Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rename Filebeat module from system.audit to auditd.log #3941

Merged
merged 2 commits into from
Apr 7, 2017
Merged

Rename Filebeat module from system.audit to auditd.log #3941

merged 2 commits into from
Apr 7, 2017

Conversation

andrewkroh
Copy link
Member

This moves the audit fileset from the system module into its own module named auditd. The new fileset name is log.

@andrewkroh
Rename Filebeat module from system.audit to auditd.log
ce2a5cc 
This moves the `audit` fileset from the `system` module into its own module named `auditd`. The new fileset name is `log`.
@andrewkroh andrewkroh requested a review from tsg April 6, 2017 16:53
ruflin
ruflin approved these changes Apr 7, 2017
View reviewed changes
Copy link
Member

@ruflin ruflin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. It seems we never added a Changelog entry for audit module. Probably time to add one.

tsg
tsg approved these changes Apr 7, 2017
View reviewed changes
Copy link
Contributor

@tsg tsg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for doing the rename!

@andrewkroh andrewkroh mentioned this pull request Apr 7, 2017
Merged
@andrewkroh
Copy link
Member Author

The Jenkins failure doesn't look related to the changes.

@tsg
Copy link
Contributor

tsg commented Apr 7, 2017

It was green before, so I'm merging it.

@tsg tsg merged commit ee07419 into elastic:master Apr 7, 2017
andrewkroh added a commit to andrewkroh/beats that referenced this pull request Apr 10, 2017
@andrewkroh
Add fileset for parsing linux auditd logs (elastic#3750) (elastic#3923)…
529f983 
… (elastic#3941) (elastic#3962)

The PR adds an auditd module for parsing logs from the auditd daemon. There is a sample dashboard for viewing this data.

Features

- Parses audit event type, unix epoch time, audit event counter, and the arbitrary key/value pairs that follow.
- Applies geoip lookup to the `auditd.log.addr` field which is present for some remote login events.
- Decodes hex encoded ascii values that are sometimes used for the `auditd.log.exe` and `auditd.log.cmd` fields.
- Remove key/value pairs where the value is `?`.

Missing Features

- Decoder for `auditd.log.saddr` field present in SOCKADDR audit events. A recipe is described [here](https://unix.stackexchange.com/questions/102926/how-to-interpret-the-saddr-field-of-an-audit-log) and could probably be ported to painless. Sample value:
  `type=SOCKADDR msg=audit(1481078693.491:873): saddr=01002F7661722F72756E2F6E7363642F736F636B657400008983B330BE7F0000000000000000000070830130BE7F000004000000000000001B00000000000000D128B7ED000000008B8BB330BE7F00003B00000000000000403E4BF7FD7F0000447F0130BE7F000080150230BE7F`
@andrewkroh andrewkroh mentioned this pull request Apr 10, 2017
Merged
tsg pushed a commit that referenced this pull request Apr 11, 2017
@andrewkroh @tsg
Add fileset for parsing linux auditd logs (#3750) (#3923) (#3941) (#3962
c403343 
) (#3975)

The PR adds an auditd module for parsing logs from the auditd daemon. There is a sample dashboard for viewing this data.

Features

- Parses audit event type, unix epoch time, audit event counter, and the arbitrary key/value pairs that follow.
- Applies geoip lookup to the `auditd.log.addr` field which is present for some remote login events.
- Decodes hex encoded ascii values that are sometimes used for the `auditd.log.exe` and `auditd.log.cmd` fields.
- Remove key/value pairs where the value is `?`.

Missing Features

- Decoder for `auditd.log.saddr` field present in SOCKADDR audit events. A recipe is described [here](https://unix.stackexchange.com/questions/102926/how-to-interpret-the-saddr-field-of-an-audit-log) and could probably be ported to painless. Sample value:
  `type=SOCKADDR msg=audit(1481078693.491:873): saddr=01002F7661722F72756E2F6E7363642F736F636B657400008983B330BE7F0000000000000000000070830130BE7F000004000000000000001B00000000000000D128B7ED000000008B8BB330BE7F00003B00000000000000403E4BF7FD7F0000447F0130BE7F000080150230BE7F`
@andrewkroh andrewkroh deleted the bugfix/rename-audit-fileset branch July 5, 2017 19:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ruflin ruflin ruflin approved these changes

@tsg tsg tsg approved these changes

Assignees
No one assigned
Labels
Filebeat Filebeat review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andrewkroh @tsg @ruflin