auditd: handle ENRICHED auditd format #8716
Conversation
GitHub does a poor job at rendering the diff here; git shows this:
diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log
new file mode 100644
index 000000000..760f90b35
--- /dev/null
+++ b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log
@@ -0,0 +1,3 @@
+type=SOCKADDR msg=audit(1666825569.818:23260118): saddr=02000000000000000000000000000000^]SADDR={ saddr_fam=inet laddr=0.0.0.0 lport=0 }
+type=SOCKADDR msg=audit(1666825569.435:23260106): saddr=0A00DE9900000000000000000000000000002a02cf40000000000000^]SADDR={ saddr_fam=inet6 laddr=2a02:cf40:: lport=56985 }
+type=SOCKADDR msg=audit(1666825568.865:23260105): saddr=0100^]SADDR={ saddr_fam=local sockaddr len too short }
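Review bot: the third sample's enrichment `SADDR={ saddr_fam=local sockaddr len too short }` is not key=value text, so the pipeline's handling of the braced block has to tolerate free-form tokens rather than splitting every token on `=`; the expected-output file for this test should assert on that line as well as on the two well-formed inet/inet6 lines. Also, the separator between the raw `saddr=` value and the `SADDR={ ... }` block shows here as `^]`, which is the 0x1D (group separator) byte; it is worth confirming the committed file contains the real control byte rather than the two literal characters, otherwise the test exercises a different split than production logs do.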
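Parsing the three lines above outside the ingest pipeline, as an added example (my own Python, not the integration's pipeline code): the raw record and the enrichment are split on the 0x1D separator that the page renders as `^]`, and tokens inside the braces that are not key=value, such as `sockaddr len too short`, are kept as free text under an assumed `message` key instead of breaking the parse.

```python
import re

GS = "\x1d"  # group separator between the raw record and its enrichment (shown as ^] above)

# Constructed from the three lines in the test file, with the real 0x1D byte in place of ^].
SAMPLE_LINES = [
    "type=SOCKADDR msg=audit(1666825569.818:23260118): saddr=02000000000000000000000000000000"
    + GS + "SADDR={ saddr_fam=inet laddr=0.0.0.0 lport=0 }",
    "type=SOCKADDR msg=audit(1666825569.435:23260106): saddr=0A00DE9900000000000000000000000000002a02cf40000000000000"
    + GS + "SADDR={ saddr_fam=inet6 laddr=2a02:cf40:: lport=56985 }",
    "type=SOCKADDR msg=audit(1666825568.865:23260105): saddr=0100"
    + GS + "SADDR={ saddr_fam=local sockaddr len too short }",
]

_MSG = re.compile(r"msg=audit\(([0-9.]+):(\d+)\):\s*")
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_BLOCK = re.compile(r"(\w+)=\{\s*(.*?)\s*\}")


def parse_raw(raw: str) -> dict:
    """Parse the classic key=value record; msg=audit(ts:serial) becomes timestamp/sequence."""
    fields = {}
    m = _MSG.search(raw)
    if m:
        fields["timestamp"] = m.group(1)
        fields["sequence"] = int(m.group(2))
        raw = raw[: m.start()] + raw[m.end():]
    for key, quoted, bare in _KV.findall(raw):
        fields[key] = quoted if quoted else bare
    return fields


def parse_enrichment(enriched: str) -> dict:
    """Parse NAME={ ... } blocks. Tokens without '=' are joined into an assumed
    'message' key so a block like 'sockaddr len too short' does not fail parsing."""
    blocks = {}
    for name, body in _BLOCK.findall(enriched):
        block, free_text = {}, []
        for tok in body.split():
            if "=" in tok:
                key, value = tok.split("=", 1)
                block[key] = value
            else:
                free_text.append(tok)
        if free_text:
            block["message"] = " ".join(free_text)
        blocks[name] = block
    return blocks


def parse_line(line: str) -> dict:
    """Split on GS; a line without the separator is a plain (non-enriched) record."""
    raw, sep, enriched = line.partition(GS)
    event = parse_raw(raw)
    if sep:
        event["enriched"] = parse_enrichment(enriched)
    return event
```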
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
packages/auditd/changelog.yml
@@ -1,4 +1,9 @@ | |||
# newer versions go on top | |||
- version: "3.18.0" | |||
changes: | |||
- description: Handle ENRICHED audit formatr. |
extra r after format?
- description: Handle ENRICHED audit formatr. | |
- description: Handle ENRICHED audit format. |
Thanks
tiny question on the changelog description, otherwise LGTM
Package auditd - 3.18.0 containing this change is available at https://epr.elastic.co/search?package=auditd
Proposed commit message
Spec for format: https://github.com/linux-audit/audit-documentation/wiki/SPEC-Audit-Event-Enrichment
Checklist
changelog.yml file.
Author's Checklist
How to test this PR locally
Related issues
Screenshots