
Document all fields used in auditd dashboards #3962

Merged
merged 2 commits into elastic:master from andrewkroh:bugfix/auditd on Apr 9, 2017

3 participants
@andrewkroh
Member

commented Apr 7, 2017

To allow the dashboards to load, all fields used in the dashboards need to be in the Kibana index pattern.

I also changed pid, ppid, item, and item to just be keywords. There wasn’t really a good reason for these to be stored as numbers, and sometimes in the events these were set to characters like “?”.

The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item.
[float]
=== auditd.log.a0
This first argument to the system call.

@dedemorton

dedemorton Apr 7, 2017

Contributor

Should this say, "The first argument..."?

@andrewkroh

andrewkroh Apr 7, 2017

Author Member

Yep, will fix them all. Thanks.

[float]
=== auditd.log.res

This result of the system call (success or failure).

@dedemorton

dedemorton Apr 7, 2017

Contributor

Should this say, "The result of..."?

description: >
The item field indicates which item out of the total number of items.
This number is zero-based; a value of 0 means it is the first item.
- name: a0
description: >
This first argument to the system call.
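Review bot: the `item` description at the top of this hunk still reads as a numeric field ("This number is zero-based; a value of 0 means it is the first item"), but this PR changes `item` to a keyword. Add a sentence saying the field is stored as a keyword even though its value looks numeric, so nobody builds range queries or numeric visualizations on it; "The item field is the zero-based index of this record within the event (stored as a keyword)." would do. The `a0` text in the same hunk has the "This first argument" typo already flagged above.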

@dedemorton

dedemorton Apr 7, 2017

Contributor

See above comment.

This first argument to the system call.
- name: res
description: >
This result of the system call (success or failure).

@dedemorton

dedemorton Apr 7, 2017

Contributor

See above comment.

@tsg tsg merged commit 2ebc2c8 into elastic:master Apr 9, 2017

6 checks passed:

- CLA: Commit author has signed the CLA
- codecov/patch: Coverage not affected when comparing ee07419...67a5837
- codecov/project: 65.6% (+4.31%) compared to ee07419
- continuous-integration/appveyor/pr: AppVeyor build succeeded
- continuous-integration/travis-ci/pr: The Travis CI build passed
- default: Build finished.

andrewkroh added a commit to andrewkroh/beats that referenced this pull request Apr 10, 2017

Add fileset for parsing linux auditd logs (elastic#3750) (elastic#3923) (elastic#3941) (elastic#3962)

The PR adds an auditd module for parsing logs from the auditd daemon. There is a sample dashboard for viewing this data.

Features

- Parses audit event type, unix epoch time, audit event counter, and the arbitrary key/value pairs that follow.
- Applies geoip lookup to the `auditd.log.addr` field, which is present for some remote login events.
- Decodes hex-encoded ASCII values that are sometimes used for the `auditd.log.exe` and `auditd.log.cmd` fields.
- Removes key/value pairs where the value is `?`.

Missing Features

- Decoder for `auditd.log.saddr` field present in SOCKADDR audit events. A recipe is described [here](https://unix.stackexchange.com/questions/102926/how-to-interpret-the-saddr-field-of-an-audit-log) and could probably be ported to painless. Sample value:
  `type=SOCKADDR msg=audit(1481078693.491:873): saddr=01002F7661722F72756E2F6E7363642F736F636B657400008983B330BE7F0000000000000000000070830130BE7F000004000000000000001B00000000000000D128B7ED000000008B8BB330BE7F00003B00000000000000403E4BF7FD7F0000447F0130BE7F000080150230BE7F`
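The parsing steps in the feature list above, plus the saddr decoder listed as missing, as an added example in Python; this is not the Beats module's or its ingest pipeline's code. The SYSCALL line, the `cmd` value and the `HEX_FIELDS`/`SAMPLES` names are constructed; the SOCKADDR line is the sample value quoted in the commit message, and the sa_family constants are the Linux ones.

```python
import ipaddress
import re

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_FIELDS = {'exe', 'cmd'}              # only these fields are hex-decoded, as in the module
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10    # Linux sa_family values (constructed assumption)

def decode_hex(value):
    """auditd hex-encodes a value holding spaces or odd bytes; decode it if it is one."""
    if len(value) % 2 or not re.fullmatch(r'[0-9A-Fa-f]+', value):
        return value
    raw = bytes.fromhex(value).rstrip(b'\x00')
    return raw.decode('ascii') if raw.isascii() else value

def decode_saddr(hexstr):
    """Decode the raw struct sockaddr that auditd logs as hex (sa_family is host order; x86 = little-endian)."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[:2], 'little')
    if family == AF_UNIX:
        path = raw[2:].split(b'\x00', 1)[0]              # sun_path is NUL-terminated
        if not path and len(raw) > 3:                    # abstract socket: leading NUL, shown as @name
            path = b'@' + raw[3:].split(b'\x00', 1)[0]
        return {'family': 'unix', 'path': path.decode('ascii', 'replace')}
    if family in (AF_INET, AF_INET6):
        port = int.from_bytes(raw[2:4], 'big')           # sin_port / sin6_port are network order
        packed = raw[4:8] if family == AF_INET else raw[8:24]   # sin6_addr follows 4-byte flowinfo
        return {'family': 'ipv4' if family == AF_INET else 'ipv6',
                'port': port, 'addr': str(ipaddress.ip_address(packed))}
    return {'family': family}                            # unknown family: keep the number

def parse_line(line):
    """Return one audit record as a dict, or None for a line that is not an audit record."""
    m = HEADER.match(line)
    if not m:
        return None
    event = {'type': m.group(1), 'timestamp': float(m.group(2)), 'sequence': int(m.group(3))}
    for key, val in KV.findall(m.group(4)):
        val = val.strip('"')
        if val == '?':                                   # unknown value: drop the pair
            continue
        event[key] = decode_hex(val) if key in HEX_FIELDS else val
    if event['type'] == 'SOCKADDR' and 'saddr' in event:
        event['saddr_decoded'] = decode_saddr(event['saddr'])
    return event

# Constructed SYSCALL line (ppid=? and a hex-encoded cmd), plus the SOCKADDR sample from the commit message.
SAMPLES = [
    'type=SYSCALL msg=audit(1481078693.491:873): arch=c000003e syscall=42 success=yes exit=0 '
    'ppid=? pid=2104 uid=0 exe="/usr/bin/python" cmd=2F62696E2F6C73202D6C key=(null)',
    'type=SOCKADDR msg=audit(1481078693.491:873): saddr=01002F7661722F72756E2F6E7363642F736F636B657400008983B330BE7F0000000000000000000070830130BE7F000004000000000000001B00000000000000D128B7ED000000008B8BB330BE7F00003B00000000000000403E4BF7FD7F0000447F0130BE7F000080150230BE7F',
]
```

Restricting hex decoding to `exe` and `cmd` matters: a plain numeric value such as `syscall=42` is also valid hex and would otherwise be turned into the letter `B`.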

tsg added a commit that referenced this pull request Apr 11, 2017

Add fileset for parsing linux auditd logs (#3750) (#3923) (#3941) (#3962) (#3975)


@andrewkroh andrewkroh deleted the andrewkroh:bugfix/auditd branch Jul 5, 2017

athom added a commit to athom/beats that referenced this pull request Jan 25, 2018

Document all fields used in auditd dashboards (elastic#3962)
* Document all fields used in auditd dashboards
* Fix typo in field docs