diff --git a/filebeat/module/kibana/audit/ingest/pipeline-json.yml b/filebeat/module/kibana/audit/ingest/pipeline-json.yml
index 3ff55477488c..2fef934d9e8c 100644
--- a/filebeat/module/kibana/audit/ingest/pipeline-json.yml
+++ b/filebeat/module/kibana/audit/ingest/pipeline-json.yml
@@ -14,17 +14,25 @@ processors: field: event.action value: "{{kibana._audit_temp.event.action}}" - set: - if: ctx.kibana._audit_temp.event.category != null + if: ctx.kibana._audit_temp.event.category != null && ctx.kibana._audit_temp.event.category instanceof List field: event.category value: "{{kibana._audit_temp.event.category.0}}" +- set: + if: ctx.kibana._audit_temp.event.category != null && ctx.kibana._audit_temp.event.category instanceof String + field: event.category + value: "{{kibana._audit_temp.event.category}}" - set: if: ctx.kibana._audit_temp.event.outcome != null field: event.outcome value: "{{kibana._audit_temp.event.outcome}}" - set: - if: ctx.kibana._audit_temp.event.type != null + if: ctx.kibana._audit_temp.event.type != null && ctx.kibana._audit_temp.event.type instanceof List field: event.type value: "{{kibana._audit_temp.event.type.0}}" +- set: + if: ctx.kibana._audit_temp.event.type != null && ctx.kibana._audit_temp.event.type instanceof String + field: event.type + value: "{{kibana._audit_temp.event.type}}" - remove: field: 'ecs'
diff --git a/filebeat/module/kibana/audit/test/test-audit-711.log b/filebeat/module/kibana/audit/test/test-audit-711.log
index c928218a9c04..aaa2209673ec 100644
--- a/filebeat/module/kibana/audit/test/test-audit-711.log
+++ b/filebeat/module/kibana/audit/test/test-audit-711.log
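Review bot: The two new `set` processors per field carry no comment on why `event.category` and `event.type` now need both an `instanceof List` and an `instanceof String` branch; the fixture changes in this commit (`test-audit-711.log` moving to `ecs.version` 1.6.0 with plain strings, the new `test-audit-713.log` keeping arrays) suggest older Kibana releases log these fields as a string and newer ones as an ECS array, and that belongs next to the branches rather than in the test files. I would add above the first `- set:` for `event.category`: `# Kibana writes event.category/event.type as a plain string on older releases and as an ECS array on newer ones; handle both forms.` The List branch still takes only `.0` through a Mustache template, so any further categories or types in the array are dropped and an empty array presumably renders as an empty string; if the target Elasticsearch supports `copy_from` on `set`, copying the whole array would keep the ECS array semantics for these keyword fields. A value of any other type now matches neither branch and is left unset, which is a sensible safe default for log input that is not fully trusted, but it is worth a word in the same comment. The `processors` list continues outside the hunk on both sides.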
@@ -1,4 +1,4 @@
-{"@timestamp":"2020-12-09T11:57:34.870-05:00","message":"User is requesting [/foo/spaces/enter] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"0.0.0.0","path":"/foo/spaces/enter","port":5603,"scheme":"https:"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"},"trace":{"id":"71a7d4d1-e9ba-474c-a844-9d9c1dc11ba5"}}
-{"@timestamp":"2020-12-09T11:59:21.458-05:00","message":"User [elastic] has logged in using basic provider [name=basic]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"user_login","category":["authentication"],"outcome":"success"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"authentication_provider":"basic","authentication_type":"basic","authentication_realm":"reserved","lookup_realm":"reserved"},"trace":{"id":"a400bdb7-d279-44c1-b009-bc803809872f"}}
-{"@timestamp":"2020-12-09T12:01:36.210-05:00","message":"User is creating index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"saved_object_create","category":["database"],"type":["creation"],"outcome":"unknown"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"b1c237a9-5edd-4653-92bc-350feb8e1530"}}
-{"@timestamp":"2020-12-09T12:01:37.281-05:00","message":"User has accessed index-pattern 
[id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"saved_object_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"17819e5b-187a-4107-944e-6295925d08be"}}
+{"@timestamp":"2020-12-09T11:57:34.870-05:00","message":"User is requesting [/foo/spaces/enter] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"http_request","category":"web","outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"0.0.0.0","path":"/foo/spaces/enter","port":5603,"scheme":"https:"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"},"trace":{"id":"71a7d4d1-e9ba-474c-a844-9d9c1dc11ba5"}}
+{"@timestamp":"2020-12-09T11:59:21.458-05:00","message":"User [elastic] has logged in using basic provider [name=basic]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"user_login","category":"authentication","outcome":"success"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"authentication_provider":"basic","authentication_type":"basic","authentication_realm":"reserved","lookup_realm":"reserved"},"trace":{"id":"a400bdb7-d279-44c1-b009-bc803809872f"}}
+{"@timestamp":"2020-12-09T12:01:36.210-05:00","message":"User is creating index-pattern 
[id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"saved_object_create","category":"database","type":"creation","outcome":"unknown"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"b1c237a9-5edd-4653-92bc-350feb8e1530"}}
+{"@timestamp":"2020-12-09T12:01:37.281-05:00","message":"User has accessed index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"saved_object_get","category":"database","type":"access","outcome":"success"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"17819e5b-187a-4107-944e-6295925d08be"}}
diff --git a/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json b/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json
index 5c4999be225f..bfed337b0e3a 100644
--- a/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json
+++ b/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json
@@ -41,7 +41,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "audit",
 "input.type": "log",
- "log.offset": 545,
+ "log.offset": 543,
 "message": "User [elastic] has logged in using basic provider [name=basic]",
 "process.pid": 20699,
 "related.user": [
@@ -69,7 +69,7 @@
 "kibana.saved_object.id": "325b1500-3a40-11eb-a93c-7bbeae51ac96",
 "kibana.saved_object.type": "index-pattern",
 "kibana.space_id": "default",
- "log.offset": 1097,
+ "log.offset": 1093,
 "message": "User is creating index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]",
 "process.pid": 20699,
 "related.user": [ 
@@ -97,7 +97,7 @@
 "kibana.saved_object.id": "325b1500-3a40-11eb-a93c-7bbeae51ac96",
 "kibana.saved_object.type": "index-pattern",
 "kibana.space_id": "default",
- "log.offset": 1663,
+ "log.offset": 1655,
 "message": "User has accessed index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]",
 "process.pid": 20699,
 "related.user": [
diff --git a/filebeat/module/kibana/audit/test/test-audit-713.log b/filebeat/module/kibana/audit/test/test-audit-713.log
new file mode 100644
index 000000000000..720e1aa126b5
--- /dev/null
+++ b/filebeat/module/kibana/audit/test/test-audit-713.log
@@ -0,0 +1,4 @@
+{"@timestamp":"2020-12-09T11:57:34.870-05:00","message":"User is requesting [/foo/spaces/enter] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"0.0.0.0","path":"/foo/spaces/enter","port":5603,"scheme":"https:"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"},"trace":{"id":"71a7d4d1-e9ba-474c-a844-9d9c1dc11ba5"}}
+{"@timestamp":"2020-12-09T11:59:21.458-05:00","message":"User [elastic] has logged in using basic provider [name=basic]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"user_login","category":["authentication"],"outcome":"success"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"authentication_provider":"basic","authentication_type":"basic","authentication_realm":"reserved","lookup_realm":"reserved"},"trace":{"id":"a400bdb7-d279-44c1-b009-bc803809872f"}}
+{"@timestamp":"2020-12-09T12:01:36.210-05:00","message":"User is creating index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"saved_object_create","category":["database"],"type":["creation"],"outcome":"unknown"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"b1c237a9-5edd-4653-92bc-350feb8e1530"}}
+{"@timestamp":"2020-12-09T12:01:37.281-05:00","message":"User has accessed index-pattern 
[id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"saved_object_get","category":"database","type":"access","outcome":"success"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"17819e5b-187a-4107-944e-6295925d08be"}}
diff --git a/filebeat/module/kibana/audit/test/test-audit-713.log-expected.json b/filebeat/module/kibana/audit/test/test-audit-713.log-expected.json
new file mode 100644
index 000000000000..5c4999be225f
--- /dev/null
+++ b/filebeat/module/kibana/audit/test/test-audit-713.log-expected.json
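Review bot: The fourth line of the new fixture writes `"category":"database","type":"access"` as plain strings while the other three lines of the same file use arrays (`["database"]`, `["creation"]`) under `ecs.version` 1.9.0; the matching expected file cannot tell the two forms apart because the pipeline flattens both, so if this is a copy slip the array form of the `saved_object_get` event goes untested, and if it is deliberate the mixed fixture deserves a sentence in the commit message. Either change line 4 to `"category":["database"],"type":["access"]` to match the rest of the file, or keep the mix on purpose and say so where the fixture is described.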
@@ -0,0 +1,113 @@
+[
+ {
+ "@timestamp": "2020-12-09T11:57:34.870-05:00",
+ "event.action": "http_request",
+ "event.category": "web",
+ "event.dataset": "kibana.audit",
+ "event.kind": "event",
+ "event.module": "kibana",
+ "event.outcome": "unknown",
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "http.request.method": "get",
+ "input.type": "log",
+ "kibana.space_id": "default",
+ "log.offset": 0,
+ "message": "User is requesting [/foo/spaces/enter] endpoint",
+ "process.pid": 20699,
+ "related.user": [
+ "elastic"
+ ],
+ "service.type": "kibana",
+ "trace.id": "71a7d4d1-e9ba-474c-a844-9d9c1dc11ba5",
+ "url.domain": "0.0.0.0",
+ "url.original": "/foo/spaces/enter",
+ "url.path": "/foo/spaces/enter",
+ "url.port": 5603,
+ "url.scheme": "https:",
+ "user.name": "elastic",
+ "user.roles": [
+ "superuser"
+ ]
+ },
+ {
+ "@timestamp": "2020-12-09T11:59:21.458-05:00",
+ "event.action": "user_login",
+ "event.category": "authentication",
+ "event.dataset": "kibana.audit",
+ "event.kind": "event",
+ "event.module": "kibana",
+ "event.outcome": "success",
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "input.type": "log",
+ "log.offset": 545,
+ "message": "User [elastic] has logged in using basic provider [name=basic]",
+ "process.pid": 20699,
+ "related.user": [
+ "elastic"
+ ],
+ "service.type": "kibana",
+ "trace.id": "a400bdb7-d279-44c1-b009-bc803809872f",
+ "user.name": "elastic",
+ "user.roles": [
+ "superuser"
+ ]
+ },
+ {
+ "@timestamp": "2020-12-09T12:01:36.210-05:00",
+ "event.action": "saved_object_create",
+ "event.category": "database",
+ "event.dataset": "kibana.audit",
+ "event.kind": "event",
+ "event.module": "kibana",
+ "event.outcome": "unknown",
+ "event.timezone": "-02:00",
+ "event.type": "creation",
+ "fileset.name": "audit",
+ "input.type": "log",
+ "kibana.saved_object.id": "325b1500-3a40-11eb-a93c-7bbeae51ac96",
+ "kibana.saved_object.type": "index-pattern",
+ "kibana.space_id": "default",
+ "log.offset": 1097,
+ 
"message": "User is creating index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]",
+ "process.pid": 20699,
+ "related.user": [
+ "elastic"
+ ],
+ "service.type": "kibana",
+ "trace.id": "b1c237a9-5edd-4653-92bc-350feb8e1530",
+ "user.name": "elastic",
+ "user.roles": [
+ "superuser"
+ ]
+ },
+ {
+ "@timestamp": "2020-12-09T12:01:37.281-05:00",
+ "event.action": "saved_object_get",
+ "event.category": "database",
+ "event.dataset": "kibana.audit",
+ "event.kind": "event",
+ "event.module": "kibana",
+ "event.outcome": "success",
+ "event.timezone": "-02:00",
+ "event.type": "access",
+ "fileset.name": "audit",
+ "input.type": "log",
+ "kibana.saved_object.id": "325b1500-3a40-11eb-a93c-7bbeae51ac96",
+ "kibana.saved_object.type": "index-pattern",
+ "kibana.space_id": "default",
+ "log.offset": 1663,
+ "message": "User has accessed index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]",
+ "process.pid": 20699,
+ "related.user": [
+ "elastic"
+ ],
+ "service.type": "kibana",
+ "trace.id": "17819e5b-187a-4107-944e-6295925d08be",
+ "user.name": "elastic",
+ "user.roles": [
+ "superuser"
+ ]
+ }
+]
\ No newline at end of file