Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auditd: handle ENRICHED auditd format #8716

Merged
merged 2 commits into from Dec 14, 2023
Merged

auditd: handle ENRICHED auditd format #8716

merged 2 commits into from Dec 14, 2023

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Dec 13, 2023

Proposed commit message

Spec for format: https://github.com/linux-audit/audit-documentation/wiki/SPEC-Audit-Event-Enrichment

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 self-assigned this Dec 13, 2023
efd6
efd6 commented Dec 13, 2023
View reviewed changes
packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log Outdated
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GitHub does a poor job at rendering the diff here; git shows this:

diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log
new file mode 100644
index 000000000..760f90b35
--- /dev/null
+++ b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log
@@ -0,0 +1,3 @@
+type=SOCKADDR msg=audit(1666825569.818:23260118): saddr=02000000000000000000000000000000^]SADDR={ saddr_fam=inet laddr=0.0.0.0 lport=0 }
+type=SOCKADDR msg=audit(1666825569.435:23260106): saddr=0A00DE9900000000000000000000000000002a02cf40000000000000^]SADDR={ saddr_fam=inet6 laddr=2a02:cf40:: lport=56985 }
+type=SOCKADDR msg=audit(1666825568.865:23260105): saddr=0100^]SADDR={ saddr_fam=local sockaddr len too short }

@elasticmachine
Copy link

elasticmachine commented Dec 13, 2023
edited

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2023-12-14T20:31:32.376+0000

  • Duration: 14 min 27 sec

Test stats 🧪

Test Results
Failed 0
Passed 10
Skipped 0
Total 10

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine
Copy link

elasticmachine commented Dec 13, 2023
edited

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (1/1) 💚
Files 100.0% (1/1) 💚 3.929
Classes 100.0% (1/1) 💚 3.929
Methods 100.0% (15/15) 💚 7.585
Lines 98.051% (2214/2258) 👍 9.41
Conditionals 100.0% (0/0) 💚

@elasticmachine
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6 efd6 marked this pull request as ready for review December 13, 2023 01:55
@efd6 efd6 requested a review from a team as a code owner December 13, 2023 01:55
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

kgeller
kgeller reviewed Dec 14, 2023
View reviewed changes
packages/auditd/changelog.yml Outdated
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "3.18.0"
changes:
- description: Handle ENRICHED audit formatr.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

extra r after format?

Suggested change
- description: Handle ENRICHED audit formatr.
- description: Handle ENRICHED audit format.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

kgeller
kgeller approved these changes Dec 14, 2023
View reviewed changes
Copy link
Contributor

@kgeller kgeller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tiny question on the changelog description, otherwise LGTM

@efd6 efd6 merged commit c37f3c8 into elastic:main Dec 14, 2023
4 checks passed
@elasticmachine
Copy link

Package auditd - 3.18.0 containing this change is available at https://epr.elastic.co/search?package=auditd

@efd6 efd6 mentioned this pull request Jan 28, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kgeller kgeller kgeller approved these changes

Assignees

@efd6 efd6

Labels
enhancement New feature or request Integration:Auditd
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Auditd Logs] Support ENRICHED log format
3 participants
@efd6 @elasticmachine @kgeller