Add support for saddr_fam filter to AuditBeat #36776

Closed
chrisanag1985 opened this issue Oct 6, 2023 · 3 comments · Fixed by #36964
Comments

@chrisanag1985

Hi!!! I tried to filter out some traffic and get only AF_INET and AF_INET6 audit logs using these rules:

-a always,exit -F arch=b64 -S connect,accept,listen,bind  -F a2=16 -F saddr_fam=2 -F success=1 -F key=network-v4
-a always,exit -F arch=b64 -S connect,accept,listen,bind  -F a2=24 -F saddr_fam=10 -F success=1 -F key=network-v6

but I get this error

[root@PC rules.d]# auditbeat test config
Exiting: 1 error: failed to unpack the auditd config: 1 error: failed loading rules: 2 errors: at /etc/auditbeat/audit.rules.d/audit-rules.conf:24: failed to interpret rule '-a always,exit -F arch=b64 -S connect,accept,listen,bind  -F a2=16 -F saddr_fam=2 -F success=1 -F key=network-v4': failed to add filter '{2 saddr_fam = 2}': invalid field 'saddr_fam' on left; at /etc/auditbeat/audit.rules.d/audit-rules.conf:25: failed to interpret rule '-a always,exit -F arch=b64 -S connect,accept,listen,bind  -F a2=24 -F saddr_fam=10 -F success=1 -F key=network-v6': failed to add filter '{2 saddr_fam = 10}': invalid field 'saddr_fam' on left accessing 'auditbeat.modules.0' (source:'/etc/auditbeat/auditbeat.yml')
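The error above comes from the rule loader rejecting a field name it does not know, rather than from the kernel. A small pre-check that parses auditctl-style rule lines and reports filter fields the target consumer cannot load is a useful way to catch this before a deploy. The script below is an added example written for this page, not Auditbeat or go-libaudit code; the set of accepted auditctl field names is an assumption taken from the auditctl man page (a subset), and the set of fields treated as unsupported by the reporter's Auditbeat build is derived only from the error message in this issue.

```python
"""Static pre-check for auditctl-style rules before handing them to Auditbeat."""
import shlex

# Field names accepted by auditctl -F on a current Linux audit userspace.
# Assumption for this example: a subset of the auditctl man page, not a list
# taken from the Auditbeat or go-libaudit sources.
AUDITCTL_FIELDS = {
    "arch", "a0", "a1", "a2", "a3", "auid", "uid", "gid", "euid", "egid",
    "pid", "ppid", "exit", "success", "key", "path", "dir", "perm",
    "exe", "msgtype", "saddr_fam",
}

# Fields the reporter's Auditbeat build rejected ("invalid field 'saddr_fam' on left").
# Until the upstream fix tracked in elastic/go-libaudit#144 ships, treat the field
# as unsupported when the rules are destined for Auditbeat.
AUDITBEAT_UNSUPPORTED = {"saddr_fam"}

# auditctl comparison operators; two-character forms must be tried first so
# that "uid!=0" is not split on the bare "=".
OPERATORS = ("!=", ">=", "<=", "&=", "=", ">", "<", "&")


def split_filter(expr):
    """Split an -F expression such as 'saddr_fam=2' into (field, op, value)."""
    for op in OPERATORS:
        if op in expr:
            field, value = expr.split(op, 1)
            return field, op, value
    raise ValueError(f"no comparison operator in filter {expr!r}")


def parse_rule(line):
    """Parse one syscall rule line (-a/-S/-F flags) into its parts.

    Watch rules (-w/-p) are out of scope here and raise ValueError.
    """
    tokens = shlex.split(line)
    rule = {"action": None, "syscalls": [], "filters": []}
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"flag {flag} is missing its argument")
        arg = tokens[i + 1]
        if flag == "-a":
            rule["action"] = arg
        elif flag == "-S":
            rule["syscalls"].extend(arg.split(","))
        elif flag == "-F":
            rule["filters"].append(split_filter(arg))
        else:
            raise ValueError(f"unhandled flag {flag}")
        i += 2
    return rule


def check_rules(text, unsupported=AUDITBEAT_UNSUPPORTED):
    """Return (line_number, field) for each filter whose field is unknown to
    auditctl or is in the set the target consumer cannot load."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for field, _op, _value in parse_rule(line)["filters"]:
            if field not in AUDITCTL_FIELDS or field in unsupported:
                problems.append((lineno, field))
    return problems


# The two rules from the report, embedded so the check runs offline.
REPORTED_RULES = """\
-a always,exit -F arch=b64 -S connect,accept,listen,bind  -F a2=16 -F saddr_fam=2 -F success=1 -F key=network-v4
-a always,exit -F arch=b64 -S connect,accept,listen,bind  -F a2=24 -F saddr_fam=10 -F success=1 -F key=network-v6
"""

if __name__ == "__main__":
    for lineno, field in check_rules(REPORTED_RULES):
        print(f"line {lineno}: filter field '{field}' will not load in this Auditbeat build")
```

Passing `unsupported=set()` runs the same rules against the plain auditctl field list, which is the quick way to tell a rule that is wrong everywhere apart from one that only the Auditbeat loader rejects.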
botelastic bot added the needs_team label (indicates that the issue/PR needs a Team:* label) on Oct 6, 2023
chrisanag1985 changed the title from "Add support from saddr_fam filter" to "Add support from saddr_fam filter to AuditBeat" on Oct 6, 2023
chrisanag1985 changed the title from "Add support from saddr_fam filter to AuditBeat" to "Add support for saddr_fam filter to AuditBeat" on Oct 6, 2023
@elasticmachine (Collaborator)

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

botelastic bot removed the needs_team label on Oct 16, 2023
jamiehynds added the Auditbeat and needs_team labels on Oct 16, 2023
botelastic bot removed the needs_team label on Oct 16, 2023
@botelastic (bot) commented Oct 16, 2023

This issue doesn't have a Team:<team> label.

@andrewkroh (Member)

I created an issue in the upstream library. elastic/go-libaudit#144
