diff --git a/packages/auditd/changelog.yml b/packages/auditd/changelog.yml
index c7f1b4dbe5f..9be00c47b3d 100644
--- a/packages/auditd/changelog.yml
+++ b/packages/auditd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.1.2"
+ changes:
+ - description: Set event.outcome value according ECS specification
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3079
 - version: "2.1.1"
 changes:
 - description: Add documentation for multi-fields
diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json
index 311d3b3c551..e6a0a0d77e1 100644
--- a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json
+++ b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json
@@ -21,7 +21,7 @@
 "action": "mac_ipsec_event",
 "kind": "event",
 "original": "type=MAC_IPSEC_EVENT msg=audit(1485893834.891:18877201): op=SPD-delete auid=4294967295 ses=4294967295 res=1 src=192.168.2.0 src_prefixlen=24 dst=192.168.0.0 dst_prefixlen=16",
- "outcome": "1"
+ "outcome": "success"
 },
 "source": {
 "address": "192.168.2.0",
@@ -642,7 +642,7 @@
 ],
 "kind": "event",
 "original": "node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1594053514.707:5): audit_failure=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 res=1",
- "outcome": "1",
+ "outcome": "success",
 "type": [
 "change"
 ]
@@ -1764,7 +1764,7 @@
 ],
 "kind": "event",
 "original": "type=CONFIG_CHANGE msg=audit(1481077231.371:478): auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=\"add_rule\" key=(null) list=4 res=1",
- "outcome": "1",
+ "outcome": "success",
 "type": [
 "change"
 ]
diff --git a/packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 53f66a34c3c..d4618e3cd47 100644
--- a/packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -2114,10 +2114,21 @@ processors:
 ignore_failure: true
 field: auditd.log.msg
 target_field: message
- - rename:
+ - set:
+ if: (ctx?.auditd?.log?.res != null && ["1", "success"].contains(ctx.auditd.log.res))
+ field: event.outcome
+ value: "success"
+ ignore_failure: true
+ - set:
+ if: (ctx?.auditd?.log?.res != null && ["0", "failed"].contains(ctx.auditd.log.res))
+ field: event.outcome
+ value: "failure"
+ ignore_failure: true
+ - set:
+ if: (ctx?.auditd?.log?.res != null && !["0", "1", "success", "failed"].contains(ctx.auditd.log.res))
+ field: event.outcome
+ value: "unknown"
 ignore_failure: true
- field: auditd.log.res
- target_field: event.outcome
 # The processor below populates process.args list from argN fields.
 #
 # It handles the common case of a complete record: Contains argc=N and a0 to aN-1,
@@ -2218,6 +2229,7 @@ processors:
 - auditd.log.epoch
 - auditd.log.copy
 - auditd.log.arch
+ - auditd.log.res
 ignore_failure: true
 ignore_missing: true
 - remove:
diff --git a/packages/auditd/data_stream/log/sample_event.json b/packages/auditd/data_stream/log/sample_event.json
index cc57adeb1a8..8c6a1b245ed 100644
--- a/packages/auditd/data_stream/log/sample_event.json
+++ b/packages/auditd/data_stream/log/sample_event.json
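Review bot: The second hunk adds `auditd.log.res` to the unconditional `remove` list while the third `set` maps every unrecognised `res` value to `event.outcome: unknown`, so the raw result string is discarded exactly when an analyst would need it to explain an `unknown` outcome or to notice a parsing regression in the audit trail (both hunks sit inside the `processors:` list, which starts and ends outside them). I would keep the original value whenever it did not map, by dropping `- auditd.log.res` from the bulk remove and removing it only after an outcome was resolved, as below. Presumably the preceding kv stage already strips the trailing `'` that auditd appends in records such as `res=success'`; if it does not, those events would all land in the `unknown` branch, so a fixture for that shape is worth adding. Related: the expected-output hunks in this diff only exercise `res=1`, so a `res=0` or `res=failed` sample would pin the `failure` branch as well.
```yaml
# … unchanged: bulk remove of auditd.log.epoch, auditd.log.copy, auditd.log.arch (auditd.log.res no longer listed there) …
  - remove:
      field: auditd.log.res
      if: ctx?.event?.outcome != null && ctx.event.outcome != 'unknown'
      ignore_missing: true
```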
@@ -1,11 +1,12 @@
 {
 "@timestamp": "2016-01-03T00:37:51.394Z",
 "agent": {
- "ephemeral_id": "26e35ddc-258e-426f-87cf-40517f808d30",
- "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
+ "ephemeral_id": "ef6d17d9-f955-48be-a4c5-6b4ea1fe9772",
+ "hostname": "docker-fleet-agent",
+ "id": "f386c08a-1dcf-444a-a259-9c33fa001606",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.0.0-beta1"
+ "version": "7.17.0"
 },
 "auditd": {
 "log": {
@@ -22,37 +23,36 @@
 "version": "8.0.0"
 },
 "elastic_agent": {
- "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
+ "id": "f386c08a-1dcf-444a-a259-9c33fa001606",
 "snapshot": false,
- "version": "8.0.0-beta1"
+ "version": "7.17.0"
 },
 "event": {
 "action": "proctitle",
 "agent_id_status": "verified",
 "dataset": "auditd.log",
- "ingested": "2021-12-24T01:30:55Z",
+ "ingested": "2022-04-13T05:23:36Z",
 "kind": "event"
 },
 "host": {
 "architecture": "x86_64",
- "containerized": true,
+ "containerized": false,
 "hostname": "docker-fleet-agent",
- "id": "4ccba669f0df47fa3f57a9e4169ae7f1",
 "ip": [
- "192.168.224.7"
+ "172.19.0.7"
 ],
 "mac": [
- "02:42:c0:a8:e0:07"
+ "02:42:ac:13:00:07"
 ],
 "name": "docker-fleet-agent",
 "os": {
- "codename": "Core",
- "family": "redhat",
- "kernel": "5.11.0-41-generic",
- "name": "CentOS Linux",
- "platform": "centos",
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "5.10.104-linuxkit",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
 "type": "linux",
- "version": "7 (Core)"
+ "version": "20.04.3 LTS (Focal Fossa)"
 }
 },
 "input": {
diff --git a/packages/auditd/docs/README.md b/packages/auditd/docs/README.md
index b8020886846..4e8fef73d09 100644
--- a/packages/auditd/docs/README.md
+++ b/packages/auditd/docs/README.md
@@ -20,11 +20,12 @@ An example event for `log` looks as following:
 {
 "@timestamp": "2016-01-03T00:37:51.394Z",
 "agent": {
- "ephemeral_id": "26e35ddc-258e-426f-87cf-40517f808d30",
- "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
+ "ephemeral_id": "ef6d17d9-f955-48be-a4c5-6b4ea1fe9772",
+ "hostname": "docker-fleet-agent",
+ "id": "f386c08a-1dcf-444a-a259-9c33fa001606",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.0.0-beta1"
+ "version": "7.17.0"
 },
 "auditd": {
 "log": {
@@ -41,37 +42,36 @@ An example event for `log` looks as following:
 "version": "8.0.0"
 },
 "elastic_agent": {
- "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
+ "id": "f386c08a-1dcf-444a-a259-9c33fa001606",
 "snapshot": false,
- "version": "8.0.0-beta1"
+ "version": "7.17.0"
 },
 "event": {
 "action": "proctitle",
 "agent_id_status": "verified",
 "dataset": "auditd.log",
- "ingested": "2021-12-24T01:30:55Z",
+ "ingested": "2022-04-13T05:23:36Z",
 "kind": "event"
 },
 "host": {
 "architecture": "x86_64",
- "containerized": true,
+ "containerized": false,
 "hostname": "docker-fleet-agent",
- "id": "4ccba669f0df47fa3f57a9e4169ae7f1",
 "ip": [
- "192.168.224.7"
+ "172.19.0.7"
 ],
 "mac": [
- "02:42:c0:a8:e0:07"
+ "02:42:ac:13:00:07"
 ],
 "name": "docker-fleet-agent",
 "os": {
- "codename": "Core",
- "family": "redhat",
- "kernel": "5.11.0-41-generic",
- "name": "CentOS Linux",
- "platform": "centos",
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "5.10.104-linuxkit",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
 "type": "linux",
- "version": "7 (Core)"
+ "version": "20.04.3 LTS (Focal Fossa)"
 }
 },
 "input": {
diff --git a/packages/auditd/manifest.yml b/packages/auditd/manifest.yml
index 233c580c6de..117a2af1f6a 100644
--- a/packages/auditd/manifest.yml
+++ b/packages/auditd/manifest.yml
@@ -1,6 +1,6 @@
 name: auditd
 title: Auditd
-version: 2.1.1
+version: 2.1.2
 release: ga
 description: Collect logs from Linux audit daemon with Elastic Agent.
 type: integration