_field": "@timestamp", "formats": [ "ISO8601" @@ -70,7 +43,14 @@ }, { "remove": { - "field": "elasticsearch.audit.timestamp" + "field": "elasticsearch.audit.@timestamp" + } + }, + { + "remove": { + "field": [ + "first_char" + ] } } ], diff --git a/filebeat/module/elasticsearch/audit/manifest.yml b/filebeat/module/elasticsearch/audit/manifest.yml index 7ccb68c7e434..677b47eb590f 100644 --- a/filebeat/module/elasticsearch/audit/manifest.yml +++ b/filebeat/module/elasticsearch/audit/manifest.yml @@ -4,10 +4,13 @@ var: - name: paths default: - /var/log/elasticsearch/*_access.log + - /var/log/elasticsearch/*_audit.log os.darwin: - /usr/local/var/lib/elasticsearch/*_access.log + - /usr/local/var/lib/elasticsearch/*_audit.log os.windows: - c:/ProgramData/Elastic/Elasticsearch/logs/*_access.log + - c:/ProgramData/Elastic/Elasticsearch/logs/*_audit.log - name: convert_timezone default: false # if ES < 6.1.0, this flag switches to false automatically when evaluating the @@ -16,5 +19,9 @@ var: version: 6.1.0 value: false -ingest_pipeline: ingest/pipeline.json +ingest_pipeline: + - ingest/pipeline.json + - ingest/pipeline-json.json + - ingest/pipeline-plaintext.json + input: config/audit.yml 
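Review bot: Both sub-pipelines carry their own `on_failure` handler that sets `error.message` and then completes normally, so when the plaintext grok or the JSON parse fails the `pipeline` processors here report success and execution falls through to the `date` processor on `elasticsearch.audit.@timestamp`; that field is then absent, the `date` processor fails, and, assuming this file's `on_failure` (outside the hunk) sets `error.message` the same way, the root-cause parse error is overwritten by a generic missing-field message. Either drop the `on_failure` blocks from pipeline-json.json and pipeline-plaintext.json so the original `_ingest.on_failure_message` reaches this pipeline's handler, or guard the `date` and `remove` processors with `"if": "ctx.error?.message == null"`. Also, `^%{CHAR:first_char}` dispatches on the raw first byte, so a JSON line with leading whitespace is routed to the plaintext pipeline; a `trim` processor on `message` before the grok would make the dispatch robust.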
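Review bot: The new `*_audit.log` globs are added without a comment, while the changelog entry in this commit states audit ingestion is only supported with Elasticsearch 6.5.0 and above; nothing in the manifest records that constraint or which file corresponds to which format. A short comment above `default:` would help operators, e.g. `# *_audit.log: structured (JSON) audit log (Elasticsearch 6.5+, per the changelog); *_access.log: plaintext format. ingest/pipeline.json routes each line by format.` If nodes older than 6.5 are genuinely unsupported, say so in the module docs as well, since `*_access.log` from such nodes is still collected by these defaults.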
diff --git a/filebeat/module/elasticsearch/audit/test/test.log b/filebeat/module/elasticsearch/audit/test/test-access.log similarity index 100% rename from filebeat/module/elasticsearch/audit/test/test.log rename to filebeat/module/elasticsearch/audit/test/test-access.log diff --git a/filebeat/module/elasticsearch/audit/test/test.log-expected.json b/filebeat/module/elasticsearch/audit/test/test-access.log-expected.json similarity index 93% rename from filebeat/module/elasticsearch/audit/test/test.log-expected.json rename to filebeat/module/elasticsearch/audit/test/test-access.log-expected.json index 5511a09e38c3..07caf481db24 100644 --- a/filebeat/module/elasticsearch/audit/test/test.log-expected.json +++ b/filebeat/module/elasticsearch/audit/test/test-access.log-expected.json @@ -37,8 +37,8 @@ "ecs.version": "1.0.0-beta2", "elasticsearch.audit.action": "indices:data/read/scroll/clear", "elasticsearch.audit.layer": "transport", - "elasticsearch.audit.origin_type": "local_node", - "elasticsearch.audit.request": "ClearScrollRequest", + "elasticsearch.audit.origin.type": "local_node", + "elasticsearch.audit.request.name": "ClearScrollRequest", "event.dataset": "elasticsearch.audit", "event.module": "elasticsearch", "event.type": "access_granted", @@ -87,8 +87,8 @@ "ecs.version": "1.0.0-beta2", "elasticsearch.audit.action": "cluster:monitor/main", "elasticsearch.audit.layer": "transport", - "elasticsearch.audit.origin_type": "rest", - "elasticsearch.audit.request": "MainRequest", + "elasticsearch.audit.origin.type": "rest", + "elasticsearch.audit.request.name": "MainRequest", "event.dataset": "elasticsearch.audit", "event.module": "elasticsearch", "event.type": "access_denied", 
@@ -131,10 +131,10 @@ "servicelog-2019.01.07" ], "elasticsearch.audit.layer": "transport", - "elasticsearch.audit.origin_type": "transport", - "elasticsearch.audit.realm": "active_directory", - "elasticsearch.audit.request": "SearchFreeContextRequest", - "elasticsearch.audit.roles": [ + "elasticsearch.audit.origin.type": "transport", + "elasticsearch.audit.request.name": "SearchFreeContextRequest", + "elasticsearch.audit.user.realm": "active_directory", + "elasticsearch.audit.user.roles": [ "kibana_user", "my_custom_role_1", "foo_reader" diff --git a/filebeat/module/elasticsearch/audit/test/test-audit.log b/filebeat/module/elasticsearch/audit/test/test-audit.log new file mode 100644 index 000000000000..2c74b5cbee95 --- /dev/null +++ b/filebeat/module/elasticsearch/audit/test/test-audit.log 
@@ -0,0 +1,6 @@
+{"@timestamp":"2018-10-31T09:34:25,109", "node.id":"DSiWcTyeThWtUXLB9J0BMw", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:61598", "url.path":"/_xpack/security/user/beats_system/_password"}
+{"@timestamp":"2018-10-31T09:34:25,207", "node.id":"DSiWcTyeThWtUXLB9J0BMw", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:61599", "url.path":"/_xpack/security/user/remote_monitoring_user/_password"}
+{"@timestamp":"2018-10-31T09:35:11,428", "node.id":"DSiWcTyeThWtUXLB9J0BMw", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"127.0.0.1:9300", "action":"cluster:admin/xpack/security/realm/cache/clear", "request.name":"ClearRealmCacheRequest"}
+{"@timestamp":"2018-10-31T09:35:11,430", "node.id":"DSiWcTyeThWtUXLB9J0BMw", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"127.0.0.1:9300", "action":"cluster:admin/xpack/security/realm/cache/clear[n]", "request.name":"Node"}
+{"@timestamp":"2018-10-31T09:35:12,303", "node.id":"DSiWcTyeThWtUXLB9J0BMw", "event.type":"transport", "event.action":"access_granted", "user.name":"elastic", "user.realm":"reserved", "user.roles":["superuser"], "origin.type":"rest","origin.address":"[::1]:61711", "action":"cluster:admin/xpack/security/user/change_password", "request.name":"ChangePasswordRequest"}
+{"@timestamp":"2018-10-31T09:35:12,314", "node.id":"DSiWcTyeThWtUXLB9J0BMw", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"127.0.0.1:9300", "action":"indices:admin/create", "request.name":"CreateIndexRequest", "indices":[".security-6"]}
diff --git a/filebeat/module/elasticsearch/audit/test/test-audit.log-expected.json b/filebeat/module/elasticsearch/audit/test/test-audit.log-expected.json
new file mode 100644
index 000000000000..9d46c4f18007
--- /dev/null
+++ b/filebeat/module/elasticsearch/audit/test/test-audit.log-expected.json
@@ -0,0 +1,145 @@ +[ + { + "@timestamp": "2018-10-31T09:34:25.109Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.audit.layer": "rest", + "elasticsearch.audit.origin.type": "rest", + "elasticsearch.node.id": "DSiWcTyeThWtUXLB9J0BMw", + "event.action": "authentication_failed", + "event.dataset": "elasticsearch.audit", + "event.module": "elasticsearch", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "message": "{\"@timestamp\":\"2018-10-31T09:34:25,109\", \"node.id\":\"DSiWcTyeThWtUXLB9J0BMw\", \"event.type\":\"rest\", \"event.action\":\"authentication_failed\", \"user.name\":\"elastic\", \"origin.type\":\"rest\", \"origin.address\":\"[::1]:61598\", \"url.path\":\"/_xpack/security/user/beats_system/_password\"}", + "service.type": "elasticsearch", + "source.address": "[::1]:61598", + "source.ip": "::1", + "source.port": 61598, + "url.original": "/_xpack/security/user/beats_system/_password", + "user.name": "elastic" + }, + { + "@timestamp": "2018-10-31T09:34:25.207Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.audit.layer": "rest", + "elasticsearch.audit.origin.type": "rest", + "elasticsearch.node.id": "DSiWcTyeThWtUXLB9J0BMw", + "event.action": "authentication_failed", + "event.dataset": "elasticsearch.audit", + "event.module": "elasticsearch", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 274, + "message": "{\"@timestamp\":\"2018-10-31T09:34:25,207\", \"node.id\":\"DSiWcTyeThWtUXLB9J0BMw\", \"event.type\":\"rest\", \"event.action\":\"authentication_failed\", \"user.name\":\"elastic\", \"origin.type\":\"rest\", \"origin.address\":\"[::1]:61599\", \"url.path\":\"/_xpack/security/user/remote_monitoring_user/_password\"}", + "service.type": "elasticsearch", + "source.address": "[::1]:61599", + "source.ip": "::1", + "source.port": 61599, + "url.original": "/_xpack/security/user/remote_monitoring_user/_password", + "user.name": "elastic" + }, + { + "@timestamp": "2018-10-31T09:35:11.428Z", + "ecs.version": 
"1.0.0-beta2", + "elasticsearch.audit.action": "cluster:admin/xpack/security/realm/cache/clear", + "elasticsearch.audit.layer": "transport", + "elasticsearch.audit.origin.type": "local_node", + "elasticsearch.audit.request.name": "ClearRealmCacheRequest", + "elasticsearch.audit.user.realm": "__attach", + "elasticsearch.audit.user.roles": [ + "superuser" + ], + "elasticsearch.node.id": "DSiWcTyeThWtUXLB9J0BMw", + "event.action": "access_granted", + "event.dataset": "elasticsearch.audit", + "event.module": "elasticsearch", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 558, + "message": "{\"@timestamp\":\"2018-10-31T09:35:11,428\", \"node.id\":\"DSiWcTyeThWtUXLB9J0BMw\", \"event.type\":\"transport\", \"event.action\":\"access_granted\", \"user.name\":\"_xpack_security\", \"user.realm\":\"__attach\", \"user.roles\":[\"superuser\"], \"origin.type\":\"local_node\", \"origin.address\":\"127.0.0.1:9300\", \"action\":\"cluster:admin/xpack/security/realm/cache/clear\", \"request.name\":\"ClearRealmCacheRequest\"}", + "service.type": "elasticsearch", + "source.address": "127.0.0.1:9300", + "source.ip": "127.0.0.1", + "source.port": 9300, + "user.name": "_xpack_security" + }, + { + "@timestamp": "2018-10-31T09:35:11.430Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.audit.action": "cluster:admin/xpack/security/realm/cache/clear[n]", + "elasticsearch.audit.layer": "transport", + "elasticsearch.audit.origin.type": "local_node", + "elasticsearch.audit.request.name": "Node", + "elasticsearch.audit.user.realm": "__attach", + "elasticsearch.audit.user.roles": [ + "superuser" + ], + "elasticsearch.node.id": "DSiWcTyeThWtUXLB9J0BMw", + "event.action": "access_granted", + "event.dataset": "elasticsearch.audit", + "event.module": "elasticsearch", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 941, + "message": "{\"@timestamp\":\"2018-10-31T09:35:11,430\", \"node.id\":\"DSiWcTyeThWtUXLB9J0BMw\", \"event.type\":\"transport\", 
\"event.action\":\"access_granted\", \"user.name\":\"_xpack_security\", \"user.realm\":\"__attach\", \"user.roles\":[\"superuser\"], \"origin.type\":\"local_node\", \"origin.address\":\"127.0.0.1:9300\", \"action\":\"cluster:admin/xpack/security/realm/cache/clear[n]\", \"request.name\":\"Node\"}", + "service.type": "elasticsearch", + "source.address": "127.0.0.1:9300", + "source.ip": "127.0.0.1", + "source.port": 9300, + "user.name": "_xpack_security" + }, + { + "@timestamp": "2018-10-31T09:35:12.303Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.audit.action": "cluster:admin/xpack/security/user/change_password", + "elasticsearch.audit.layer": "transport", + "elasticsearch.audit.origin.type": "rest", + "elasticsearch.audit.request.name": "ChangePasswordRequest", + "elasticsearch.audit.user.realm": "reserved", + "elasticsearch.audit.user.roles": [ + "superuser" + ], + "elasticsearch.node.id": "DSiWcTyeThWtUXLB9J0BMw", + "event.action": "access_granted", + "event.dataset": "elasticsearch.audit", + "event.module": "elasticsearch", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 1309, + "message": "{\"@timestamp\":\"2018-10-31T09:35:12,303\", \"node.id\":\"DSiWcTyeThWtUXLB9J0BMw\", \"event.type\":\"transport\", \"event.action\":\"access_granted\", \"user.name\":\"elastic\", \"user.realm\":\"reserved\", \"user.roles\":[\"superuser\"], \"origin.type\":\"rest\",\"origin.address\":\"[::1]:61711\", \"action\":\"cluster:admin/xpack/security/user/change_password\", \"request.name\":\"ChangePasswordRequest\"}", + "service.type": "elasticsearch", + "source.address": "[::1]:61711", + "source.ip": "::1", + "source.port": 61711, + "user.name": "elastic" + }, + { + "@timestamp": "2018-10-31T09:35:12.314Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.audit.action": "indices:admin/create", + "elasticsearch.audit.indices": [ + ".security-6" + ], + "elasticsearch.audit.layer": "transport", + "elasticsearch.audit.origin.type": "local_node", + 
"elasticsearch.audit.request.name": "CreateIndexRequest", + "elasticsearch.audit.user.realm": "__attach", + "elasticsearch.audit.user.roles": [ + "superuser" + ], + "elasticsearch.node.id": "DSiWcTyeThWtUXLB9J0BMw", + "event.action": "access_granted", + "event.dataset": "elasticsearch.audit", + "event.module": "elasticsearch", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 1676, + "message": "{\"@timestamp\":\"2018-10-31T09:35:12,314\", \"node.id\":\"DSiWcTyeThWtUXLB9J0BMw\", \"event.type\":\"transport\", \"event.action\":\"access_granted\", \"user.name\":\"_xpack_security\", \"user.realm\":\"__attach\", \"user.roles\":[\"superuser\"], \"origin.type\":\"local_node\", \"origin.address\":\"127.0.0.1:9300\", \"action\":\"indices:admin/create\", \"request.name\":\"CreateIndexRequest\", \"indices\":[\".security-6\"]}", + "service.type": "elasticsearch", + "source.address": "127.0.0.1:9300", + "source.ip": "127.0.0.1", + "source.port": 9300, + "user.name": "_xpack_security" + } +] \ No newline at end of file diff --git a/filebeat/module/elasticsearch/fields.go b/filebeat/module/elasticsearch/fields.go index 013167c476eb..f556467c7104 100644 --- a/filebeat/module/elasticsearch/fields.go +++ b/filebeat/module/elasticsearch/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetElasticsearch returns asset data. // This is the base64 encoded gzipped contents of module/elasticsearch. func AssetElasticsearch() string { - return "eJzUml9v2zgSwN/7KQZ+2gKJzk7S3MYPB+x507TF9c82aRe7riHQ1FhiTZEqSdnxLfrdDyRlW5Yl2cq1uZ5fEksk5zd/OBySPoU5roaAnGjDqEaiaPIEwDDDcQi9nee9JwARaqpYZpgUQ/jHEwDY7QuvZZRzfAIwY8gjPXRNTkGQFPfF2I9ZZTiEWMk8K57UyNgdrjykkBEG9t/Nm8oAvTckRZAzMAm61r1SS7wnaeY0Xfz+5pX+87z80pPNcbWUKtoTzESE9+2SX9omrnm9zBnjOEViTg1qc8pElpuu8ll0QDqL6mWTtzfxr8vph/ez0cdnf//lln6ZjuLl8eJ1QlTUKj5aG901rafoHy+Q5BEze63LcdMYO1ATP+WhOVmh2nlTVeYuQd8KZkqmsEwYTcAkTAMuUBiQisVMEIPREBRqcwJGEaEzqew7YFk4Y9yg6lWkbC1he1Xf1hukTO7lhrZhK//vCSp0zlD4JUe9Tww/7b/xyhJ4f317B7+8e7nu/LSs3qbfkmhQSJEtMAIpnLRtM5oQIZA/PQEuKeGhnYnwk23jvruZCUzrHKMy59Nmi23H6W43hYSnBz1OcpOgMIwS+9B3auDp2SlFDVtgGDGF1Ei1egCW5Khbsd7bFmDkJgQRMsUEZRnhMEUuRawbTTaG3pxNiSBhrlH1TqBns48OSZQy0YNJZ16rsRQH7ShKGdh3AZMQHzF4jzQ3GDX7mfJcG1TDVApmpPpbSpjoblomIkYPGPelbwOEUtQaI5iuCt42k86kPD3rD66C/iDoX1ir7jw533ty+RBTF/PhoK3tSNbW61nZwdAjjkTdUiU5f+97dzezS4d1+ch3JZyRqg8yYpKiY1DTMWWxIl5Bo3JsS4MkihTq6viHJGuZK4oByx4gOFeso7Rc8aDIsPwBAgu3hlMZrTpKTozJgqJ/YPsHVAqDohpTx2Bsck5X7TWqas3UJnMtL8JMoU/D364EWA8e04ePCXAzAlvHaTSFgODIqiNLiK6fJVXpBwjs57kTBDpDymaM2hXiZuRFBJXGdUxlrhr3QOvcPwrQfsqV+M0IqOQc/XJQC1pyf+6jI9RIG9FmXJJqLB8JNqqQbATapUCqiInYWtRyvyILAgumTE44pIQmTLSAa6ryaahX6VTy0JApx9CwFL+XHvCO5BrBigAmQCOVItJAORJhdcgz8CzgWPRBcKOYiB8B/Ahuh3KQe4lkHiqc6TBT0q7ijv87kt9ZZp3ZTcBWosMAhTNUKGxFsVWqGT0jinCOPFSoKRGPRV2yd0rU3NJztkCQ089IjbaFJkcgWcbXdTDToI3MMoyalaGcaB3mgksSPZYmXpqLF5Hb8s1BHGl9muWOs5GxLikfyfjOBwaM3n3wMV7EC6qZVKkF3qbCGsTmlF1WwC6tDUaGg4Y+UhH7qSghc6NZ5PeWc1QCeZ0CpcSy0v8DSiaqkNBKabd6j4F5Jw3hgJxkNl4r0EYClbY2N568tF66jbk2RLlWMyaYToLaKuPzIg1VLhqmYLMiBxRwWw2L6khefXxd0ORZabadANFA/PA2yjPJhAGRp1NU9bQmUUgiHRprl9Bmmabk8WDyG6KmJN6xZiEVnFSX2wo31CWNTSDbFOhWlzXztzaxRTBSzq2LPVTB2cplSFy/A6ov3Q5ZawRcxrFfeuMGkQmSamZ8cCH7AkkGhHNZLDZERGu/sH93rmVtn3A+bUzqTBiM987+jsCEzeS1yjs5NvDnjMvpyrRVKHZl+m5IH2wacUTNMJtNM4/CGKunNw923FseQYwCi8JZUppnRNDVj+9B5zw5s
wYpa/ADuLPRpoe9u5K5iL+lf/+wA/6fe3hV1eEH8HGLXevpNnZDtdgRunsYeOte2+ztzif2L1qqMbDvp01tLNNMiupJ0a64f8l422733HB7wigDDGiQBq/RkF+JISOFxKC7qLK4jFaO8psWrtqTmyqRX7rqBtyP/rZzGhc0bXOl5114M2o+Wq0/SK2bhfWzZZOzxf4GZZelKqmNYs3B5Z6Cm2piKR9D4Ea/BaoESRRq/NJq8lv8ktutdVFNNlr+/OLi6urqrNb8jRTb0jBcHwQFafvVwe6G+mZ0Yv+kjHNWFGuNhIPLfv/IknFjpamd+6QboEuErqy1Ri7uj0pF8JLoYmCMOtD/fBT9JmdxueQybk5a/r2/DdB+c3Fd/Q3CHkRvfNYf/Hzavzw9u7ob9If9y+Hg4uTq/Hwyfvnm+VuYjP1luR8iKCCCLzmq1QTGi/Djq+TzxwmMUzSKUXclfxmcB/1TO27QvwzOLifj/sRV4+OL4FmqJyfuS+iNNL5w3+2eJWFGjwdXF+fP7KNVhno8ObGbI+P/cQjugmT824fr93+Edy+u34TPr+9GLzZjuAtzPR7Y9u5yYvzXp56j/dQb/vWplxJDk5Bw7r9OpdTmU284CPpfv36dnPw3qd4W+5WVbC/Px6j2ftRQ9katsWdodr13OLtbA7eQuCnHzGaLVFxwua2yM1YT33m/n+o6FIP3po7DerENxL5vEtZNZRcnLaJuDTHMzYYu8hr0KsVim0j/ux7bqklmNZA76uxCPHQua+Pgctnu1w6TpIOV8N4oEnrIFrxr26zQBZiYSZWS/ZvjB/lpm1jagtBvRplpioyLs46Tb5uJDoq1ZmcY+V/6NAGcdQNQMjesskBXfwvhWjRZWPcHL/48++2f86vPy4vYxOS5Ed0ik0XN0l9G32TCH5h8dy2zLpK0TdZ/AgAA//+KDY6g" + return "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" }