Adding fields
ycombinator committed Jan 29, 2019
1 parent c2cbd96 commit 6ec4c25
Showing 5 changed files with 113 additions and 1 deletion.
22 changes: 22 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -1160,6 +1160,28 @@ Indices accessed by action
--
*`elasticsearch.audit.request_id`*::
+
--
type: keyword
example: WzL_kb6VSvOhAq0twPvHOQ
Unique ID of request
--
*`elasticsearch.audit.request_method`*::
+
--
type: keyword
example: GET
Method of HTTP request
--
*`elasticsearch.audit.request`*::
+
--
2 changes: 1 addition & 1 deletion filebeat/include/fields.go

Large diffs are not rendered by default.

8 changes: 8 additions & 0 deletions filebeat/module/elasticsearch/audit/_meta/fields.yml
Expand Up @@ -50,6 +50,14 @@
description: "Indices accessed by action"
example: [ "foo-2019.01.04", "foo-2019.01.03", "foo-2019.01.06" ]
type: keyword
- name: request_id
description: "Unique ID of request"
example: "WzL_kb6VSvOhAq0twPvHOQ"
type: keyword
- name: request_method
description: "Method of HTTP request"
example: "GET"
type: keyword
- name: request
description: "The type of request that was executed"
example: "ClearScrollRequest"
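Review bot: The ingest pipeline in this same commit renames `request.body` into `elasticsearch.audit.request_body`, but the eight lines added here declare only `request_id` and `request_method`, so the new body field is absent from the field reference and is left to dynamic mapping (the same may be true of `elasticsearch.audit.roles`, which the pipeline now retains — I cannot see whether it is declared further down this file). Add a declaration next to the two new entries, e.g. `- name: request_body`, `description: "Body of the HTTP request, when the audit log includes it"`, and pick the type deliberately rather than inheriting a default — bodies are free-form JSON that can exceed a keyword field's ignore_above, so `text` or a keyword with an explicit ignore_above is worth considering. The fields.asciidoc hunk appears to be generated from this file, so the omission propagates into the published docs as well.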
46 changes: 46 additions & 0 deletions filebeat/module/elasticsearch/audit/ingest/pipeline-json.json
Expand Up @@ -80,6 +80,45 @@
"target_field": "elasticsearch.audit.principal"
}
},
{
"dot_expander": {
"field": "request.method",
"path": "elasticsearch.audit"
}
},
{
"rename": {
"if": "ctx.elasticsearch.audit?.request?.method != null",
"field": "elasticsearch.audit.request.method",
"target_field": "elasticsearch.audit.request_method"
}
},
{
"dot_expander": {
"field": "request.id",
"path": "elasticsearch.audit"
}
},
{
"rename": {
"if": "ctx.elasticsearch.audit?.request?.id != null",
"field": "elasticsearch.audit.request.id",
"target_field": "elasticsearch.audit.request_id"
}
},
{
"dot_expander": {
"field": "request.body",
"path": "elasticsearch.audit"
}
},
{
"rename": {
"if": "ctx.elasticsearch.audit?.request?.body != null",
"field": "elasticsearch.audit.request.body",
"target_field": "elasticsearch.audit.request_body"
}
},
{
"dot_expander": {
"field": "request.name",
Expand Down Expand Up @@ -173,6 +212,13 @@
"path": "elasticsearch.audit"
}
},
{
"rename": {
"if": "ctx.elasticsearch.audit?.user?.roles != null",
"field": "elasticsearch.audit.user.roles",
"target_field": "elasticsearch.audit.roles"
}
},
{
"remove": {
"field": "elasticsearch.audit.user"
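Review bot: The new `rename` of `elasticsearch.audit.request.body` to `elasticsearch.audit.request_body` copies the raw request body verbatim into an indexed field, and this module's own fixtures contain `ChangePasswordRequest` events, so any credentials carried in a body would become searchable in the audit index; that caveat belongs at least in the field description, e.g. `description: "Raw HTTP request body as recorded by the audit log; may contain credentials for requests such as password changes"`, and an opt-in or a length cap is worth discussing. The three new dot_expander/rename pairs also run before the existing `request.name` expansion that starts at the bottom of this hunk, so on an event that has `request.method`/`request.id`/`request.body` but no `request.name` — exactly the new fixture — the `elasticsearch.audit.request` container is left behind once its children are renamed away, unless a processor outside this hunk drops it, which I cannot see; worth confirming, because `elasticsearch.audit.request` is declared as a keyword and an object there would fail to index. The processor list continues outside the hunk on both sides.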
Expand Up @@ -47,6 +47,9 @@
"elasticsearch.audit.origin_type": "local_node",
"elasticsearch.audit.principal": "_xpack_security",
"elasticsearch.audit.request": "ClearRealmCacheRequest",
"elasticsearch.audit.roles": [
"superuser"
],
"elasticsearch.audit.user_realm": "__attach",
"elasticsearch.node.id": "DSiWcTyeThWtUXLB9J0BMw",
"event.dataset": "elasticsearch.audit",
Expand All @@ -68,6 +71,9 @@
"elasticsearch.audit.origin_type": "local_node",
"elasticsearch.audit.principal": "_xpack_security",
"elasticsearch.audit.request": "Node",
"elasticsearch.audit.roles": [
"superuser"
],
"elasticsearch.audit.user_realm": "__attach",
"elasticsearch.node.id": "DSiWcTyeThWtUXLB9J0BMw",
"event.dataset": "elasticsearch.audit",
Expand All @@ -89,6 +95,9 @@
"elasticsearch.audit.origin_type": "rest",
"elasticsearch.audit.principal": "elastic",
"elasticsearch.audit.request": "ChangePasswordRequest",
"elasticsearch.audit.roles": [
"superuser"
],
"elasticsearch.audit.user_realm": "reserved",
"elasticsearch.node.id": "DSiWcTyeThWtUXLB9J0BMw",
"event.dataset": "elasticsearch.audit",
Expand All @@ -113,6 +122,9 @@
"elasticsearch.audit.origin_type": "local_node",
"elasticsearch.audit.principal": "_xpack_security",
"elasticsearch.audit.request": "CreateIndexRequest",
"elasticsearch.audit.roles": [
"superuser"
],
"elasticsearch.audit.user_realm": "__attach",
"elasticsearch.node.id": "DSiWcTyeThWtUXLB9J0BMw",
"event.dataset": "elasticsearch.audit",
Expand All @@ -123,5 +135,29 @@
"offset": 1676,
"prospector.type": "log",
"service.name": "elasticsearch"
},
{
"@timestamp": "2019-01-27T20:15:10.380Z",
"elasticsearch.audit.event_type": "authentication_success",
"elasticsearch.audit.layer": "rest",
"elasticsearch.audit.origin_address": "::1",
"elasticsearch.audit.origin_port": 58955,
"elasticsearch.audit.origin_type": "rest",
"elasticsearch.audit.principal": "elastic-admin",
"elasticsearch.audit.realm": "default_file",
"elasticsearch.audit.request_body": "\n{\n \"query\" : {\n \"term\" : { \"user\" : \"kimchy\" }\n }\n}\n",
"elasticsearch.audit.request_id": "WzL_kb6VSvOhAq0twPvHOQ",
"elasticsearch.audit.request_method": "GET",
"elasticsearch.audit.uri": "/_search",
"elasticsearch.node.id": "y8fa3M5zSSGo1M_KJRMUXw",
"elasticsearch.node.name": "node-0",
"event.dataset": "elasticsearch.audit",
"fileset.module": "elasticsearch",
"fileset.name": "audit",
"input.type": "log",
"message": "{\"@timestamp\":\"2019-01-27T20:15:10,380\", \"node.name\":\"node-0\", \"node.id\":\"y8fa3M5zSSGo1M_KJRMUXw\", \"event.type\":\"rest\", \"event.action\":\"authentication_success\", \"user.name\":\"elastic-admin\", \"origin.type\":\"rest\", \"origin.address\":\"[::1]:58955\", \"realm\":\"default_file\", \"url.path\":\"/_search\", \"request.method\":\"GET\", \"request.body\":\"\\n{\\n \\\"query\\\" : {\\n \\\"term\\\" : { \\\"user\\\" : \\\"kimchy\\\" }\\n }\\n}\\n\", \"request.id\":\"WzL_kb6VSvOhAq0twPvHOQ\"}",
"offset": 2056,
"prospector.type": "log",
"service.name": "elasticsearch"
}
]
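Review bot: The only new fixture event (the `authentication_success` record at the end) carries `request.method`, `request.id` and `request.body` but no `request.name`, and none of the pre-existing events carries the new keys, so the golden test never exercises a document on which the new renames and the existing `request.name` → `elasticsearch.audit.request` mapping both fire. Adding one `rest` event to the test log that has both `request.name` and `request.method` would pin the processor ordering the pipeline now depends on. The file header for this section is not shown on the page, so I am assuming from the `elasticsearch.audit.*` keys that this is the module's expected-output fixture.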
