
Rename Filebeat module from system.audit to auditd.log #3941

Merged: 2 commits from andrewkroh:bugfix/rename-audit-fileset into elastic:master, Apr 7, 2017

@andrewkroh (Member) commented Apr 6, 2017:

This moves the `audit` fileset from the `system` module into its own module named `auditd`. The new fileset name is `log`.

Rename Filebeat module from system.audit to auditd.log

@andrewkroh andrewkroh requested a review from tsg Apr 6, 2017

@ruflin (Collaborator) approved these changes Apr 7, 2017 and left a comment:

LGTM. It seems we never added a Changelog entry for audit module. Probably time to add one.

@tsg (Collaborator) approved these changes Apr 7, 2017 and left a comment:

LGTM, thanks for doing the rename!

@andrewkroh (Member, Author) commented Apr 7, 2017:

The Jenkins failure doesn't look related to the changes.

@tsg (Collaborator) commented Apr 7, 2017:

It was green before, so I'm merging it.

@tsg tsg merged commit ee07419 into elastic:master Apr 7, 2017

5 of 6 checks passed:

- default: Build finished.
- CLA: Commit author has signed the CLA
- codecov/patch: Coverage not affected when comparing 13bc6d8...5cf0b3d
- codecov/project: 65.62% (+0.08%) compared to 13bc6d8
- continuous-integration/appveyor/pr: AppVeyor build succeeded
- continuous-integration/travis-ci/pr: The Travis CI build passed

andrewkroh added a commit to andrewkroh/beats that referenced this pull request Apr 7, 2017

Rename Filebeat module from system.audit to auditd.log (elastic#3941)
* Rename Filebeat module from system.audit to auditd.log

This moves the `audit` fileset from the `system` module into its own module named `auditd`. The new fileset name is `log`.

* Add changelog entry for auditd module.

andrewkroh added a commit to andrewkroh/beats that referenced this pull request Apr 7, 2017

Add fileset for parsing linux auditd logs (elastic#3750) (elastic#3923) (elastic#3941)

The PR adds an auditd module for parsing logs from the auditd daemon. There is a sample dashboard for viewing this data.

Features

- Parses audit event type, unix epoch time, audit event counter, and the arbitrary key/value pairs that follow.
- Applies geoip lookup to the `auditd.log.addr` field which is present for some remote login events.
- Decodes hex encoded ascii values that are sometimes used for the `auditd.log.exe` and `auditd.log.cmd` fields.
- Remove key/value pairs where the value is `?`.

Missing Features

- Decoder for `auditd.log.saddr` field present in SOCKADDR audit events. A recipe is described [here](https://unix.stackexchange.com/questions/102926/how-to-interpret-the-saddr-field-of-an-audit-log) and could probably be ported to painless. Sample value:
  `type=SOCKADDR msg=audit(1481078693.491:873): saddr=01002F7661722F72756E2F6E7363642F736F636B657400008983B330BE7F0000000000000000000070830130BE7F000004000000000000001B00000000000000D128B7ED000000008B8BB330BE7F00003B00000000000000403E4BF7FD7F0000447F0130BE7F000080150230BE7F`
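The behaviour the commit message above lists for the auditd fileset, plus the SOCKADDR `saddr` decoder it lists as missing, worked through in Python as an added example. This is not Filebeat or Beats code: the real fileset is an Elasticsearch ingest pipeline, and the saddr recipe would have to be ported to Painless as the message says. Assumptions made here: the `HEX_FIELDS` set and the `saddr_decoded` field name are this example's choices, the sample records are constructed except for the saddr value (the one quoted above), and the geoip lookup is left out because it needs a database.

```python
"""auditd log-record parser. Added example for this page, not Filebeat/Beats
code: it mirrors the behaviour listed in the commit message above and adds
the SOCKADDR saddr decoder that message lists as missing."""
import ipaddress
import json
import re
import struct
from datetime import datetime, timezone

# type=TYPE msg=audit(EPOCH:SERIAL): key=value key=value ...
HEADER_RE = re.compile(r"^type=(?P<type>\S+)\s+msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
# One pair: double-quoted, single-quoted (the nested msg='...' of USER_* records) or bare.
# auditd hex-encodes anything that would need escaping, so quoted values never contain a quote.
KV_RE = re.compile(r'''(?P<key>[A-Za-z0-9_-]+)=(?P<val>"[^"]*"|'[^']*'|\S*)''')
# Fields whose bare (unquoted) value is hex-encoded text. Assumption made for this example:
# the page names exe and cmd; comm and proctitle are treated the same way here.
HEX_FIELDS = {"exe", "cmd", "comm", "proctitle"}
# Linux address-family numbers, fixed so decoding does not depend on the host running the parser.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10


def is_hex(value):
    """True for an even-length run of hex digits, auditd's encoding for raw bytes."""
    return len(value) >= 2 and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value) is not None


def decode_saddr(hexval):
    """Decode a SOCKADDR saddr blob: a raw struct sockaddr with sa_family in host (x86: little) endian."""
    raw = bytes.fromhex(hexval)
    if len(raw) < 2:
        return {"family": "unknown"}
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == AF_UNIX:
        # sun_path is NUL-terminated; the bytes after the NUL are uninitialised stack, so stop there.
        # A leading NUL marks an abstract-namespace socket, shown as "@name".
        path = raw[2:]
        if path.startswith(b"\x00"):
            return {"family": "unix", "path": "@" + path[1:].split(b"\x00", 1)[0].decode("utf-8", "replace")}
        return {"family": "unix", "path": path.split(b"\x00", 1)[0].decode("utf-8", "replace")}
    if family == AF_INET and len(raw) >= 8:  # sin_port (network order) at offset 2, sin_addr at 4
        return {"family": "ipv4", "ip": str(ipaddress.IPv4Address(raw[4:8])),
                "port": struct.unpack_from("!H", raw, 2)[0]}
    if family == AF_INET6 and len(raw) >= 24:  # sin6_port at 2, flowinfo at 4, sin6_addr at 8
        return {"family": "ipv6", "ip": str(ipaddress.IPv6Address(raw[8:24])),
                "port": struct.unpack_from("!H", raw, 2)[0]}
    return {"family": str(family)}


def _parse_pairs(text, rec_type, out):
    """Walk key=value pairs in text and store them in out with the fileset's normalisations."""
    for m in KV_RE.finditer(text):
        key, val = m.group("key"), m.group("val")
        if val == "?":  # unknown value: the pair is dropped entirely
            continue
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            if val[0] == "'":  # msg='...' carries nested pairs; flatten them into the record
                _parse_pairs(val[1:-1], rec_type, out)
            else:
                out[key] = val[1:-1]
            continue
        # EXECVE a0..aN are argv strings (hex when unquoted); SYSCALL a0..a3 are raw register values.
        hex_text = key in HEX_FIELDS or (rec_type == "EXECVE" and re.fullmatch(r"a\d+", key) is not None)
        if hex_text and is_hex(val):
            decoded = bytes.fromhex(val).decode("utf-8", "replace")
            # proctitle joins argv with NUL bytes; show them as spaces
            out[key] = decoded.replace("\x00", " ").rstrip() if key == "proctitle" else decoded
            continue
        if key == "saddr" and is_hex(val):
            out["saddr_decoded"] = decode_saddr(val)  # field name is this example's choice
        out[key] = val


def parse_line(line):
    """Parse one auditd record into a dict; raises ValueError for a non-audit line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an auditd record: %r" % line)
    epoch = float(m.group("epoch"))
    rec = {"type": m.group("type"), "epoch": epoch,
           "timestamp": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
           "serial": int(m.group("serial")),  # event counter; every record of one event shares it
           "fields": {}}
    _parse_pairs(m.group("rest"), rec["type"], rec["fields"])
    return rec


# Constructed sample records; only the saddr value is real, taken from the commit message above.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1481077984.013:123): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd2f1a3b40 a1=7ffd2f1a3c50 items=2 ppid=1 pid=4242 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="sudo" exe="/usr/bin/sudo" key=(null)',
    'type=EXECVE msg=audit(1481077984.013:123): argc=3 a0="sudo" a1=2D69 a2="bash"',
    'type=USER_CMD msg=audit(1481078000.000:130): pid=4242 uid=1000 auid=1000 ses=1 msg=\'cwd="/home/alice" cmd=6C73202D6C terminal=pts/0 res=success\'',
    'type=USER_LOGIN msg=audit(1481078100.500:140): pid=1234 uid=0 auid=4294967295 ses=4294967295 msg=\'op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=success\'',
    "type=SOCKADDR msg=audit(1481078693.491:873): saddr=01002F7661722F72756E2F6E7363642F736F636B657400008983B330BE7F0000000000000000000070830130BE7F000004000000000000001B00000000000000D128B7ED000000008B8BB330BE7F00003B00000000000000403E4BF7FD7F0000447F0130BE7F000080150230BE7F",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(json.dumps(parse_line(sample), indent=2))
```

Running the file prints the five parsed records as JSON. Two details matter for anyone porting this to Painless: the AF_UNIX sample carries uninitialised stack bytes after the NUL terminator, so a decoder must stop at the first NUL instead of taking the whole buffer, and SYSCALL `a0`..`a3` must not be hex-decoded even though they look like hex, while EXECVE `a0`..`aN` must.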

andrewkroh added a commit to andrewkroh/beats that referenced this pull request Apr 10, 2017

Add fileset for parsing linux auditd logs (elastic#3750) (elastic#3923) (elastic#3941) (elastic#3962)


tsg added a commit that referenced this pull request Apr 11, 2017

Add fileset for parsing linux auditd logs (#3750) (#3923) (#3941) (#3962) (#3975)


@andrewkroh andrewkroh deleted the andrewkroh:bugfix/rename-audit-fileset branch Jul 5, 2017

athom added a commit to athom/beats that referenced this pull request Jan 25, 2018

Rename Filebeat module from system.audit to auditd.log (elastic#3941)