
Ignore audit fileset on macOS #3923

Merged

Conversation

andrewkroh
Member

Silently ignore audit fileset on macOS.

Fixes #3918

@@ -4,7 +4,7 @@ var:
- name: paths
default:
- /var/log/audit/audit.log*
os.darwin: []
os.darwin: [""]
os.windows: []
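Review bot: the `os.darwin` default changes from `[]` to `[""]` with nothing in the file recording why; the PR description says the intent is to silently ignore the fileset on macOS, but a reader of this YAML would not guess that a single empty-string path is the sentinel that does that while `[]` did not. Suggest a comment on the `os.darwin: [""]` line stating that auditd does not exist on macOS and that the empty path keeps the fileset quiet, and decide explicitly whether `os.windows: []` should keep its different behaviour, as the thread below discusses.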
Contributor


Is the same change for Windows needed?

Member Author

@andrewkroh andrewkroh Apr 5, 2017


The whole system module is documented as not supported on Windows.

Contributor


Yeah, I think it's better to leave it as is, so that users get an error on Windows when trying this module (otherwise, the problem would be silently ignored).

@tsg tsg added needs_backport PR is waiting to be backported to other branches. v5.4.0 and removed needs_backport PR is waiting to be backported to other branches. v5.4.0 labels Apr 5, 2017
@tsg tsg merged commit 4d89a03 into elastic:master Apr 5, 2017
@tsg tsg added needs_backport PR is waiting to be backported to other branches. v5.4.0 labels Apr 5, 2017
andrewkroh added a commit to andrewkroh/beats that referenced this pull request Apr 10, 2017
… (elastic#3941) (elastic#3962)

The PR adds an auditd module for parsing logs from the auditd daemon. There is a sample dashboard for viewing this data.

Features

- Parses audit event type, unix epoch time, audit event counter, and the arbitrary key/value pairs that follow.
- Applies geoip lookup to the `auditd.log.addr` field which is present for some remote login events.
- Decodes hex encoded ascii values that are sometimes used for the `auditd.log.exe` and `auditd.log.cmd` fields.
- Removes key/value pairs where the value is `?`.

Missing Features

- Decoder for `auditd.log.saddr` field present in SOCKADDR audit events. A recipe is described [here](https://unix.stackexchange.com/questions/102926/how-to-interpret-the-saddr-field-of-an-audit-log) and could probably be ported to painless. Sample value:
  `type=SOCKADDR msg=audit(1481078693.491:873): saddr=01002F7661722F72756E2F6E7363642F736F636B657400008983B330BE7F0000000000000000000070830130BE7F000004000000000000001B00000000000000D128B7ED000000008B8BB330BE7F00003B00000000000000403E4BF7FD7F0000447F0130BE7F000080150230BE7F`
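The parsing steps the commit message lists (type, epoch time, event counter, trailing key/value pairs, hex-decoded `exe`/`cmd`, dropping `?` values) plus the missing `saddr` decoder, written out as an added Python example that is not code from the Filebeat module. The `USER_LOGIN` line is constructed; the `saddr` value is the one quoted above, and the socket-family constants are the Linux ones because the kernel, not the parsing host, writes that field.

```python
import re
from ipaddress import ip_address

# Linux socket families; saddr is produced by the Linux kernel, so these values
# apply even when this parser runs on macOS (where AF_INET6 is 30, not 10).
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10
HEX_FIELDS = {"exe", "cmd"}  # auditd hex-encodes these when they hold spaces or control chars
LINE_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<epoch>\d+\.\d+):(?P<seq>\d+)\): ?(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

# Constructed sample lines (the saddr value is the one from the commit message).
SAMPLE_LINES = [
    "type=SOCKADDR msg=audit(1481078693.491:873): saddr=01002F7661722F72756E2F6E7363642F736F636B657400008983B330BE7F0000000000000000000070830130BE7F000004000000000000001B00000000000000D128B7ED000000008B8BB330BE7F00003B00000000000000403E4BF7FD7F0000447F0130BE7F000080150230BE7F",
    "type=USER_LOGIN msg=audit(1481078700.000:874): pid=1234 uid=0 auid=1000 ses=4 exe=2F7573722F7362696E2F73736864 hostname=? addr=203.0.113.7 terminal=ssh res=success",
]

def decode_hex_field(value):
    # Only an even-length run of hex digits is treated as an encoded value.
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def decode_saddr(hexstr):
    """Decode the raw struct sockaddr that SOCKADDR records carry as hex."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[0:2], "little")  # sa_family_t is in host (little-endian) order
    if family == AF_UNIX:   # sockaddr_un: NUL-terminated path; bytes after the NUL are stack noise
        return {"family": "unix", "path": raw[2:].split(b"\0", 1)[0].decode("utf-8", "replace")}
    if family == AF_INET:   # sockaddr_in: port in network order, then the 4-byte address
        return {"family": "ipv4", "port": int.from_bytes(raw[2:4], "big"), "ip": str(ip_address(raw[4:8]))}
    if family == AF_INET6:  # sockaddr_in6: port, 4-byte flowinfo, then the 16-byte address
        return {"family": "ipv6", "port": int.from_bytes(raw[2:4], "big"), "ip": str(ip_address(raw[8:24]))}
    return {"family": family}

def parse_line(line):
    """Parse one auditd log line into a dict, or return None if it is not an audit record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"type": m["type"], "timestamp": float(m["epoch"]), "sequence": int(m["seq"])}
    for key, value in KV_RE.findall(m["rest"]):
        value = value.strip("\"'")
        if value == "?":          # drop unknown values, as the module does
            continue
        if key in HEX_FIELDS:
            value = decode_hex_field(value)
        elif key == "saddr":
            value = decode_saddr(value)
        event[key] = value
    return event
```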
tsg pushed a commit that referenced this pull request Apr 11, 2017
) (#3975)
@andrewkroh andrewkroh removed the needs_backport PR is waiting to be backported to other branches. label Apr 12, 2017
@andrewkroh andrewkroh deleted the bugfix/fb/macos-audit-fileset-defaults branch July 5, 2017 19:24