[Auditbeat] Cherry-pick #9327 to 6.x: Login metricset #10509

Merged: 5 commits from backport_9327_6.x into elastic:6.x on Feb 4, 2019

Conversation

@cwurm (Contributor) commented Feb 3, 2019

Cherry-pick of PR #9327 to 6.x branch. Original message:

This adds the login metricset to the Auditbeat system module. It's the last of the six initial metricsets. It only works on Linux, and detects not just user logins and logouts, but also system boots and shutdowns.

It works by reading the /var/log/wtmp and /var/log/btmp files (and rotated files) present on Linux systems. In reading a file, it is similar to Filebeat, except that UTMP is a binary format, so reading happens using a binary Go reader. See utmp(5) for the format of that file.

The logic is roughly as follows:

  1. The config parameters login.utmp_file_pattern and login.btmp_file_pattern will contain the pattern matching the wtmp (good logins, as well as system shutdowns and boots) and btmp (bad/failed logins) files and rotated files (if desired). The defaults are /var/log/wtmp* and /var/log/btmp*. These are expanded using filepath.Glob and the files are sorted lexicographically in reverse order (i.e. /var/log/wtmp.1 will come before /var/log/wtmp) so that we read older login records first - reading in order is required for matching login and logout records, see next steps.
  2. On every Fetch it checks for new entries: any new files are read from the beginning, while known files are read from a saved offset. For that purpose, the last offset per file is saved and persisted to disk in beat.db. A new file is one that has an unknown inode, but files are also read completely if their newSize < oldSize for some reason (that should make it work with any potential inode reuse - very unlikely since this will never read a lot of files, but still possible).
  3. New UTMP records are converted to events (LoginRecord in the code). Boot and shutdown events are fairly straightforward; user login and logout events have to be matched using their tty, so there is a loginSessions map that stores logins to enrich the logouts, and is also persisted to disk.

Note: This dataset also introduces event.origin containing the file the event came from, e.g. /var/log/wtmp.1. In other cases, it would be something like procfs or netlink. It's useful to know where information comes from, e.g. to know how reliable it is.

Adds the login metricset to the Auditbeat system module as the last of the six initial metricsets. It only works on Linux, and detects not just user logins and logouts, but also system boots and shutdowns.

It works by reading the /var/log/wtmp and /var/log/btmp files (and rotated files) present on Linux systems. In reading a file, it is similar to Filebeat, except that UTMP is a binary format, so reading happens using a binary Go reader.

(cherry picked from commit 1566e66)
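The three steps above (read UTMP records as a binary stream, turn BOOT_TIME/RUN_LVL/USER_PROCESS/DEAD_PROCESS records into events, and pair each logout with its login by tty) as an added, self-contained example. This is not the metricset's code or any other part of Beats: the struct layout assumes glibc on x86-64 Linux (384-byte records, little-endian, 32-bit ut_session and timeval members), the names utmpRecord, toEvents, readRecords and sampleWtmp are this example's own, LoginRecord here is a stand-in for the type the description mentions, and the sample byte stream is constructed, not captured from a host. It also shows the edge case a file reader hits on a live wtmp: a partial trailing record (a login being written while we read) surfaces as io.ErrUnexpectedEOF rather than a garbled event.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"time"
)

// ut_type values from utmp(5) used here; a shutdown is recorded as RUN_LVL with ut_user "shutdown".
const RunLvl, BootTime, UserProcess, DeadProcess int16 = 1, 2, 7, 8

// utmpRecord mirrors struct utmp as glibc lays it out on x86-64 Linux: 384 bytes, little-endian.
type utmpRecord struct {
	Type   int16
	_      [6]byte   // alignment padding and ut_pid, not needed here
	Line   [32]byte  // ut_line, the tty: the key that pairs a logout with its login
	_      [4]byte   // ut_id
	User   [32]byte
	Host   [256]byte // remote host or address for network logins
	_      [8]byte   // ut_exit, ut_session
	TvSec  int32
	TvUsec int32
	_      [36]byte // ut_addr_v6 and reserved bytes
}

// LoginRecord is this example's event shape, a stand-in for the metricset's own type.
type LoginRecord struct {
	Kind, User, TTY, Host string    // Kind: boot, shutdown, user_login or user_logout
	Timestamp, LoginTime  time.Time // LoginTime is set on a logout matched to a login
}

func cstr(b []byte) string { return string(bytes.TrimRight(b, "\x00")) }

// readRecords decodes whole records until EOF. A partial trailing record (write in progress or a
// truncated file) is reported as io.ErrUnexpectedEOF, with the complete records before it kept.
func readRecords(r io.Reader) ([]utmpRecord, error) {
	var recs []utmpRecord
	for {
		var rec utmpRecord
		if err := binary.Read(r, binary.LittleEndian, &rec); err == io.EOF {
			return recs, nil
		} else if err != nil {
			return recs, err
		}
		recs = append(recs, rec)
	}
}

// toEvents converts records to events. A DEAD_PROCESS record names no user, so a logout is enriched
// from the last login seen on the same tty; the metricset persists that map in beat.db between Fetches.
func toEvents(recs []utmpRecord, sessions map[string]LoginRecord) []LoginRecord {
	var out []LoginRecord
	for _, r := range recs {
		ts := time.Unix(int64(r.TvSec), int64(r.TvUsec)*1000).UTC()
		user, tty, host := cstr(r.User[:]), cstr(r.Line[:]), cstr(r.Host[:])
		switch {
		case r.Type == BootTime:
			out = append(out, LoginRecord{Kind: "boot", Timestamp: ts})
		case r.Type == RunLvl && user == "shutdown":
			out = append(out, LoginRecord{Kind: "shutdown", Timestamp: ts})
		case r.Type == UserProcess:
			ev := LoginRecord{Kind: "user_login", User: user, TTY: tty, Host: host, Timestamp: ts}
			sessions[tty] = ev
			out = append(out, ev)
		case r.Type == DeadProcess:
			ev := LoginRecord{Kind: "user_logout", TTY: tty, Timestamp: ts}
			if login, ok := sessions[tty]; ok {
				ev.User, ev.Host, ev.LoginTime = login.User, login.Host, login.Timestamp
				delete(sessions, tty)
			}
			out = append(out, ev)
		}
	}
	return out
}

// sampleWtmp is a constructed byte stream, not captured from a real host: boot, an SSH login on
// pts/0, its logout, then shutdown. The kernel string, address and user are made up.
func sampleWtmp() []byte {
	var buf bytes.Buffer
	t0 := time.Date(2019, 2, 3, 14, 0, 0, 0, time.UTC)
	add := func(typ int16, line, user, host string, min int) {
		r := utmpRecord{Type: typ, TvSec: int32(t0.Add(time.Duration(min) * time.Minute).Unix())}
		copy(r.Line[:], line)
		copy(r.User[:], user)
		copy(r.Host[:], host)
		binary.Write(&buf, binary.LittleEndian, r)
	}
	add(BootTime, "~", "reboot", "4.15.0-45-generic", 0)
	add(UserProcess, "pts/0", "alice", "10.0.0.5", 5)
	add(DeadProcess, "pts/0", "", "", 25)
	add(RunLvl, "~", "shutdown", "4.15.0-45-generic", 30)
	return buf.Bytes()
}

func main() {
	recs, _ := readRecords(bytes.NewReader(sampleWtmp()))
	for _, ev := range toEvents(recs, map[string]LoginRecord{}) {
		fmt.Printf("%-11s user=%-7q tty=%-7q host=%q at %s\n", ev.Kind, ev.User, ev.TTY, ev.Host, ev.Timestamp.Format(time.RFC3339))
	}
}
```

Two things worth checking on a real host before trusting the pairing. First, the logout enrichment is only as good as the read order: the description sorts glob matches in reverse lexicographic order, which reads wtmp.1 before wtmp as intended, but a rotation scheme with two-digit suffixes (wtmp.10 sorts before wtmp.2 in that order) or logrotate's dateext names (newest date sorts first) would feed newer records before older ones and leave logouts unattributed. Second, a logout on a tty with no recorded login stays a user_logout with an empty user rather than being dropped, which is the behaviour you want in a security feed: a session whose login record is missing is itself a signal.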
@cwurm changed the title from "Cherry-pick #9327 to 6.x: [Auditbeat] Login metricset" to "[Auditbeat] Cherry-pick #9327 to 6.x: Login metricset" on Feb 3, 2019
@elasticmachine (Collaborator) commented:

Pinging @elastic/secops

@cwurm cwurm requested a review from a team February 3, 2019 14:34
@cwurm (Contributor, Author) commented Feb 3, 2019

I pushed two changes:

  1. Field definition for event.outcome since 6.x does not have all ECS fields.
  2. Fix for a bug that sneaked in: event.type was still used instead of event.kind. I'll open a quick PR to fix it in master as well.

@webmat (Contributor) left a comment

LGTM

@cwurm cwurm merged commit 55c6182 into elastic:6.x Feb 4, 2019
@cwurm cwurm deleted the backport_9327_6.x branch February 4, 2019 21:57
5 participants