Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add System Package #390

Merged
merged 4 commits into from May 5, 2020
Merged

Add System Package #390

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
be0504f
updated against master
fearful-symmetry May 5, 2020
6a561fb
add readme, change version
fearful-symmetry May 5, 2020
2c0f70b
manifest updates
fearful-symmetry May 5, 2020
cf6fd86
small fixes
fearful-symmetry May 5, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
14 changes: 14 additions & 0 deletions dev/packages/alpha/system/0.0.1/dataset/auth/agent/stream/log.yml.hbs
View file
Open in desktop
@@ -0,0 +1,14 @@
paths:
{{#each paths as |path i|}}
- {{path}}
{{/each}}
exclude_files: [".gz$"]
multiline:
pattern: "^\\s"
match: after
processors:
- add_locale: ~
- add_fields:
target: ''
fields:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is interesting. I wonder if we should add this still on the Beats side in the future. @ph

ecs.version: 1.5.0
121 changes: 121 additions & 0 deletions dev/packages/alpha/system/0.0.1/dataset/auth/elasticsearch/ingest-pipeline/default.json
View file
Open in desktop
@@ -0,0 +1,121 @@
{
"description": "Pipeline for parsing system authorisation/secure logs",
"processors": [
{
"grok": {
"field": "message",
"ignore_missing": true,
"pattern_definitions" : {
"GREEDYMULTILINE" : "(.|\n)*",
"TIMESTAMP": "(?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})"
},
"patterns": [
"%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
"%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}",
"%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}",
"%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: \\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
"%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}",
"%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$",
"%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.auth.message}"
]
}
},
{
"remove": {
"field": "message"
}
},
{
"rename": {
"field": "system.auth.message",
"target_field": "message",
"ignore_missing": true
}
},
{
"set": {
"field": "source.ip",
"value": "{{system.auth.ssh.dropped_ip}}",
"if": "ctx.containsKey('system') && ctx.system.containsKey('auth') && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')"
}
},
{
"date": {
"if": "ctx.event.timezone == null",
"field": "system.auth.timestamp",
"target_field": "@timestamp",
"formats": [
"MMM d HH:mm:ss",
"MMM dd HH:mm:ss",
"ISO8601"
],
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "system.auth.timestamp",
"target_field": "@timestamp",
"formats": [
"MMM d HH:mm:ss",
"MMM dd HH:mm:ss",
"ISO8601"
],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"remove": {
"field": "system.auth.timestamp"
}
},
{
"geoip": {
"field": "source.ip",
"target_field": "source.geo",
"ignore_failure": true
}
},
{
"geoip": {
"database_file": "GeoLite2-ASN.mmdb",
"field": "source.ip",
"target_field": "source.as",
"properties": [
"asn",
"organization_name"
],
"ignore_missing": true
}
},
{
"rename": {
"field": "source.as.asn",
"target_field": "source.as.number",
"ignore_missing": true
}
},
{
"rename": {
"field": "source.as.organization_name",
"target_field": "source.as.organization.name",
"ignore_missing": true
}
},
{
"script": {
"lang": "painless",
"ignore_failure": true,
"source": "if (ctx.system.auth.ssh.event == \"Accepted\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } ctx.event.type = \"authentication_success\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"success\"; } else if (ctx.system.auth.ssh.event == \"Invalid\" || ctx.system.auth.ssh.event == \"Failed\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } ctx.event.type = \"authentication_failure\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"failure\"; }"
}
}
],
"on_failure" : [{
"set" : {
"field" : "error.message",
"value" : "{{ _ingest.on_failure_message }}"
}
}]
}
146 changes: 146 additions & 0 deletions dev/packages/alpha/system/0.0.1/dataset/auth/elasticsearch/ingest-pipeline/default.yml
View file
Open in desktop
@@ -0,0 +1,146 @@
---
description: Pipeline for parsing system authorisation/secure logs
processors:
- grok:
field: message
ignore_missing: true
pattern_definitions:
GREEDYMULTILINE: |-
(.|
)*
TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})
patterns:
- '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
%{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user
)?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long}
ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?'
- '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
%{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}'
- '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}'
- '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty}
; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}'
- '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}'
- '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id},
home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$'
- '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
%{GREEDYMULTILINE:system.auth.message}'
- remove:
field: message
- rename:
field: system.auth.message
target_field: message
ignore_missing: true
- set:
field: source.ip
value: '{{system.auth.ssh.dropped_ip}}'
if: "ctx?.system?.auth?.ssh?.dropped_ip != null"
- date:
if: ctx.event.timezone == null
field: system.auth.timestamp
target_field: '@timestamp'
formats:
- MMM d HH:mm:ss
- MMM dd HH:mm:ss
- ISO8601
on_failure:
- append:
field: error.message
value: '{{ _ingest.on_failure_message }}'
- date:
if: ctx.event.timezone != null
field: system.auth.timestamp
target_field: '@timestamp'
formats:
- MMM d HH:mm:ss
- MMM dd HH:mm:ss
- ISO8601
timezone: '{{ event.timezone }}'
on_failure:
- append:
field: error.message
value: '{{ _ingest.on_failure_message }}'
- remove:
field: system.auth.timestamp
- geoip:
field: source.ip
target_field: source.geo
ignore_failure: true
- geoip:
database_file: GeoLite2-ASN.mmdb
field: source.ip
target_field: source.as
properties:
- asn
- organization_name
ignore_missing: true
- rename:
field: source.as.asn
target_field: source.as.number
ignore_missing: true
- rename:
field: source.as.organization_name
target_field: source.as.organization.name
ignore_missing: true
- set:
field: event.kind
value: event
- script:
lang: painless
ignore_failure: true
source: >-
if (ctx.system.auth.ssh.event == "Accepted") {
ctx.event.type = ["authentication_success", "info"];
ctx.event.category = ["authentication"];
ctx.event.action = "ssh_login";
ctx.event.outcome = "success";
} else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") {
ctx.event.type = ["authentication_failure", "info"];
ctx.event.category = ["authentication"];
ctx.event.action = "ssh_login";
ctx.event.outcome = "failure";
}

- append:
field: event.category
value: iam
if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)"
- set:
field: event.outcome
value: success
if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)"
- append:
field: event.type
value: user
if: "ctx?.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)"
- append:
field: event.type
value: group
if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)"
- append:
field: event.type
value: creation
if: "ctx?.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)"
- append:
field: event.type
value: deletion
if: "ctx?.process?.name != null && ['userdel', 'groupdel'].contains(ctx.process.name)"
- append:
field: event.type
value: change
if: "ctx?.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)"
- append:
field: related.user
value: "{{user.name}}"
if: "ctx?.user?.name != null"
- append:
field: related.ip
value: "{{source.ip}}"
if: "ctx?.source?.ip != null"
on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'