From e5b3b6e68864a6cb88603455727d390c02ca14eb Mon Sep 17 00:00:00 2001
From: Mohammed Naser
Date: Thu, 27 Sep 2018 18:03:33 -0400
Subject: [PATCH] Fix auditd logs using Filebeat

Filebeat auditd module only works by using Ingest which means that the dashboards are broken when using Logstash. This patch adds some basic information in order for the dashboard to become functional.

Change-Id: I18283354ea49b26e1716dcab1f6452948e52845f
---
 .../templates/logstash-pipelines.yml.j2 | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/elk_metrics_6x/templates/logstash-pipelines.yml.j2 b/elk_metrics_6x/templates/logstash-pipelines.yml.j2
index afeb5296..5840f30c 100644
--- a/elk_metrics_6x/templates/logstash-pipelines.yml.j2
+++ b/elk_metrics_6x/templates/logstash-pipelines.yml.j2
@@ -43,6 +43,43 @@
 add_tag => ["syslog"]
 }
 }
+
+ # NOTE(mnaser): Filebeat doesn't support shipping to different outputs
+ # which means we need to parse `auditd` fileset here rather
+ # than rely on ingest.
+ if [fileset][module] == "auditd" {
+ grok {
+ break_on_match => false
+ match => {
+ message => [
+ "type=%{WORD:[auditd][log][record_type]}",
+ "msg=audit\(%{NUMBER:timestamp}:%{NUMBER:[auditd][log][sequence]}\)",
+ "a0=\"%{DATA:[auditd][log][a0]}\"",
+ "acct=\"%{DATA:[auditd][log][acct]}\"",
+ "addr=%{IPORHOST:[auditd][log][addr]}"
+ ]
+ }
+ }
+
+ date {
+ match => [ "timestamp", "UNIX" ]
+ remove_field => "timestamp"
+ }
+
+ if [auditd][log][addr] {
+ geoip {
+ source => "[auditd][log][addr]"
+ target => "[auditd][geoip]"
+ }
+ }
+
+ # NOTE(mnaser): We don't match all fields so `grok` thinks that we
+ # failed.
+ mutate {
+ remove_tag => ["_grokparsefailure"]
+ }
+ }
+
 if [@metadata][source_type] == "beats" or [@metadata][source_type] == "syslog" {
 if [systemd_slice] {
 mutate {
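Review bot: The unconditional `remove_tag => ["_grokparsefailure"]` at the end of the auditd branch also clears the tag when none of the five patterns matched at all, so a line in the auditd fileset that is not a recognizable audit record is indexed silently instead of being flagged for investigation, and for audit data that visibility is what an analyst relies on. Guarding the removal on the field every real record yields, `if [auditd][log][record_type] {` wrapped around the `mutate { remove_tag => ["_grokparsefailure"] }` block, keeps the tag only for genuinely unparsed events. Separately, auditd hex-encodes values that contain spaces, quotes or control characters and then emits them without quotes, so the `acct=\"%{DATA:...}\"` and `a0=\"%{DATA:...}\"` patterns will miss exactly the unusual account names and arguments worth seeing; an alternation such as `acct=(?:\"%{DATA:[auditd][log][acct]}\"|%{WORD:[auditd][log][acct]})` captures both forms, though the hex form would still need decoding downstream. The enclosing filter section starts before the hunk.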