
Refactoring Auditbeat Modules #5422

Closed
andrewkroh opened this issue Oct 23, 2017 · 1 comment

andrewkroh commented Oct 23, 2017

Update: See Breaking Changes in Auditbeat 6.2 for info about how to upgrade from an earlier version.


We want to do some refactoring to change the config and event schema before the Auditbeat GA release. Auditbeat reuses Metricbeat's framework, and the framework's orientation around metrics is visible to the Auditbeat user, but it shouldn't be.

Goals

  • Simplify configuration for the end-user
    • Modules should map clearly to events the users want to monitor.
  • Divorce from the Metricbeat event data model
    • The metricset namespace isn't necessary here.
  • Abstract the data source from module
    • Users shouldn't need to know how the data is collected
    • If needed, an advanced user should be able to control what data sources are used.
    • For example, have a module for monitoring what processes are running or what sockets are active rather than a module oriented around a data source like the kernel's audit framework or eBPF.
  • Provide specialized dashboards for each module.

Steps

  1. Modify the Metricbeat framework to allow for customization of the event builder (the builder is responsible for adding the metricset field to all events).
  2. Reorganize the config to allow for modules without "metricsets".
  3. Rename the existing audit/kernel metricset to the auditd module. (As we add modules I expect this to be used less.)
  4. Rename the existing audit/file metricset to file_integrity.

Sample Configs

Note the removal of metricsets: [] and the removal of the module name prefixes from the config options.

auditbeat.modules:
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]

auditbeat.modules:
- module: auditd
  resolve_ids: true
  failure_mode: silent
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
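
The two sample configs above describe the target layout but not how an existing deployment gets there. The following script is an added example (not code from the Beats project or from this issue) that rewrites a pre-6.2 style module block into the new layout described in the Steps and Sample Configs: it splits a `module: audit` entry into one entry per metricset, renames `audit/kernel` to `auditd` and `audit/file` to `file_integrity`, drops the `metricsets` list, and strips the per-metricset option prefix. The assumption that the old options were prefixed with the metricset name (`kernel.resolve_ids`, `file.paths`) is mine, based on the note about removing prefixes; the sample input is constructed and mirrors the values in the issue. Parsed YAML is represented as plain Python dicts so the script runs without PyYAML; a small emitter renders the result in the same style as the sample configs.

```python
"""Rewrite pre-6.2 Auditbeat module configs into the module-per-event-type layout.

Added example; not the Beats project's own migration code.
Assumption: old-style options were prefixed with the metricset name
(e.g. `kernel.resolve_ids`, `file.paths`) as in Metricbeat modules.
"""
from typing import Any, Dict, List

# (old module, old metricset) -> new module name, as listed in the issue's Steps.
RENAMES = {
    ("audit", "kernel"): "auditd",
    ("audit", "file"): "file_integrity",
}


def migrate_module(old: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Turn one old `module: audit` block into one new block per metricset."""
    module = old.get("module")
    if module != "audit":
        return [dict(old)]  # not an audit block: pass through unchanged
    new_blocks = []
    for metricset in old.get("metricsets", []):
        new_name = RENAMES.get((module, metricset))
        if new_name is None:
            raise ValueError(f"no new module name known for audit/{metricset}")
        block: Dict[str, Any] = {"module": new_name}
        prefix = metricset + "."
        for key, value in old.items():
            if key in ("module", "metricsets"):
                continue  # both disappear in the new layout
            if key.startswith(prefix):
                block[key[len(prefix):]] = value  # strip the metricset prefix
            elif "." not in key:
                block[key] = value  # generic options (enabled, tags, ...) carry over
            # options prefixed for another metricset belong to that metricset's block
        new_blocks.append(block)
    return new_blocks


def migrate(config: Dict[str, Any]) -> Dict[str, Any]:
    """Migrate a whole `auditbeat.modules` section."""
    old_modules = config.get("auditbeat.modules", [])
    return {"auditbeat.modules": [b for m in old_modules for b in migrate_module(m)]}


def _scalar(value: Any) -> str:
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, list) and not value:
        return "[]"
    return str(value)


def to_yaml(value: Any, indent: int = 0) -> str:
    """Minimal YAML emitter for dicts, lists and scalars (no PyYAML needed)."""
    pad = " " * indent
    lines: List[str] = []
    if isinstance(value, dict):
        for key, item in value.items():
            if isinstance(item, list) and item:
                lines.append(f"{pad}{key}:")
                lines.append(to_yaml(item, indent))  # list items at the key's indent
            elif isinstance(item, dict) and item:
                lines.append(f"{pad}{key}:")
                lines.append(to_yaml(item, indent + 2))
            else:
                lines.append(f"{pad}{key}: {_scalar(item)}")
    elif isinstance(value, list):
        for item in value:
            if isinstance(item, dict):
                body = to_yaml(item, indent + 2).splitlines()
                lines.append(f"{pad}- {body[0].lstrip()}")
                lines.extend(body[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    else:
        lines.append(f"{pad}{_scalar(value)}")
    return "\n".join(lines)


# Constructed sample: a pre-6.2 style block with both metricsets, using the
# option values from the issue's sample configs.
OLD_CONFIG = {
    "auditbeat.modules": [
        {
            "module": "audit",
            "metricsets": ["kernel", "file"],
            "kernel.resolve_ids": True,
            "kernel.failure_mode": "silent",
            "kernel.backlog_limit": 8196,
            "kernel.rate_limit": 0,
            "kernel.include_raw_message": False,
            "kernel.include_warnings": False,
            "file.paths": ["/bin", "/usr/bin", "/sbin", "/usr/sbin", "/etc"],
            "file.scan_at_start": True,
            "file.scan_rate_per_sec": "50 MiB",
            "file.max_file_size": "100 MiB",
            "file.hash_types": ["sha1"],
        }
    ]
}

if __name__ == "__main__":
    print(to_yaml(migrate(OLD_CONFIG)))
```

Options that carry no prefix (for example `enabled`) are copied into every new block, because they applied to the whole old module; options prefixed for a different metricset are deliberately not copied, so a `file.paths` never ends up in the `auditd` block.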

ruflin commented Nov 5, 2017

Separation of data source from modules reminds me a lot of prospector types and modules in Filebeat. Would be great to sync up on this one for Filebeat to make sure the configuration options are similar.

@andrewkroh andrewkroh self-assigned this Dec 13, 2017
andrewkroh added a commit to andrewkroh/beats that referenced this issue Dec 13, 2017
This changes the audit.file and audit.kernel metricsets into modules
named file_integrity and auditd, respectively. This requires existing
users to update their configuration.

The dashboards need to be updated to account for these changes.

Closes elastic#5422 (see the issue for more details)
adriansr pushed a commit that referenced this issue Dec 14, 2017
This changes the audit.file and audit.kernel metricsets into modules
named file_integrity and auditd, respectively. This requires existing
users to update their configuration.

The dashboards need to be updated to account for these changes.

Closes #5422 (see the issue for more details)