Skip to content

Commit

Permalink
Cherry-pick #22975 to 7.x: [Filebeat] Add mime type detection for Ela…
Browse files Browse the repository at this point in the history
…sticsearch module (#22995)

* [Filebeat] Add mime type detection for Elasticsearch module (#22975)

* Add mime type resolution for elasticsearch filebeat module

* Update changelog

(cherry picked from commit a34c01a)

* fix up changelog
  • Loading branch information
Andrew Stucki authored Dec 9, 2020
1 parent a5ab280 commit 2f49b78
Show file tree
Hide file tree
Showing 5 changed files with 43 additions and 2 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- API address and shard ID are required settings in the Cloud Foundry input. {pull}21759[21759]
- Remove `suricata.eve.timestamp` alias field. {issue}10535[10535] {pull}22095[22095]
- Rename bad ECS field name tracing.trace.id to trace.id in aws elb fileset. {pull}22571[22571]
- Fix parsing issues with nested JSON payloads in Elasticsearch audit log fileset. {pull}22975[22975]

*Heartbeat*

Expand Down Expand Up @@ -472,6 +473,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Improve panw ECS url fields mapping. {pull}22481[22481]
- Improve Nats filebeat dashboard. {pull}22726[22726]
- Add support for UNIX datagram sockets in `unix` input. {issues}18632[18632] {pull}22699[22699]
- Add `http.request.mime_type` for Elasticsearch audit log fileset. {pull}22975[22975]

*Heartbeat*

Expand Down
36 changes: 36 additions & 0 deletions filebeat/module/elasticsearch/audit/config/audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,3 +11,39 @@ processors:
target: ''
fields:
ecs.version: 1.7.0
- if:
regexp:
message: "^{"
then:
- decode_json_fields:
fields: [ "message" ]
target: _json
- rename:
fields:
- from: _json.request.body
to: _request
ignore_missing: true
- drop_fields:
fields: [ "_json" ]
else:
- script:
lang: javascript
id: elasticsearch_audit
source: >
var requestRegex = new RegExp("request_body=\\\[(.*)\\\]$");
function process(event) {
var message = event.Get("message");
if (message !== null) {
var matches = message.match(requestRegex);
if (matches && matches.length > 1) {
event.Put("_request", matches[1]);
}
}
}
- detect_mime_type:
field: _request
target: http.request.mime_type
- drop_fields:
fields: ['_request']
ignore_missing: true

Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ processors:
ES_AUDIT_REQUEST: (request\=\[%{WORD:elasticsearch.audit.request.name}\])?
ES_AUDIT_REQUEST_BODY: (request_body\=\[%{DATA:http.request.body.content}\])?
patterns:
- '%{ES_TIMESTAMP}\s*%{ES_NODE_NAME}\s*%{ES_AUDIT_LAYER}\s*%{ES_AUDIT_EVENT_TYPE}\s*%{ES_AUDIT_ORIGIN_TYPE},?\s*%{ES_AUDIT_ORIGIN_ADDRESS},?\s*%{ES_AUDIT_PRINCIPAL},?\s*%{ES_AUDIT_REALM},?\s*%{ES_AUDIT_ROLES},?\s*%{ES_AUDIT_ACTION},?\s*%{ES_AUDIT_INDICES},?\s*%{ES_AUDIT_URI},?\s*%{ES_AUDIT_URI_PARAMS},?\s*%{ES_AUDIT_REQUEST},?\s*%{ES_AUDIT_REQUEST_BODY},?'
- '%{ES_TIMESTAMP}\s*%{ES_NODE_NAME}\s*%{ES_AUDIT_LAYER}\s*%{ES_AUDIT_EVENT_TYPE}\s*%{ES_AUDIT_ORIGIN_TYPE},?\s*%{ES_AUDIT_ORIGIN_ADDRESS},?\s*%{ES_AUDIT_PRINCIPAL},?\s*%{ES_AUDIT_REALM},?\s*%{ES_AUDIT_ROLES},?\s*%{ES_AUDIT_ACTION},?\s*%{ES_AUDIT_INDICES},?\s*%{ES_AUDIT_URI},?\s*%{ES_AUDIT_URI_PARAMS},?\s*%{ES_AUDIT_REQUEST},?\s*%{ES_AUDIT_REQUEST_BODY}$'
- split:
field: elasticsearch.audit.user.roles
separator: ','
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,7 @@
"event.type": "access",
"fileset.name": "audit",
"http.request.body.content": "body",
"http.request.mime_type": "text/plain; charset=utf-8",
"input.type": "log",
"log.offset": 986,
"message": "[2018-06-19T05:24:15,190] [v_VJhjV] [rest] [authentication_failed]\torigin_address=[172.18.0.3], principal=[elastic], uri=[/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip], request_body=[body]",
Expand Down Expand Up @@ -219,7 +220,8 @@
"event.timezone": "-02:00",
"event.type": "access",
"fileset.name": "audit",
"http.request.body.content": "{\"metadata\":{\"intelligence\":7},\"full_name\":\"Jack Nicholson\",\"roles\":[\"admin\",\"other_role1\"",
"http.request.body.content": "{\"metadata\":{\"intelligence\":7},\"full_name\":\"Jack Nicholson\",\"roles\":[\"admin\",\"other_role1\"],\"email\":\"jacknich@example.com\"}",
"http.request.mime_type": "application/json",
"input.type": "log",
"log.offset": 1626,
"message": "[2019-01-27T20:04:27,244] [node-0] [rest] [authentication_success] origin_address=[::1], principal=[elastic-admin], realm=[default_file], uri=[/_xpack/security/user/jacknich2], params=[{username=jacknich2}], request_body=[{\"metadata\":{\"intelligence\":7},\"full_name\":\"Jack Nicholson\",\"roles\":[\"admin\",\"other_role1\"],\"email\":\"jacknich@example.com\"}]",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,7 @@
"host.id": "y8fa3M5zSSGo1M_KJRMUXw",
"http.request.body.content": "\n{\n \"query\" : {\n \"term\" : { \"user\" : \"kimchy\" }\n }\n}\n",
"http.request.method": "GET",
"http.request.mime_type": "application/json",
"input.type": "log",
"log.offset": 2056,
"message": "{\"@timestamp\":\"2019-01-27T20:15:10,380\", \"node.name\":\"node-0\", \"node.id\":\"y8fa3M5zSSGo1M_KJRMUXw\", \"event.type\":\"rest\", \"event.action\":\"authentication_success\", \"user.name\":\"elastic-admin\", \"origin.type\":\"rest\", \"origin.address\":\"[::1]:58955\", \"realm\":\"default_file\", \"url.path\":\"/_search\", \"request.method\":\"GET\", \"request.body\":\"\\n{\\n \\\"query\\\" : {\\n \\\"term\\\" : { \\\"user\\\" : \\\"kimchy\\\" }\\n }\\n}\\n\", \"request.id\":\"WzL_kb6VSvOhAq0twPvHOQ\"}",
Expand Down

0 comments on commit 2f49b78

Please sign in to comment.