Filebeat: ingest Elasticsearch structured audit logs

CHANGELOG.next.asciidoc

@@ -22,6 +22,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff]
 - Allow beats to blacklist certain part of the configuration while using Central Management. {pull}9099[9099]
 - Filesets with multiple ingest pipelines added in {pull}8914[8914] only work with Elasticsearch >= 6.5.0 {pull}10001[10001]
 - Add grok pattern to support redis 5.0.3 log timestamp. {issue}9819[9819] {pull}10033[10033]
+- Ingesting Elasticsearch audit logs is only supported with Elasticsearch 6.5.0 and above {pull}8852[8852]
 
 *Heartbeat*
 
@@ -153,6 +154,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff]
 - Add convert_timezone to nginx module. {issue}9839[9839] {pull}10148[10148]
 - Add support for Percona in the `slowlog` fileset of `mysql` module. {issue}6665[6665] {pull}10227[10227]
 - Teach elasticsearch/audit fileset to parse out some more fields. {issue}10134[10134] {pull}10137[10137]
+- Added support for ingesting structured Elasticsearch audit logs {pull}8852[8852]
 
 *Heartbeat*
 - Made monitors.d configuration part of the default config. {pull}9004[9004]

filebeat/docs/fields.asciidoc

@@ -969,6 +969,17 @@ elasticsearch Module
 
 
 
+*`elasticsearch.node.id`*::
++
+--
+type: keyword
+
+example: DSiWcTyeThWtUXLB9J0BMw
+
+ID of the node
+
+--
+
 *`elasticsearch.node.name`*::
 +
 --
@@ -1063,6 +1074,17 @@ The IP address from which the request originated
 
 --
 
+*`elasticsearch.audit.origin_port`*::
++
+--
+type: integer
+
+example: 9300
+
+The TCP port from which the request originated
+
+--
+
 *`elasticsearch.audit.principal`*::
 +
 --
@@ -1149,6 +1171,17 @@ The body of the request, if enabled
 
 --
 
+*`elasticsearch.audit.user_realm`*::
++
+--
+type: keyword
+
+example: __attach
+
+The name of the realm that authenticated the user
+
+--
+
 [float]
 == deprecation fields
 

filebeat/module/elasticsearch/_meta/fields.yml

@@ -7,6 +7,10 @@
       type: group
       description: >
       fields:
+        - name: node.id
+          description: "ID of the node"
+          example: "DSiWcTyeThWtUXLB9J0BMw"
+          type: keyword
         - name: node.name
           description: "Name of the node"
           example: "vWNJsZ3"

filebeat/module/elasticsearch/audit/_meta/fields.yml

@@ -18,6 +18,10 @@
       description: "The IP address from which the request originated"
       example: "192.168.1.42"
       type: ip
+    - name: origin_port
+      description: "The TCP port from which the request originated"
+      example: 9300
+      type: integer
     - name: principal
       description: "The principal (username) that failed authentication"
       example: "_anonymous"
@@ -50,3 +54,7 @@
       description: "The body of the request, if enabled"
       example: "body"
       type: text
+    - name: user_realm
+      description: "The name of the realm that authenticated the user"
+      example: "__attach"
+      type: keyword

filebeat/module/elasticsearch/audit/ingest/pipeline-json.json

@@ -0,0 +1,190 @@
+{
+    "description": "Pipeline for parsing elasticsearch audit logs in JSON format",
+    "processors": [
+        {
+            "json": {
+                "field": "message",
+                "target_field": "elasticsearch.audit"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "event.action",
+                "path": "elasticsearch.audit"
+            }
+        },
+        {
+            "rename": {
+                "field": "elasticsearch.audit.event.action",
+                "target_field": "elasticsearch.audit.event_type"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "event.type",
+                "path": "elasticsearch.audit"
+            }
+        },
+        {
+            "rename": {
+                "field": "elasticsearch.audit.event.type",
+                "target_field": "elasticsearch.audit.layer"
+            }
+        },
+        {
+            "remove": {
+                "field": "elasticsearch.audit.event"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "origin.type",
+                "path": "elasticsearch.audit"
+            }
+        },
+        {
+            "rename": {
+                "field": "elasticsearch.audit.origin.type",
+                "target_field": "elasticsearch.audit.origin_type"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "origin.address",
+                "path": "elasticsearch.audit"
+            }
+        },
+        {
+            "grok": {
+                "field": "elasticsearch.audit.origin.address",
+                "patterns": [
+                    "\\[%{IPORHOST:elasticsearch.audit.origin_address}\\]:%{INT:elasticsearch.audit.origin_port:int}",
+                    "%{IPORHOST:elasticsearch.audit.origin_address}:%{INT:elasticsearch.audit.origin_port:int}"
+                ]
+            }
+        },
+        {
+            "remove": {
+                "field": "elasticsearch.audit.origin"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "user.name",
+                "path": "elasticsearch.audit"
+            }
+        },
+        {
+            "rename": {
+                "field": "elasticsearch.audit.user.name",
+                "target_field": "elasticsearch.audit.principal"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "request.name",
+                "path": "elasticsearch.audit"
+            }
+        },
+        {
+            "set": {
+                "value": "{{elasticsearch.audit.request.name}}",
+                "field": "elasticsearch.audit.request"
+            }
+        },
+        {
+            "remove": {
+                "if": "ctx.elasticsearch.audit.request == ''",
+                "field": "elasticsearch.audit.request"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "url.path",
+                "path": "elasticsearch.audit"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "url.query",
+                "path": "elasticsearch.audit"
+            }
+        },
+        {
+            "set": {
+                "if": "ctx.elasticsearch.audit?.url?.path != null && ctx.elasticsearch.audit?.url?.query == null",
+                "field": "elasticsearch.audit.uri",
+                "value": "{{elasticsearch.audit.url.path}}"
+            }
+        },
+        {
+            "set": {
+                "if": "ctx.elasticsearch.audit?.url?.path != null && ctx.elasticsearch.audit?.url?.query != null",
+                "field": "elasticsearch.audit.uri",
+                "value": "{{elasticsearch.audit.url.path}}?{{elasticsearch.audit.url.query}}"
+            }
+        },
+        {
+            "remove": {
+                "if": "ctx.elasticsearch.audit?.url?.path != null",
+                "field": "elasticsearch.audit.url.path"
+            }
+        },
+        {
+            "remove": {
+                "if": "ctx.elasticsearch.audit?.url?.query != null",
+                "field": "elasticsearch.audit.url.query"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "node.id",
+                "path": "elasticsearch.audit"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "node.name",
+                "path": "elasticsearch.audit"
+            }
+        },
+        {
+            "rename": {
+                "field": "elasticsearch.audit.node",
+                "target_field": "elasticsearch.node"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "user.realm",
+                "path": "elasticsearch.audit"
+            }
+        },
+        {
+            "rename": {
+                "if": "ctx.elasticsearch.audit?.user?.realm != null",
+                "field": "elasticsearch.audit.user.realm",
+                "target_field": "elasticsearch.audit.user_realm"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "user.roles",
+                "path": "elasticsearch.audit"
+            }
+        },
+        {
+            "remove": {
+                "field": "elasticsearch.audit.user"
+            }
+        }
+    ],
+    "on_failure": [
+        {
+            "set": {
+                "field": "error.message",
+                "value": "{{ _ingest.on_failure_message }}"
+            }
+        }
+    ]
+}

filebeat/module/elasticsearch/audit/ingest/pipeline-plaintext.json

@@ -0,0 +1,63 @@
+{
+    "description": "Pipeline for parsing elasticsearch audit logs in plaintext format",
+    "processors": [
+        {
+            "grok": {
+                "field": "message",
+                "pattern_definitions": {
+                    "ES_TIMESTAMP": "\\[%{TIMESTAMP_ISO8601:elasticsearch.audit.@timestamp}\\]",
+                    "ES_NODE_NAME": "(\\[%{DATA:elasticsearch.node.name}\\])?",
+                    "ES_AUDIT_LAYER": "\\[%{WORD:elasticsearch.audit.layer}\\]",
+                    "ES_AUDIT_EVENT_TYPE": "\\[%{WORD:elasticsearch.audit.event_type}\\]",
+                    "ES_AUDIT_ORIGIN_TYPE": "(origin_type\\=\\[%{WORD:elasticsearch.audit.origin_type}\\])?",
+                    "ES_AUDIT_ORIGIN_ADDRESS": "(origin_address\\=\\[%{IPORHOST:elasticsearch.audit.origin_address}\\])?",
+                    "ES_AUDIT_PRINCIPAL": "(principal\\=\\[%{WORD:elasticsearch.audit.principal}\\])?",
+                    "ES_AUDIT_REALM": "(realm\\=\\[%{WORD:elasticsearch.audit.realm}\\])?",
+                    "ES_AUDIT_ROLES": "(roles\\=\\[%{DATA:elasticsearch.audit.roles}\\])?",
+                    "ES_AUDIT_ACTION": "(action\\=\\[%{DATA:elasticsearch.audit.action}(\\[%{DATA:elasticsearch.audit.sub_action}\\])?\\])?",
+                    "ES_AUDIT_URI": "(uri=\\[%{DATA:elasticsearch.audit.uri}\\])?",
+                    "ES_AUDIT_INDICES": "(indices\\=\\[%{DATA:elasticsearch.audit.indices}\\])?",
+                    "ES_AUDIT_REQUEST": "(request\\=\\[%{WORD:elasticsearch.audit.request}\\])?",
+                    "ES_AUDIT_REQUEST_BODY": "(request_body\\=\\[%{DATA:elasticsearch.audit.request_body}\\])?"
+                },
+                "patterns": [
+                    "%{ES_TIMESTAMP}\\s*%{ES_NODE_NAME}\\s*%{ES_AUDIT_LAYER}\\s*%{ES_AUDIT_EVENT_TYPE}\\s*%{ES_AUDIT_ORIGIN_TYPE},?\\s*%{ES_AUDIT_ORIGIN_ADDRESS},?\\s*%{ES_AUDIT_PRINCIPAL},?\\s*%{ES_AUDIT_REALM},?\\s*%{ES_AUDIT_ROLES},?\\s*%{ES_AUDIT_ACTION},?\\s*%{ES_AUDIT_INDICES},?\\s*%{ES_AUDIT_URI},?\\s*%{ES_AUDIT_REQUEST},?\\s*%{ES_AUDIT_REQUEST_BODY},?"
+                ]
+            }
+        },
+        {
+            "split": {
+                "field": "elasticsearch.audit.roles",
+                "separator": ",",
+                "ignore_missing": true
+            }
+        },
+        {
+            "split": {
+                "field": "elasticsearch.audit.indices",
+                "separator": ",",
+                "ignore_missing": true
+            }
+        },
+        {
+            "script": {
+                "lang": "painless",
+                "source": "if (ctx.elasticsearch.audit.sub_action != null) { ctx.elasticsearch.audit.action += '[' + ctx.elasticsearch.audit.sub_action + ']' }"
+            }
+        },
+        {
+            "remove": {
+                "field": "elasticsearch.audit.sub_action",
+                "ignore_missing": true
+            }
+        }
+    ],
+    "on_failure": [
+        {
+            "set": {
+                "field": "error.message",
+                "value": "{{ _ingest.on_failure_message }}"
+            }
+        }
+    ]
+}