
Filebeat auditd: Fix Top Exec Commands dashboard visualization (#27638)
This visualization was expecting an uppercase EXECVE value in
event.action while the ingest pipeline was lowercasing this value.

(cherry picked from commit 02315d9)

# Conflicts:
#	filebeat/module/auditd/_meta/kibana/7/visualization/5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs.json
adriansr authored and mergify-bot committed Aug 30, 2021
1 parent dc7f15c commit 87091ce
Showing 2 changed files with 82 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -192,6 +192,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fixes the Snyk module to work with the new API changes. {pull}27358[27358]
- Fixes a bug in `http_endpoint` that caused numbers encoded as strings. {issue}27382[27382] {pull}27480[27480]
- Update indentation for azure filebeat configuration. {pull}26604[26604]
- Auditd: Fix Top Exec Commands dashboard visualization. {pull}27638[27638]

*Heartbeat*

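--- /dev/null
+++ b/filebeat/module/auditd/_meta/kibana/7/visualization/5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs.json
@@ -0,0 +1,81 @@
+{
+"attributes": {
+"description": "",
+"kibanaSavedObjectMeta": {
+"searchSourceJSON": {
+"filter": [],
+"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+"query": {
+"language": "kuery",
+"query": "event.action:execve"
+}
+}
+},
+"title": "Top Exec Commands [Filebeat Auditd] ECS",
+"uiStateJSON": {
+"vis": {
+"params": {
+"sort": {
+"columnIndex": null,
+"direction": null
+}
+}
+}
+},
+"version": 1,
+"visState": {
+"aggs": [
+{
+"enabled": true,
+"id": "1",
+"params": {},
+"schema": "metric",
+"type": "count"
+},
+{
+"enabled": true,
+"id": "2",
+"params": {
+"customLabel": "Command (arg 0)",
+"field": "auditd.log.a0",
+"order": "desc",
+"orderBy": "1",
+"size": 30
+},
+"schema": "bucket",
+"type": "terms"
+}
+],
+"listeners": {},
+"params": {
+"perPage": 10,
+"showMeticsAtAllLevels": false,
+"showPartialRows": false,
+"showToolbar": true,
+"showTotal": false,
+"sort": {
+"columnIndex": null,
+"direction": null
+},
+"totalFunc": "sum"
+},
+"title": "Audit Top Exec Commands ECS",
+"type": "table"
+}
+},
+"coreMigrationVersion": "8.0.0",
+"id": "5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs",
+"migrationVersion": {
+"visualization": "7.14.0"
+},
+"references": [
+{
+"id": "filebeat-*",
+"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+"type": "index-pattern"
+}
+],
+"type": "visualization",
+"updated_at": "2021-08-04T16:33:56.442Z",
+"version": "WzQzNDcsMV0="
+}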
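Review bot: The `description` near the top of the new file is empty, so nothing records that the `event.action:execve` query must stay in step with the lowercasing done by the module's ingest pipeline — the breakage this commit fixes was exactly that kind of silent drift, because an exact-term KQL match on the wrong case just renders an empty table instead of an error. Suggested value: `"description": "Counts execve events grouped by auditd.log.a0 (the first execve argument as supplied by the caller); the query depends on the auditd ingest pipeline lowercasing event.action."`. The table param key `showMeticsAtAllLevels` also looks misspelled; if Kibana expects `showMetricsAtAllLevels`, the key is silently ignored and the default applies, so it is worth correcting while the file is being touched. The section's file path is not rendered on this page; the `id` field matches the path listed under Conflicts in the commit message.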
