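---
# Ingest pipeline for Infoblox NIOS audit log lines.
#
# Flow: three mutually-exclusive-ish grok passes pull timestamp / user / action
# out of `message`, the `details` key=value tail is exploded with `kv`, the
# resulting keys are copied under `infoblox_nios.log.audit`, and a few login
# actions are mapped onto ECS event.* fields. Temporary fields (`timestamp`,
# `details`, `audit`) are removed at the end.
#
# Every processor condition guards its input with `!= null` / `?.` so a
# document missing a field falls through instead of raising inside the
# condition; a grok that runs against a missing `message` still fails and is
# reported through the pipeline-level on_failure below.
description: Pipeline for parsing Infoblox NIOS Audit logs.
processors:
  # Object lifecycle messages (Created / Modified / Deleted). The last
  # pattern matches any single-line message, so this grok does not fail on
  # an unexpected layout; it just leaves event.action unset.
  - grok:
      field: message
      if: ctx.message != null && (ctx.message.contains('Created') || ctx.message.contains('Modified') || ctx.message.contains('Deleted'))
      patterns:
        - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} %{DATA:infoblox_nios.log.audit.object.name} %{DATA:infoblox_nios.log.audit.object.value}:? %{GREEDYDATA:infoblox_nios.log.audit.message}$"
        - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} %{GREEDYDATA:infoblox_nios.log.audit.message}$"
        - "^%{GREEDYDATA:infoblox_nios.log.audit.message}$"
  # API / function call messages ("Called"). Same catch-all last pattern.
  # NOTE(review): a message containing both "Created" and "Called" runs both
  # groks and this one overwrites the first's captures — confirm that cannot
  # happen for real NIOS output.
  - grok:
      field: message
      if: ctx.message != null && ctx.message.contains('Called')
      patterns:
        - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} - %{WORD:infoblox_nios.log.audit.object.name}:? %{GREEDYDATA:infoblox_nios.log.audit.message}$"
        - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} - %{GREEDYDATA:infoblox_nios.log.audit.message}$"
        - "^%{GREEDYDATA:infoblox_nios.log.audit.message}$"
  # Everything the two groks above did not classify (event.action still
  # unset). The " - - " form carries a key=value tail that is captured as
  # `details` for the kv processor further down.
  - grok:
      field: message
      if: ctx.event?.action == null
      patterns:
        - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} - - %{GREEDYDATA:details}$"
        - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} %{GREEDYDATA:infoblox_nios.log.audit.message}$"
        - "^%{GREEDYDATA:timestamp} %{GREEDYDATA:infoblox_nios.log.audit.message}$"
        - "^%{GREEDYDATA:infoblox_nios.log.audit.message}$"
  # Parse the grok'd timestamp into @timestamp. An unparsable value is
  # dropped and the reason recorded in error.message rather than failing
  # the whole pipeline.
  # NOTE(review): no `timezone` is set, so the zone-less first format is
  # read as UTC — confirm that matches how the appliances log.
  - date:
      field: timestamp
      if: ctx.timestamp != null
      formats:
        - dd-MMM-yyyy HH:mm:ss.SSS
        - yyyy-MM-dd HH:mm:ss.SSS'Z'
      on_failure:
        - remove:
            field: timestamp
            ignore_missing: true
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
  # Explode the space-separated key=value tail into the temporary `audit`
  # map. Spaces inside values are expected to arrive as `\040` and are
  # decoded by the script below.
  # NOTE(review): the keys come straight from the log line, so whoever can
  # influence the audited text (e.g. a login name) chooses field names under
  # infoblox_nios.log.audit. If the key set is known, an `include_keys`
  # allow-list here would bound the mapping.
  - kv:
      field: details
      target_field: audit
      field_split: ' '
      value_split: '='
      ignore_missing: true
  # Normalise the action so the ECS mappings below can compare literally.
  - lowercase:
      field: event.action
      if: ctx.event?.action != null
      ignore_failure: true
  # ECS authentication mapping: login_allowed -> success/start,
  # login_denied -> failure, logout -> end. Other actions get no
  # event.category/outcome here.
  - set:
      field: event.outcome
      if: ctx.event?.action == 'login_allowed'
      value: 'success'
      ignore_failure: true
  - append:
      field: event.type
      if: ctx.event?.action == 'login_allowed'
      value: 'start'
      ignore_failure: true
  - append:
      field: event.category
      if: ctx.event?.action == 'login_allowed'
      value: 'authentication'
      ignore_failure: true
  - set:
      field: event.outcome
      if: ctx.event?.action == 'login_denied'
      value: 'failure'
      ignore_failure: true
  - append:
      field: event.category
      if: ctx.event?.action == 'login_denied'
      value: 'authentication'
      ignore_failure: true
  - append:
      field: event.type
      if: ctx.event?.action == 'logout'
      value: 'end'
      ignore_failure: true
  - append:
      field: event.category
      if: ctx.event?.action == 'logout'
      value: 'authentication'
      ignore_failure: true
  # Copy the kv results under infoblox_nios.log.audit, decoding `\040` to a
  # space in string values. The assignment is unconditional: a kv key that
  # matches a sub-map already created by grok (e.g. `object`) would replace
  # that map with a scalar.
  - script:
      description: Add kv fields under the infoblox_nios.log.audit.
      lang: painless
      if: ctx.audit != null
      source: |
        if (ctx.infoblox_nios == null) {
          ctx['infoblox_nios'] = new HashMap();
        }
        if (ctx.infoblox_nios?.log == null) {
          ctx.infoblox_nios['log'] = new HashMap();
        }
        if (ctx.infoblox_nios?.log?.audit == null) {
          ctx.infoblox_nios.log['audit'] = new HashMap();
        }
        for (Map.Entry m : ctx.audit.entrySet()) {
          def value = m.getValue();
          if (value instanceof String) {
            value = value.replace('\\040', ' ')
          }
          ctx.infoblox_nios.log.audit[m.getKey()] = value;
        }
  # Validate the `ip` key as an IP address; an invalid value is removed and
  # the reason recorded, so only a well-formed address reaches related.ip.
  - convert:
      field: infoblox_nios.log.audit.ip
      if: ctx.infoblox_nios?.log?.audit?.ip != null && ctx.infoblox_nios.log.audit.ip != ''
      type: ip
      ignore_missing: true
      on_failure:
        - remove:
            field: infoblox_nios.log.audit.ip
            ignore_missing: true
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
  - append:
      field: related.ip
      value: '{{{infoblox_nios.log.audit.ip}}}'
      if: ctx.infoblox_nios?.log?.audit?.ip != null
      allow_duplicates: false
      ignore_failure: true
  # user.name is also `\040`-encoded; decode before it is copied to
  # related.user. Single-quoted YAML, so the regex is a literal `\040`.
  - gsub:
      field: user.name
      ignore_missing: true
      pattern: '\\040'
      replacement: ' '
  # Drop the scratch fields created above.
  - remove:
      field:
        - details
        - audit
        - timestamp
      ignore_missing: true
  - append:
      field: related.user
      value: '{{{user.name}}}'
      if: ctx.user?.name != null
      allow_duplicates: false
      ignore_failure: true
# Any processor error not handled locally marks the event and keeps the
# reason, instead of dropping the document.
on_failure:
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: error.message
      value: '{{{ _ingest.on_failure_message }}}'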