Update to libbeat 7.3.0

This commit is contained in:
Blerim Sheqa 2019-08-15 14:07:09 +02:00
parent 7357b0f489
commit 96abd765dd
4704 changed files with 709425 additions and 103638 deletions


@ -23,7 +23,10 @@ indent_size = 4
indent_style = space
indent_size = 2
[Makefile]
[Makefile*]
indent_style = tab
[*.mk]
indent_style = tab
[Vagrantfile]


@ -1,5 +1,5 @@
CHANGELOG.md merge=union
CHANGELOG.asciidoc merge=union
CHANGELOG.next.asciidoc merge=union
CHANGELOG-developer.next.asciidoc merge=union
# Keep these file types as CRLF (Windows).
*.bat text eol=crlf

vendor/github.com/elastic/beats/.github/CODEOWNERS

@ -0,0 +1,39 @@
# GitHub CODEOWNERS definition
# See: https://help.github.com/articles/about-codeowners/
# * @elastic/beats
# libbeat
/libbeat/ @elastic/beats
/auditbeat/ @elastic/beats
/packetbeat/ @elastic/beats
/filebeat/ @elastic/beats
/metricbeat/ @elastic/beats
/journalbeat/ @elastic/beats
/winlogbeat/ @elastic/beats
# Auditbeat
/auditbeat/module/ @elastic/secops
/x-pack/auditbeat/ @elastic/secops
# Packetbeat
/packetbeat/protos/ @elastic/secops
/x-pack/packetbeat/ @elastic/secops
# Filebeat
/filebeat/module/ @elastic/infrastructure
/filebeat/module/elasticsearch/ @elastic/stack-monitoring
/filebeat/module/kibana/ @elastic/stack-monitoring
/filebeat/module/logstash/ @elastic/stack-monitoring
/x-pack/filebeat/module/ @elastic/infrastructure
/x-pack/filebeat/module/suricata/ @elastic/secops
# Metricbeat
/metricbeat/module/ @elastic/infrastructure
/metricbeat/module/elasticsearch/ @elastic/stack-monitoring
/metricbeat/module/kibana/ @elastic/stack-monitoring
/metricbeat/module/logstash/ @elastic/stack-monitoring
/x-pack/metricbeat/module/ @elastic/infrastructure
# Heartbeat
/heartbeat/ @elastic/uptime
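Review bot: the catch-all `# * @elastic/beats` at the top is commented out, so any path not listed here (for instance the `x-pack/functionbeat/` and `x-pack/libbeat/` trees that .travis.yml exercises, or `dev-tools/`) has no owner and triggers no review request; either uncomment it or add explicit entries. The `# libbeat` comment also heads a block that lists every beat directory, so rename it to something like `# All Beats`. Ordering is otherwise right: the more specific `/auditbeat/module/` and `/x-pack/filebeat/module/suricata/` entries come after the broader ones, which matters because the last matching pattern wins.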


@ -1,3 +1,9 @@
---
name: Bug
about: "Report confirmed bugs. For unconfirmed bugs please visit https://discuss.elastic.co/c/beats"
---
Please post all questions and issues on https://discuss.elastic.co/c/beats
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.
@ -5,6 +11,8 @@ and if we confirm that there is a bug, then you can open a new issue.
For security vulnerabilities please only send reports to security@elastic.co.
See https://www.elastic.co/community/security for more information.
Please include configurations and logs if available.
For confirmed bugs, please report:
- Version:
- Operating System:
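Review bot: good to see the security reporting address placed ahead of the bug details. One suggestion for the "Please include configurations and logs" line: add a reminder to strip credentials, API keys and internal hostnames from them before posting, since these issues are public.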


@ -0,0 +1,20 @@
---
name: Bug
about: "Report confirmed bugs. For unconfirmed bugs please visit https://discuss.elastic.co/c/beats"
---
Please post all questions and issues on https://discuss.elastic.co/c/beats
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.
For security vulnerabilities please only send reports to security@elastic.co.
See https://www.elastic.co/community/security for more information.
Please include configurations and logs if available.
For confirmed bugs, please report:
- Version:
- Operating System:
- Discuss Forum URL:
- Steps to Reproduce:
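Review bot: this file repeats the bug template edited in the previous hunk nearly verbatim (same front matter, same forum text, same field list plus two extra fields). If both copies are intentional, say so in the commit message; otherwise keep only one so the two do not drift apart.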


@ -0,0 +1,10 @@
---
name: Enhancement request
about: Beats can't do all the things, but maybe it can do your things.
---
**Describe the enhancement:**
**Describe a specific use case for the enhancement or feature:**


@ -0,0 +1,19 @@
---
name: Flaky Test
about: Report a flaky test (one that doesn't pass consistently)
---
## Flaky Test
* **Test Name:** Name of the failing test.
* **Link:** Link to file/line number in github.
* **Branch:** Git branch the test was seen in. If a PR, the branch the PR was based off.
* **Artifact Link:** If available, attach the generated zip artifact associated with the stack trace for this failure.
* **Notes:** Additional details about the test. e.g. theory as to failure cause
### Stack Trace
```
paste stack trace here
```


@ -0,0 +1,36 @@
---
name: New Module / Dataset
about: "Meta issue to track the creation, updating of a new module or dataset."
---
# Metricbeat Module / Dataset release checklist
This checklist is intended for Devs which create or update a module to make sure modules are consistent.
## Modules
For a metricset to go GA, the following criterias should be met:
* [ ] Supported versions are documented
* [ ] Supported operating systems are documented (if applicable)
* [ ] Integration tests exist
* [ ] System tests exist
* [ ] Automated checks that all fields are documented
* [ ] Documentation
* [ ] Fields follow [ECS](https://github.com/elastic/ecs) and [naming conventions](https://www.elastic.co/guide/en/beats/devguide/master/event-conventions.html)
* [ ] Dashboards exists (if applicable)
* [ ] Kibana Home Tutorial (if applicable)
* [ ] Open issue in [EUI repo](https://github.com/elastic/eui) to add [icon for module](https://elastic.github.io/eui/#/display/icons) if not already exists.
* [ ] Open PR against Kibana repo with tutorial. Examples can be found [here](https://github.com/elastic/kibana/tree/master/src/legacy/core_plugins/kibana/server/tutorials).
## Filebeat module
* [ ] Test log files exist for the grok patterns
* [ ] Generated output for at least 1 log file exists
## Metricbeat module
* [ ] Example `data.json` exists and an automated way to generate it exists (`go test -data`)
* [ ] Test environment in Docker exist for integration tests
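Review bot: a few wording fixes for the checklist text: "criterias" should be "criteria", "Devs which create" should be "developers who create", "Dashboards exists" should be "Dashboards exist", "if not already exists" should be "if one does not already exist", and "Test environment in Docker exist" should be "exists".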


@ -0,0 +1,18 @@
---
name: Question
about: Who, what, when, where, and how?
---
Hey, stop right there!
We use GitHub to track feature requests and bug reports. Please do not submit issues for questions about how to use features of Beat, how to set Beats up, best practices, or development related help.
However, we do want to help! Head on over to our official Beats forums and ask
your questions there. In additional to awesome, knowledgeable community
contributors, core Beats developers are on the forums every single day to help
you out.
The forums are here: https://discuss.elastic.co/c/beats
We can't stop you from opening an issue here, but it will likely linger without a response for days or weeks before it is closed and we ask you to join us on the forums instead. Save yourself the time, and ask on the forums today.
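Review bot: style only: "In additional to awesome, knowledgeable community contributors" should read "In addition to", and "features of Beat" should be "features of Beats".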


@ -3,12 +3,13 @@
/.idea
/.vscode
/build
/*/data
/*/logs
/*/fields.yml
/*/*.template*.json
**/html_docs
/*/_meta/kibana.generated
*beat/fields.yml
*beat/_meta/kibana.generated
*beat/build
*beat/logs
*beat/data
# Files
.DS_Store
@ -19,6 +20,7 @@ coverage.out
.python-version
beat.db
*.keystore
mage_output_file.go
# Editor swap files
*.swp


@ -1 +1 @@
1.10.6
1.12.4
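Review bot: `.go-version` moves from 1.10.6 to 1.12.4, and .travis.yml reads it with `$(cat .go-version)`, so this single line pins the toolchain for every CI job and release build. The commit header is dated 2019-08-15, several months after 1.12.4 shipped, so check for the latest 1.12.x patch release before pinning (patch releases carry standard-library security fixes) and keep the "Update to Golang 1.12.4" changelog entry in step with whatever is chosen.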


@ -12,8 +12,8 @@ env:
global:
# Cross-compile for amd64 only to speed up testing.
- GOX_FLAGS="-arch amd64"
- DOCKER_COMPOSE_VERSION=1.11.1
- GO_VERSION="$(cat .go-version)"
- DOCKER_COMPOSE_VERSION=1.21.0
- TRAVIS_GO_VERSION=$(cat .go-version)
# Newer versions of minikube fail on travis, see: https://github.com/kubernetes/minikube/issues/2704
- TRAVIS_MINIKUBE_VERSION=v0.25.2
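Review bot: `TRAVIS_GO_VERSION=$(cat .go-version)` drops the double quotes the old `GO_VERSION="$(cat .go-version)"` had. It is harmless while the file holds a single token, but keep the quotes so a stray trailing space in .go-version cannot split the value. The docker-compose bump from 1.11.1 to 1.21.0 is not explained anywhere in the commit; a line in the commit message would help.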
@ -22,114 +22,138 @@ jobs:
# General checks
- os: linux
env: TARGETS="check"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: check
# Filebeat
- os: linux
env: TARGETS="-C filebeat testsuite"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C filebeat testsuite"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C x-pack/filebeat testsuite"
go: $(GO_VERSION)
stage: test
# Heartbeat
- os: linux
env: TARGETS="-C heartbeat testsuite"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C heartbeat testsuite"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
# Auditbeat
- os: linux
env: TARGETS="-C auditbeat testsuite"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C auditbeat testsuite"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C auditbeat crosscompile"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C x-pack/auditbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
# Libbeat
- os: linux
env: TARGETS="-C libbeat testsuite"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C libbeat crosscompile"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: STRESS_TEST_OPTIONS="-timeout=20m -race -v -parallel 1" TARGETS="-C libbeat stress-tests"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C x-pack/libbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
# Metricbeat
- os: linux
env: TARGETS="-C metricbeat testsuite"
go: $GO_VERSION
env: TARGETS="-C metricbeat unit-tests coverage-report"
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C metricbeat integration-tests-environment coverage-report"
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C metricbeat update system-tests-environment coverage-report"
go: $TRAVIS_GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C metricbeat testsuite"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C metricbeat crosscompile"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C x-pack/metricbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
# Packetbeat
- os: linux
env: TARGETS="-C packetbeat testsuite"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
# Winlogbeat
- os: linux
env: TARGETS="-C winlogbeat crosscompile"
go: $GO_VERSION
stage: test
# Journalbeat
- os: linux
env: TARGETS="-C journalbeat testsuite"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
# Functionbeat
- os: linux
env: TARGETS="-C x-pack/functionbeat testsuite"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C x-pack/functionbeat testsuite"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
# Journalbeat
- os: linux
env: TARGETS="-C journalbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
# Generators
- os: linux
env: TARGETS="-C generator/metricbeat test"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C generator/beat test"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
# Docs
- os: linux
env: TARGETS="docs"
go: $GO_VERSION
go: $TRAVIS_GO_VERSION
stage: test
# Kubernetes
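Review bot: two jobs look missed in the GO_VERSION to TRAVIS_GO_VERSION rename: the `x-pack/filebeat testsuite` job reads `go: $(GO_VERSION)` and the `winlogbeat crosscompile` job reads `go: $GO_VERSION`, and neither has a `$TRAVIS_GO_VERSION` counterpart in the hunk. If those lines are on the new side they resolve to an empty Go version, since GO_VERSION is no longer defined in the global env, and `$(GO_VERSION)` is command substitution rather than variable expansion in any case; change both to `go: $TRAVIS_GO_VERSION`. Separately, a `# Journalbeat` job block appears twice (before and after the Functionbeat jobs); confirm the first one is the removed copy, otherwise the journalbeat testsuite runs twice per build.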
@ -168,6 +192,7 @@ addons:
- xsltproc
- libxml2-utils
- libsystemd-journal-dev
- librpm-dev
before_install:
- python --version


@ -12,10 +12,65 @@ other Beats should be migrated.
Note: This changelog was only started after the 6.3 release.
=== Beats version HEAD
https://github.com/elastic/beats/compare/v6.3.0..master[Check the HEAD diff]
=== Beats version 7.1.1
https://github.com/elastic/beats/compare/v7.1.0..v7.1.1[Check the HEAD diff]
The list below covers the major changes between 6.3.0 and master only.
=== Beats version 7.1.0
https://github.com/elastic/beats/compare/v7.0.0..v7.1.0[Check the HEAD diff]
=== Beats version 7.0.1
https://github.com/elastic/beats/compare/v7.0.0..v7.0.1[Check the HEAD diff]
=== Beats version 7.0.0-GA
https://github.com/elastic/beats/compare/v7.0.0-rc2..v7.0.0[Check the HEAD diff]
The list below covers the major changes between 7.0.0-rc2 and 7.0 only.
==== Added
- Added support for using PYTHON_EXE to control what Python interpreter is used
by `make` and `mage`. Example: `export PYTHON_EXE=python2.7`. {pull}11212[11212]
=== Beats version 7.0.0-rc2
https://github.com/elastic/beats/compare/v7.0.0-rc1..v7.0.0-rc2[Check the HEAD diff]
=== Beats version 7.0.0-rc1
https://github.com/elastic/beats/compare/v7.0.0-beta1..v7.0.0-rc1[Check the HEAD diff]
==== Breaking changes
- Remove support for deprecated `GenRootCmd` methods. {pull}10721[10721]
- Remove SkipNormalization, SkipAgentMetadata, SkipAddHostName. {pull}10801[10801] {pull}10769[10769]
==== Bugfixes
- Align default index between elasticsearch and logstash and kafka output. {pull}10841[10841]
- Fix duplication check for `append_fields` option. {pull}10959[10959]
==== Added
- Introduce processing.Support to instance.Setting. This allows Beats to fully modify the event processing. {pull}10801[10801]
=== Beats version 7.0.0-beta1
https://github.com/elastic/beats/compare/v7.0.0-alpha2..v7.0.0-beta1[Check the HEAD diff]
==== Breaking changes
- Outputs receive Index Manager as additional parameter. The index manager can
be used to create an index selector. {pull}10347[10347]
- Remove support for loading dashboards to Elasticsearch 5. {pull}10451[10451]
==== Added
- Allow multiple object type configurations per field. {pull}9772[9772]
- Move agent metadata addition to a processor. {pull}9952[9952]
- Add (*common.Config).Has and (*common.Config).Remove. {pull}10363[10363]
- Introduce ILM and IndexManagement support to beat.Settings. {pull}10347[10347]
- Generating index pattern on demand instead of shipping them in the packages. {pull}10478[10478]
=== Beats version 7.0.0-alpha2
https://github.com/elastic/beats/compare/v6.3.0..v7.0.0-alpha2[Check the HEAD diff]
The list below covers the major changes between 6.3.0 and 7.0.0-alpha2 only.
==== Breaking changes
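Review bot: every new version section reuses the link text `[Check the HEAD diff]`, including the released ones (7.1.1, 7.1.0, 7.0.1, 7.0.0-GA, 7.0.0-rc2, 7.0.0-rc1, 7.0.0-beta1, 7.0.0-alpha2) whose compare URLs are between two tags, not HEAD; use e.g. `[Check the 7.1.1 diff]` so the rendered links are not all identical. The 7.0.0-GA section carries a "The list below covers the major changes between 7.0.0-rc2 and 7.0 only" sentence that the rc1, beta1 and alpha2 sections lack; add it to each or drop it for consistency.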
@ -29,13 +84,18 @@ The list below covers the major changes between 6.3.0 and master only.
the building a Beat more cross-platform friendly (e.g. Windows). This requires that your Beat
has a magefile.go with a fields target. The `FIELDS_FILE_PATH` make variable is no longer
used because the value is specified in magefile.go. {pull}7670[7670]
- Outputs must implement String. {pull}6404[6404]
- Renamed `-beat-name` CLI option used in `kibana_index_pattern.go` to `-beat` for consistency with other scripts in `dev-tools/cmd`. {pull}8615[8615]
- Systemd unit file template used on Linux packaging now includes environment variables to ease flag overriding. One of them includes the `-e` flag, making beats log to stderr by default on systemd uses. {pull}8942[8942]
- Removed dashboards and index patterns generation for Kibana 5. {pull}8927[8927]
- Move generator packages of Filebeat from `scripts/generator` to `generator`. {pull}9147[9147]
==== Bugfixes
- Fix permissions of generated Filebeat filesets. {pull}7140[7140]
- Collect fields from _meta/fields.yml too. {pull}8397[8397]
- Fix issue on asset generation that could lead to different results in Windows. {pull}8464[8464]
- Remove default version qualifier, you can use `VERSION_QUALIFIER` environment variable to set it. {pull}9148[9148]
==== Added
@ -48,6 +108,7 @@ The list below covers the major changes between 6.3.0 and master only.
`mage -h goTestUnit`. {pull}7766[7766]
- Beats packaging now build non-oss binaries from code located in the x-pack folder. {issue}7783[7783]
- New function `AddTagsWithKey` is added, so `common.MapStr` can be enriched with tags with an arbitrary key. {pull}7991[7991]
- Move filebeat/reader to libbeat/reader {pull}8206[8206]
- Libbeat provides a new function `cmd.GenRootCmdWithSettings` that should be preferred over deprecated functions
`cmd.GenRootCmd`, `cmd.GenRootCmdWithRunFlags`, and `cmd.GenRootCmdWithIndexPrefixWithRunFlags`. {pull}7850[7850]
- Set current year in generator templates. {pull}8396[8396]
@ -61,3 +122,10 @@ The list below covers the major changes between 6.3.0 and master only.
- Add `mage.KibanaDashboards` for collecting Kibana dashboards and generating index patterns. {pull}8615[8615]
- Allow to disable config resolver using the `Settings.DisableConfigResolver` field when initializing libbeat. {pull}8769[8769]
- Add `mage.AddPlatforms` to allow to specify dependent platforms when building a beat. {pull}8889[8889]
- Add `cfgwarn.CheckRemoved6xSetting(s)` to display a warning for options removed in 7.0. {pull}8909[8909]
- Add docker image building to `mage.Package`. {pull}8898[8898]
- Simplified exporting of dashboards. {pull}7730[7730]
- Update Beats to use go 1.11.2 {pull}8746[8746]
- Allow/Merge fields.yml overrides {pull}9188[9188]
- Filesets can now define multiple ingest pipelines, with the first one considered as the entry point pipeline. {pull}8914[8914]
- Add `group_measurements_by_instance` option to windows perfmon metricset. {pull}8688[8688]


@ -0,0 +1,45 @@
// Use these for links to issue and pulls. Note issues and pulls redirect one to
// each other on Github, so don't worry too much on using the right prefix.
:issue: https://github.com/elastic/beats/issues/
:pull: https://github.com/elastic/beats/pull/
This changelog is intended for community Beat developers. It covers the major
breaking changes to the internal APIs in the official Beats and changes related
to developing a Beat like code generators or `fields.yml`. Only the major
changes will be covered in this changelog that are expected to affect community
developers. Each breaking change added here should have an explanation on how
other Beats should be migrated.
Note: This changelog documents the current changes which are not yet present in
an actual release.
=== Beats version HEAD
https://github.com/elastic/beats/compare/v7.0.0-rc2..master[Check the HEAD diff]
The list below covers the major changes between 7.0.0-rc2 and master only.
==== Breaking changes
- Move Fields from package libbeat/common to libbeat/mapping. {pull}11198[11198]
==== Bugfixes
==== Added
- Metricset generator generates beta modules by default now. {pull}10657[10657]
- The `beat.Event` accessor methods now support `@metadata` keys. {pull}10761[10761]
- Assertion for documented fields in tests fails if any of the fields in the tested event is documented as an alias. {pull}10921[10921]
- Support for Logger in the Metricset base instance. {pull}11106[11106]
- Filebeat modules can now use ingest pipelines in YAML format. {pull}11209[11209]
- Prometheus helper for metricbeat contains now `Namespace` field for `prometheus.MetricsMappings` {pull}11424[11424]
- Update Jinja2 version to 2.10.1. {pull}11817[11817]
- Reduce idxmgmt.Supporter interface and rework export commands to reuse logic. {pull}11777[11777],{pull}12065[12065],{pull}12067[12067],{pull}12160[12160]
- Update urllib3 version to 1.24.2 {pull}11930[11930]
- Add libbeat/common/cleanup package. {pull}12134[12134]
- New helper to check for leaked goroutines on tests. {pull}12106[12106]
- Only Load minimal template if no fields are provided. {pull}12103[12103]
- Add new option `IgnoreAllErrors` to `libbeat.common.schema` for skipping fields that failed while converting. {pull}12089[12089]
- Deprecate setup cmds for `template` and `ilm-policy`. Add new setup cmd for `index-management`. {pull}12132[12132]
- Use the go-lookslike library for testing in heartbeat. Eventually the mapval package will be replaced with it. {pull}12540[12540]
- New ReporterV2 interfaces that can receive a context on `Fetch(ctx, reporter)`, or `Run(ctx, reporter)`. {pull}11981[11981]
- Generate configuration from `mage` for all Beats. {pull}12618[12618]
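Review bot: the `==== Bugfixes` heading is empty; either drop it or keep it as a deliberate placeholder the way the per-beat headings are used elsewhere. Nits: "Only Load minimal template" should be lower-case "load", and the "Prometheus helper ... contains now `Namespace` field" entry is missing its trailing period.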


vendor/github.com/elastic/beats/CHANGELOG.next.asciidoc

@ -0,0 +1,318 @@
// Use these for links to issue and pulls. Note issues and pulls redirect one to
// each other on Github, so don't worry too much on using the right prefix.
:issue: https://github.com/elastic/beats/issues/
:pull: https://github.com/elastic/beats/pull/
=== Beats version HEAD
https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD diff]
==== Breaking changes
*Affecting all Beats*
- Update to Golang 1.12.1. {pull}11330[11330]
- Update to Golang 1.12.4. {pull}11782[11782]
- Update to ECS 1.0.1. {pull}12284[12284] {pull}12317[12317]
- Default of output.kafka.metadata.full is set to false by now. This reduced the amount of metadata to be queried from a kafka cluster. {pull}12738[12738]
*Auditbeat*
- Auditd module: Normalized value of `event.category` field from `user-login` to `authentication`. {pull}11432[11432]
- Auditd module: Unset `auditd.session` and `user.audit.id` fields are removed from audit events. {issue}11431[11431] {pull}11815[11815]
- Socket dataset: Exclude localhost by default {pull}11993[11993]
*Filebeat*
- Add read_buffer configuration option. {pull}11739[11739]
- `convert_timezone` option is removed and locale is always added to the event so timezone is used when parsing the timestamp, this behaviour can be overriden with processors. {pull}12410[12410]
*Heartbeat*
- Removed the `add_host_metadata` and `add_cloud_metadata` processors from the default config. These don't fit well with ECS for Heartbeat and were rarely used.
*Journalbeat*
*Metricbeat*
- Add new option `OpMultiplyBuckets` to scale histogram buckets to avoid decimal points in final events {pull}10994[10994]
- system/raid metricset now uses /sys/block instead of /proc/mdstat for data. {pull}11613[11613]
- kubernetes.container.cpu.limit.cores and kubernetes.container.cpu.requests.cores are now floats. {issue}11975[11975]
*Packetbeat*
- Add support for mongodb opcode 2013 (OP_MSG). {issue}6191[6191] {pull}8594[8594]
- NFSv4: Always use opname `ILLEGAL` when failed to match request to a valid nfs operation. {pull}11503[11503]
*Winlogbeat*
*Functionbeat*
==== Bugfixes
*Affecting all Beats*
- Fix typo in TLS renegotiation configuration and setting the option correctly {issue}10871[10871], {pull}12354[12354]
- Ensure all beat commands respect configured settings. {pull}10721[10721]
- Add missing fields and test cases for libbeat add_kubernetes_metadata processor. {issue}11133[11133], {pull}11134[11134]
- decode_json_field: process objects and arrays only {pull}11312[11312]
- decode_json_field: do not process arrays when flag not set. {pull}11318[11318]
- Report faulting file when config reload fails. {pull}11304[11304]
- Fix a typo in libbeat/outputs/transport/client.go by updating `c.conn.LocalAddr()` to `c.conn.RemoteAddr()`. {pull}11242[11242]
- Management configuration backup file will now have a timestamps in their name. {pull}11034[11034]
- [CM] Parse enrollment_token response correctly {pull}11648[11648]
- Not hiding error in case of http failure using elastic fetcher {pull}11604[11604]
- Escape BOM on JsonReader before trying to decode line {pull}11661[11661]
- Fix matching of string arrays in contains condition. {pull}11691[11691]
- Replace wmi queries with win32 api calls as they were consuming CPU resources {issue}3249[3249] and {issue}11840[11840]
- Fix a race condition with the Kafka pipeline client, it is possible that `Close()` get called before `Connect()` . {issue}11945[11945]
- Fix queue.spool.write.flush.events config type. {pull}12080[12080]
- Fixed a memory leak when using the add_process_metadata processor under Windows. {pull}12100[12100]
- Fix of docker json parser for missing "log" jsonkey in docker container's log {issue}11464[11464]
- Fixed Beat ID being reported by GET / API. {pull}12180[12180]
- Fixed setting bulk max size in kafka output. {pull}12254[12254]
- Add host.os.codename to fields.yml. {pull}12261[12261]
- Fix `@timestamp` being duplicated in events if `@timestamp` is set in a
processor (or by any code utilizing `PutValue()` on a `beat.Event`).
- Fix leak in script processor when using Javascript functions in a processor chain. {pull}12600[12600]
- Add additional nil pointer checks to Docker client code to deal with vSphere Integrated Containers {pull}12628[12628]
- Fix Central Management enroll under Windows {issue}12797[12797] {pull}12799[12799]
- Fixed a crash under Windows when fetching processes information. {pull}12833[12833]
- Fix seccomp policy preventing some features to function properly on 32bit Linux systems. {issue}12990[12990] {pull}13008[13008]
*Auditbeat*
- Process dataset: Fixed a memory leak under Windows. {pull}12100[12100]
- Login dataset: Fix re-read of utmp files. {pull}12028[12028]
- Package dataset: Fixed a crash inside librpm after Auditbeat has been running for a while. {issue}12147[12147] {pull}12168[12168]
- Fix formatting of config files on macOS and Windows. {pull}12148[12148]
- Fix direction of incoming IPv6 sockets. {pull}12248[12248]
- Package dataset: Close librpm handle. {pull}12215[12215]
- Package dataset: Auto-detect package directories. {pull}12289[12289]
- Package dataset: Improve dpkg parsing. {pull}12325[12325]
- System module: Start system module without host ID. {pull}12373[12373]
- Host dataset: Fix reboot detection logic. {pull}12591[12591]
- Add syscalls used by librpm for the system/package dataset to the default Auditbeat seccomp policy. {issue}12578[12578] {pull}12617[12617]
- Process dataset: Do not show non-root warning on Windows. {pull}12740[12740]
- Host dataset: Export Host fields to gob encoder. {pull}12940[12940]
*Filebeat*
- Add support for Cisco syslog format used by their switch. {pull}10760[10760]
- Cover empty request data, url and version in Apache2 module{pull}10730[10730]
- Fix registry entries not being cleaned due to race conditions. {pull}10747[10747]
- Improve detection of file deletion on Windows. {pull}10747[10747]
- Add missing Kubernetes metadata fields to Filebeat CoreDNS module, and fix a documentation error. {pull}11591[11591]
- Reduce memory usage if long lines are truncated to fit `max_bytes` limit. The line buffer is copied into a smaller buffer now. This allows the runtime to release unused memory earlier. {pull}11524[11524]
- Fix memory leak in Filebeat pipeline acker. {pull}12063[12063]
- Fix goroutine leak caused on initialization failures of log input. {pull}12125[12125]
- Fix goroutine leak on non-explicit finalization of log input. {pull}12164[12164]
- Skipping unparsable log entries from docker json reader {pull}12268[12268]
- Parse timezone in PostgreSQL logs as part of the timestamp {pull}12338[12338]
- Load correct pipelines when system module is configured in modules.d. {pull}12340[12340]
- Fix timezone offset parsing in system/syslog. {pull}12529[12529]
- When TLS is configured for the TCP input and a `certificate_authorities` is configured we now default to `required` for the `client_authentication`. {pull}12584[12584]
- Apply `max_message_size` to incoming message buffer. {pull}11966[11966]
- Syslog input will now omit the `process` object from events if it is empty. {pull}12700[12700]
*Heartbeat*
- Fix NPEs / resource leaks when executing config checks. {pull}11165[11165]
- Fix duplicated IPs on `mode: all` monitors. {pull}12458[12458]
*Journalbeat*
- Use backoff when no new events are found. {pull}11861[11861]
- Iterate over journal correctly, so no duplicate entries are sent. {pull}12716[12716]
- Preserve host name when reading from remote journal. {pull}12714[12714]
*Metricbeat*
- Change diskio metrics retrieval method (only for Windows) from wmi query to DeviceIOControl function using the IOCTL_DISK_PERFORMANCE control code {pull}11635[11635]
- Call GetMetricData api per region instead of per instance. {issue}11820[11820] {pull}11882[11882]
- Update documentation with cloudwatch:ListMetrics permission. {pull}11987[11987]
- Check permissions in system socket metricset based on capabilities. {pull}12039[12039]
- Get process information from sockets owned by current user when system socket metricset is run without privileges. {pull}12039[12039]
- Avoid generating hints-based configuration with empty hosts when no exposed port is suitable for the hosts hint. {issue}8264[8264] {pull}12086[12086]
- Fixed a socket leak in the postgresql module under Windows when SSL is disabled on the server. {pull}11393[11393]
- Change some field type from scaled_float to long in aws module. {pull}11982[11982]
- Fixed RabbitMQ `queue` metricset gathering when `consumer_utilisation` is set empty at the metrics source {pull}12089[12089]
- Fix direction of incoming IPv6 sockets. {pull}12248[12248]
- Refactored Windows perfmon metricset: replaced method to retrieve counter paths with PdhExpandWildCardPathW, separated code by responsibility, removed unused functions {pull}12212[12212]
- Validate that kibana/status metricset cannot be used when xpack is enabled. {pull}12264[12264]
- Ignore prometheus metrics when their values are NaN or Inf. {pull}12084[12084] {issue}10849[10849]
- In the kibana/stats metricset, only log error (don't also index it) if xpack is enabled. {pull}12265[12265]
- Fix an issue listing all processes when run under Windows as a non-privileged user. {issue}12301[12301] {pull}12475[12475]
- The `elasticsearch/index_summary` metricset gracefully handles an empty Elasticsearch cluster when `xpack.enabled: true` is set. {pull}12489[12489] {issue}12487[12487]
- When TLS is configured for the http metricset and a `certificate_authorities` is configured we now default to `required` for the `client_authentication`. {pull}12584[12584]
- Reuse connections in PostgreSQL metricsets. {issue}12504[12504] {pull}12603[12603]
- PdhExpandWildCardPathW will not expand counter paths in 32 bit windows systems, workaround will use a different function.{issue}12590[12590]{pull}12622[12622]
- In the elasticsearch/node_stats metricset, if xpack is enabled, make parsing of ES node load average optional as ES on Windows doesn't report load average. {pull}12866[12866]
- Fix incoherent behaviour in redis key metricset when keyspace is specified both in host URL and key pattern {pull}12913[12913]
- Fix connections leak in redis module {pull}12914[12914] {pull}12950[12950]
- Fix wrong uptime reporting by system/uptime metricset under Windows. {pull}12915[12915]
- Print errors that were being omitted in vSphere metricsets {pull}12816[12816]
*Packetbeat*
- Prevent duplicate packet loss error messages in HTTP events. {pull}10709[10709]
- Fixed a memory leak when using process monitoring under Windows. {pull}12100[12100]
- Improved debug logging efficiency in PGQSL module. {issue}12150[12150]
- Limit memory usage of Redis replication sessions. {issue}12657[12657]
*Winlogbeat*
*Functionbeat*
- Fix function name reference for Kinesis streams in CloudFormation templates {pull}11646[11646]
==== Added
*Affecting all Beats*
- Decouple Debug logging from fail_on_error logic for rename, copy, truncate processors {pull}12451[12451]
- Add an option to append to existing logs rather than always rotate on start. {pull}11953[11953]
- Add `network` condition to processors for matching IP addresses against CIDRs. {pull}10743[10743]
- Add if/then/else support to processors. {pull}10744[10744]
- Add `community_id` processor for computing network flow hashes. {pull}10745[10745]
- Add output test to kafka output {pull}10834[10834]
- Gracefully shut down on SIGHUP {pull}10704[10704]
- New processor: `copy_fields`. {pull}11303[11303]
- Add `error.message` to events when `fail_on_error` is set in `rename` and `copy_fields` processors. {pull}11303[11303]
- New processor: `truncate_fields`. {pull}11297[11297]
- Allow a beat to ship monitoring data directly to an Elasticsearch monitoring cluster. {pull}9260[9260]
- Updated go-seccomp-bpf library to v1.1.0 which updates syscall lists for Linux v5.0. {pull}NNNN[NNNN]
- Add `add_observer_metadata` processor. {pull}11394[11394]
- Add `decode_csv_fields` processor. {pull}11753[11753]
- Add `convert` processor for converting data types of fields. {issue}8124[8124] {pull}11686[11686]
- New `extract_array` processor. {pull}11761[11761]
- Add number of goroutines to reported metrics. {pull}12135[12135]
- Add `proxy_disable` output flag to explicitly ignore proxy environment variables. {issue}11713[11713] {pull}12243[12243]
- Processor `add_cloud_metadata` adds fields `cloud.account.id` and `cloud.image.id` for AWS EC2. {pull}12307[12307]
- Add configurable bulk_flush_frequency in kafka output. {pull}12254[12254]
- Add `decode_base64_field` processor for decoding base64 field. {pull}11914[11914]
- Add support for reading the `network.iana_number` field by default to the community_id processor. {pull}12701[12701]
- Add aws overview dashboard. {issue}11007[11007] {pull}12175[12175]
- Add `decompress_gzip_field` processor. {pull}12733[12733]
- Add `timestamp` processor for parsing time fields. {pull}12699[12699]
- Add Oracle Tablespaces Dashboard {pull}12736[12736]
*Auditbeat*
- Auditd module: Add `event.outcome` and `event.type` for ECS. {pull}11432[11432]
- Process: Add file hash of process executable. {pull}11722[11722]
- Socket: Add network.transport and network.community_id. {pull}12231[12231]
- Host: Fill top-level host fields. {pull}12259[12259]
*Filebeat*
- Add more info to message logged when a duplicated symlink file is found {pull}10845[10845]
- Add option to configure docker input with paths {pull}10687[10687]
- Add Netflow module to enrich flow events with geoip data. {pull}10877[10877]
- Set `event.category: network_traffic` for Suricata. {pull}10882[10882]
- Allow custom default settings with autodiscover (for example, use of CRI paths for logs). {pull}12193[12193]
- Allow to disable hints based autodiscover default behavior (fetching all logs). {pull}12193[12193]
- Change Suricata module pipeline to handle `destination.domain` being set if a reverse DNS processor is used. {issue}10510[10510]
- Add the `network.community_id` flow identifier to field to the IPTables, Suricata, and Zeek modules. {pull}11005[11005]
- New Filebeat coredns module to ingest coredns logs. It supports both native coredns deployment and coredns deployment in kubernetes. {pull}11200[11200]
- New module for Cisco ASA logs. {issue}9200[9200] {pull}11171[11171]
- Added support for Cisco ASA fields to the netflow input. {pull}11201[11201]
- Configurable line terminator. {pull}11015[11015]
- Add Filebeat envoyproxy module. {pull}11700[11700]
- Add apache2(httpd) log path (`/var/log/httpd`) to make apache2 module work out of the box on Redhat-family OSes. {issue}11887[11887] {pull}11888[11888]
- Add support to new MongoDB additional diagnostic information {pull}11952[11952]
- New module `panw` for Palo Alto Networks PAN-OS logs. {pull}11999[11999]
- Add RabbitMQ module. {pull}12032[12032]
- Add new `container` input. {pull}12162[12162]
- Add timeouts on communication with docker daemon. {pull}12310[12310]
- `container` and `docker` inputs now support reading of labels and env vars written by docker JSON file logging driver. {issue}8358[8358]
- Add specific date processor to convert timezones so same pipeline can be used when convert_timezone is enabled or disabled. {pull}12253[12253]
- Add MSSQL module {pull}12079[12079]
- Add ISO8601 date parsing support for system module. {pull}12568[12568] {pull}12578[12579]
- Update Kubernetes deployment manifest to use `container` input. {pull}12632[12632]
- Use correct OS path separator in `add_kubernetes_metadata` to support Windows nodes. {pull}9205[9205]
- Add support for client addresses with port in Apache error logs {pull}12695[12695]
- Add `google-pubsub` input type for consuming messages from a Google Cloud Pub/Sub topic subscription. {pull}12746[12746]
- Add module for ingesting Cisco IOS logs over syslog. {pull}12748[12748]
- Add module for ingesting Google Cloud VPC flow logs. {pull}12747[12747]
- Report host metadata for Filebeat logs in Kubernetes. {pull}12790[12790]
*Heartbeat*
- Enable `add_observer_metadata` processor in default config. {pull}11394[11394]
*Journalbeat*
*Metricbeat*
- Add AWS SQS metricset. {pull}10684[10684] {issue}10053[10053]
- Add AWS s3_request metricset. {pull}10949[10949] {issue}10055[10055]
- Add s3_daily_storage metricset. {pull}10940[10940] {issue}10055[10055]
- Add `coredns` metricbeat module. {pull}10585[10585]
- Add SSL support for Metricbeat HTTP server. {pull}11482[11482] {issue}11457[11457]
- The `elasticsearch.index` metricset (with `xpack.enabled: true`) now collects `refresh.external_total_time_in_millis` fields from Elasticsearch. {pull}11616[11616]
- Allow module configurations to have variants {pull}9118[9118]
- Add `timeseries.instance` field calculation. {pull}10293[10293]
- Added new disk states and raid level to the system/raid metricset. {pull}11613[11613]
- Added `path_name` and `start_name` to service metricset on windows module {issue}8364[8364] {pull}11877[11877]
- Add check on object name in the counter path if the instance name is missing {issue}6528[6528] {pull}11878[11878]
- Add AWS cloudwatch metricset. {pull}11798[11798] {issue}11734[11734]
- Add `regions` in aws module config to specify target regions for querying cloudwatch metrics. {issue}11932[11932] {pull}11956[11956]
- Keep `etcd` followers members from reporting `leader` metricset events {pull}12004[12004]
- Add overview dashboard to Consul module {pull}10665[10665]
- New fields were added in the mysql/status metricset. {pull}12227[12227]
- Add Kubernetes metricset `proxy`. {pull}12312[12312]
- Add Kubernetes proxy dashboard to Kubernetes module {pull}12734[12734]
- Always report Pod UID in the `pod` metricset. {pull}12345[12345]
- Add Vsphere Virtual Machine operating system to `os` field in Vsphere virtualmachine module. {pull}12391[12391]
- Add validation for elasticsearch and kibana modules' metricsets when xpack.enabled is set to true. {pull}12386[12386]
- Add CockroachDB module. {pull}12467[12467]
- Add support for metricbeat modules based on existing modules (a.k.a. light modules) {issue}12270[12270] {pull}12465[12465]
- Add a system/entropy metricset {pull}12450[12450]
- Add kubernetes metricset `controllermanager` {pull}12409[12409]
- Add Kubernetes controller manager dashboard to Kubernetes module {pull}12744[12744]
- Allow redis URL format in redis hosts config. {pull}12408[12408]
- Add tags into ec2 metricset. {issue}[12263]12263 {pull}12372[12372]
- Add kubernetes metricset `scheduler` {pull}12521[12521]
- Add Kubernetes scheduler dashboard to Kubernetes module {pull}12749[12749]
- Add `beat` module. {pull}12181[12181] {pull}12615[12615]
- Collect tags for cloudwatch metricset in aws module. {issue}[12263]12263 {pull}12480[12480]
- Add AWS RDS metricset. {pull}11620[11620] {issue}10054[10054]
- Add Oracle Module {pull}11890[11890]
*Packetbeat*
*Functionbeat*
- New options to configure roles and VPC. {pull}11779[11779]
- Export automation templates used to create functions. {pull}11923[11923]
- Configurable Amazon endpoint. {pull}12369[12369]
*Winlogbeat*
- Add support for reading from .evtx files. {issue}4450[4450]
==== Deprecated
*Affecting all Beats*
*Filebeat*
- `docker` input is deprecated in favour `container`. {pull}12162[12162]
- `postgresql.log.timestamp` field is deprecated in favour of `@timestamp`. {pull}12338[12338]
*Heartbeat*
*Journalbeat*
*Metricbeat*
*Packetbeat*
*Winlogbeat*
*Functionbeat*
==== Known Issue
*Journalbeat*
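Review bot: three changelog macros in this hunk will not render: the go-seccomp-bpf entry still carries the `{pull}NNNN[NNNN]` placeholder, the ISO8601 system-module entry mixes ids in `{pull}12578[12579]`, and the two tag entries (ec2 and cloudwatch) write `{issue}[12263]12263` with the brackets reversed. Fill in the real PR number and change the latter to `{issue}12263[12263]`.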

vendor/github.com/elastic/beats/Jenkinsfile generated vendored Normal file

@ -0,0 +1,125 @@
#!/usr/bin/env groovy
library identifier: 'apm@current',
retriever: modernSCM(
[$class: 'GitSCMSource',
credentialsId: 'f94e9298-83ae-417e-ba91-85c279771570',
id: '37cf2c00-2cc7-482e-8c62-7bbffef475e2',
remote: 'git@github.com:elastic/apm-pipeline-library.git'])
pipeline {
agent none
environment {
BASE_DIR = 'src/github.com/elastic/beats'
}
options {
timeout(time: 1, unit: 'HOURS')
buildDiscarder(logRotator(numToKeepStr: '20', artifactNumToKeepStr: '20', daysToKeepStr: '30'))
timestamps()
ansiColor('xterm')
disableResume()
durabilityHint('PERFORMANCE_OPTIMIZED')
}
triggers {
issueCommentTrigger('(?i).*(?:jenkins\\W+)?run\\W+(?:the\\W+)?tests(?:\\W+please)?.*')
}
parameters {
booleanParam(name: 'Run_As_Master_Branch', defaultValue: false, description: 'Allow to run any steps on a PR, some steps normally only run on master branch.')
}
stages {
/**
Checkout the code and stash it, to use it on other stages.
*/
stage('Checkout') {
agent { label 'linux && immutable' }
environment {
PATH = "${env.PATH}:${env.WORKSPACE}/bin"
HOME = "${env.WORKSPACE}"
GOPATH = "${env.WORKSPACE}"
}
options { skipDefaultCheckout() }
steps {
dir("${BASE_DIR}"){
checkout scm
}
stash allowEmpty: true, name: 'source', useDefaultExcludes: false
script {
env.GO_VERSION = readFile("${BASE_DIR}/.go-version")
}
}
}
/**
Updating generated files for Beat.
Checks the GO environment.
Checks the Python environment.
Checks YAML files are generated.
Validate that all updates were committed.
*/
stage('Intake') {
agent { label 'linux && immutable' }
options { skipDefaultCheckout() }
environment {
PATH = "${env.PATH}:${env.WORKSPACE}/bin"
HOME = "${env.WORKSPACE}"
GOPATH = "${env.WORKSPACE}"
}
steps {
withGithubNotify(context: 'Intake') {
deleteDir()
unstash 'source'
dir("${BASE_DIR}"){
sh './dev-tools/jenkins_intake.sh'
}
}
}
}
stage('Test') {
failFast true
parallel {
/**
Run unit tests and report junit results.
*/
stage('Filebeat') {
agent { label 'linux && immutable' }
options { skipDefaultCheckout() }
environment {
PATH = "${env.PATH}:${env.WORKSPACE}/bin"
HOME = "${env.WORKSPACE}"
GOPATH = "${env.WORKSPACE}"
}
steps {
withGithubNotify(context: 'Test', tab: 'tests') {
deleteDir()
unstash 'source'
dir("${BASE_DIR}"){
sh './filebeat/scripts/jenkins/unit-test.sh'
}
}
}
post {
always {
junit(allowEmptyResults: true,
keepLongStdio: true,
testResults: "${BASE_DIR}/build/junit-*.xml")
}
}
}
}
}
}
post {
success {
echoColor(text: '[SUCCESS]', colorfg: 'green', colorbg: 'default')
}
aborted {
echoColor(text: '[ABORTED]', colorfg: 'magenta', colorbg: 'default')
}
failure {
echoColor(text: '[FAILURE]', colorfg: 'red', colorbg: 'default')
//step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: "${NOTIFY_TO}", sendToIndividuals: false])
}
unstable {
echoColor(text: '[UNSTABLE]', colorfg: 'yellow', colorbg: 'default')
}
}
}
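Review bot: `env.GO_VERSION = readFile("${BASE_DIR}/.go-version")` in the Checkout stage keeps the file's trailing newline, so anything that later expands `GO_VERSION` gets `1.x.y` followed by a line break; use `readFile(...).trim()`. Worth a second look from the security side: the `issueCommentTrigger` regex lets anyone who can comment on a pull request start a run that executes the PR's own `dev-tools/jenkins_intake.sh` and `filebeat/scripts/jenkins/unit-test.sh`; the `linux && immutable` agents limit the blast radius, but confirm those stages expose no credentials beyond what the shared-library checkout needs and that the job restricts who may trigger it.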


@ -7,18 +7,33 @@ PYTHON_ENV?=$(BUILD_DIR)/python-env
VIRTUALENV_PARAMS?=
FIND=find . -type f -not -path "*/vendor/*" -not -path "*/build/*" -not -path "*/.git/*"
GOLINT=golint
GOLINT_REPO=github.com/golang/lint/golint
GOLINT_REPO=golang.org/x/lint/golint
REVIEWDOG=reviewdog
REVIEWDOG_OPTIONS?=-diff "git diff master"
REVIEWDOG_REPO=github.com/haya14busa/reviewdog/cmd/reviewdog
XPACK_SUFFIX=x-pack/
# PROJECTS_XPACK_PKG is a list of Beats that have independent packaging support
# in the x-pack directory (rather than having the OSS build produce both sets
# of artifacts). This will be removed once we complete the transition.
PROJECTS_XPACK_PKG=x-pack/auditbeat x-pack/filebeat x-pack/metricbeat x-pack/winlogbeat
# PROJECTS_XPACK_MAGE is a list of Beats whose primary build logic is based in
# Mage. For compatibility with CI testing these projects support a subset of the
# makefile targets. After all Beats converge to primarily using Mage we can
# remove this and treat all sub-projects the same.
PROJECTS_XPACK_MAGE=$(PROJECTS_XPACK_PKG)
#
# Includes
#
include dev-tools/make/mage.mk
# Runs complete testsuites (unit, system, integration) for all beats with coverage and race detection.
# Also it builds the docs and the generators
.PHONY: testsuite
testsuite:
@$(foreach var,$(PROJECTS),$(MAKE) -C $(var) testsuite || exit 1;)
@$(foreach var,$(PROJECTS) $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) testsuite || exit 1;)
.PHONY: setup-commit-hook
setup-commit-hook:
@ -54,15 +69,15 @@ coverage-report:
.PHONY: update
update: notice
@$(foreach var,$(PROJECTS),$(MAKE) -C $(var) update || exit 1;)
@$(foreach var,$(PROJECTS) $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) update || exit 1;)
@$(MAKE) -C deploy/kubernetes all
.PHONY: clean
clean:
clean: mage
@rm -rf build
@$(foreach var,$(PROJECTS),$(MAKE) -C $(var) clean || exit 1;)
@$(foreach var,$(PROJECTS) $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) clean || exit 1;)
@$(MAKE) -C generator clean
@-mage -clean 2> /dev/null
@-mage -clean
# Cleans up the vendor directory from unnecessary files
# This should always be run after updating the dependencies
@ -72,7 +87,7 @@ clean-vendor:
.PHONY: check
check: python-env
@$(foreach var,$(PROJECTS) dev-tools,$(MAKE) -C $(var) check || exit 1;)
@$(foreach var,$(PROJECTS) dev-tools $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) check || exit 1;)
@# Checks also python files which are not part of the beats
@$(FIND) -name *.py -exec $(PYTHON_ENV)/bin/autopep8 -d --max-line-length 120 {} \; | (! grep . -q) || (echo "Code differs from autopep8's style" && false)
@# Validate that all updates were committed
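Review bot: `$(FIND) -name *.py` in the `check` target leaves the pattern unquoted, so the shell expands it against any `.py` files in the repository root before `find` sees it; quote it as `-name "*.py"`, matching what the `fmt` target further down already does.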
@ -84,7 +99,7 @@ check: python-env
.PHONY: check-headers
check-headers:
@go get github.com/elastic/go-licenser
@go get -u github.com/elastic/go-licenser
@go-licenser -d -exclude x-pack
@go-licenser -d -license Elastic x-pack
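Review bot: `go get -u github.com/elastic/go-licenser` now fetches whatever is latest on every `make check-headers`, so the header check is no longer reproducible and a changed or compromised upstream release would silently alter what CI enforces; pin a version (or vendor the tool the way mage is vendored) rather than using `-u`.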
@ -107,7 +122,7 @@ misspell:
.PHONY: fmt
fmt: add-headers python-env
@$(foreach var,$(PROJECTS) dev-tools,$(MAKE) -C $(var) fmt || exit 1;)
@$(foreach var,$(PROJECTS) dev-tools $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) fmt || exit 1;)
@# Cleans also python files which are not part of the beats
@$(FIND) -name "*.py" -exec $(PYTHON_ENV)/bin/autopep8 --in-place --max-line-length 120 {} \;
@ -150,8 +165,8 @@ snapshot:
# Builds a release.
.PHONY: release
release: beats-dashboards
@$(foreach var,$(BEATS),$(MAKE) -C $(var) release || exit 1;)
@$(foreach var,$(BEATS), \
@$(foreach var,$(BEATS) $(PROJECTS_XPACK_PKG),$(MAKE) -C $(var) release || exit 1;)
@$(foreach var,$(BEATS) $(PROJECTS_XPACK_PKG), \
test -d $(var)/build/distributions && test -n "$$(ls $(var)/build/distributions)" || exit 0; \
mkdir -p build/distributions/$(subst $(XPACK_SUFFIX),'',$(var)) && mv -f $(var)/build/distributions/* build/distributions/$(subst $(XPACK_SUFFIX),'',$(var))/ || exit 1;)
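Review bot: in the `release` target the `|| exit 0` after the `test -d`/`test -n` guard terminates the single shell that the whole `$(foreach ...)` expansion runs in, so the first entry in `$(BEATS) $(PROJECTS_XPACK_PKG)` without a populated `build/distributions` directory stops the move for every Beat after it. Wrap the guard and the `mkdir`/`mv` in an `if ...; then ...; fi` per iteration so a missing directory only skips that one Beat.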
@ -167,11 +182,6 @@ release-manager-snapshot:
release-manager-release:
./dev-tools/run_with_go_ver $(MAKE) release
# Installs the mage build tool from the vendor directory.
.PHONY: mage
mage:
@go install github.com/elastic/beats/vendor/github.com/magefile/mage
# Collects dashboards from all Beats and generates a zip file distribution.
.PHONY: beats-dashboards
beats-dashboards: mage update
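Review bot: this hunk removes the `mage` target from the top-level Makefile while `clean: mage` (changed earlier in this diff) and `beats-dashboards: mage update` still depend on it. That is only safe if the newly included `dev-tools/make/mage.mk` defines a `mage` target; please confirm, otherwise `make clean` and `make beats-dashboards` fail with a missing-target error.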

File diff suppressed because it is too large

@ -21,7 +21,9 @@ Beat | Description
--- | ---
[Auditbeat](https://github.com/elastic/beats/tree/master/auditbeat) | Collect your Linux audit framework data and monitor the integrity of your files.
[Filebeat](https://github.com/elastic/beats/tree/master/filebeat) | Tails and ships log files
[Functionbeat](https://github.com/elastic/beats/tree/master/x-pack/functionbeat) | Read and ships events from serverless infrastructure.
[Heartbeat](https://github.com/elastic/beats/tree/master/heartbeat) | Ping remote services for availability
[Journalbeat](https://github.com/elastic/beats/tree/master/journalbeat) | Read and ships event from Journald.
[Metricbeat](https://github.com/elastic/beats/tree/master/metricbeat) | Fetches sets of metrics from the operating system and services
[Packetbeat](https://github.com/elastic/beats/tree/master/packetbeat) | Monitors the network and applications by sniffing packets
[Winlogbeat](https://github.com/elastic/beats/tree/master/winlogbeat) | Fetches and ships Windows Event logs
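Review bot: the two new rows read "Read and ships events from serverless infrastructure" and "Read and ships event from Journald"; the surrounding rows use third-person singular, so "Reads and ships events ..." in both.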
@ -40,7 +42,9 @@ on the [elastic.co site](https://www.elastic.co/guide/):
* [Beats platform](https://www.elastic.co/guide/en/beats/libbeat/current/index.html)
* [Auditbeat](https://www.elastic.co/guide/en/beats/auditbeat/current/index.html)
* [Filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/index.html)
* [Functionbeat](https://www.elastic.co/guide/en/beats/functionbeat/current/index.html)
* [Heartbeat](https://www.elastic.co/guide/en/beats/heartbeat/current/index.html)
* [Journalbeat](https://www.elastic.co/guide/en/beats/journalbeat/current/index.html)
* [Metricbeat](https://www.elastic.co/guide/en/beats/metricbeat/current/index.html)
* [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/index.html)
* [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/index.html)
@ -77,3 +81,7 @@ Beats](https://github.com/elastic/beats/blob/master/libbeat/docs/communitybeats.
See our [CONTRIBUTING](CONTRIBUTING.md) file for information about setting up
your dev environment to build Beats from the source.
## Snapshots
For testing purposes, we generate snapshot builds that you can find [here](https://beats-ci.elastic.co/job/elastic+beats+master+multijob-package-linux/lastSuccessfulBuild/gcsObjects/). Please be aware that these are built on top of master and are not meant for production.


@ -37,7 +37,7 @@ cmd /c mklink /d C:\\Gopath\\src\\github.com\\elastic\\beats \\\\vboxsvr\\vagran
echo "Installing gvm to manage go version"
[Net.ServicePointManager]::SecurityProtocol = "tls12"
Invoke-WebRequest -URI https://github.com/andrewkroh/gvm/releases/download/v0.0.5/gvm-windows-amd64.exe -Outfile C:\Windows\System32\gvm.exe
Invoke-WebRequest -URI https://github.com/andrewkroh/gvm/releases/download/v0.1.0/gvm-windows-amd64.exe -Outfile C:\Windows\System32\gvm.exe
C:\Windows\System32\gvm.exe --format=powershell #{GO_VERSION} | Invoke-Expression
go version
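Review bot: the Windows provisioner downloads `gvm-windows-amd64.exe` straight into `C:\Windows\System32` with no integrity check; since this tool then fetches and installs Go, compare the download against a checksum recorded in the repository (`Get-FileHash`) before placing it in a system directory, and update that checksum together with the version bump made here (v0.0.5 to v0.1.0).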
@ -69,16 +69,19 @@ if [ -d "/vagrant" ] && [ ! -e "beats" ]; then ln -s /vagrant beats; fi
SCRIPT
# Linux GVM
$linuxGvmProvision = <<SCRIPT
def linuxGvmProvision(arch="amd64")
return <<SCRIPT
mkdir -p ~/bin
if [ ! -e "~/bin/gvm" ]; then
curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.0.5/gvm-linux-amd64
curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.1.0/gvm-linux-#{arch}
chmod +x ~/bin/gvm
~/bin/gvm #{GO_VERSION}
echo 'export GOPATH=$HOME/go' >> ~/.bash_profile
echo 'export PATH=$HOME/bin:$GOPATH/bin:$PATH' >> ~/.bash_profile
echo 'eval "$(gvm #{GO_VERSION})"' >> ~/.bash_profile
fi
SCRIPT
end
Vagrant.configure(2) do |config|
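Review bot: `if [ ! -e "~/bin/gvm" ]` never matches because the tilde is not expanded inside double quotes, so the download runs on every provision and the three `.bash_profile` lines are appended again each time; use `[ ! -e "$HOME/bin/gvm" ]`. The `curl -sL` fetch also lacks `-f`, so an HTTP error page would be saved as the binary and made executable; use `curl -fsSL` and, as for the Windows path, verify a checksum before running it.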
@ -140,7 +143,17 @@ Vagrant.configure(2) do |config|
c.vm.network :forwarded_port, guest: 22, host: 2226, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
end
config.vm.define "precise32", primary: true do |c|
c.vm.box = "ubuntu/precise32"
c.vm.network :forwarded_port, guest: 22, host: 2226, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision("386"), privileged: false
c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
end
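Review bot: the new `precise32` box reuses host port 2226, which the box directly above already forwards for ssh. `auto_correct: true` will pick another port at `vagrant up`, but then the explicit `host:` value is meaningless; give it a port not already used elsewhere in the file (the new `centos7` box at the end uses 2231).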
@ -150,7 +163,7 @@ Vagrant.configure(2) do |config|
c.vm.network :forwarded_port, guest: 22, host: 2229, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: "yum install -y make gcc python-pip python-virtualenv git"
c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
@ -161,7 +174,7 @@ Vagrant.configure(2) do |config|
c.vm.network :forwarded_port, guest: 22, host: 2227, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: "dnf install -y make gcc python-pip python-virtualenv git"
c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
@ -172,7 +185,7 @@ Vagrant.configure(2) do |config|
c.vm.network :forwarded_port, guest: 22, host: 2228, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: "pacman -Sy && pacman -S --noconfirm make gcc python-pip python-virtualenv git"
c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
@ -183,7 +196,7 @@ Vagrant.configure(2) do |config|
c.vm.network :forwarded_port, guest: 22, host: 2229, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: "apt-get update && apt-get install -y make gcc python-pip python-virtualenv git"
c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
@ -194,7 +207,7 @@ Vagrant.configure(2) do |config|
c.vm.network :forwarded_port, guest: 22, host: 2230, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: "pip install virtualenv"
c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
@ -210,6 +223,17 @@ Vagrant.configure(2) do |config|
end
end
config.vm.define "centos7", primary: true do |c|
c.vm.box = "bento/centos-7"
c.vm.network :forwarded_port, guest: 22, host: 2231, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: "yum install -y make gcc python-pip python-virtualenv git"
c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
end
end
# -*- mode: ruby -*-


@ -1,17 +1,13 @@
FROM golang:1.10.6
MAINTAINER Nicolas Ruflin <ruflin@elastic.co>
FROM golang:1.12.4
RUN set -x && \
apt-get update && \
apt-get install -y --no-install-recommends \
netcat python-pip virtualenv && \
apt-get clean
RUN \
apt-get update \
&& apt-get install -y --no-install-recommends \
python-pip \
virtualenv \
librpm-dev \
&& rm -rf /var/lib/apt/lists/*
RUN pip install --upgrade pip
RUN pip install --upgrade setuptools
# Setup work environment
ENV AUDITBEAT_PATH /go/src/github.com/elastic/beats/auditbeat
RUN mkdir -p $AUDITBEAT_PATH/build/coverage
WORKDIR $AUDITBEAT_PATH
HEALTHCHECK CMD exit 0
RUN pip install --upgrade docker-compose==1.23.2
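Review bot: `pip install --upgrade pip` and `pip install --upgrade setuptools` are unpinned while `docker-compose==1.23.2` is pinned, so two rebuilds of this image can differ in the tooling that installs the pinned package; pin both to known versions. `HEALTHCHECK CMD exit 0` always reports healthy and could simply be dropped.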


@ -2,37 +2,12 @@ BEAT_NAME=auditbeat
BEAT_TITLE=Auditbeat
SYSTEM_TESTS=true
TEST_ENVIRONMENT?=true
GOX_OS?=linux windows ## @Building List of all OS to be supported by "make crosscompile".
DEV_OS?=linux
GOX_OS?=linux windows
ES_BEATS?=..
EXCLUDE_COMMON_UPDATE_TARGET=true
# Path to the libbeat Makefile
include ${ES_BEATS}/libbeat/scripts/Makefile
# Collects all dependencies and then calls update
.PHONY: collect
collect: collect-docs configs kibana
# Collects all module configs
.PHONY: configs
configs: python-env
@cat ${ES_BEATS}/auditbeat/_meta/common.p1.yml \
<(go run scripts/generate_config.go -os ${DEV_OS} -concat) \
${ES_BEATS}/auditbeat/_meta/common.p2.yml > _meta/beat.yml
@cat ${ES_BEATS}/auditbeat/_meta/common.reference.yml \
<(go run scripts/generate_config.go -os ${DEV_OS} -ref -concat) > _meta/beat.reference.yml
# Collects all module docs
.PHONY: collect-docs
collect-docs: python-env
@rm -rf docs/modules
@mkdir -p docs/modules
@go run scripts/generate_config.go -os linux
@${PYTHON_ENV}/bin/python ${ES_BEATS}/auditbeat/scripts/docs_collector.py --beat ${BEAT_NAME}
# Collects all module dashboards
.PHONY: kibana
kibana:
@-rm -rf _meta/kibana.generated
@mkdir -p _meta/kibana.generated
@-cp -pr module/*/_meta/kibana/* _meta/kibana.generated
.PHONY: update
update: mage
mage update


@ -0,0 +1,14 @@
auditbeat.modules:
- module: auditd
audit_rules: |
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
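Review bot: the `access` audit rule is `-F arch=b32` only, so on an x86_64 host it records EPERM failures from 32-bit syscalls and misses every native 64-bit process; add the matching `-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access` rule, and consider a second pair with `-F exit=-EACCES`, which is the more common failure code for denied file access.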


@ -1,6 +1,6 @@
#==================== Elasticsearch template setting ==========================
setup.template.settings:
index.number_of_shards: 3
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false


@ -22,7 +22,7 @@ auditbeat.config.modules:
# Set to true to enable config reloading
reload.enabled: false
# Maximum amount of time to randomly delay the start of a metricset. Use 0 to
# Maximum amount of time to randomly delay the start of a dataset. Use 0 to
# disable startup delay.
auditbeat.max_start_delay: 10s


@ -3,71 +3,11 @@
description: >
Contains common fields available in all event types.
fields:
- name: event.module
description: >
The name of the module that generated the event.
- name: event.action
type: keyword
example: logged-in
description: >
Action describes the change that triggered the event.
For the file integrity module the possible values are:
attributes_modified, created, deleted, updated, moved, and config_change.
- name: file
type: group
description: File attributes.
fields:
- name: path
type: text
description: The path to the file.
multi_fields:
- name: raw
type: keyword
description: >
The path to the file. This is a non-analyzed field that is useful
for aggregations.
- name: target_path
type: keyword
description: The target path for symlinks.
- name: type
type: keyword
description: The file type (file, dir, or symlink).
- name: device
type: keyword
description: The device.
- name: inode
type: keyword
description: The inode representing the file in the filesystem.
- name: uid
type: keyword
description: >
The user ID (UID) or security identifier (SID) of the file owner.
- name: owner
type: keyword
description: The file owner's username.
- name: gid
type: keyword
description: The primary group ID (GID) of the file.
- name: group
type: keyword
description: The primary group name of the file.
- name: mode
type: keyword
example: 0640
description: The mode of the file in octal representation.
- name: setuid
type: boolean
example: true
@ -78,20 +18,8 @@
example: true
description: Set if the file has the `setgid` bit set. Omitted otherwise.
- name: size
type: long
description: The file size in bytes (field is only added when `type` is `file`).
- name: mtime
type: date
description: The last modified time of the file (time when content was modified).
- name: ctime
type: date
description: The last change time of the file (time when metadata was changed).
- name: origin
type: text
type: keyword
description: >
An array of strings describing a possible external origin for
this file. For example, the URL it was downloaded from. Only
@ -121,3 +49,82 @@
type: keyword
example: s0
description: The object's SELinux level.
- name: user
type: group
description: User information.
fields:
- name: audit
type: group
description: Audit user information.
fields:
- name: id
type: keyword
description: Audit user ID.
- name: name
type: keyword
description: Audit user name.
- name: effective
type: group
description: Effective user information.
fields:
- name: id
type: keyword
description: Effective user ID.
- name: name
type: keyword
description: Effective user name.
- name: group
type: group
description: Effective group information.
fields:
- name: id
type: keyword
description: Effective group ID.
- name: name
type: keyword
description: Effective group name.
- name: filesystem
type: group
description: Filesystem user information.
fields:
- name: id
type: keyword
description: Filesystem user ID.
- name: name
type: keyword
description: Filesystem user name.
- name: group
type: group
description: Filesystem group information.
fields:
- name: id
type: keyword
description: Filesystem group ID.
- name: name
type: keyword
description: Filesystem group name.
- name: saved
type: group
description: Saved user information.
fields:
- name: id
type: keyword
description: Saved user ID.
- name: name
type: keyword
description: Saved user name.
- name: group
type: group
description: Saved group information.
fields:
- name: id
type: keyword
description: Saved group ID.
- name: name
type: keyword
description: Saved group name.


@ -0,0 +1,21 @@
auditbeat.modules:
- module: auditd
audit_rules: |
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
processors:
- add_cloud_metadata: ~
output.elasticsearch:
hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
username: '${ELASTICSEARCH_USERNAME:}'
password: '${ELASTICSEARCH_PASSWORD:}'
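Review bot: same point as the OSS `auditbeat.docker.yml` earlier in this diff: the `access` rule is `arch=b32` only and needs a `-F arch=b64` twin on 64-bit hosts. Sourcing the Elasticsearch credentials from `ELASTICSEARCH_USERNAME`/`ELASTICSEARCH_PASSWORD` rather than hard-coding them is right, but the empty defaults mean an unset variable silently yields empty credentials instead of a configuration error; a comment in the file stating that the variables must be set would help.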


@ -22,7 +22,7 @@ auditbeat.config.modules:
# Set to true to enable config reloading
reload.enabled: false
# Maximum amount of time to randomly delay the start of a metricset. Use 0 to
# Maximum amount of time to randomly delay the start of a dataset. Use 0 to
# disable startup delay.
auditbeat.max_start_delay: 10s
@ -84,6 +84,11 @@ auditbeat.modules:
- '~$'
- '/\.git($|/)'
# List of regular expressions used to explicitly include files. When configured,
# Auditbeat will ignore files unless they match a pattern.
#include_files:
#- '/\.ssh($|/)'
# Scan over the configured file paths at startup and send events for new or
# modified files since the last time Auditbeat was running.
scan_at_start: true
@ -190,7 +195,7 @@ auditbeat.modules:
# Sets the write buffer size.
#buffer_size: 1MiB
# Maximum duration after which events are flushed, if the write buffer
# Maximum duration after which events are flushed if the write buffer
# is not full yet. The default value is 1s.
#flush.timeout: 1s
@ -204,7 +209,7 @@ auditbeat.modules:
#codec: cbor
#read:
# Reader flush timeout, waiting for more events to become available, so
# to fill a complete batch, as required by the outputs.
# to fill a complete batch as required by the outputs.
# If flush_timeout is 0, all available events are forwarded to the
# outputs immediately.
# The default value is 0s.
@ -286,6 +291,7 @@ auditbeat.modules:
# match_source_index: 4
# match_short_id: false
# cleanup_timeout: 60
# labels.dedot: false
# # To connect to Docker over TLS you must specify a client and CA certificate.
# #ssl:
# # certificate_authority: "/etc/pki/root/ca.pem"
@ -323,10 +329,53 @@ auditbeat.modules:
# max_depth: 1
# target: ""
# overwrite_keys: false
#
#processors:
#- decompress_gzip_field:
# from: "field1"
# to: "field2"
# ignore_missing: false
# fail_on_error: true
#
# The following example copies the value of message to message_copied
#
#processors:
#- copy_fields:
# fields:
# - from: message
# to: message_copied
# fail_on_error: true
# ignore_missing: false
#
# The following example truncates the value of message to 1024 bytes
#
#processors:
#- truncate_fields:
# fields:
# - message
# max_bytes: 1024
# fail_on_error: false
# ignore_missing: true
#
# The following example preserves the raw message under event.original
#
#processors:
#- copy_fields:
# fields:
# - from: message
# to: event.original
# fail_on_error: false
# ignore_missing: true
#- truncate_fields:
# fields:
# - event.original
# max_bytes: 1024
# fail_on_error: false
# ignore_missing: true
#============================= Elastic Cloud ==================================
# These settings simplify using auditbeat with the Elastic Cloud (https://cloud.elastic.co/).
# These settings simplify using Auditbeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
@ -355,15 +404,15 @@ output.elasticsearch:
# Set gzip compression level.
#compression_level: 0
# Configure escaping html symbols in strings.
#escape_html: true
# Configure escaping HTML symbols in strings.
#escape_html: false
# Optional protocol and basic auth credentials.
#protocol: "https"
#username: "elastic"
#password: "changeme"
# Dictionary of HTTP parameters to pass within the url with index operations.
# Dictionary of HTTP parameters to pass within the URL with index operations.
#parameters:
#param1: value1
#param2: value2
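Review bot: the documented default for `escape_html` flips from `true` to `false` in this hunk. Escaping HTML in string fields before indexing is a behavioural change for anyone rendering field values downstream, so confirm the comment matches the code default in libbeat and that the change is listed in the changelog's breaking changes.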
@ -374,21 +423,26 @@ output.elasticsearch:
# Optional index name. The default is "auditbeat" plus date
# and generates [auditbeat-]YYYY.MM.DD keys.
# In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly.
#index: "auditbeat-%{[beat.version]}-%{+yyyy.MM.dd}"
#index: "auditbeat-%{[agent.version]}-%{+yyyy.MM.dd}"
# Optional ingest node pipeline. By default no pipeline will be used.
#pipeline: ""
# Optional HTTP Path
# Optional HTTP path
#path: "/elasticsearch"
# Custom HTTP headers to add to each request
#headers:
# X-My-Header: Contents of the header
# Proxy server url
# Proxy server URL
#proxy_url: http://proxy:3128
# Whether to disable proxy settings for outgoing connections. If true, this
# takes precedence over both the proxy_url field and any environment settings
# (HTTP_PROXY, HTTPS_PROXY). The default is false.
#proxy_disable: false
# The number of times a particular Elasticsearch index operation is attempted. If
# the indexing operation doesn't succeed after this many retries, the events are
# dropped. The default is 3.
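Review bot: the `index` example changes from `%{[beat.version]}` to `%{[agent.version]}` while the comment two lines above still only says that `setup.template.name` and `setup.template.pattern` must be updated to match; the matching template changes are in a later hunk of this file, so the commit is consistent, but a user who copies just this line into an older config ends up with a template pattern that does not match the index. Add a short note that `agent.version` replaces `beat.version`. Separately, the new `proxy_disable` comment lists `HTTP_PROXY` and `HTTPS_PROXY` as the environment settings it overrides; if `NO_PROXY` is ignored as well when this is set, list it too so the stated precedence is complete.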
@ -409,46 +463,44 @@ output.elasticsearch:
# Elasticsearch after a network error. The default is 60s.
#backoff.max: 60s
# Configure http request timeout before failing a request to Elasticsearch.
# Configure HTTP request timeout before failing a request to Elasticsearch.
#timeout: 90
# Use SSL settings for HTTPS.
#ssl.enabled: true
# Configure SSL verification mode. If `none` is configured, all server hosts
# and certificates will be accepted. In this mode, SSL based connections are
# and certificates will be accepted. In this mode, SSL-based connections are
# susceptible to man-in-the-middle attacks. Use only for testing. Default is
# `full`.
#ssl.verification_mode: full
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to
# List of supported/valid TLS versions. By default all TLS versions from 1.0 up to
# 1.2 are enabled.
#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
# SSL configuration. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
# Client certificate key
#ssl.key: "/etc/pki/client/cert.key"
# Optional passphrase for decrypting the Certificate Key.
# Optional passphrase for decrypting the certificate key.
#ssl.key_passphrase: ''
# Configure cipher suites to be used for SSL connections
#ssl.cipher_suites: []
# Configure curve types for ECDHE based cipher suites
# Configure curve types for ECDHE-based cipher suites
#ssl.curve_types: []
# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never
#----------------------------- Logstash output ---------------------------------
#output.logstash:
# Boolean flag to enable or disable the output module.
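Review bot: the `ssl.supported_protocols` example still reads `[TLSv1.0, TLSv1.1, TLSv1.2]`, so uncommenting it re-enables two deprecated protocol versions; since these commented examples are what people copy, show a hardened value such as `[TLSv1.2]` and leave the permissive default to the comment text. Also, `# SSL configuration. By default is off.` at the top of the certificate block is left as-is here while the same sentence is corrected to `The default is off.` in the Kibana and monitoring sections later in this file; fix it here as well. Finally, `ssl.key_passphrase: ''` documents placing the private-key passphrase in the config file in clear text; if a secrets store is available for these settings, the comment should point to it.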
@ -463,8 +515,8 @@ output.elasticsearch:
# Set gzip compression level.
#compression_level: 3
# Configure escaping html symbols in strings.
#escape_html: true
# Configure escaping HTML symbols in strings.
#escape_html: false
# Optional maximum time to live for a connection to Logstash, after which the
# connection will be re-established. A value of `0s` (the default) will
@ -473,7 +525,7 @@ output.elasticsearch:
# Not yet supported for async connections (i.e. with the "pipelining" option set)
#ttl: 30s
# Optional load balance the events between the Logstash hosts. Default is false.
# Optionally load-balance events between Logstash hosts. Default is false.
#loadbalance: false
# Number of batches to be sent asynchronously to Logstash while processing
@ -506,7 +558,7 @@ output.elasticsearch:
# Resolve names locally when using a proxy server. Defaults to false.
#proxy_use_local_resolver: false
# Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
# Enable SSL support. SSL is automatically enabled if any SSL setting is set.
#ssl.enabled: true
# Configure SSL verification mode. If `none` is configured, all server hosts
@ -515,7 +567,7 @@ output.elasticsearch:
# `full`.
#ssl.verification_mode: full
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to
# List of supported/valid TLS versions. By default all TLS versions from 1.0 up to
# 1.2 are enabled.
#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
@ -526,7 +578,7 @@ output.elasticsearch:
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
# Client certificate key
#ssl.key: "/etc/pki/client/cert.key"
# Optional passphrase for decrypting the Certificate Key.
@ -535,7 +587,7 @@ output.elasticsearch:
# Configure cipher suites to be used for SSL connections
#ssl.cipher_suites: []
# Configure curve types for ECDHE based cipher suites
# Configure curve types for ECDHE-based cipher suites
#ssl.curve_types: []
# Configure what types of renegotiation are supported. Valid options are
@ -562,7 +614,7 @@ output.elasticsearch:
# Boolean flag to enable or disable the output module.
#enabled: true
# The list of Kafka broker addresses from where to fetch the cluster metadata.
# The list of Kafka broker addresses from which to fetch the cluster metadata.
# The cluster metadata contain the actual Kafka brokers events are published
# to.
#hosts: ["localhost:9092"]
@ -571,7 +623,7 @@ output.elasticsearch:
# using any event field. To set the topic from document type use `%{[type]}`.
#topic: beats
# The Kafka event key setting. Use format string to create unique event key.
# The Kafka event key setting. Use format string to create a unique event key.
# By default no event key will be generated.
#key: ''
@ -592,35 +644,38 @@ output.elasticsearch:
#username: ''
#password: ''
# Kafka version auditbeat is assumed to run against. Defaults to the "1.0.0".
# Kafka version Auditbeat is assumed to run against. Defaults to the "1.0.0".
#version: '1.0.0'
# Configure JSON encoding
#codec.json:
# Pretty print json event
# Pretty-print JSON event
#pretty: false
# Configure escaping html symbols in strings.
#escape_html: true
# Configure escaping HTML symbols in strings.
#escape_html: false
# Metadata update configuration. Metadata do contain leader information
# deciding which broker to use when publishing.
# Metadata update configuration. Metadata contains leader information
# used to decide which broker to use when publishing.
#metadata:
# Max metadata request retry attempts when cluster is in middle of leader
# election. Defaults to 3 retries.
#retry.max: 3
# Waiting time between retries during leader elections. Default is 250ms.
# Wait time between retries during leader elections. Default is 250ms.
#retry.backoff: 250ms
# Refresh metadata interval. Defaults to every 10 minutes.
#refresh_frequency: 10m
# Strategy for fetching the topics metadata from the broker. Default is false.
#full: false
# The number of concurrent load-balanced Kafka output workers.
#worker: 1
# The number of times to retry publishing an event after a publishing failure.
# After the specified number of retries, the events are typically dropped.
# After the specified number of retries, events are typically dropped.
# Some Beats, such as Filebeat, ignore the max_retries setting and retry until
# all events are published. Set max_retries to a value less than 0 to retry
# until all events are published. The default is 3.
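Review bot: the `#full: false` entry under `metadata` only says "Strategy for fetching the topics metadata from the broker. Default is false.", which does not tell the reader what `true` selects; state what each value fetches (for example, metadata for every topic in the cluster versus only the topics being published to) so the knob is usable. Also, `Defaults to the "1.0.0"` on the `version` line should read `Defaults to "1.0.0"`, and the `retry.max` comment would benefit from saying what happens once the metadata retries are exhausted (whether the batch is dropped or retried under `max_retries`).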
@ -630,6 +685,10 @@ output.elasticsearch:
# is 2048.
#bulk_max_size: 2048
# Duration to wait before sending bulk Kafka request. 0 is no delay. The default
# is 0.
#bulk_flush_frequency: 0s
# The number of seconds to wait for responses from the Kafka brokers before
# timing out. The default is 30s.
#timeout: 30s
@ -668,7 +727,7 @@ output.elasticsearch:
# purposes. The default is "beats".
#client_id: beats
# Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
# Enable SSL support. SSL is automatically enabled if any SSL setting is set.
#ssl.enabled: true
# Optional SSL configuration options. SSL is off by default.
@ -681,7 +740,7 @@ output.elasticsearch:
# `full`.
#ssl.verification_mode: full
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to
# List of supported/valid TLS versions. By default all TLS versions from 1.0 up to
# 1.2 are enabled.
#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
@ -697,7 +756,7 @@ output.elasticsearch:
# Configure cipher suites to be used for SSL connections
#ssl.cipher_suites: []
# Configure curve types for ECDHE based cipher suites
# Configure curve types for ECDHE-based cipher suites
#ssl.curve_types: []
# Configure what types of renegotiation are supported. Valid options are
@ -714,23 +773,19 @@ output.elasticsearch:
# Pretty print json event
#pretty: false
# Configure escaping html symbols in strings.
#escape_html: true
# Configure escaping HTML symbols in strings.
#escape_html: false
# The list of Redis servers to connect to. If load balancing is enabled, the
# The list of Redis servers to connect to. If load-balancing is enabled, the
# events are distributed to the servers in the list. If one server becomes
# unreachable, the events are distributed to the reachable servers only.
#hosts: ["localhost:6379"]
# The Redis port to use if hosts does not contain a port number. The default
# is 6379.
#port: 6379
# The name of the Redis list or channel the events are published to. The
# default is auditbeat.
#key: auditbeat
# The password to authenticate with. The default is no authentication.
# The password to authenticate to Redis with. The default is no authentication.
#password:
# The Redis database number where the events are published. The default is 0.
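Review bot: the `#port: 6379` setting and its comment are removed from the Redis output section without a replacement; if the option is still accepted it should stay documented, and if it has been dropped the removal belongs in the breaking-changes list, because a config that relies on it would start connecting to whatever default applies to `hosts` entries without a port. The `hosts` comment above now only implies that the port goes on each host entry; make that explicit.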
@ -831,11 +886,11 @@ output.elasticsearch:
# Configure JSON encoding
#codec.json:
# Pretty print json event
# Pretty-print JSON event
#pretty: false
# Configure escaping html symbols in strings.
#escape_html: true
# Configure escaping HTML symbols in strings.
#escape_html: false
# Path to the directory where to save the generated files. The option is
# mandatory.
@ -846,7 +901,7 @@ output.elasticsearch:
#filename: auditbeat
# Maximum size in kilobytes of each file. When this size is reached, and on
# every auditbeat restart, the files are rotated. The default value is 10240
# every Auditbeat restart, the files are rotated. The default value is 10240
# kB.
#rotate_every_kb: 10000
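Review bot: the comment on `rotate_every_kb` states the default is 10240 kB, but the commented example reads `#rotate_every_kb: 10000`; every other commented example in this file shows the default value, so either the example or the stated default is wrong. Align the two so that uncommenting the line does not silently change the rotation size.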
@ -858,7 +913,6 @@ output.elasticsearch:
# Permissions to use for file creation. The default is 0600.
#permissions: 0600
#----------------------------- Console output ---------------------------------
#output.console:
# Boolean flag to enable or disable the output module.
@ -866,34 +920,34 @@ output.elasticsearch:
# Configure JSON encoding
#codec.json:
# Pretty print json event
# Pretty-print JSON event
#pretty: false
# Configure escaping html symbols in strings.
#escape_html: true
# Configure escaping HTML symbols in strings.
#escape_html: false
#================================= Paths ======================================
# The home path for the auditbeat installation. This is the default base path
# The home path for the Auditbeat installation. This is the default base path
# for all other path settings and for miscellaneous files that come with the
# distribution (for example, the sample dashboards).
# If not set by a CLI flag or in the configuration file, the default for the
# home path is the location of the binary.
#path.home:
# The configuration path for the auditbeat installation. This is the default
# The configuration path for the Auditbeat installation. This is the default
# base path for configuration files, including the main YAML configuration file
# and the Elasticsearch template file. If not set by a CLI flag or in the
# configuration file, the default for the configuration path is the home path.
#path.config: ${path.home}
# The data path for the auditbeat installation. This is the default base path
# for all the files in which auditbeat needs to store its data. If not set by a
# The data path for the Auditbeat installation. This is the default base path
# for all the files in which Auditbeat needs to store its data. If not set by a
# CLI flag or in the configuration file, the default for the data path is a data
# subdirectory inside the home path.
#path.data: ${path.home}/data
# The logs path for a auditbeat installation. This is the default location for
# The logs path for a Auditbeat installation. This is the default location for
# the Beat's log files. If not set by a CLI flag or in the configuration file,
# the default for the logs path is a logs subdirectory inside the home path.
#path.logs: ${path.home}/logs
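Review bot: `# The logs path for a Auditbeat installation` in the `path.logs` comment keeps the article from the old lowercase wording; with the capitalised name it should read `an Auditbeat installation`. The other three path comments in this hunk read correctly.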
@ -956,14 +1010,14 @@ output.elasticsearch:
# Set to false to disable template loading.
#setup.template.enabled: true
# Template name. By default the template name is "auditbeat-%{[beat.version]}"
# The template name and pattern has to be set in case the elasticsearch index pattern is modified.
#setup.template.name: "auditbeat-%{[beat.version]}"
# Template name. By default the template name is "auditbeat-%{[agent.version]}"
# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
#setup.template.name: "auditbeat-%{[agent.version]}"
# Template pattern. By default the template pattern is "-%{[beat.version]}-*" to apply to the default index settings.
# Template pattern. By default the template pattern is "-%{[agent.version]}-*" to apply to the default index settings.
# The first part is the version of the beat and then -* is used to match all daily indices.
# The template name and pattern has to be set in case the elasticsearch index pattern is modified.
#setup.template.pattern: "auditbeat-%{[beat.version]}-*"
# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
#setup.template.pattern: "auditbeat-%{[agent.version]}-*"
# Path to fields.yml file to generate the template
#setup.template.fields: "${path.config}/fields.yml"
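Review bot: `The template name and pattern has to be set` appears twice in this hunk and should be `have to be set` (plural subject); the sentence is already being rewritten, so fix the agreement in the same change. The switch from `%{[beat.version]}` to `%{[agent.version]}` in `setup.template.name` and `setup.template.pattern` is the counterpart of the `output.elasticsearch.index` change earlier in this file; good that all three move together, since a mismatch would leave the daily indices without the template's mappings.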
@ -975,10 +1029,10 @@ output.elasticsearch:
#- name: field_name
# type: field_type
# Enable json template loading. If this is enabled, the fields.yml is ignored.
# Enable JSON template loading. If this is enabled, the fields.yml is ignored.
#setup.template.json.enabled: false
# Path to the json template file
# Path to the JSON template file
#setup.template.json.path: "${path.config}/template.json"
# Name under which the template is stored in Elasticsearch
@ -1003,6 +1057,41 @@ setup.template.settings:
#_source:
#enabled: false
#============================== Setup ILM =====================================
# Configure index lifecycle management (ILM). These settings create a write
# alias and add additional settings to the index template. When ILM is enabled,
# output.elasticsearch.index is ignored, and the write alias is used to set the
# index name.
# Enable ILM support. Valid values are true, false, and auto. When set to auto
# (the default), the Beat uses index lifecycle management when it connects to a
# cluster that supports ILM; otherwise, it creates daily indices.
#setup.ilm.enabled: auto
# Set the prefix used in the index lifecycle write alias name. The default alias
# name is 'auditbeat-%{[agent.version]}'.
#setup.ilm.rollover_alias: "auditbeat"
# Set the rollover index pattern. The default is "%{now/d}-000001".
#setup.ilm.pattern: "{now/d}-000001"
# Set the lifecycle policy name. The default policy name is
# 'auditbeat-%{[agent.version]}'.
#setup.ilm.policy_name: "mypolicy"
# The path to a JSON file that contains a lifecycle policy configuration. Used
# to load your own lifecycle policy.
#setup.ilm.policy_file:
# Disable the check for an existing lifecycle policy. The default is false. If
# you disable this check, set setup.ilm.overwrite: true so the lifecycle policy
# can be installed.
#setup.ilm.check_exists: false
# Overwrite the lifecycle policy at startup. The default is false.
#setup.ilm.overwrite: false
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
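Review bot: the `setup.ilm.pattern` comment says the default is `"%{now/d}-000001"` while the example line below it reads `"{now/d}-000001"`; one of the two has a stray or missing `%`, and because this string becomes part of the rollover index name the reader needs to know which form is literal. The `setup.ilm.check_exists` entry is also confusing: the comment reads "Disable the check for an existing lifecycle policy. The default is false.", but the key is named `check_exists` and the example shows `false`, which reads as "the check is off by default". Reword it to state the default value of `check_exists` itself (presumably `true`) and what happens when the check runs and no policy exists. The note that `output.elasticsearch.index` is ignored when ILM is enabled is useful; consider repeating it next to the `index` setting in the Elasticsearch output section.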
@ -1020,7 +1109,7 @@ setup.kibana:
#username: "elastic"
#password: "changeme"
# Optional HTTP Path
# Optional HTTP path
#path: ""
# Use SSL settings for HTTPS. Default is true.
@ -1032,27 +1121,27 @@ setup.kibana:
# `full`.
#ssl.verification_mode: full
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to
# List of supported/valid TLS versions. By default all TLS versions from 1.0 up to
# 1.2 are enabled.
#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
# SSL configuration. By default is off.
# SSL configuration. The default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
# Client certificate key
#ssl.key: "/etc/pki/client/cert.key"
# Optional passphrase for decrypting the Certificate Key.
# Optional passphrase for decrypting the certificate key.
#ssl.key_passphrase: ''
# Configure cipher suites to be used for SSL connections
#ssl.cipher_suites: []
# Configure curve types for ECDHE based cipher suites
# Configure curve types for ECDHE-based cipher suites
#ssl.curve_types: []
@ -1070,13 +1159,16 @@ setup.kibana:
# Multiple selectors can be chained.
#logging.selectors: [ ]
# Send all logging output to stderr. The default is false.
#logging.to_stderr: false
# Send all logging output to syslog. The default is false.
#logging.to_syslog: false
# Send all logging output to Windows Event Logs. The default is false.
#logging.to_eventlog: false
# If enabled, auditbeat periodically logs its internal metrics that have changed
# If enabled, Auditbeat periodically logs its internal metrics that have changed
# in the last period. For each metric that changed, the delta from the value at
# the beginning of the period is logged. Also, the total values for
# all non-zero internal metrics are logged on shutdown. The default is true.
@ -1111,27 +1203,33 @@ logging.files:
# Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
# are boundary-aligned with minutes, hours, days, weeks, months, and years as
# reported by the local system clock. All other intervals are calculated from the
# unix epoch. Defaults to disabled.
# Unix epoch. Defaults to disabled.
#interval: 0
# Set to true to log messages in json format.
# Rotate existing logs on startup rather than appending to the existing
# file. Defaults to true.
# rotateonstartup: true
# Set to true to log messages in JSON format.
#logging.json: false
#============================== Xpack Monitoring =====================================
# auditbeat can export internal metrics to a central Elasticsearch monitoring cluster.
# This requires xpack monitoring to be enabled in Elasticsearch.
# The reporting is disabled by default.
#============================== Xpack Monitoring ===============================
# Auditbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false
#monitoring.enabled: false
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line, and leave the rest commented out.
#xpack.monitoring.elasticsearch:
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:
# Array of hosts to connect to.
# Scheme and port can be left out and will be set to the default (http and 9200)
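Review bot: the new `# rotateonstartup: true` line has a space after the `#`, unlike every other commented setting in this file (`#interval: 0` directly above it), so uncommenting it the way the others are uncommented leaves the key misindented relative to its `logging.files` siblings; write it as `#rotateonstartup: true`. In the monitoring block, `xpack.monitoring.enabled`/`xpack.monitoring.elasticsearch` are replaced by `monitoring.enabled`/`monitoring.elasticsearch`; if the old keys are still honoured the comment should say so, and if they are not, an existing config would stop reporting silently, which is a behaviour change to call out in the changelog.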
@ -1147,7 +1245,7 @@ logging.files:
#username: "beats_system"
#password: "changeme"
# Dictionary of HTTP parameters to pass within the url with index operations.
# Dictionary of HTTP parameters to pass within the URL with index operations.
#parameters:
#param1: value1
#param2: value2
@ -1179,7 +1277,7 @@ logging.files:
# Elasticsearch after a network error. The default is 60s.
#backoff.max: 60s
# Configure http request timeout before failing an request to Elasticsearch.
# Configure HTTP request timeout before failing an request to Elasticsearch.
#timeout: 90
# Use SSL settings for HTTPS.
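Review bot: `before failing an request to Elasticsearch` in the `timeout` comment keeps the old article error; it should read `a request`, matching the same comment in the Elasticsearch output section earlier in this file.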
@ -1191,27 +1289,27 @@ logging.files:
# `full`.
#ssl.verification_mode: full
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to
# List of supported/valid TLS versions. By default all TLS versions from 1.0 up to
# 1.2 are enabled.
#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
# SSL configuration. By default is off.
# SSL configuration. The default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
# Client certificate key
#ssl.key: "/etc/pki/client/cert.key"
# Optional passphrase for decrypting the Certificate Key.
# Optional passphrase for decrypting the certificate key.
#ssl.key_passphrase: ''
# Configure cipher suites to be used for SSL connections
#ssl.cipher_suites: []
# Configure curve types for ECDHE based cipher suites
# Configure curve types for ECDHE-based cipher suites
#ssl.curve_types: []
# Configure what types of renegotiation are supported. Valid options are
@ -1240,3 +1338,8 @@ logging.files:
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
#seccomp.enabled: true
#================================= Migration ==================================
# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: false

View File

@ -48,10 +48,9 @@ auditbeat.modules:
- /etc
#==================== Elasticsearch template setting ==========================
setup.template.settings:
index.number_of_shards: 3
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false
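Review bot: `index.number_of_shards` drops from 3 to 1 in the shipped config; this only affects indices created after the new template is loaded, so existing deployments keep 3 shards per daily index until the template is reloaded (for example with `setup.template.overwrite`), which is worth a line in the changelog. If the intent is to match the Elasticsearch 7 default of a single primary shard, the commit message should say so.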
@ -74,7 +73,7 @@ setup.template.settings:
#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
# options here or by using the `setup` command.
#setup.dashboards.enabled: false
# The URL from where to download the dashboards archive. By default this URL
@ -102,7 +101,7 @@ setup.kibana:
#============================= Elastic Cloud ==================================
# These settings simplify using auditbeat with the Elastic Cloud (https://cloud.elastic.co/).
# These settings simplify using Auditbeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
@ -142,7 +141,7 @@ output.elasticsearch:
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
#================================ Procesors =====================================
#================================ Processors =====================================
# Configure processors to enhance or manipulate events generated by the beat.
@ -167,11 +166,18 @@ processors:
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false
#monitoring.enabled: false
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#xpack.monitoring.elasticsearch:
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:
#================================= Migration ==================================
# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true
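Review bot: `migration.6_to_7.enabled` is `true` in this `auditbeat.yml` example but `false` in the `auditbeat.reference.yml` hunk earlier in this commit; the two files document the same setting with opposite values, so one of them misstates the default. Since this is the config users actually ship, and enabling the migration aliases changes which field names are present in events, state the real default in both files and explain in the comment what the aliases do.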

View File

@ -23,6 +23,7 @@ import (
"github.com/elastic/beats/auditbeat/core"
"github.com/elastic/beats/libbeat/cmd"
"github.com/elastic/beats/libbeat/cmd/instance"
"github.com/elastic/beats/metricbeat/beater"
"github.com/elastic/beats/metricbeat/mb/module"
)
@ -46,6 +47,6 @@ func init() {
),
)
var runFlags = pflag.NewFlagSet(Name, pflag.ExitOnError)
RootCmd = cmd.GenRootCmdWithRunFlags(Name, "", create, runFlags)
RootCmd = cmd.GenRootCmdWithSettings(create, instance.Settings{RunFlags: runFlags, Name: Name})
RootCmd.AddCommand(ShowCmd)
}
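Review bot: the old call `cmd.GenRootCmdWithRunFlags(Name, "", create, runFlags)` passed an explicit empty second argument that the new `instance.Settings{RunFlags: runFlags, Name: Name}` does not carry over; if that argument was the index prefix (an assumption from its position, not visible in the hunk), confirm that the corresponding unset field in `Settings` defaults to the beat name, otherwise the index and template names for this beat change without any mention in the commit.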

View File

@ -30,4 +30,10 @@ func AddDatasetToEvent(module, metricSet string, event *mb.Event) {
}
event.RootFields.Put("event.module", module)
// Modules without "datasets" should set their module and metricset names
// to the same value then this will omit the event.dataset field.
if module != metricSet {
event.RootFields.Put("event.dataset", metricSet)
}
}
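Review bot: the new comment `Modules without "datasets" should set their module and metricset names to the same value then this will omit the event.dataset field` is hard to parse; suggest `Modules without datasets set module and metricset to the same name; in that case event.dataset is omitted`. The return values of both `event.RootFields.Put` calls are discarded; if `Put` can fail (for example when `event` already exists as a non-map value), the error should at least be logged, otherwise a module that pre-populated `event` with a scalar silently loses its `event.module` and `event.dataset` fields.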

View File

@ -1,13 +1,15 @@
version: '2.1'
version: '2.3'
services:
beat:
build: ${PWD}/.
depends_on:
- proxy_dep
env_file:
- ${PWD}/build/test.env
working_dir: /go/src/github.com/elastic/beats/auditbeat
environment:
- ES_HOST=elasticsearch
- ES_PORT=9200
- ES_USER=beats
- ES_PASS=testing
- KIBANA_HOST=kibana
- KIBANA_PORT=5601
volumes:
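Review bot: the `ES_USER=beats`/`ES_PASS=testing` and host entries removed from `environment` are presumably now supplied through the new `env_file: ${PWD}/build/test.env` entry; since `build/` is a generated directory, the compose file (or the Makefile target that produces it) should document how that file is created, because the service fails to start when an `env_file` path does not exist. Moving the test credentials out of the compose file is fine, but make sure the generated env file is git-ignored so they do not come back through a different path.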

View File

@ -1,6 +1,6 @@
[[filtering-and-enhancing-data]]
== Filter and enhance the exported data
include::../../libbeat/docs/processors.asciidoc[]
include::{libbeat-dir}/docs/processors.asciidoc[]
include::../../libbeat/docs/processors-using.asciidoc[]
include::{libbeat-dir}/docs/processors-using.asciidoc[]

View File

@ -4,4 +4,4 @@
You can specify settings in the +{beatname_lc}.yml+ config file to control the
general behavior of {beatname_uc}.
include::../../libbeat/docs/generalconfig.asciidoc[]
include::{libbeat-dir}/docs/generalconfig.asciidoc[]

View File

@ -6,7 +6,7 @@ the +{beatname_lc}.yml+ config file. Each entry in the list begins with a dash
(-) and is followed by settings for that module.
The following example shows a configuration that runs the `auditd` and
`file_integrity` moduled.
`file_integrity` modules.
[source,yaml]
----

View File

@ -1,126 +0,0 @@
[[auditbeat-breaking-changes]]
== Breaking changes in 6.2
As a general rule, we strive to keep backwards compatibility between minor
versions (e.g. 6.x to 6.y) so you can upgrade without any configuration file
changes, but there are breaking changes between the earlier beta releases and
the 6.2 GA release.
There are changes that affect both the configuration and the event schema.
[float]
=== Configuration Changes
The audit module has been renamed and is now two separate modules: the
<<auditbeat-module-auditd,auditd module>> and the
<<auditbeat-module-file_integrity,file_integrity module>>. You must update your
configuration to use these modules.
The `kernel` metricset has become the <<auditbeat-module-auditd,auditd module>>.
.Old Config
[source,yaml]
----
- module: audit
metricsets: ["kernel"]
kernel.resolve_ids: true
kernel.failure_mode: silent
kernel.backlog_limit: 8196
kernel.rate_limit: 0
kernel.include_raw_message: false
kernel.include_warnings: false
kernel.audit_rules: |
# Rules
----
.New Config
[source,yaml]
----
- module: auditd
resolve_ids: true
failure_mode: silent
backlog_limit: 8196
rate_limit: 0
include_raw_message: false
include_warnings: false
audit_rules: |
# Rules
----
The `file` metricset has become the
<<auditbeat-module-file_integrity,file_integrity module>>.
.Old Config
[source,yaml]
----
- module: audit
metricsets: [file]
file.paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
file.scan_at_start: true
file.scan_rate_per_sec: 50 MiB
file.max_file_size: 100 MiB
file.hash_types: [sha1]
----
.New Config
[source,yaml]
----
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
scan_at_start: true
scan_rate_per_sec: 50 MiB
max_file_size: 100 MiB
hash_types: [sha1]
recursive: false <1>
----
<1> `recursive` is a new option in 6.2 and is disabled by default. Set the value
to true to watch for changes in all sub-directories.
[float]
=== Event Schema Changes
Most field names were changed in 6.2. We wanted to rename the modules and use
common field names for similar data types across all the modules. The table
below provides a summary of the field changes.
In Kibana you need to <<load-kibana-dashboards,import>> the latest dashboards
that work with the new event format. The new dashboards will not work with data
produced by older versions of Auditbeat.
.Renamed Fields
[frame="topbot",options="header"]
|======================
|Old Field|New Field
|`metricset.module` |`event.module`
|`metricset.name` |_Removed_
|`audit.kernel.action` |`event.action`
|`audit.kernel.category` |`event.category`
|`audit.kernel.record_type`|`event.type`
|`audit.kernel.key` |`tags`
|`audit.kernel.actor.attrs`|`user`
|`audit.kernel.actor` |`auditd.summary.actor`
|`audit.kernel.thing` |`auditd.summary.object`
|`audit.kernel.how` |`auditd.summary.how`
|`audit.kernel.socket` |`auditd.data.socket`, `source`, `destination`
footnote:[Based on the syscall type either the `source` or `destination` may
also be populated.]
|`audit.kernel.data.*` |`process.*` footnote:[Fields related to a process
will be moved under the `process` namespace.]
|`audit.kernel.data.*` |`file.*` footnote:[Fields related to a file will be
moved under the `file` namespace.]
|`audit.kernel.data` |`auditd.data`
|`audit.file.action` |`event.action`
|`audit.file.hash` |`hash`
|`audit.file` |`file`
|======================
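Review bot: the `Renamed Fields` table removed with this page (mapping `audit.kernel.*` and `audit.file.*` to `auditd.*`, `event.*`, `file.*` and `process.*`) is the only place the old-to-new field mapping is written down for anyone porting detections or saved searches from pre-6.2 data; if the content moves to a versioned breaking-changes page elsewhere, the commit should point to it, otherwise keep at least the table.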

View File

@ -14,7 +14,7 @@ There's also a full example configuration file at
options. For mac and win, look in the archive that you extracted.
The {beatname_uc} configuration file uses http://yaml.org/[YAML] for its syntax.
See the {libbeat}/config-file-format.html[Config File Format] section of the
See the {beats-ref}/config-file-format.html[Config File Format] section of the
_Beats Platform Reference_ for more about the structure of the config file.
The following topics describe how to configure {beatname_uc}:
@ -24,9 +24,11 @@ The following topics describe how to configure {beatname_uc}:
* <<{beatname_lc}-configuration-reloading>>
* <<configuring-internal-queue>>
* <<configuring-output>>
* <<ilm>>
* <<configuration-ssl>>
* <<filtering-and-enhancing-data>>
* <<configuring-ingest-node>>
* <<{beatname_lc}-geoip>>
* <<configuration-path>>
* <<setup-kibana-endpoint>>
* <<configuration-dashboards>>
@ -49,34 +51,38 @@ include::./auditbeat-general-options.asciidoc[]
include::./reload-configuration.asciidoc[]
include::../../libbeat/docs/queueconfig.asciidoc[]
include::{libbeat-dir}/docs/queueconfig.asciidoc[]
include::../../libbeat/docs/outputconfig.asciidoc[]
include::{libbeat-dir}/docs/outputconfig.asciidoc[]
include::../../libbeat/docs/shared-ssl-config.asciidoc[]
include::{libbeat-dir}/docs/shared-ilm.asciidoc[]
include::{libbeat-dir}/docs/shared-ssl-config.asciidoc[]
include::./auditbeat-filtering.asciidoc[]
include::../../libbeat/docs/shared-config-ingest.asciidoc[]
include::{libbeat-dir}/docs/shared-config-ingest.asciidoc[]
include::../../libbeat/docs/shared-path-config.asciidoc[]
include::{libbeat-dir}/docs/shared-geoip.asciidoc[]
include::../../libbeat/docs/shared-kibana-config.asciidoc[]
include::{libbeat-dir}/docs/shared-path-config.asciidoc[]
include::../../libbeat/docs/setup-config.asciidoc[]
include::{libbeat-dir}/docs/shared-kibana-config.asciidoc[]
include::../../libbeat/docs/loggingconfig.asciidoc[]
include::{libbeat-dir}/docs/setup-config.asciidoc[]
include::{libbeat-dir}/docs/loggingconfig.asciidoc[]
:standalone:
include::../../libbeat/docs/shared-env-vars.asciidoc[]
include::{libbeat-dir}/docs/shared-env-vars.asciidoc[]
:standalone!:
:standalone:
include::../../libbeat/docs/yaml.asciidoc[]
include::{libbeat-dir}/docs/yaml.asciidoc[]
:standalone!:
include::../../libbeat/docs/regexp.asciidoc[]
include::{libbeat-dir}/docs/regexp.asciidoc[]
include::../../libbeat/docs/http-endpoint.asciidoc[]
include::{libbeat-dir}/docs/http-endpoint.asciidoc[]
include::../../libbeat/docs/reference-yml.asciidoc[]
include::{libbeat-dir}/docs/reference-yml.asciidoc[]

View File

@ -7,6 +7,6 @@ https://discuss.elastic.co/c/beats/{beatname_lc}[{beatname_uc} discussion forum]
include::./faq-ulimit.asciidoc[]
include::../../libbeat/docs/faq-limit-bandwidth.asciidoc[]
include::{libbeat-dir}/docs/faq-limit-bandwidth.asciidoc[]
include::../../libbeat/docs/shared-faq.asciidoc[]
include::{libbeat-dir}/docs/shared-faq.asciidoc[]

File diff suppressed because it is too large

View File

@ -1,7 +1,7 @@
[id="{beatname_lc}-getting-started"]
== Getting started with {beatname_uc}
include::../../libbeat/docs/shared-getting-started-intro.asciidoc[]
include::{libbeat-dir}/docs/shared-getting-started-intro.asciidoc[]
* <<{beatname_lc}-installation>>
* <<{beatname_lc}-configuration>>
@ -16,7 +16,7 @@ include::../../libbeat/docs/shared-getting-started-intro.asciidoc[]
Install {beatname_uc} on all the servers you want to monitor.
include::../../libbeat/docs/shared-download-and-install.asciidoc[]
include::{libbeat-dir}/docs/shared-download-and-install.asciidoc[]
[[deb]]
*deb:*
@ -75,6 +75,8 @@ tar xzvf {beatname_lc}-{version}-darwin-x86_64.tar.gz
endif::[]
include::{libbeat-dir}/docs/shared-brew-install.asciidoc[]
[[linux]]
*linux:*
@ -97,6 +99,22 @@ endif::[]
[[docker]]
*docker:*
ifeval::["{release-state}"=="unreleased"]
Version {stack-version} of {beatname_uc} has not yet been released.
endif::[]
ifeval::["{release-state}"!="unreleased"]
["source","sh",subs="attributes"]
------------------------------------------------
curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-linux-x86_64.tar.gz
tar xzvf {beatname_lc}-{version}-linux-x86_64.tar.gz
------------------------------------------------
endif::[]
See <<running-on-docker, Running on Docker>> for deploying Docker containers.
[[win]]
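Review bot: the commands added under the new `*docker:*` heading download and extract `{beatname_lc}-{version}-linux-x86_64.tar.gz`, which is the Linux tarball, not a container image; either show the image pull here or leave only the pointer to <<running-on-docker>> that already follows. While touching this file: every `curl -L -O` step fetches the archive over HTTPS but never checks the published checksum, so a reader has no way to detect a corrupted or substituted download; add a verification step after the download, e.g. `curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-linux-x86_64.tar.gz.sha512` followed by `shasum -a 512 -c {beatname_lc}-{version}-linux-x86_64.tar.gz.sha512`.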
@ -144,7 +162,7 @@ For more information about these options, see
[id="{beatname_lc}-configuration"]
=== Step 2: Configure {beatname_uc}
include::../../libbeat/docs/shared-configuring.asciidoc[]
include::{libbeat-dir}/docs/shared-configuring.asciidoc[]
To configure {beatname_uc}:
@ -174,25 +192,25 @@ If you accept the default configuration without specifying additional modules,
+
See <<configuring-howto-{beatname_lc}>> for more details about configuring modules.
include::../../libbeat/docs/step-configure-output.asciidoc[]
include::{libbeat-dir}/docs/step-configure-output.asciidoc[]
include::../../libbeat/docs/step-configure-kibana-endpoint.asciidoc[]
include::{libbeat-dir}/docs/step-configure-kibana-endpoint.asciidoc[]
include::../../libbeat/docs/step-configure-credentials.asciidoc[]
include::{libbeat-dir}/docs/step-configure-credentials.asciidoc[]
include::../../libbeat/docs/step-test-config.asciidoc[]
include::{libbeat-dir}/docs/step-test-config.asciidoc[]
include::../../libbeat/docs/step-look-at-config.asciidoc[]
include::{libbeat-dir}/docs/step-look-at-config.asciidoc[]
[id="{beatname_lc}-template"]
=== Step 3: Load the index template in {es}
include::../../libbeat/docs/shared-template-load.asciidoc[]
include::{libbeat-dir}/docs/shared-template-load.asciidoc[]
[[load-kibana-dashboards]]
=== Step 4: Set up the {kib} dashboards
include::../../libbeat/docs/dashboards.asciidoc[]
include::{libbeat-dir}/docs/dashboards.asciidoc[]
[id="{beatname_lc}-starting"]
=== Step 5: Start {beatname_uc}
@ -222,12 +240,14 @@ sudo ./{beatname_lc} -e
<1> To monitor system files, you'll be running {beatname_uc} as root, so you
need to change ownership of the configuration file, or run {beatname_uc} with
`--strict.perms=false` specified. See
{libbeat}/config-file-permissions.html[Config File Ownership and Permissions]
{beats-ref}/config-file-permissions.html[Config File Ownership and Permissions]
in the _Beats Platform Reference_.
If you see a warning about too many open files, you need to increase the
`ulimit`. See the <<ulimit,FAQ>> for more details.
include::{libbeat-dir}/docs/shared-brew-run.asciidoc[]
*win:*
["source","sh",subs="attributes"]
@ -260,10 +280,10 @@ To make it easier for you to start auditing the activities of users and
processes on your system, we have created example {beatname_uc} dashboards.
You loaded the dashboards earlier when you ran the `setup` command.
include::../../libbeat/docs/opendashboards.asciidoc[]
include::{libbeat-dir}/docs/opendashboards.asciidoc[]
The dashboards are provided as examples. We recommend that you
{kibana-ref}/dashboard.html[customize] them to meet your needs.
[role="screenshot"]
image:./images/auditbeat-file-integrity-dashboard.png[Auditbeat File Integrity Dashboard]
image::./images/auditbeat-file-integrity-dashboard.png[Auditbeat File Integrity Dashboard]

Binary file not shown.

View File

@ -1,6 +1,8 @@
= Auditbeat Reference
include::../../libbeat/docs/version.asciidoc[]
:libbeat-dir: ../../libbeat
include::{libbeat-dir}/docs/version.asciidoc[]
include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
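Review bot: `:libbeat-dir:` is defined only here, after the document title, and every other file in this diff now resolves its includes through it; that is fine when the book is built from `index.asciidoc`, but any of those files built or linted on its own will see the literal string `{libbeat-dir}` and fail to include anything. Consider defining the attribute in the shared attributes file that is included on the next line, or document in a comment that `index.asciidoc` is the only supported entry point.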
@ -19,31 +21,31 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
:win_os:
:linux_os:
include::../../libbeat/docs/shared-beats-attributes.asciidoc[]
include::{libbeat-dir}/docs/shared-beats-attributes.asciidoc[]
include::./overview.asciidoc[]
include::./getting-started.asciidoc[]
include::../../libbeat/docs/repositories.asciidoc[]
include::./breaking.asciidoc[]
include::{libbeat-dir}/docs/repositories.asciidoc[]
include::./setting-up-running.asciidoc[]
include::./upgrading.asciidoc[]
include::./configuring-howto.asciidoc[]
include::./modules.asciidoc[]
include::./fields.asciidoc[]
include::../../libbeat/docs/monitoring/monitoring-beats.asciidoc[]
include::{libbeat-dir}/docs/monitoring/monitoring-beats.asciidoc[]
include::../../libbeat/docs/shared-securing-beat.asciidoc[]
include::{libbeat-dir}/docs/shared-securing-beat.asciidoc[]
include::./troubleshooting.asciidoc[]
include::./faq.asciidoc[]
include::../../libbeat/docs/contributing-to-beats.asciidoc[]
include::{libbeat-dir}/docs/contributing-to-beats.asciidoc[]

View File

@ -175,15 +175,15 @@ audit ruleset.
*`include_raw_message`*:: This boolean setting causes {beatname_uc} to
include each of the raw messages that contributed to the event in the document
as a field called `messages`. The default value is false. This setting is
as a field called `event.original`. The default value is false. This setting is
primarily used for development and debugging purposes.
*`include_warnings`*:: This boolean setting causes {beatname_uc} to
include as warnings any issues that were encountered while parsing the raw
messages. The default value is false. When this setting is enabled the raw
messages will be included in the event regardless of the
`include_raw_message` config setting. This setting is primarily used for
development and debugging purposes.
messages. The messages are written to the `error.message` field. The default
value is false. When this setting is enabled the raw messages will be included
in the event regardless of the `include_raw_message` config setting. This
setting is primarily used for development and debugging purposes.
*`audit_rules`*:: A string containing the audit rules that should be
installed to the kernel. There should be one rule per line. Comments can be
@ -297,5 +297,7 @@ auditbeat.modules:
## Unauthorized access attempts.
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
----

View File

@ -58,6 +58,7 @@ Linux.
- '(?i)\.sw[nop]$'
- '~$'
- '/\.git($|/)'
include_files: []
scan_at_start: true
scan_rate_per_sec: 50 MiB
max_file_size: 100 MiB
@ -70,7 +71,19 @@ not supported. The specified paths should exist when the metricset is started.
*`exclude_files`*:: A list of regular expressions used to filter out events
for unwanted files. The expressions are matched against the full path of every
file and directory. By default, no files are excluded. See <<regexp-support>>
file and directory. When used in conjunction with `include_files`, file paths need
to match both `include_files` and not match `exclude_files` to be selected.
By default, no files are excluded. See <<regexp-support>>
for a list of supported regexp patterns. It is recommended to wrap regular
expressions in single quotation marks to avoid issues with YAML escaping
rules.
*`include_files`*:: A list of regular expressions used to specify which files to
select. When configured, only files matching the pattern will be monitored.
The expressions are matched against the full path of every file and directory.
When used in conjunction with `exclude_files`, file paths need
to match both `include_files` and not match `exclude_files` to be selected.
By default, all files are selected. See <<regexp-support>>
for a list of supported regexp patterns. It is recommended to wrap regular
expressions in single quotation marks to avoid issues with YAML escaping
rules.
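Review bot: the sentence "file paths need to match both `include_files` and not match `exclude_files` to be selected" is repeated verbatim under both options and is awkward as written; state the rule once, e.g. under `include_files`: "A path is monitored only if it matches `include_files` and does not match `exclude_files`.", and refer to it from `exclude_files`. The example config also adds `include_files: []` without saying what an empty list means; the prose says all files are selected by default, but `[]` can be read as "select nothing", so say explicitly that an empty list disables the filter.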

View File

@ -4,9 +4,11 @@ This file is generated! See scripts/docs_collector.py
* <<{beatname_lc}-module-auditd,Auditd>>
* <<{beatname_lc}-module-file_integrity,File Integrity>>
* <<{beatname_lc}-module-system,System>>
--
include::modules/auditd.asciidoc[]
include::modules/file_integrity.asciidoc[]
include::./modules/auditd.asciidoc[]
include::./modules/file_integrity.asciidoc[]
include::../../x-pack/auditbeat/docs/modules/system.asciidoc[]

View File

@ -11,3 +11,5 @@ can use {beatname_uc} to collect and centralize audit events from the Linux
Audit Framework. You can also use {beatname_uc} to detect changes to critical
files, like binaries and configuration files, and identify potential security
policy violations.
include::{libbeat-dir}/docs/shared-libbeat-description.asciidoc[]

View File

@ -44,4 +44,4 @@ definitions. For example:
NOTE: On systems with POSIX file permissions, all Beats configuration files are
subject to ownership and file permission checks. If you encounter config loading
errors related to file ownership, see {libbeat}/config-file-permissions.html.
errors related to file ownership, see {beats-ref}/config-file-permissions.html.

View File

@ -1,4 +1,4 @@
include::../../libbeat/docs/shared-docker.asciidoc[]
include::{libbeat-dir}/docs/shared-docker.asciidoc[]
==== Special requirements

View File

@ -0,0 +1,75 @@
[[running-on-kubernetes]]
=== Running {beatname_uc} on Kubernetes
{beatname_uc} <<running-on-docker,Docker images>> can be used on Kubernetes to
check files integrity.
ifeval::["{release-state}"=="unreleased"]
However, version {stack-version} of {beatname_uc} has not yet been
released, so no Docker image is currently available for this version.
endif::[]
[float]
==== Kubernetes deploy manifests
By deploying {beatname_uc} as a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet]
we ensure we get a running instance on each node of the cluster.
Everything is deployed under `kube-system` namespace, you can change that by
updating the YAML file.
To get the manifests just run:
["source", "sh", subs="attributes"]
------------------------------------------------
curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/{beatname_lc}-kubernetes.yaml
------------------------------------------------
[WARNING]
=======================================
If you are using Kubernetes 1.7 or earlier: {beatname_uc} uses a hostPath volume to persist internal data, it's located
under /var/lib/{beatname_lc}-data. The manifest uses folder autocreation (`DirectoryOrCreate`), which was introduced in
Kubernetes 1.8. You will need to remove `type: DirectoryOrCreate` from the manifest and create the host folder yourself.
=======================================
[float]
==== Settings
Some parameters are exposed in the manifest to configure logs destination, by
default they will use an existing Elasticsearch deploy if it's present, but you
may want to change that behavior, so just edit the YAML file and modify them:
["source", "yaml", subs="attributes"]
------------------------------------------------
- name: ELASTICSEARCH_HOST
value: elasticsearch
- name: ELASTICSEARCH_PORT
value: "9200"
- name: ELASTICSEARCH_USERNAME
value: elastic
- name: ELASTICSEARCH_PASSWORD
value: changeme
------------------------------------------------
[float]
==== Deploy
To deploy {beatname_uc} to Kubernetes just run:
["source", "sh", subs="attributes"]
------------------------------------------------
kubectl create -f {beatname_lc}-kubernetes.yaml
------------------------------------------------
Then you should be able to check the status by running:
["source", "sh", subs="attributes"]
------------------------------------------------
$ kubectl --namespace=kube-system get ds/{beatname_lc}
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE-SELECTOR AGE
{beatname_lc} 32 32 0 32 0 <none> 1m
------------------------------------------------
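Review bot: the Settings block documents putting the Elasticsearch credentials straight into the manifest as plain `value:` entries (`ELASTICSEARCH_USERNAME: elastic`, `ELASTICSEARCH_PASSWORD: changeme`), and `elastic` is the built-in superuser; the recommended form should be a Kubernetes Secret referenced through `valueFrom: secretKeyRef`, with a dedicated user that has only the privileges the Beat output needs, since anyone who can read the DaemonSet spec can otherwise read the password. Two smaller points: `kubectl create -f` fails on a second run, so `kubectl apply -f` is the better documented command, and "check files integrity" should read "check file integrity".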

View File

@ -20,15 +20,23 @@ This section includes additional information on how to set up and run
* <<running-on-docker>>
* <<running-on-kubernetes>>
* <<running-with-systemd>>
//MAINTAINERS: If you add a new file to this section, make sure you update the bulleted list ^^ too.
include::../../libbeat/docs/shared-directory-layout.asciidoc[]
include::{libbeat-dir}/docs/shared-directory-layout.asciidoc[]
include::../../libbeat/docs/keystore.asciidoc[]
include::{libbeat-dir}/docs/keystore.asciidoc[]
include::../../libbeat/docs/command-reference.asciidoc[]
include::{libbeat-dir}/docs/command-reference.asciidoc[]
include::./running-on-docker.asciidoc[]
include::../../libbeat/docs/shared-shutdown.asciidoc[]
include::./running-on-kubernetes.asciidoc[]
include::{libbeat-dir}/docs/shared-systemd.asciidoc[]
include::{libbeat-dir}/docs/shared-shutdown.asciidoc[]

View File

@ -17,14 +17,14 @@ following tips:
[[getting-help]]
== Get Help
include::../../libbeat/docs/getting-help.asciidoc[]
include::{libbeat-dir}/docs/getting-help.asciidoc[]
//sets block macro for debugging.asciidoc included in next section
[id="enable-{beatname_lc}-debugging"]
== Debug
include::../../libbeat/docs/debugging.asciidoc[]
include::{libbeat-dir}/docs/debugging.asciidoc[]

View File

@ -0,0 +1,7 @@
[[upgrading-auditbeat]]
== Upgrading Auditbeat
For information about upgrading to a new version, see the following topics in the _Beats Platform Reference_:
* {beats-ref}/breaking-changes.html[Breaking Changes]
* {beats-ref}/upgrading.html[Upgrading]

View File

@ -0,0 +1,264 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package hasher
import (
"crypto/md5"
"crypto/sha1"
"crypto/sha256"
"crypto/sha512"
"encoding/hex"
"fmt"
"hash"
"io"
"os"
"strings"
"time"
"github.com/OneOfOne/xxhash"
"github.com/dustin/go-humanize"
"github.com/joeshaw/multierror"
"github.com/pkg/errors"
"golang.org/x/crypto/blake2b"
"golang.org/x/crypto/sha3"
"golang.org/x/time/rate"
"github.com/elastic/beats/libbeat/common/file"
)
// HashType identifies a cryptographic algorithm.
type HashType string
// Unpack unpacks a string to a HashType for config parsing.
func (t *HashType) Unpack(v string) error {
*t = HashType(strings.ToLower(v))
return nil
}
// IsValid checks if the hash type is valid.
func (t *HashType) IsValid() bool {
_, valid := validHashes[*t]
return valid
}
var validHashes = map[HashType](func() hash.Hash){
BLAKE2B_256: func() hash.Hash {
h, _ := blake2b.New256(nil)
return h
},
BLAKE2B_384: func() hash.Hash {
h, _ := blake2b.New384(nil)
return h
},
BLAKE2B_512: func() hash.Hash {
h, _ := blake2b.New512(nil)
return h
},
MD5: md5.New,
SHA1: sha1.New,
SHA224: sha256.New224,
SHA256: sha256.New,
SHA384: sha512.New384,
SHA512: sha512.New,
SHA512_224: sha512.New512_224,
SHA512_256: sha512.New512_256,
SHA3_224: sha3.New224,
SHA3_256: sha3.New256,
SHA3_384: sha3.New384,
SHA3_512: sha3.New512,
XXH64: func() hash.Hash {
return xxhash.New64()
},
}
// Enum of hash types.
const (
BLAKE2B_256 HashType = "blake2b_256"
BLAKE2B_384 HashType = "blake2b_384"
BLAKE2B_512 HashType = "blake2b_512"
MD5 HashType = "md5"
SHA1 HashType = "sha1"
SHA224 HashType = "sha224"
SHA256 HashType = "sha256"
SHA384 HashType = "sha384"
SHA3_224 HashType = "sha3_224"
SHA3_256 HashType = "sha3_256"
SHA3_384 HashType = "sha3_384"
SHA3_512 HashType = "sha3_512"
SHA512 HashType = "sha512"
SHA512_224 HashType = "sha512_224"
SHA512_256 HashType = "sha512_256"
XXH64 HashType = "xxh64"
)
// Digest is a output of a hash function.
type Digest []byte
// String returns the digest value in lower-case hexadecimal form.
func (d Digest) String() string {
return hex.EncodeToString(d)
}
// MarshalText encodes the digest to a hexadecimal representation of itself.
func (d Digest) MarshalText() ([]byte, error) { return []byte(d.String()), nil }
// FileTooLargeError is the error that occurs when a file that
// exceeds the max file size is attempting to be hashed.
type FileTooLargeError struct {
fileSize int64
}
// Error returns the error message for FileTooLargeError.
func (e FileTooLargeError) Error() string {
return fmt.Sprintf("hasher: file size %d exceeds max file size", e.fileSize)
}
// Config contains the configuration of a FileHasher.
type Config struct {
HashTypes []HashType `config:"hash_types,replace"`
MaxFileSize string `config:"max_file_size"`
MaxFileSizeBytes uint64 `config:",ignore"`
ScanRatePerSec string `config:"scan_rate_per_sec"`
ScanRateBytesPerSec uint64 `config:",ignore"`
}
// Validate validates the config.
func (c *Config) Validate() error {
var errs multierror.Errors
for _, ht := range c.HashTypes {
if !ht.IsValid() {
errs = append(errs, errors.Errorf("invalid hash_types value '%v'", ht))
}
}
var err error
c.MaxFileSizeBytes, err = humanize.ParseBytes(c.MaxFileSize)
if err != nil {
errs = append(errs, errors.Wrap(err, "invalid max_file_size value"))
} else if c.MaxFileSizeBytes <= 0 {
errs = append(errs, errors.Errorf("max_file_size value (%v) must be positive", c.MaxFileSize))
}
c.ScanRateBytesPerSec, err = humanize.ParseBytes(c.ScanRatePerSec)
if err != nil {
errs = append(errs, errors.Wrap(err, "invalid scan_rate_per_sec value"))
}
return errs.Err()
}
// FileHasher hashes the contents of files.
type FileHasher struct {
config Config
limiter *rate.Limiter
// To cancel hashing
done <-chan struct{}
}
// NewFileHasher creates a new FileHasher.
func NewFileHasher(c Config, done <-chan struct{}) (*FileHasher, error) {
return &FileHasher{
config: c,
limiter: rate.NewLimiter(
rate.Limit(c.ScanRateBytesPerSec), // Rate
int(c.MaxFileSizeBytes), // Burst
),
done: done,
}, nil
}
// HashFile hashes the contents of a file.
func (hasher *FileHasher) HashFile(path string) (map[HashType]Digest, error) {
info, err := os.Stat(path)
if err != nil {
return nil, errors.Wrapf(err, "failed to stat file %v", path)
}
// Throttle reading and hashing rate.
if len(hasher.config.HashTypes) > 0 {
err = hasher.throttle(info.Size())
if err != nil {
return nil, errors.Wrapf(err, "failed to hash file %v", path)
}
}
var hashes []hash.Hash
for _, hashType := range hasher.config.HashTypes {
h, valid := validHashes[hashType]
if !valid {
return nil, errors.Errorf("unknown hash type '%v'", hashType)
}
hashes = append(hashes, h())
}
if len(hashes) > 0 {
f, err := file.ReadOpen(path)
if err != nil {
return nil, errors.Wrap(err, "failed to open file for hashing")
}
defer f.Close()
hashWriter := multiWriter(hashes)
if _, err := io.Copy(hashWriter, f); err != nil {
return nil, errors.Wrap(err, "failed to calculate file hashes")
}
nameToHash := make(map[HashType]Digest, len(hashes))
for i, h := range hashes {
nameToHash[hasher.config.HashTypes[i]] = h.Sum(nil)
}
return nameToHash, nil
}
return nil, nil
}
func (hasher *FileHasher) throttle(fileSize int64) error {
reservation := hasher.limiter.ReserveN(time.Now(), int(fileSize))
if !reservation.OK() {
// File is bigger than the max file size
return FileTooLargeError{fileSize}
}
delay := reservation.Delay()
if delay == 0 {
return nil
}
timer := time.NewTimer(delay)
defer timer.Stop()
select {
case <-hasher.done:
case <-timer.C:
}
return nil
}
func multiWriter(hash []hash.Hash) io.Writer {
writers := make([]io.Writer, 0, len(hash))
for _, h := range hash {
writers = append(writers, h)
}
return io.MultiWriter(writers...)
}
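Review bot: in `throttle`, the `case <-hasher.done:` branch falls through to `return nil`, so after cancellation `HashFile` still opens and hashes the file instead of aborting; return an error from that branch (and call `reservation.Cancel()` so the reserved tokens go back to the limiter). In `HashFile`, the size used for the limit comes from `os.Stat` before the file is opened and `io.Copy` is unbounded, so a file that grows between the stat and the read is hashed past `max_file_size`; wrap the reader in an `io.LimitReader` sized from the stat result, or stat the opened handle instead. `int(fileSize)` and `int(c.MaxFileSizeBytes)` also truncate on 32-bit targets (386 and arm are cross-build targets for this Beat), so compare against the `uint64` limit before converting. In `Validate`, `c.MaxFileSizeBytes <= 0` on a `uint64` is just `== 0`, and `scan_rate_per_sec` gets no positivity check at all, although a zero rate means the limiter never refills.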

View File

@ -0,0 +1,92 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package hasher
import (
"io/ioutil"
"os"
"path/filepath"
"testing"
"github.com/pkg/errors"
"github.com/stretchr/testify/assert"
)
func TestHasher(t *testing.T) {
dir, err := ioutil.TempDir("", "auditbeat-hasher-test")
if err != nil {
t.Fatal(err)
}
defer os.RemoveAll(dir)
file := filepath.Join(dir, "exe")
if err = ioutil.WriteFile(file, []byte("test exe\n"), 0600); err != nil {
t.Fatal(err)
}
config := Config{
HashTypes: []HashType{SHA1, MD5},
MaxFileSize: "100 MiB",
MaxFileSizeBytes: 100 * 1024 * 1024,
ScanRatePerSec: "50 MiB",
ScanRateBytesPerSec: 50 * 1024 * 1024,
}
hasher, err := NewFileHasher(config, nil)
if err != nil {
t.Fatal(err)
}
hashes, err := hasher.HashFile(file)
if err != nil {
t.Fatal(err)
}
assert.Len(t, hashes, 2)
assert.Equal(t, "44a36f2cd27e56794cd405ad8d44e82dba4c54fa", hashes["sha1"].String())
assert.Equal(t, "1d7572082f6b0d18a393d618285d7100", hashes["md5"].String())
}
func TestHasherLimits(t *testing.T) {
dir, err := ioutil.TempDir("", "auditbeat-hasher-test")
if err != nil {
t.Fatal(err)
}
defer os.RemoveAll(dir)
file := filepath.Join(dir, "exe")
if err = ioutil.WriteFile(file, []byte("test exe\n"), 0600); err != nil {
t.Fatal(err)
}
configZeroSize := Config{
HashTypes: []HashType{SHA1},
MaxFileSize: "0 MiB",
MaxFileSizeBytes: 0,
ScanRatePerSec: "0 MiB",
ScanRateBytesPerSec: 0,
}
hasher, err := NewFileHasher(configZeroSize, nil)
if err != nil {
t.Fatal(err)
}
hashes, err := hasher.HashFile(file)
assert.Empty(t, hashes)
assert.Error(t, err)
assert.IsType(t, FileTooLargeError{}, errors.Cause(err))
}
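Review bot: `TestHasherLimits` sets both `max_file_size` and `scan_rate_per_sec` to zero, so it cannot tell whether the `FileTooLargeError` came from the size limit or from the limiter's zero burst; add one case with a normal rate and a `max_file_size` just below the 9-byte file, and one where the file fits but a second hash is rate limited. Neither test exercises the `done` channel (both pass `nil`), and neither calls `Config.Validate`, so the `humanize.ParseBytes` path that fills `MaxFileSizeBytes` and `ScanRateBytesPerSec` in production is untested; the tests fill those fields by hand.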

File diff suppressed because one or more lines are too long

View File

@ -15,11 +15,12 @@
// specific language governing permissions and limitations
// under the License.
// Code generated by beats/dev-tools/cmd/module_include_list/module_include_list.go - DO NOT EDIT.
package include
import (
// Include all Auditbeat modules so that they register their
// factories with the global registry.
// Import packages that need to register themselves.
_ "github.com/elastic/beats/auditbeat/module/auditd"
_ "github.com/elastic/beats/auditbeat/module/file_integrity"
)

View File

@ -22,250 +22,186 @@ package main
import (
"context"
"fmt"
"regexp"
"time"
"github.com/magefile/mage/mg"
"github.com/magefile/mage/sh"
"github.com/pkg/errors"
"github.com/elastic/beats/dev-tools/mage"
auditbeat "github.com/elastic/beats/auditbeat/scripts/mage"
devtools "github.com/elastic/beats/dev-tools/mage"
)
func init() {
mage.BeatDescription = "Audit the activities of users and processes on your system."
devtools.BeatDescription = "Audit the activities of users and processes on your system."
}
// Aliases provides compatibility with CI while we transition all Beats
// to having common testing targets.
var Aliases = map[string]interface{}{
"goTestUnit": GoUnitTest, // dev-tools/jenkins_ci.ps1 uses this.
}
// Build builds the Beat binary.
func Build() error {
return mage.Build(mage.DefaultBuildArgs())
return devtools.Build(devtools.DefaultBuildArgs())
}
// GolangCrossBuild build the Beat binary inside of the golang-builder.
// Do not use directly, use crossBuild instead.
func GolangCrossBuild() error {
return mage.GolangCrossBuild(mage.DefaultGolangCrossBuildArgs())
return devtools.GolangCrossBuild(devtools.DefaultGolangCrossBuildArgs())
}
// BuildGoDaemon builds the go-daemon binary (use crossBuildGoDaemon).
func BuildGoDaemon() error {
return mage.BuildGoDaemon()
return devtools.BuildGoDaemon()
}
// CrossBuild cross-builds the beat for all target platforms.
func CrossBuild() error {
return mage.CrossBuild()
}
// CrossBuildXPack cross-builds the beat with XPack for all target platforms.
func CrossBuildXPack() error {
return mage.CrossBuildXPack()
return devtools.CrossBuild()
}
// CrossBuildGoDaemon cross-builds the go-daemon binary using Docker.
func CrossBuildGoDaemon() error {
return mage.CrossBuildGoDaemon()
return devtools.CrossBuildGoDaemon()
}
// Clean cleans all generated files and build artifacts.
func Clean() error {
return mage.Clean()
return devtools.Clean()
}
// Package packages the Beat for distribution.
// Use SNAPSHOT=true to build snapshots.
// Use PLATFORMS to control the target platforms.
// Use VERSION_QUALIFIER to control the version qualifier.
func Package() {
start := time.Now()
defer func() { fmt.Println("package ran for", time.Since(start)) }()
mage.UseElasticBeatPackaging()
customizePackaging()
devtools.UseElasticBeatOSSPackaging()
devtools.PackageKibanaDashboardsFromBuildDir()
auditbeat.CustomizePackaging(auditbeat.OSSPackaging)
mg.Deps(Update)
mg.Deps(makeConfigTemplates, CrossBuild, CrossBuildXPack, CrossBuildGoDaemon)
mg.SerialDeps(mage.Package, TestPackages)
mg.SerialDeps(Fields, Dashboards, Config, devtools.GenerateModuleIncludeListGo)
mg.Deps(CrossBuild, CrossBuildGoDaemon)
mg.SerialDeps(devtools.Package, TestPackages)
}
// TestPackages tests the generated packages (i.e. file modes, owners, groups).
func TestPackages() error {
return mage.TestPackages()
return devtools.TestPackages(devtools.WithRootUserContainer())
}
// Update updates the generated files (aka make update).
func Update() error {
return sh.Run("make", "update")
// Update is an alias for running fields, dashboards, config, includes.
func Update() {
mg.SerialDeps(Fields, Dashboards, Config,
devtools.GenerateModuleIncludeListGo, Docs)
}
// Fields generates a fields.yml for the Beat.
func Fields() error {
return mage.GenerateFieldsYAML("module")
// Config generates both the short/reference configs and populates the modules.d
// directory.
func Config() error {
return devtools.Config(devtools.AllConfigTypes, auditbeat.OSSConfigFileParams(), ".")
}
// GoTestUnit executes the Go unit tests.
// Use TEST_COVERAGE=true to enable code coverage profiling.
// Use RACE_DETECTOR=true to enable the race detector.
func GoTestUnit(ctx context.Context) error {
return mage.GoTest(ctx, mage.DefaultGoTestUnitArgs())
// Fields generates fields.yml and fields.go files for the Beat.
func Fields() {
mg.Deps(libbeatAndAuditbeatCommonFieldsGo, moduleFieldsGo)
mg.Deps(fieldsYML)
}
// GoTestIntegration executes the Go integration tests.
// Use TEST_COVERAGE=true to enable code coverage profiling.
// Use RACE_DETECTOR=true to enable the race detector.
func GoTestIntegration(ctx context.Context) error {
return mage.GoTest(ctx, mage.DefaultGoTestIntegrationArgs())
}
// -----------------------------------------------------------------------------
// Customizations specific to Auditbeat.
// - Config files are Go templates.
const (
configTemplateGlob = "module/*/_meta/config*.yml.tmpl"
shortConfigTemplate = "build/auditbeat.yml.tmpl"
referenceConfigTemplate = "build/auditbeat.reference.yml.tmpl"
)
func makeConfigTemplates() error {
configFiles, err := mage.FindFiles(configTemplateGlob)
if err != nil {
return errors.Wrap(err, "failed to find config templates")
// libbeatAndAuditbeatCommonFieldsGo generates a fields.go containing both
// libbeat and auditbeat's common fields.
func libbeatAndAuditbeatCommonFieldsGo() error {
if err := devtools.GenerateFieldsYAML(); err != nil {
return err
}
var shortIn []string
shortIn = append(shortIn, "_meta/common.p1.yml")
shortIn = append(shortIn, configFiles...)
shortIn = append(shortIn, "_meta/common.p2.yml")
shortIn = append(shortIn, "../libbeat/_meta/config.yml")
if !mage.IsUpToDate(shortConfigTemplate, shortIn...) {
fmt.Println(">> Building", shortConfigTemplate)
mage.MustFileConcat(shortConfigTemplate, 0600, shortIn...)
mage.MustFindReplace(shortConfigTemplate, regexp.MustCompile("beatname"), "{{.BeatName}}")
mage.MustFindReplace(shortConfigTemplate, regexp.MustCompile("beat-index-prefix"), "{{.BeatIndexPrefix}}")
}
var referenceIn []string
referenceIn = append(referenceIn, "_meta/common.reference.yml")
referenceIn = append(referenceIn, configFiles...)
referenceIn = append(referenceIn, "../libbeat/_meta/config.reference.yml")
if !mage.IsUpToDate(referenceConfigTemplate, referenceIn...) {
fmt.Println(">> Building", referenceConfigTemplate)
mage.MustFileConcat(referenceConfigTemplate, 0644, referenceIn...)
mage.MustFindReplace(referenceConfigTemplate, regexp.MustCompile("beatname"), "{{.BeatName}}")
mage.MustFindReplace(referenceConfigTemplate, regexp.MustCompile("beat-index-prefix"), "{{.BeatIndexPrefix}}")
}
return nil
return devtools.GenerateAllInOneFieldsGo()
}
// customizePackaging modifies the package specs to use templated config files
// instead of the defaults.
// moduleFieldsGo generates a fields.go for each module.
func moduleFieldsGo() error {
return devtools.GenerateModuleFieldsGo("module")
}
// fieldsYML generates the fields.yml file containing all fields.
func fieldsYML() error {
return devtools.GenerateFieldsYAML("module")
}
// ExportDashboard exports a dashboard and writes it into the correct directory.
//
// Customizations specific to Auditbeat:
// - Include audit.rules.d directory in packages.
func customizePackaging() {
var (
shortConfig = mage.PackageFile{
Mode: 0600,
Source: "{{.PackageDir}}/auditbeat.yml",
Dep: generateShortConfig,
Config: true,
}
referenceConfig = mage.PackageFile{
Mode: 0644,
Source: "{{.PackageDir}}/auditbeat.reference.yml",
Dep: generateReferenceConfig,
}
)
archiveRulesDir := "audit.rules.d"
linuxPkgRulesDir := "/etc/{{.BeatName}}/audit.rules.d"
rulesSrcDir := "module/auditd/_meta/audit.rules.d"
sampleRules := mage.PackageFile{
Mode: 0644,
Source: rulesSrcDir,
Dep: func(spec mage.PackageSpec) error {
if spec.OS == "linux" {
params := map[string]interface{}{
"ArchBits": archBits,
}
rulesFile := spec.MustExpand(rulesSrcDir+"/sample-rules-linux-{{call .ArchBits .GOARCH}}bit.conf", params)
if err := mage.Copy(rulesFile, spec.MustExpand("{{.PackageDir}}/audit.rules.d/sample-rules.conf.disabled")); err != nil {
return errors.Wrap(err, "failed to copy sample rules")
}
}
return nil
},
}
for _, args := range mage.Packages {
pkgType := args.Types[0]
switch pkgType {
case mage.TarGz, mage.Zip:
args.Spec.ReplaceFile("{{.BeatName}}.yml", shortConfig)
args.Spec.ReplaceFile("{{.BeatName}}.reference.yml", referenceConfig)
case mage.Deb, mage.RPM, mage.DMG:
args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.yml", shortConfig)
args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.reference.yml", referenceConfig)
default:
panic(errors.Errorf("unhandled package type: %v", pkgType))
}
if args.OS == "linux" {
rulesDest := archiveRulesDir
if pkgType != mage.TarGz {
rulesDest = linuxPkgRulesDir
}
args.Spec.Files[rulesDest] = sampleRules
}
}
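Review bot: `Source: rulesSrcDir` on `sampleRules` points at the source template directory `module/auditd/_meta/audit.rules.d`, while the `Dep` closure writes the selected file to `{{.PackageDir}}/audit.rules.d/sample-rules.conf.disabled`; confirm the package picks up the rendered `audit.rules.d` directory and not the per-arch source files, otherwise the Deb/RPM would ship both `sample-rules-linux-32bit.conf` and `-64bit.conf` under `/etc/auditbeat/audit.rules.d`. The `Dep` also uses `mage.Copy` rather than a template expansion, so the source rules must already be plain auditctl syntax (the per-arch filename suggests they are); if they ever gain `{{ }}` directives they will ship unexpanded. Installing the file with a `.disabled` suffix is the right default, and 0600 on `shortConfig` against 0644 on `referenceConfig` is correct since only `auditbeat.yml` carries output credentials. Minor: `pkgType := args.Types[0]` inspects only the first package type, so a spec listing several types would have its remaining types left with the default config files; iterate `args.Types` or assert the slice has exactly one element.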
// Required environment variables:
// - MODULE: Name of the module
// - ID: Dashboard id
func ExportDashboard() error {
return devtools.ExportDashboard()
}
func generateReferenceConfig(spec mage.PackageSpec) error {
params := map[string]interface{}{
"Reference": true,
"ArchBits": archBits,
}
return spec.ExpandFile(referenceConfigTemplate,
"{{.PackageDir}}/auditbeat.reference.yml", params)
// Dashboards collects all the dashboards and generates index patterns.
func Dashboards() error {
return devtools.KibanaDashboards("module")
}
func generateShortConfig(spec mage.PackageSpec) error {
params := map[string]interface{}{
"Reference": false,
"ArchBits": archBits,
}
return spec.ExpandFile(shortConfigTemplate,
"{{.PackageDir}}/auditbeat.yml", params)
// Docs collects the documentation.
func Docs() {
mg.Deps(auditbeat.ModuleDocs, auditbeat.FieldDocs)
}
// archBits returns the number of bit width of the GOARCH architecture value.
// This function is used by the auditd module configuration templates to
// generate architecture specific audit rules.
func archBits(goarch string) int {
switch goarch {
case "386", "arm":
return 32
default:
return 64
}
// Fmt formats source code and adds file headers.
func Fmt() {
mg.Deps(devtools.Format)
}
// Configs generates the auditbeat.yml and auditbeat.reference.yml config files.
// Set DEV_OS and DEV_ARCH to change the target host for the generated configs.
// Defaults to linux/amd64.
func Configs() {
mg.Deps(makeConfigTemplates)
params := map[string]interface{}{
"GOOS": mage.EnvOr("DEV_OS", "linux"),
"GOARCH": mage.EnvOr("DEV_ARCH", "amd64"),
"ArchBits": archBits,
"Reference": false,
}
fmt.Printf(">> Building auditbeat.yml for %v/%v\n", params["GOOS"], params["GOARCH"])
mage.MustExpandFile(shortConfigTemplate, "auditbeat.yml", params)
params["Reference"] = true
fmt.Printf(">> Building auditbeat.reference.yml for %v/%v\n", params["GOOS"], params["GOARCH"])
mage.MustExpandFile(referenceConfigTemplate, "auditbeat.reference.yml", params)
// Check runs fmt and update then returns an error if any modifications are found.
func Check() {
mg.SerialDeps(devtools.Format, Update, devtools.Check)
}
// IntegTest executes integration tests (it uses Docker to run the tests).
func IntegTest() {
devtools.AddIntegTestUsage()
defer devtools.StopIntegTestEnv()
mg.SerialDeps(GoIntegTest, PythonIntegTest)
}
// UnitTest executes the unit tests.
func UnitTest() {
mg.SerialDeps(GoUnitTest, PythonUnitTest)
}
// GoUnitTest executes the Go unit tests.
// Use TEST_COVERAGE=true to enable code coverage profiling.
// Use RACE_DETECTOR=true to enable the race detector.
func GoUnitTest(ctx context.Context) error {
mg.Deps(Fields)
return devtools.GoTest(ctx, devtools.DefaultGoTestUnitArgs())
}
// GoIntegTest executes the Go integration tests.
// Use TEST_COVERAGE=true to enable code coverage profiling.
// Use RACE_DETECTOR=true to enable the race detector.
func GoIntegTest(ctx context.Context) error {
mg.Deps(Fields)
return devtools.RunIntegTest("goIntegTest", func() error {
return devtools.GoTest(ctx, devtools.DefaultGoTestIntegrationArgs())
})
}
// PythonUnitTest executes the python system tests.
func PythonUnitTest() error {
mg.Deps(devtools.BuildSystemTestBinary)
return devtools.PythonNoseTest(devtools.DefaultPythonTestUnitArgs())
}
// PythonIntegTest executes the python system tests in the integration environment (Docker).
func PythonIntegTest(ctx context.Context) error {
if !devtools.IsInIntegTestEnv() {
mg.SerialDeps(Fields, Dashboards)
}
return devtools.RunIntegTest("pythonIntegTest", func() error {
mg.Deps(devtools.BuildSystemTestBinary)
return devtools.PythonNoseTest(devtools.DefaultPythonTestIntegrationArgs())
})
}
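Review bot: `archBits` falls through to `return 64` for every GOARCH other than `386` and `arm`, and that value becomes the `-F arch=b64` filter in the generated audit rules; a future 32-bit target such as `mips` or `ppc` would silently get rules that never match any syscall. Make the 64-bit cases explicit (`amd64`, `arm64`, ...) and panic on an unknown architecture so the mistake fails at build time instead of producing an auditd ruleset that records nothing. Related: `Configs` defaults `DEV_OS`/`DEV_ARCH` to `linux/amd64`, which is fine, but the rendered `auditbeat.yml` is then arch-specific; a comment at the top of the generated file naming the target arch would save operators from loading b64 rules on a 32-bit host.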

View File

@ -15,6 +15,7 @@
"syscall": "accept",
"tty": "(none)"
},
"message_type": "syscall",
"result": "success",
"sequence": 8832,
"session": "unset",
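Review bot: adding `auditd.message_type` here, with `event.type` removed in the next hunk, moves the raw audit record type out of the ECS `event` namespace; any saved search or alert that filters `event.type:syscall` must be updated to `auditd.message_type:syscall`. That is the right direction, since ECS reserves `event.type` for categorization values rather than vendor record types, but the change deserves a line in the module's breaking-changes notes.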
@ -34,19 +35,21 @@
"event": {
"action": "accepted-connection-from",
"category": "audit-rule",
"module": "auditd",
"type": "syscall"
"module": "auditd"
},
"network": {
"direction": "incoming"
},
"process": {
"exe": "/usr/sbin/sshd",
"executable": "/usr/sbin/sshd",
"name": "sshd",
"pid": "1663",
"ppid": "1",
"pid": 1663,
"ppid": 1,
"title": "(sshd)"
},
"service": {
"type": "auditd"
},
"source": {
"ip": "72.83.230.100",
"port": "58140"
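Review bot: `"port": "58140"` is still a string while `process.pid` and `process.ppid` in the same hunk are converted to numbers; ECS maps `source.port` as `long`, so either emit it as a number as well or explain why it stays a string. Elasticsearch will coerce a numeric string into a `long` field, so indexing works either way, but the fixture should pin the type the module is meant to emit so a later regression is caught.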
@ -55,24 +58,38 @@
"net"
],
"user": {
"auid": "unset",
"egid": "0",
"euid": "0",
"fsgid": "0",
"fsuid": "0",
"gid": "0",
"name_map": {
"egid": "root",
"euid": "root",
"fsgid": "root",
"fsuid": "root",
"gid": "root",
"sgid": "root",
"suid": "root",
"uid": "root"
"audit": {
"id": "unset"
},
"sgid": "0",
"suid": "0",
"uid": "0"
"effective": {
"group": {
"id": "0",
"name": "root"
},
"id": "0",
"name": "root"
},
"filesystem": {
"group": {
"id": "0",
"name": "root"
},
"id": "0",
"name": "root"
},
"group": {
"id": "0",
"name": "root"
},
"id": "0",
"name": "root",
"saved": {
"group": {
"id": "0",
"name": "root"
},
"id": "0",
"name": "root"
}
}
}
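Review bot: `"id": "unset"` under `user.audit` carries the auditd sentinel for `auid=4294967295` into an ECS id field whose other values are numeric strings. Keeping it is reasonable (it distinguishes daemon-originated activity like this sshd accept from an interactive session), but an analyst filtering `user.audit.id: *` to isolate logged-in-user actions will still match these events; a short note in the module docs would help. The rest of the restructure is consistent with the `name_map` aliases added to `fields.yml` in this commit, so old `user.name_map.egid`-style queries keep resolving.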

View File

@ -41,4 +41,5 @@
## Unauthorized access attempts.
#-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
{{ end -}}
{{ end }}
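Review bot: `{{ end }}` without the `-` stops trimming the whitespace after the block, so the rendered `audit_rules` section now ends with a newline instead of running into the following template text; check that the generated `auditbeat.reference.yml` still parses at that boundary and that the diff of the rendered file is only the trailing newline. The `-S open,creat,...` rules in the context above remain commented out, which is the correct default: enabling the `-F exit=-EACCES`/`-EPERM` access rules on a busy host produces a high event rate, so the reference config should only show them.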

View File

@ -1,11 +1,16 @@
{
"@timestamp": "2017-10-12T08:05:34.853Z",
"agent": {
"hostname": "host.example.com",
"name": "host.example.com"
},
"auditd": {
"data": {
"acct": "(invalid user)",
"op": "login",
"terminal": "sshd"
},
"message_type": "user_login",
"result": "fail",
"sequence": 19955,
"session": "unset",
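Review bot: `"acct": "(invalid user)"` at `auditd.data.acct` is decoded from the hex-encoded `acct=28696E76616C6964207573657229` in the raw record, and for a failed sshd login this field is whatever username the remote client supplied; the module should document that `auditd.data.acct` is untrusted input, since it is a natural candidate for dashboard columns and alert message templates. The decode itself is correct (the kernel hex-encodes values containing spaces or quotes) and this fixture is a good regression test for it.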
@ -22,31 +27,32 @@
}
}
},
"beat": {
"hostname": "host.example.com",
"name": "host.example.com"
},
"event": {
"action": "logged-in",
"category": "user-login",
"module": "auditd",
"type": "user_login"
"original": [
"type=USER_LOGIN msg=audit(1492896301.818:19955): pid=12635 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe=\"/usr/sbin/sshd\" hostname=? addr=179.38.151.221 terminal=sshd res=failed'"
]
},
"network": {
"direction": "incoming"
},
"process": {
"exe": "/usr/sbin/sshd",
"pid": "12635"
"executable": "/usr/sbin/sshd",
"pid": 12635
},
"service": {
"type": "auditd"
},
"source": {
"ip": "179.38.151.221"
},
"user": {
"auid": "unset",
"name_map": {
"uid": "root"
"audit": {
"id": "unset"
},
"uid": "0"
"id": "0",
"name": "root"
}
}
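Review bot: `"action": "logged-in"` with `"result": "fail"` in the same document describes a failed attempt as a login; ECS has `event.outcome` for success/failure, and without it a query on `event.action:logged-in` counts failed SSH guesses from `179.38.151.221` as successful logins. Consider emitting `event.outcome: failure` alongside the action. Also, `event.original` is an array here even though ECS defines it as a single keyword; that is acceptable for multi-record events, but the `include_raw_message` docs changed in this commit should say it is a list, and the test config should show that the setting is enabled since the documented default is off.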

View File

@ -170,15 +170,15 @@ audit ruleset.
*`include_raw_message`*:: This boolean setting causes {beatname_uc} to
include each of the raw messages that contributed to the event in the document
as a field called `messages`. The default value is false. This setting is
as a field called `event.original`. The default value is false. This setting is
primarily used for development and debugging purposes.
*`include_warnings`*:: This boolean setting causes {beatname_uc} to
include as warnings any issues that were encountered while parsing the raw
messages. The default value is false. When this setting is enabled the raw
messages will be included in the event regardless of the
`include_raw_message` config setting. This setting is primarily used for
development and debugging purposes.
messages. The messages are written to the `error.message` field. The default
value is false. When this setting is enabled the raw messages will be included
in the event regardless of the `include_raw_message` config setting. This
setting is primarily used for development and debugging purposes.
*`audit_rules`*:: A string containing the audit rules that should be
installed to the kernel. There should be one rule per line. Comments can be
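Review bot: the sentence `as a field called event.original` should say that the value is the ordered list of raw kernel records that made up the event (the fixtures in this commit show an array), because ECS readers expect `event.original` to be a single string. For `include_warnings`, it is worth stating that `error.message` will then carry parser warnings alongside genuine errors, so anyone alerting on the presence of `error.message` should expect noise when this debug setting is on.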

View File

@ -11,6 +11,7 @@
"syscall": "execve",
"tty": "pts0"
},
"message_type": "syscall",
"paths": [
{
"dev": "08:01",
@ -40,8 +41,8 @@
"session": "11",
"summary": {
"actor": {
"primary": "ubuntu",
"secondary": "ubuntu"
"primary": "1001",
"secondary": "1001"
},
"how": "/bin/uname",
"object": {
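Review bot: `auditd.summary.actor.primary`/`secondary` change from the resolved name `ubuntu` to the numeric id `1001`; the `Primary Username Tag Cloud` visualization deleted later in this commit aggregates on `auditd.summary.actor.primary` as a username, so any replacement dashboard must expect uids here, and the summary no longer tells an analyst who ran `/bin/uname` without a separate lookup. If the intent is to keep the summary ECS-neutral, populate `user.name`/`user.audit.name` in the same document so the name is not lost.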
@ -53,8 +54,7 @@
"event": {
"action": "executed",
"category": "audit-rule",
"module": "auditd",
"type": "syscall"
"module": "auditd"
},
"file": {
"device": "00:00",
@ -71,32 +71,44 @@
"uname",
"-a"
],
"cwd": "/home/andrew_kroh",
"exe": "/bin/uname",
"executable": "/bin/uname",
"name": "uname",
"pid": "10043",
"ppid": "10027",
"title": "uname -a"
"pid": 10043,
"ppid": 10027,
"title": "uname -a",
"working_directory": "/home/andrew_kroh"
},
"service": {
"type": "auditd"
},
"tags": [
"user_commands"
],
"user": {
"auid": "1001",
"egid": "1002",
"euid": "1001",
"fsgid": "1002",
"fsuid": "1001",
"gid": "1002",
"name_map": {
"auid": "ubuntu",
"euid": "ubuntu",
"fsuid": "ubuntu",
"suid": "ubuntu",
"uid": "ubuntu"
"audit": {
"id": "1001"
},
"sgid": "1002",
"suid": "1001",
"uid": "1001"
"effective": {
"group": {
"id": "1002"
},
"id": "1001"
},
"filesystem": {
"group": {
"id": "1002"
},
"id": "1001"
},
"group": {
"id": "1002"
},
"id": "1001",
"saved": {
"group": {
"id": "1002"
},
"id": "1001"
}
}
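Review bot: the new `user` object carries ids only (`1001`/`1002`) with no `name` values, whereas the removed `name_map` block resolved them to `ubuntu`; compare the sshd accept fixture in this commit, where root is resolved to `name: root` at every level. If the test environment deliberately lacks a passwd entry for uid 1001 that is fine, but the fixture should not mask a regression in `user.*.name` population for non-root users; a comment in the test or a fixture generated with the user present would settle it.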
}

View File

@ -2,48 +2,46 @@
title: Auditd
description: These are the fields generated by the auditd module.
fields:
- name: event
type: group
fields:
- name: category
type: keyword
example: audit-rule
description: >
The event's category is a value derived from the `record_type`.
- name: type
type: keyword
description: The audit record's type.
- name: user
type: group
fields:
- name: auid
type: keyword
description: login user ID
type: alias
path: user.audit.id
migration: true
- name: uid
type: keyword
description: user ID
type: alias
path: user.id
migration: true
- name: euid
type: keyword
description: effective user ID
type: alias
path: user.effective.id
migration: true
- name: fsuid
type: keyword
description: file system user ID
type: alias
path: user.filesystem.id
migration: true
- name: suid
type: keyword
description: sent user ID
type: alias
path: user.saved.id
migration: true
- name: gid
type: keyword
description: group ID
type: alias
path: user.group.id
migration: true
- name: egid
type: keyword
description: effective group ID
type: alias
path: user.effective.group.id
migration: true
- name: sgid
type: keyword
description: set group ID
type: alias
path: user.saved.group.id
migration: true
- name: fsgid
type: keyword
description: file system group ID
type: alias
path: user.filesystem.group.id
migration: true
- name: name_map
type: group
description: >
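Review bot: the `migration: true` aliases replacing `user.auid`, `user.uid` and friends are only installed when the 6-to-7 migration aliases are enabled in the Beat configuration, so saved searches built on the old names break by default; call this out in the upgrade notes next to the `event.type` removal in this hunk. Also, the old `suid` description `sent user ID` was a typo for the saved set-user-ID; the alias to `user.saved.id` is the correct target.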
@ -52,32 +50,41 @@
(e.g. auid -> root).
fields:
- name: auid
type: keyword
description: login user name
type: alias
path: user.audit.name
migration: true
- name: uid
type: keyword
description: user name
type: alias
path: user.name
migration: true
- name: euid
type: keyword
description: effective user name
type: alias
path: user.effective.name
migration: true
- name: fsuid
type: keyword
description: file system user name
type: alias
path: user.filesystem.name
migration: true
- name: suid
type: keyword
description: sent user name
type: alias
path: user.saved.name
migration: true
- name: gid
type: keyword
description: group name
type: alias
path: user.group.name
migration: true
- name: egid
type: keyword
description: effective group name
type: alias
path: user.effective.group.name
migration: true
- name: sgid
type: keyword
description: set group name
type: alias
path: user.saved.group.name
migration: true
- name: fsgid
type: keyword
description: file system group name
type: alias
path: user.filesystem.group.name
migration: true
- name: selinux
type: group
description: The SELinux identity of the actor.
@ -103,41 +110,16 @@
type: group
description: Process attributes.
fields:
- name: pid
type: keyword
description: Process ID.
- name: ppid
type: keyword
description: Parent process ID.
- name: name
type: keyword
description: Process name (comm).
- name: title
type: keyword
description: Process title or command line parameters (proctitle).
- name: exe
type: keyword
description: Absolute path of the executable.
- name: cwd
type: keyword
type: alias
path: process.working_directory
migration: true
description: The current working directory.
- name: args
type: keyword
description: The process arguments as a list.
- name: source
type: group
description: Source that triggered the event.
fields:
- name: ip
type: ip
description: The remote address.
- name: port
type: keyword
description: The port number.
- name: hostname
type: keyword
description: Hostname of the source.
- name: path
type: keyword
description: This is the path associated with a unix socket.
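Review bot: `process.exe` is removed here without a migration alias, unlike `cwd`, which gets `path: process.working_directory`; the Kibana saved objects deleted below aggregate and display `process.exe`, and the fixtures now emit `process.executable`, so pre-7.3 saved searches referencing `process.exe` break even with migration aliases enabled. Add `- name: exe` / `type: alias` / `path: process.executable` with `migration: true` for parity. Separately, `pid`/`ppid` were `keyword` here and the fixtures now emit them as numbers, matching the ECS `long` type; worth a line in breaking changes since range queries and terms aggregations behave differently.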
@ -146,26 +128,18 @@
type: group
description: Destination address that triggered the event.
fields:
- name: ip
type: ip
description: The remote address.
- name: port
type: keyword
description: The port number.
- name: hostname
type: keyword
description: Hostname of the source.
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: network.direction
type: keyword
description: Direction of the network traffic (`incoming` or `outgoing`).
- name: auditd
type: group
fields:
- name: message_type
type: keyword
example: syscall
description: >
The audit message type (e.g. syscall or apparmor_denied).
- name: sequence
type: long
description: >
@ -877,15 +851,20 @@
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: messages
type: text
type: alias
migration: true
path: event.original
description: >
An ordered list of the raw messages received from the kernel that
were used to construct this document. This field is present if an error
occurred processing the data or if `include_raw_message` is set
in the config.
- name: warnings
type: keyword
type: alias
migration: true
path: error.message
description: >
The warnings generated by the Beat during the construction of the event.
These are disabled by default and are used for development and debug
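Review bot: `messages` was a `text` field and is now an alias to `event.original`, which ECS maps as `keyword`; full-text queries on `messages` that used to match a substring of a raw record become exact-match on the whole record, so the alias preserves the name but not the query semantics. Likewise routing `warnings` to `error.message` mixes parser warnings with genuine processing errors in one field; if `include_warnings` is meant for debugging only, say so in the description so nobody alerts on `error.message` existence in production.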

View File

@ -1,13 +0,0 @@
{
"hits": 0,
"timeRestore": false,
"description": "",
"title": "[Auditbeat Auditd] Executions",
"uiStateJSON": "{}",
"panelsJSON": "[{\"col\":1,\"id\":\"2efac370-c1ca-11e7-8995-936807a28b16\",\"panelIndex\":1,\"row\":1,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":5,\"id\":\"20a8e8d0-c1c8-11e7-8995-936807a28b16\",\"panelIndex\":2,\"row\":1,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"beat.hostname\",\"process.args\",\"auditd.summary.actor.primary\",\"auditd.summary.actor.secondary\",\"process.exe\"],\"id\":\"d382f5b0-c1c6-11e7-8995-936807a28b16\",\"panelIndex\":4,\"row\":5,\"size_x\":12,\"size_y\":5,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"size_x\":4,\"size_y\":4,\"panelIndex\":5,\"type\":\"visualization\",\"id\":\"AWECQyrvI1bE2ipp1pSa\",\"col\":9,\"row\":1}]",
"optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}"
}
}
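Review bot: deleting this dashboard is consistent with the field changes in this commit, since its saved search columns reference `beat.hostname` and `process.exe`, both of which no longer exist in the auditd documents (the fixtures emit `agent.hostname` and `process.executable`). Confirm the replacement saved objects are added elsewhere in the commit under new ids and exported against the 7.x index pattern so the `panelsJSON` references resolve; otherwise users upgrading lose the Executions view with no successor.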

View File

@ -1,13 +0,0 @@
{
"hits": 0,
"timeRestore": false,
"description": "Summary of socket related syscall events.",
"title": "[Auditbeat Auditd] Sockets",
"uiStateJSON": "{\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-4\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}",
"panelsJSON": "[{\"col\":1,\"id\":\"b21e0c70-c252-11e7-8692-232bd1143e8a\",\"panelIndex\":1,\"row\":1,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"faf882f0-c242-11e7-8692-232bd1143e8a\",\"panelIndex\":3,\"row\":4,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"ea483730-c246-11e7-8692-232bd1143e8a\",\"panelIndex\":4,\"row\":7,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"ceb91de0-c250-11e7-8692-232bd1143e8a\",\"panelIndex\":5,\"row\":7,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"AWECSCC-I1bE2ipp1pZj\",\"panelIndex\":6,\"row\":4,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"}]",
"optionsJSON": "{\"darkTheme\":false}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}"
}
}

View File

@ -1,13 +0,0 @@
{
"hits": 0,
"timeRestore": false,
"description": "Summary of Linux kernel audit events.",
"title": "[Auditbeat Auditd] Overview",
"uiStateJSON": "{}",
"panelsJSON": "[{\"col\":1,\"id\":\"97680df0-c1c0-11e7-8995-936807a28b16\",\"panelIndex\":1,\"row\":1,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"08679220-c25a-11e7-8692-232bd1143e8a\",\"panelIndex\":2,\"row\":1,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"beat.hostname\",\"auditd.summary.actor.primary\",\"auditd.summary.actor.secondary\",\"event.action\",\"auditd.summary.object.type\",\"auditd.summary.object.primary\",\"auditd.summary.object.secondary\",\"auditd.summary.how\",\"auditd.result\"],\"id\":\"0f10c430-c1c3-11e7-8995-936807a28b16\",\"panelIndex\":3,\"row\":5,\"size_x\":12,\"size_y\":6,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"}]",
"optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}"
}
}

View File

@ -1,24 +0,0 @@
{
"sort": [
"@timestamp",
"desc"
],
"hits": 0,
"description": "",
"title": "Audit Event Table [Auditbeat Auditd]",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"highlightAll\": true,\n \"version\": true,\n \"filter\": [\n {\n \"meta\": {\n \"negate\": false,\n \"index\": \"auditbeat-*\",\n \"type\": \"phrase\",\n \"key\": \"event.module\",\n \"value\": \"auditd\",\n \"params\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n },\n \"disabled\": false,\n \"alias\": null\n },\n \"query\": {\n \"match\": {\n \"event.module\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n }\n ]\n}"
},
"columns": [
"beat.hostname",
"auditd.summary.actor.primary",
"auditd.summary.actor.secondary",
"event.action",
"auditd.summary.object.type",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.summary.how",
"auditd.result"
]
}

View File

@ -1,22 +0,0 @@
{
"sort": [
"@timestamp",
"desc"
],
"hits": 0,
"description": "",
"title": "Socket Connects [Auditbeat Auditd]",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"highlightAll\": true,\n \"version\": true,\n \"filter\": [\n {\n \"$state\": {\n \"store\": \"appState\"\n },\n \"meta\": {\n \"alias\": null,\n \"disabled\": false,\n \"index\": \"auditbeat-*\",\n \"key\": \"event.module\",\n \"negate\": false,\n \"params\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n },\n \"type\": \"phrase\",\n \"value\": \"auditd\"\n },\n \"query\": {\n \"match\": {\n \"event.module\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n }\n }\n }\n },\n {\n \"meta\": {\n \"negate\": false,\n \"index\": \"auditbeat-*\",\n \"type\": \"phrase\",\n \"key\": \"event.action\",\n \"value\": \"connected-to\",\n \"params\": {\n \"query\": \"connected-to\",\n \"type\": \"phrase\"\n },\n \"disabled\": false,\n \"alias\": null\n },\n \"query\": {\n \"match\": {\n \"event.action\": {\n \"query\": \"connected-to\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n },\n {\n \"meta\": {\n \"index\": \"auditbeat-*\",\n \"negate\": false,\n \"disabled\": false,\n \"alias\": null,\n \"type\": \"exists\",\n \"key\": \"auditd.summary.object.primary\",\n \"value\": \"exists\"\n },\n \"exists\": {\n \"field\": \"auditd.summary.object.primary\"\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n }\n ]\n}"
},
"columns": [
"beat.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.data.socket.family",
"auditd.result",
"auditd.data.exit"
]
}

View File

@ -1,21 +0,0 @@
{
"sort": [
"@timestamp",
"desc"
],
"hits": 0,
"description": "",
"title": "Socket Binds [Auditbeat Auditd]",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"highlightAll\": true,\n \"version\": true,\n \"filter\": [\n {\n \"$state\": {\n \"store\": \"appState\"\n },\n \"meta\": {\n \"alias\": null,\n \"disabled\": false,\n \"index\": \"auditbeat-*\",\n \"key\": \"event.module\",\n \"negate\": false,\n \"params\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n },\n \"type\": \"phrase\",\n \"value\": \"auditd\"\n },\n \"query\": {\n \"match\": {\n \"event.module\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n }\n }\n }\n },\n {\n \"meta\": {\n \"index\": \"auditbeat-*\",\n \"negate\": false,\n \"disabled\": false,\n \"alias\": null,\n \"type\": \"phrase\",\n \"key\": \"auditd.data.syscall\",\n \"value\": \"bind\",\n \"params\": {\n \"query\": \"bind\",\n \"type\": \"phrase\"\n }\n },\n \"query\": {\n \"match\": {\n \"auditd.data.syscall\": {\n \"query\": \"bind\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n },\n {\n \"meta\": {\n \"negate\": true,\n \"index\": \"auditbeat-*\",\n \"type\": \"phrase\",\n \"key\": \"auditd.data.socket.family\",\n \"value\": \"netlink\",\n \"params\": {\n \"query\": \"netlink\",\n \"type\": \"phrase\"\n },\n \"disabled\": false,\n \"alias\": null\n },\n \"query\": {\n \"match\": {\n \"auditd.data.socket.family\": {\n \"query\": \"netlink\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n }\n ]\n}"
},
"columns": [
"beat.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.data.socket.family",
"auditd.result"
]
}

View File

@ -1,20 +0,0 @@
{
"sort": [
"@timestamp",
"desc"
],
"hits": 0,
"description": "",
"title": "Process Executions [Auditbeat Auditd]",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"highlightAll\": true,\n \"version\": true,\n \"filter\": [\n {\n \"$state\": {\n \"store\": \"appState\"\n },\n \"meta\": {\n \"alias\": null,\n \"disabled\": false,\n \"index\": \"auditbeat-*\",\n \"key\": \"event.module\",\n \"negate\": false,\n \"params\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n },\n \"type\": \"phrase\",\n \"value\": \"auditd\"\n },\n \"query\": {\n \"match\": {\n \"event.module\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n }\n }\n }\n },\n {\n \"$state\": {\n \"store\": \"appState\"\n },\n \"meta\": {\n \"alias\": null,\n \"disabled\": false,\n \"index\": \"auditbeat-*\",\n \"key\": \"event.action\",\n \"negate\": false,\n \"params\": {\n \"query\": \"executed\",\n \"type\": \"phrase\"\n },\n \"type\": \"phrase\",\n \"value\": \"executed\"\n },\n \"query\": {\n \"match\": {\n \"event.action\": {\n \"query\": \"executed\",\n \"type\": \"phrase\"\n }\n }\n }\n }\n ]\n}"
},
"columns": [
"beat.hostname",
"process.args",
"auditd.summary.actor.primary",
"auditd.summary.actor.secondary",
"process.exe"
]
}
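Review bot: this saved search's `columns` list `beat.hostname` and `process.exe`; with `process.exe` removed from `fields.yml` without an alias, the columns would render empty, so the removal is correct. Its filter on `event.action:executed` still matches the new fixtures, so the replacement search can keep that filter and only needs the column renames to `agent.hostname` and `process.executable`.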

View File

@ -1,21 +0,0 @@
{
"sort": [
"@timestamp",
"desc"
],
"hits": 0,
"description": "",
"title": "Socket Accept / Recvfrom [Auditbeat Auditd]",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"highlightAll\": true,\n \"version\": true,\n \"filter\": [\n {\n \"$state\": {\n \"store\": \"appState\"\n },\n \"meta\": {\n \"alias\": null,\n \"disabled\": false,\n \"index\": \"auditbeat-*\",\n \"key\": \"event.module\",\n \"negate\": false,\n \"params\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n },\n \"type\": \"phrase\",\n \"value\": \"auditd\"\n },\n \"query\": {\n \"match\": {\n \"event.module\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n }\n }\n }\n },\n {\n \"meta\": {\n \"negate\": false,\n \"index\": \"auditbeat-*\",\n \"type\": \"phrase\",\n \"key\": \"auditd.summary.object.type\",\n \"value\": \"socket\",\n \"params\": {\n \"query\": \"socket\",\n \"type\": \"phrase\"\n },\n \"disabled\": false,\n \"alias\": null\n },\n \"query\": {\n \"match\": {\n \"auditd.summary.object.type\": {\n \"query\": \"socket\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n },\n {\n \"meta\": {\n \"index\": \"auditbeat-*\",\n \"negate\": false,\n \"disabled\": false,\n \"alias\": null,\n \"type\": \"exists\",\n \"key\": \"auditd.summary.object.primary\",\n \"value\": \"exists\"\n },\n \"exists\": {\n \"field\": \"auditd.summary.object.primary\"\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n },\n {\n \"query\": {\n \"terms\": {\n \"auditd.data.syscall\": [\n \"accept\",\n \"accept4\",\n \"recvfrom\",\n \"recvmsg\"\n ]\n }\n },\n \"meta\": {\n \"negate\": false,\n \"index\": \"auditbeat-*\",\n \"disabled\": false,\n \"alias\": null,\n \"type\": \"custom\",\n \"key\": \"query\",\n \"value\": \"{\\\"terms\\\":{\\\"auditd.data.syscall\\\":[\\\"accept\\\",\\\"accept4\\\",\\\"recvfrom\\\",\\\"recvmsg\\\"]}}\"\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n }\n ]\n}"
},
"columns": [
"beat.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.data.socket.family",
"event.action"
]
}

View File

@ -1,11 +0,0 @@
{
"visState": "{\n \"title\": \"Event Categories [Auditbeat Auditd]\",\n \"type\": \"pie\",\n \"params\": {\n \"type\": \"pie\",\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": true\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"event.category\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Category\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"event.action\",\n \"size\": 20,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Action\"\n }\n }\n ]\n}",
"description": "",
"title": "Event Categories [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"savedSearchId": "0f10c430-c1c3-11e7-8995-936807a28b16",
"kibanaSavedObjectMeta": {
"searchSourceJSON": ""
}
}

View File

@ -1,11 +0,0 @@
{
"visState": "{\n \"title\": \"Error Codes [Auditbeat Auditd Executions]\",\n \"type\": \"pie\",\n \"params\": {\n \"type\": \"pie\",\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": true\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"auditd.data.exit\",\n \"exclude\": \"0\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\"\n }\n }\n ]\n}",
"description": "",
"title": "Error Codes [Auditbeat Auditd Executions]",
"uiStateJSON": "{}",
"version": 1,
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"kibanaSavedObjectMeta": {
"searchSourceJSON": ""
}
}

View File

@ -1,11 +0,0 @@
{
"visState": "{\n \"title\": \"Exe Name Tag Cloud [Auditbeat Auditd Executions]\",\n \"type\": \"tagcloud\",\n \"params\": {\n \"scale\": \"linear\",\n \"orientation\": \"single\",\n \"minFontSize\": 14,\n \"maxFontSize\": 45\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"process.exe\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\"\n }\n }\n ]\n}",
"description": "",
"title": "Exe Name Tag Cloud [Auditbeat Auditd Executions]",
"uiStateJSON": "{}",
"version": 1,
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"kibanaSavedObjectMeta": {
"searchSourceJSON": ""
}
}

View File

@ -1,10 +0,0 @@
{
"visState": "{\n \"title\": \"Event Actions [Auditbeat Auditd Overview]\",\n \"type\": \"metrics\",\n \"params\": {\n \"id\": \"61ca57f0-469d-11e7-af02-69e470af7417\",\n \"type\": \"timeseries\",\n \"series\": [\n {\n \"id\": \"61ca57f1-469d-11e7-af02-69e470af7417\",\n \"color\": \"#68BC00\",\n \"split_mode\": \"terms\",\n \"metrics\": [\n {\n \"id\": \"6b9fb2d0-c1bc-11e7-938f-ab0645b6c431\",\n \"type\": \"count\"\n }\n ],\n \"seperate_axis\": 0,\n \"axis_position\": \"right\",\n \"formatter\": \"number\",\n \"chart_type\": \"line\",\n \"line_width\": 1,\n \"point_size\": 1,\n \"fill\": 0.5,\n \"stacked\": \"none\",\n \"terms_field\": \"event.action\",\n \"label\": \"Actions\"\n }\n ],\n \"time_field\": \"@timestamp\",\n \"index_pattern\": \"auditbeat-*\",\n \"interval\": \"auto\",\n \"axis_position\": \"left\",\n \"axis_formatter\": \"number\",\n \"show_legend\": 1,\n \"show_grid\": 1,\n \"filter\": \"event.module:auditd\",\n \"background_color_rules\": [\n {\n \"id\": \"58c95a20-c1bd-11e7-938f-ab0645b6c431\"\n }\n ],\n \"bar_color_rules\": [\n {\n \"id\": \"5bfc71a0-c1bd-11e7-938f-ab0645b6c431\"\n }\n ],\n \"gauge_color_rules\": [\n {\n \"id\": \"5d20a650-c1bd-11e7-938f-ab0645b6c431\"\n }\n ],\n \"gauge_width\": 10,\n \"gauge_inner_width\": 10,\n \"gauge_style\": \"half\",\n \"legend_position\": \"left\"\n },\n \"aggs\": []\n}",
"description": "",
"title": "Event Actions [Auditbeat Auditd Overview]",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
}
}

View File

@ -1,10 +0,0 @@
{
"visState": "{\"title\":\"Primary Username Tag Cloud [Auditbeat Auditd]\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"type\":\"tagcloud\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"auditd.summary.actor.primary\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
"description": "",
"title": "Primary Username Tag Cloud [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"match_all\":{}},\"filter\":[]}"
}
}
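Review bot: this visualization aggregates `auditd.summary.actor.primary` under the title `Primary Username Tag Cloud`, but the execve fixture in this commit now populates that field with the uid `1001` rather than a name; a successor visualization should either aggregate on `user.name` or be retitled, since a cloud of numeric uids is not what the title promises.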

View File

@ -1,10 +0,0 @@
{
"visState": "{\"title\":\"Socket Families [Auditbeat Auditd]\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"left\",\"isDonut\":true,\"type\":\"pie\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"auditd.data.socket.family\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Family\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"auditd.data.syscall\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Syscall\"}}],\"listeners\":{}}",
"description": "",
"title": "Socket Families [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"match_all\":{}},\"filter\":[]}"
}
}

View File

@ -1,10 +0,0 @@
{
"visState": "{\n \"title\": \"Socket Syscalls Time Series [Auditbeat Auditd]\",\n \"type\": \"metrics\",\n \"params\": {\n \"id\": \"61ca57f0-469d-11e7-af02-69e470af7417\",\n \"type\": \"timeseries\",\n \"series\": [\n {\n \"id\": \"61ca57f1-469d-11e7-af02-69e470af7417\",\n \"color\": \"#68BC00\",\n \"split_mode\": \"terms\",\n \"metrics\": [\n {\n \"id\": \"61ca57f2-469d-11e7-af02-69e470af7417\",\n \"type\": \"count\"\n }\n ],\n \"seperate_axis\": 0,\n \"axis_position\": \"right\",\n \"formatter\": \"number\",\n \"chart_type\": \"line\",\n \"line_width\": 1,\n \"point_size\": 1,\n \"fill\": 0.5,\n \"stacked\": \"none\",\n \"terms_field\": \"auditd.data.syscall\",\n \"label\": \"syscall\"\n }\n ],\n \"time_field\": \"@timestamp\",\n \"index_pattern\": \"auditbeat-*\",\n \"interval\": \"auto\",\n \"axis_position\": \"left\",\n \"axis_formatter\": \"number\",\n \"show_legend\": 1,\n \"show_grid\": 1,\n \"filter\": \"auditd.summary.object.type:socket\",\n \"legend_position\": \"left\",\n \"bar_color_rules\": [\n {\n \"id\": \"2cebb0c0-c252-11e7-8a68-93ffe9ec5950\"\n }\n ],\n \"gauge_color_rules\": [\n {\n \"id\": \"6c891740-c252-11e7-8a68-93ffe9ec5950\"\n }\n ],\n \"gauge_width\": 10,\n \"gauge_inner_width\": 10,\n \"gauge_style\": \"half\",\n \"background_color_rules\": [\n {\n \"id\": \"95b603d0-c252-11e7-8a68-93ffe9ec5950\"\n }\n ]\n },\n \"aggs\": []\n}",
"description": "",
"title": "Socket Syscalls Time Series [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
}
}

View File

@ -1,11 +0,0 @@
{
"visState": "{\n \"title\": \"Accept / Recvfrom Unique Address Table [Auditbeat Auditd]\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"showMeticsAtAllLevels\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"auditd.summary.object.primary\",\n \"customLabel\": \"Unique Addresses\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"process.exe\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Exe\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.data.syscall\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Syscall\"\n }\n }\n ]\n}",
"description": "",
"title": "Accept / Recvfrom Unique Address Table [Auditbeat Auditd]",
"uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n },\n \"spy\": {\n \"mode\": {\n \"name\": null,\n \"fill\": false\n }\n }\n}",
"version": 1,
"savedSearchId": "e8734160-c24c-11e7-8692-232bd1143e8a",
"kibanaSavedObjectMeta": {
"searchSourceJSON": ""
}
}

View File

@ -1,11 +0,0 @@
{
"visState": "{\n \"title\": \"Connect [Auditbeat Auditd]\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"showMeticsAtAllLevels\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"process.exe\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Exe\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.summary.object.primary\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Address\"\n }\n },\n {\n \"id\": \"4\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.summary.object.secondary\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Port\"\n }\n }\n ]\n}",
"description": "",
"title": "Connect [Auditbeat Auditd]",
"uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}",
"version": 1,
"savedSearchId": "5438b030-c246-11e7-8692-232bd1143e8a",
"kibanaSavedObjectMeta": {
"searchSourceJSON": ""
}
}

View File

@ -1,11 +0,0 @@
{
"visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Exe\",\"field\":\"auditd.summary.how\",\"order\":\"desc\",\"orderBy\":\"_term\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Address\",\"field\":\"auditd.summary.object.primary\",\"order\":\"desc\",\"orderBy\":\"_term\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Port\",\"field\":\"auditd.summary.object.secondary\",\"order\":\"desc\",\"orderBy\":\"_term\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"title\":\"Bind (non-ephemeral) [Auditbeat Auditd]\",\"type\":\"table\"}",
"description": "",
"title": "Bind (non-ephemeral) [Auditbeat Auditd]",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"savedSearchId": "b4c93470-c240-11e7-8692-232bd1143e8a",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
}
}

View File

@ -7,13 +7,13 @@
"searchSourceJSON": {
"filter": [],
"query": {
"language": "lucene",
"language": "kuery",
"query": ""
}
}
},
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"title": "Error Codes [Auditbeat Auditd Executions]",
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16-ecs",
"title": "Error Codes [Auditbeat Auditd Executions] ECS",
"uiStateJSON": {},
"version": 1,
"visState": {
@ -46,11 +46,11 @@
"legendPosition": "right",
"type": "pie"
},
"title": "Error Codes [Auditbeat Auditd Executions]",
"title": "Error Codes [Auditbeat Auditd Executions] ECS",
"type": "pie"
}
},
"id": "20a8e8d0-c1c8-11e7-8995-936807a28b16",
"id": "20a8e8d0-c1c8-11e7-8995-936807a28b16-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:10:23.921Z",
"version": 4
@ -63,12 +63,12 @@
"filter": [],
"index": "auditbeat-*",
"query": {
"language": "lucene",
"language": "kuery",
"query": ""
}
}
},
"title": "Primary Username Tag Cloud [Auditbeat Auditd]",
"title": "Primary Username Tag Cloud [Auditbeat Auditd] ECS",
"uiStateJSON": {},
"version": 1,
"visState": {
@ -99,11 +99,11 @@
"orientation": "single",
"scale": "linear"
},
"title": "Primary Username Tag Cloud [Auditbeat Auditd]",
"title": "Primary Username Tag Cloud [Auditbeat Auditd] ECS",
"type": "tagcloud"
}
},
"id": "f81a6de0-c1c1-11e7-8995-936807a28b16",
"id": "f81a6de0-c1c1-11e7-8995-936807a28b16-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:12:18.730Z",
"version": 3
@ -115,13 +115,13 @@
"searchSourceJSON": {
"filter": [],
"query": {
"language": "lucene",
"language": "kuery",
"query": ""
}
}
},
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"title": "Exe Name Tag Cloud [Auditbeat Auditd Executions]",
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16-ecs",
"title": "Exe Name Tag Cloud [Auditbeat Auditd Executions] ECS",
"uiStateJSON": {},
"version": 1,
"visState": {
@ -137,7 +137,7 @@
"enabled": true,
"id": "2",
"params": {
"field": "process.exe",
"field": "process.executable",
"order": "desc",
"orderBy": "1",
"size": 10
@ -152,11 +152,11 @@
"orientation": "single",
"scale": "linear"
},
"title": "Exe Name Tag Cloud [Auditbeat Auditd Executions]",
"title": "Exe Name Tag Cloud [Auditbeat Auditd Executions] ECS",
"type": "tagcloud"
}
},
"id": "2efac370-c1ca-11e7-8995-936807a28b16",
"id": "2efac370-c1ca-11e7-8995-936807a28b16-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:57:41.411Z",
"version": 4
@ -164,11 +164,11 @@
{
"attributes": {
"columns": [
"beat.hostname",
"agent.hostname",
"process.args",
"auditd.summary.actor.primary",
"auditd.summary.actor.secondary",
"process.exe"
"process.executable"
],
"description": "",
"hits": 0,
@ -231,8 +231,8 @@
"highlightAll": true,
"index": "auditbeat-*",
"query": {
"language": "lucene",
"query": "*"
"language": "kuery",
"query": ""
},
"version": true
}
@ -241,10 +241,10 @@
"@timestamp",
"desc"
],
"title": "Process Executions [Auditbeat Auditd]",
"title": "Process Executions [Auditbeat Auditd] ECS",
"version": 1
},
"id": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"id": "d382f5b0-c1c6-11e7-8995-936807a28b16-ecs",
"type": "search",
"updated_at": "2018-01-16T22:26:35.050Z",
"version": 5
@ -258,7 +258,7 @@
"filter": [],
"highlightAll": true,
"query": {
"language": "lucene",
"language": "kuery",
"query": ""
},
"version": true
@ -277,7 +277,7 @@
"x": 4,
"y": 0
},
"id": "20a8e8d0-c1c8-11e7-8995-936807a28b16",
"id": "20a8e8d0-c1c8-11e7-8995-936807a28b16-ecs",
"panelIndex": "1",
"type": "visualization",
"version": "6.2.4"
@ -290,7 +290,7 @@
"x": 8,
"y": 0
},
"id": "f81a6de0-c1c1-11e7-8995-936807a28b16",
"id": "f81a6de0-c1c1-11e7-8995-936807a28b16-ecs",
"panelIndex": "3",
"type": "visualization",
"version": "6.2.4"
@ -303,7 +303,7 @@
"x": 0,
"y": 0
},
"id": "2efac370-c1ca-11e7-8995-936807a28b16",
"id": "2efac370-c1ca-11e7-8995-936807a28b16-ecs",
"panelIndex": "5",
"type": "visualization",
"version": "6.2.4"
@ -316,17 +316,17 @@
"x": 0,
"y": 3
},
"id": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"id": "d382f5b0-c1c6-11e7-8995-936807a28b16-ecs",
"panelIndex": "6",
"type": "search",
"version": "6.2.4"
}
],
"timeRestore": false,
"title": "[Auditbeat Auditd] Executions",
"title": "[Auditbeat Auditd] Executions ECS",
"version": 1
},
"id": "7de391b0-c1ca-11e7-8995-936807a28b16",
"id": "7de391b0-c1ca-11e7-8995-936807a28b16-ecs",
"type": "dashboard",
"updated_at": "2018-01-16T22:58:11.243Z",
"version": 5

View File

@ -6,7 +6,7 @@
"kibanaSavedObjectMeta": {
"searchSourceJSON": {}
},
"title": "Event Actions [Auditbeat Auditd Overview]",
"title": "Event Actions [Auditbeat Auditd Overview] ECS",
"uiStateJSON": {},
"version": 1,
"visState": {
@ -65,11 +65,11 @@
"time_field": "@timestamp",
"type": "timeseries"
},
"title": "Event Actions [Auditbeat Auditd Overview]",
"title": "Event Actions [Auditbeat Auditd Overview] ECS",
"type": "metrics"
}
},
"id": "97680df0-c1c0-11e7-8995-936807a28b16",
"id": "97680df0-c1c0-11e7-8995-936807a28b16-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:11:01.438Z",
"version": 3
@ -82,13 +82,13 @@
"filter": [],
"index": "auditbeat-*",
"query": {
"language": "lucene",
"language": "kuery",
"query": ""
}
}
},
"savedSearchId": "0f10c430-c1c3-11e7-8995-936807a28b16",
"title": "Event Categories [Auditbeat Auditd]",
"savedSearchId": "0f10c430-c1c3-11e7-8995-936807a28b16-ecs",
"title": "Event Categories [Auditbeat Auditd] ECS",
"uiStateJSON": {},
"version": 1,
"visState": {
@ -134,11 +134,11 @@
"legendPosition": "right",
"type": "pie"
},
"title": "Event Categories [Auditbeat Auditd]",
"title": "Event Categories [Auditbeat Auditd] ECS",
"type": "pie"
}
},
"id": "08679220-c25a-11e7-8692-232bd1143e8a",
"id": "08679220-c25a-11e7-8692-232bd1143e8a-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:54:10.330Z",
"version": 4
@ -146,7 +146,7 @@
{
"attributes": {
"columns": [
"beat.hostname",
"agent.hostname",
"auditd.summary.actor.primary",
"auditd.summary.actor.secondary",
"event.action",
@ -191,7 +191,7 @@
"highlightAll": true,
"index": "auditbeat-*",
"query": {
"language": "lucene",
"language": "kuery",
"query": ""
},
"version": true
@ -201,10 +201,10 @@
"@timestamp",
"desc"
],
"title": "Audit Event Table [Auditbeat Auditd]",
"title": "Audit Event Table [Auditbeat Auditd] ECS",
"version": 1
},
"id": "0f10c430-c1c3-11e7-8995-936807a28b16",
"id": "0f10c430-c1c3-11e7-8995-936807a28b16-ecs",
"type": "search",
"updated_at": "2018-01-16T22:51:24.572Z",
"version": 4
@ -218,7 +218,7 @@
"filter": [],
"highlightAll": true,
"query": {
"language": "lucene",
"language": "kuery",
"query": ""
},
"version": true
@ -237,7 +237,7 @@
"x": 0,
"y": 0
},
"id": "97680df0-c1c0-11e7-8995-936807a28b16",
"id": "97680df0-c1c0-11e7-8995-936807a28b16-ecs",
"panelIndex": "1",
"type": "visualization",
"version": "6.2.4"
@ -250,7 +250,7 @@
"x": 7,
"y": 0
},
"id": "08679220-c25a-11e7-8692-232bd1143e8a",
"id": "08679220-c25a-11e7-8692-232bd1143e8a-ecs",
"panelIndex": "4",
"type": "visualization",
"version": "6.2.4"
@ -263,17 +263,17 @@
"x": 0,
"y": 3
},
"id": "0f10c430-c1c3-11e7-8995-936807a28b16",
"id": "0f10c430-c1c3-11e7-8995-936807a28b16-ecs",
"panelIndex": "5",
"type": "search",
"version": "6.2.4"
}
],
"timeRestore": false,
"title": "[Auditbeat Auditd] Overview",
"title": "[Auditbeat Auditd] Overview ECS",
"version": 1
},
"id": "c0ac2c00-c1c0-11e7-8995-936807a28b16",
"id": "c0ac2c00-c1c0-11e7-8995-936807a28b16-ecs",
"type": "dashboard",
"updated_at": "2018-01-16T22:55:17.775Z",
"version": 5

View File

@ -35,13 +35,13 @@
}
],
"query": {
"language": "lucene",
"language": "kuery",
"query": ""
}
}
},
"savedSearchId": "b4c93470-c240-11e7-8692-232bd1143e8a",
"title": "Bind (non-ephemeral) [Auditbeat Auditd]",
"savedSearchId": "b4c93470-c240-11e7-8692-232bd1143e8a-ecs",
"title": "Bind (non-ephemeral) [Auditbeat Auditd] ECS",
"uiStateJSON": {
"vis": {
"params": {
@ -113,11 +113,11 @@
},
"totalFunc": "sum"
},
"title": "Bind (non-ephemeral) [Auditbeat Auditd]",
"title": "Bind (non-ephemeral) [Auditbeat Auditd] ECS",
"type": "table"
}
},
"id": "faf882f0-c242-11e7-8692-232bd1143e8a",
"id": "faf882f0-c242-11e7-8692-232bd1143e8a-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:08:02.522Z",
"version": 3
@ -129,13 +129,13 @@
"searchSourceJSON": {
"filter": [],
"query": {
"language": "lucene",
"language": "kuery",
"query": ""
}
}
},
"savedSearchId": "5438b030-c246-11e7-8692-232bd1143e8a",
"title": "Connect [Auditbeat Auditd]",
"savedSearchId": "5438b030-c246-11e7-8692-232bd1143e8a-ecs",
"title": "Connect [Auditbeat Auditd] ECS",
"uiStateJSON": {
"vis": {
"params": {
@ -161,7 +161,7 @@
"id": "2",
"params": {
"customLabel": "Exe",
"field": "process.exe",
"field": "process.executable",
"order": "desc",
"orderBy": "1",
"size": 50
@ -207,11 +207,11 @@
},
"totalFunc": "sum"
},
"title": "Connect [Auditbeat Auditd]",
"title": "Connect [Auditbeat Auditd] ECS",
"type": "table"
}
},
"id": "ea483730-c246-11e7-8692-232bd1143e8a",
"id": "ea483730-c246-11e7-8692-232bd1143e8a-ecs",
"type": "visualization",
"updated_at": "2018-01-16T23:24:16.851Z",
"version": 4
@ -223,13 +223,13 @@
"searchSourceJSON": {
"filter": [],
"query": {
"language": "lucene",
"language": "kuery",
"query": ""
}
}
},
"savedSearchId": "e8734160-c24c-11e7-8692-232bd1143e8a",
"title": "Accept / Recvfrom Unique Address Table [Auditbeat Auditd]",
"savedSearchId": "e8734160-c24c-11e7-8692-232bd1143e8a-ecs",
"title": "Accept / Recvfrom Unique Address Table [Auditbeat Auditd] ECS",
"uiStateJSON": {
"spy": {
"mode": {
@ -264,7 +264,7 @@
"id": "2",
"params": {
"customLabel": "Exe",
"field": "process.exe",
"field": "process.executable",
"order": "desc",
"orderBy": "1",
"size": 50
@ -297,11 +297,11 @@
},
"totalFunc": "sum"
},
"title": "Accept / Recvfrom Unique Address Table [Auditbeat Auditd]",
"title": "Accept / Recvfrom Unique Address Table [Auditbeat Auditd] ECS",
"type": "table"
}
},
"id": "ceb91de0-c250-11e7-8692-232bd1143e8a",
"id": "ceb91de0-c250-11e7-8692-232bd1143e8a-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:16:51.535Z",
"version": 5
@ -312,7 +312,7 @@
"kibanaSavedObjectMeta": {
"searchSourceJSON": {}
},
"title": "Socket Syscalls Time Series [Auditbeat Auditd]",
"title": "Socket Syscalls Time Series [Auditbeat Auditd] ECS",
"uiStateJSON": {},
"version": 1,
"visState": {
@ -371,11 +371,11 @@
"time_field": "@timestamp",
"type": "timeseries"
},
"title": "Socket Syscalls Time Series [Auditbeat Auditd]",
"title": "Socket Syscalls Time Series [Auditbeat Auditd] ECS",
"type": "metrics"
}
},
"id": "b21e0c70-c252-11e7-8692-232bd1143e8a",
"id": "b21e0c70-c252-11e7-8692-232bd1143e8a-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:13:38.857Z",
"version": 3
@ -388,12 +388,12 @@
"filter": [],
"index": "auditbeat-*",
"query": {
"language": "lucene",
"language": "kuery",
"query": ""
}
}
},
"title": "Socket Families [Auditbeat Auditd]",
"title": "Socket Families [Auditbeat Auditd] ECS",
"uiStateJSON": {},
"version": 1,
"visState": {
@ -439,11 +439,11 @@
"legendPosition": "left",
"type": "pie"
},
"title": "Socket Families [Auditbeat Auditd]",
"title": "Socket Families [Auditbeat Auditd] ECS",
"type": "pie"
}
},
"id": "a8e20450-c256-11e7-8692-232bd1143e8a",
"id": "a8e20450-c256-11e7-8692-232bd1143e8a-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:12:51.655Z",
"version": 3
@ -451,7 +451,7 @@
{
"attributes": {
"columns": [
"beat.hostname",
"agent.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
@ -545,7 +545,7 @@
"highlightAll": true,
"index": "auditbeat-*",
"query": {
"language": "lucene",
"language": "kuery",
"query": ""
},
"version": true
@ -555,10 +555,10 @@
"@timestamp",
"desc"
],
"title": "Socket Binds [Auditbeat Auditd]",
"title": "Socket Binds [Auditbeat Auditd] ECS",
"version": 1
},
"id": "b4c93470-c240-11e7-8692-232bd1143e8a",
"id": "b4c93470-c240-11e7-8692-232bd1143e8a-ecs",
"type": "search",
"updated_at": "2018-01-16T23:05:58.935Z",
"version": 5
@ -566,7 +566,7 @@
{
"attributes": {
"columns": [
"beat.hostname",
"agent.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
@ -652,7 +652,7 @@
"highlightAll": true,
"index": "auditbeat-*",
"query": {
"language": "lucene",
"language": "kuery",
"query": ""
},
"version": true
@ -662,10 +662,10 @@
"@timestamp",
"desc"
],
"title": "Socket Connects [Auditbeat Auditd]",
"title": "Socket Connects [Auditbeat Auditd] ECS",
"version": 1
},
"id": "5438b030-c246-11e7-8692-232bd1143e8a",
"id": "5438b030-c246-11e7-8692-232bd1143e8a-ecs",
"type": "search",
"updated_at": "2018-01-16T23:09:43.937Z",
"version": 5
@ -673,7 +673,7 @@
{
"attributes": {
"columns": [
"beat.hostname",
"agent.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
@ -782,7 +782,7 @@
"highlightAll": true,
"index": "auditbeat-*",
"query": {
"language": "lucene",
"language": "kuery",
"query": ""
},
"version": true
@ -792,10 +792,10 @@
"@timestamp",
"desc"
],
"title": "Socket Accept / Recvfrom [Auditbeat Auditd]",
"title": "Socket Accept / Recvfrom [Auditbeat Auditd] ECS",
"version": 1
},
"id": "e8734160-c24c-11e7-8692-232bd1143e8a",
"id": "e8734160-c24c-11e7-8692-232bd1143e8a-ecs",
"type": "search",
"updated_at": "2018-01-16T23:20:51.403Z",
"version": 4
@ -809,8 +809,8 @@
"filter": [],
"highlightAll": true,
"query": {
"language": "lucene",
"query": "*"
"language": "kuery",
"query": ""
},
"version": true
}
@ -838,7 +838,7 @@
"x": 6,
"y": 3
},
"id": "faf882f0-c242-11e7-8692-232bd1143e8a",
"id": "faf882f0-c242-11e7-8692-232bd1143e8a-ecs",
"panelIndex": "1",
"type": "visualization",
"version": "6.2.4"
@ -861,7 +861,7 @@
"x": 0,
"y": 7
},
"id": "ea483730-c246-11e7-8692-232bd1143e8a",
"id": "ea483730-c246-11e7-8692-232bd1143e8a-ecs",
"panelIndex": "2",
"type": "visualization",
"version": "6.2.4"
@ -884,7 +884,7 @@
"x": 6,
"y": 7
},
"id": "ceb91de0-c250-11e7-8692-232bd1143e8a",
"id": "ceb91de0-c250-11e7-8692-232bd1143e8a-ecs",
"panelIndex": "3",
"type": "visualization",
"version": "6.2.4"
@ -897,7 +897,7 @@
"x": 0,
"y": 0
},
"id": "b21e0c70-c252-11e7-8692-232bd1143e8a",
"id": "b21e0c70-c252-11e7-8692-232bd1143e8a-ecs",
"panelIndex": "4",
"type": "visualization",
"version": "6.2.4"
@ -910,17 +910,17 @@
"x": 0,
"y": 3
},
"id": "a8e20450-c256-11e7-8692-232bd1143e8a",
"id": "a8e20450-c256-11e7-8692-232bd1143e8a-ecs",
"panelIndex": "5",
"type": "visualization",
"version": "6.2.4"
}
],
"timeRestore": false,
"title": "[Auditbeat Auditd] Sockets",
"title": "[Auditbeat Auditd] Sockets ECS",
"version": 1
},
"id": "693a5f40-c243-11e7-8692-232bd1143e8a",
"id": "693a5f40-c243-11e7-8692-232bd1143e8a-ecs",
"type": "dashboard",
"updated_at": "2018-01-16T23:24:37.521Z",
"version": 4

View File

@ -20,6 +20,7 @@ package auditd
import (
"fmt"
"os"
"os/user"
"runtime"
"strconv"
"strings"
@ -47,6 +48,7 @@ const (
unicast = "unicast"
multicast = "multicast"
uidUnset = "unset"
lostEventsUpdateInterval = time.Second * 15
maxDefaultStreamBufferConsumers = 4
@ -458,8 +460,8 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
auditEvent, err := aucoalesce.CoalesceMessages(msgs)
if err != nil {
// Add messages on error so that it's possible to debug the problem.
out := mb.Event{MetricSetFields: common.MapStr{}}
addMessages(msgs, out.MetricSetFields)
out := mb.Event{RootFields: common.MapStr{}}
addEventOriginal(msgs, out.RootFields)
return out
}
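Review bot: the coalesce error `err` is discarded on the failure path (L4785-L4791), so the emitted event carries the raw records under `event.original` but not the reason they could not be coalesced; putting `err.Error()` under `error.message` on `out.RootFields` as well would make the failure explainable from the document alone. Note also that this path emits raw audit lines regardless of the `include_raw_message` setting, which is reasonable for a debugging aid but deserves a sentence in the module docs.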
@ -467,22 +469,29 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
aucoalesce.ResolveIDs(auditEvent)
}
eventOutcome := auditEvent.Result
if eventOutcome == "fail" {
eventOutcome = "failure"
}
out := mb.Event{
Timestamp: auditEvent.Timestamp,
RootFields: common.MapStr{
"event": common.MapStr{
"category": auditEvent.Category.String(),
"type": strings.ToLower(auditEvent.Type.String()),
"action": auditEvent.Summary.Action,
"outcome": eventOutcome,
},
},
ModuleFields: common.MapStr{
"sequence": auditEvent.Sequence,
"result": auditEvent.Result,
"session": auditEvent.Session,
"data": createAuditdData(auditEvent.Data),
"message_type": strings.ToLower(auditEvent.Type.String()),
"sequence": auditEvent.Sequence,
"result": auditEvent.Result,
"data": createAuditdData(auditEvent.Data),
},
}
if auditEvent.Session != uidUnset {
out.ModuleFields.Put("session", auditEvent.Session)
}
// Add root level fields.
addUser(auditEvent.User, out.RootFields)
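Review bot: `event.outcome` is only normalized for the value `fail` (L4796-L4799); any other `Result` value (an empty string, or anything besides `success`) is copied through verbatim, while ECS restricts `event.outcome` to `success`, `failure` and `unknown`. A small switch that maps `fail` to `failure`, passes `success` through and sets everything else to `unknown` would keep the field within the allowed set. Minor: reusing the `uidUnset` constant to test `auditEvent.Session` (L4821) works but reads oddly; a neutral name such as `valueUnset` would make the intent clear.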
@ -494,6 +503,17 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
if len(auditEvent.Tags) > 0 {
out.RootFields.Put("tags", auditEvent.Tags)
}
if config.Warnings && len(auditEvent.Warnings) > 0 {
warnings := make([]string, 0, len(auditEvent.Warnings))
for _, err := range auditEvent.Warnings {
warnings = append(warnings, err.Error())
}
out.RootFields.Put("error.message", warnings)
addEventOriginal(msgs, out.RootFields)
}
if config.RawMessage {
addEventOriginal(msgs, out.RootFields)
}
// Add module fields.
m := out.ModuleFields
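Review bot: parser warnings move from the module-level `auditd.warnings` field (removed in the next hunk, L4866) to the root ECS field `error.message` as a `[]string` (L4830-L4835); that is a breaking rename for any saved search or alert that filtered on the old key, so it needs an entry in the breaking-changes changelog, and the `error.message` mapping in fields.yml must tolerate multi-valued documents since several warnings per event are written here.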
@ -518,32 +538,120 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
if len(auditEvent.Paths) > 0 {
m.Put("paths", auditEvent.Paths)
}
if config.Warnings && len(auditEvent.Warnings) > 0 {
warnings := make([]string, 0, len(auditEvent.Warnings))
for _, err := range auditEvent.Warnings {
warnings = append(warnings, err.Error())
switch auditEvent.Category {
case aucoalesce.EventTypeUserLogin:
// Customize event.type / event.category to match unified values.
normalizeEventFields(out.RootFields)
// Set ECS user fields from the attempted login account.
if usernameOrID := auditEvent.Summary.Actor.Secondary; usernameOrID != "" {
if usr, err := resolveUsernameOrID(usernameOrID); err == nil {
out.RootFields.Put("user.name", usr.Username)
out.RootFields.Put("user.id", usr.Uid)
} else {
// The login account doesn't exists. Treat it as a user name
out.RootFields.Put("user.name", usernameOrID)
out.RootFields.Delete("user.id")
}
}
m.Put("warnings", warnings)
addMessages(msgs, m)
}
if config.RawMessage {
addMessages(msgs, m)
}
return out
}
func resolveUsernameOrID(userOrID string) (usr *user.User, err error) {
usr, err = user.Lookup(userOrID)
if err == nil {
// User found by name
return
}
if _, ok := err.(user.UnknownUserError); !ok {
// Lookup failed by a reason other than user not found
return
}
return user.LookupId(userOrID)
}
func normalizeEventFields(m common.MapStr) {
getFieldAsStr := func(key string) (s string, found bool) {
iface, err := m.GetValue(key)
if err != nil {
return
}
s, found = iface.(string)
return
}
category, ok1 := getFieldAsStr("event.category")
action, ok2 := getFieldAsStr("event.action")
outcome, ok3 := getFieldAsStr("event.outcome")
if !ok1 || !ok2 || !ok3 {
return
}
if category == "user-login" && action == "logged-in" { // USER_LOGIN
m.Put("event.category", "authentication")
m.Put("event.type", fmt.Sprintf("authentication_%s", outcome))
}
}
func addUser(u aucoalesce.User, m common.MapStr) {
user := make(common.MapStr, len(u.IDs))
user := common.MapStr{}
m.Put("user", user)
for id, value := range u.IDs {
user[id] = value
if value == uidUnset {
continue
}
switch id {
case "uid":
user["id"] = value
case "gid":
user.Put("group.id", value)
case "euid":
user.Put("effective.id", value)
case "egid":
user.Put("effective.group.id", value)
case "suid":
user.Put("saved.id", value)
case "sgid":
user.Put("saved.group.id", value)
case "fsuid":
user.Put("filesystem.id", value)
case "fsgid":
user.Put("filesystem.group.id", value)
case "auid":
user.Put("audit.id", value)
default:
user.Put(id+".id", value)
}
if len(u.SELinux) > 0 {
user["selinux"] = u.SELinux
}
if len(u.Names) > 0 {
user["name_map"] = u.Names
}
for id, value := range u.Names {
switch id {
case "uid":
user["name"] = value
case "gid":
user.Put("group.name", value)
case "euid":
user.Put("effective.name", value)
case "egid":
user.Put("effective.group.name", value)
case "suid":
user.Put("saved.name", value)
case "sgid":
user.Put("saved.group.name", value)
case "fsuid":
user.Put("filesystem.name", value)
case "fsgid":
user.Put("filesystem.group.name", value)
case "auid":
user.Put("audit.name", value)
default:
user.Put(id+".name", value)
}
}
}
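Review bot: `resolveUsernameOrID` (L4874-L4885) performs an uncached `user.Lookup` for every USER_LOGIN record, and for failed logins its input is `Summary.Actor.Secondary` (L4856), i.e. the account string the remote client typed (the `(invalid user)` case in the test data). On hosts whose NSS stack is backed by LDAP or SSSD, an SSH password-guessing burst therefore becomes one directory query per attempt issued by the shipper itself; consider resolving only when `event.outcome` is `success`, or adding a short-lived negative cache. Second, because a name miss falls through to `user.LookupId` (L4884), a failed login whose `acct` is a purely numeric string is attributed by name to whichever local account currently owns that uid, which can mislabel who was targeted; restricting the ID fallback to the success path, or keeping `user.name` as the literal `acct` on failure, avoids that. Finally, with cgo enabled `os/user` goes through libc/NSS while static builds use the pure-Go passwd parser, so the benchmark added in the test file will measure different code paths depending on the build mode.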
@ -556,10 +664,14 @@ func addProcess(p aucoalesce.Process, m common.MapStr) {
process := common.MapStr{}
m.Put("process", process)
if p.PID != "" {
process["pid"] = p.PID
if pid, err := strconv.Atoi(p.PID); err == nil {
process["pid"] = pid
}
}
if p.PPID != "" {
process["ppid"] = p.PPID
if ppid, err := strconv.Atoi(p.PPID); err == nil {
process["ppid"] = ppid
}
}
if p.Title != "" {
process["title"] = p.Title
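Review bot: when `p.PID` or `p.PPID` is not an integer (L4973-L4981) the value is now silently dropped rather than emitted; that matches the ECS `long` type for `process.pid`, but a malformed value is worth surfacing (a debug log, or an entry on the existing warnings path) so that a parsing regression in auparse does not just manifest as missing pids.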
@ -568,10 +680,10 @@ func addProcess(p aucoalesce.Process, m common.MapStr) {
process["name"] = p.Name
}
if p.Exe != "" {
process["exe"] = p.Exe
process["executable"] = p.Exe
}
if p.CWD != "" {
process["cwd"] = p.CWD
process["working_directory"] = p.CWD
}
if len(p.Args) > 0 {
process["args"] = p.Args
@ -622,7 +734,7 @@ func addAddress(addr *aucoalesce.Address, key string, m common.MapStr) {
address := common.MapStr{}
m.Put(key, address)
if addr.Hostname != "" {
address["hostname"] = addr.Hostname
address["domain"] = addr.Hostname
}
if addr.IP != "" {
address["ip"] = addr.IP
@ -646,15 +758,20 @@ func addNetwork(net *aucoalesce.Network, m common.MapStr) {
m.Put("network", network)
}
func addMessages(msgs []*auparse.AuditMessage, m common.MapStr) {
_, added := m["messages"]
if !added && len(msgs) > 0 {
rawMsgs := make([]string, 0, len(msgs))
for _, msg := range msgs {
rawMsgs = append(rawMsgs, "type="+msg.RecordType.String()+" msg="+msg.RawData)
}
m["messages"] = rawMsgs
func addEventOriginal(msgs []*auparse.AuditMessage, m common.MapStr) {
const key = "event.original"
if len(msgs) == 0 {
return
}
original, _ := m.GetValue(key)
if original != nil {
return
}
rawMsgs := make([]string, 0, len(msgs))
for _, msg := range msgs {
rawMsgs = append(rawMsgs, "type="+msg.RecordType.String()+" msg="+msg.RawData)
}
m.Put(key, rawMsgs)
}
func createAuditdData(data map[string]string) common.MapStr {
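Review bot: `addEventOriginal` writes `event.original` as a `[]string` with one entry per audit record (L5027-L5031); ECS defines `event.original` as a single raw string and downstream consumers (SIEM rules, the raw-event display) generally assume that shape. Joining the records with a newline into one string keeps the ECS contract; the existence check on L5023-L5026 correctly prevents a second copy when both `include_warnings` and `include_raw_message` trigger the call.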

View File

@ -24,6 +24,9 @@ import (
"io/ioutil"
"os"
"os/exec"
"os/user"
"sort"
"strings"
"testing"
"time"
@ -32,7 +35,9 @@ import (
"github.com/prometheus/procfs"
"github.com/elastic/beats/auditbeat/core"
"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/libbeat/logp"
"github.com/elastic/beats/libbeat/mapping"
"github.com/elastic/beats/metricbeat/mb"
mbtest "github.com/elastic/beats/metricbeat/mb/testing"
"github.com/elastic/go-libaudit"
@ -46,7 +51,9 @@ import (
var audit = flag.Bool("audit", false, "interact with the real audit framework")
var (
userLoginMsg = `type=USER_LOGIN msg=audit(1492896301.818:19955): pid=12635 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=179.38.151.221 terminal=sshd res=failed'`
userLoginFailMsg = `type=USER_LOGIN msg=audit(1492896301.818:19955): pid=12635 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=179.38.151.221 terminal=sshd res=failed'`
userLoginSuccessMsg = `type=USER_LOGIN msg=audit(1492896303.915:19956): pid=12635 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=61647269616E exe="/usr/sbin/sshd" hostname=? addr=179.38.151.221 terminal=sshd res=success'`
userAuthMsg = `type=USER_AUTH msg=audit(1552714590.571:21114): pid=11312 uid=0 auid=0 ses=62 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname="test" addr="127.0.0.1" terminal=/dev/pts/0 res=success'`
execveMsgs = []string{
`type=SYSCALL msg=audit(1492752522.985:8972): arch=c000003e syscall=59 success=yes exit=0 a0=10812c8 a1=1070208 a2=1152008 a3=59a items=2 ppid=10027 pid=10043 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts0 ses=11 comm="uname" exe="/bin/uname" key="key=user_commands"`,
@ -75,8 +82,10 @@ func TestData(t *testing.T) {
returnACK().returnStatus().
// Send expected ACKs for initialization
returnACK().returnACK().returnACK().returnACK().returnACK().
// Send a single audit message from the kernel.
returnMessage(userLoginMsg)
// Send three auditd messages.
returnMessage(userLoginFailMsg).
returnMessage(execveMsgs...).
returnMessage(acceptMsgs...)
// Replace the default AuditClient with a mock.
ms := mbtest.NewPushMetricSetV2(t, getConfig())
@ -84,21 +93,128 @@ func TestData(t *testing.T) {
auditMetricSet.client.Close()
auditMetricSet.client = &libaudit.AuditClient{Netlink: mock}
events := mbtest.RunPushMetricSetV2(10*time.Second, 1, ms)
if len(events) == 0 {
t.Fatal("received no events")
events := mbtest.RunPushMetricSetV2(10*time.Second, 3, ms)
if len(events) != 3 {
t.Fatalf("expected 3 events, but received %d", len(events))
}
assertNoErrors(t, events)
assertFieldsAreDocumented(t, events)
beatEvent := mbtest.StandardizeEvent(ms, events[0], core.AddDatasetToEvent)
mbtest.WriteEventToDataJSON(t, beatEvent, "")
}
func TestLoginType(t *testing.T) {
logp.TestingSetup()
// Create a mock netlink client that provides the expected responses.
mock := NewMock().
// Get Status response for initClient
returnACK().returnStatus().
// Send expected ACKs for initialization
returnACK().returnACK().returnACK().returnACK().returnACK().
// Send an authentication failure and a success.
returnMessage(userLoginFailMsg).
returnMessage(userLoginSuccessMsg).
returnMessage(userAuthMsg)
// Replace the default AuditClient with a mock.
ms := mbtest.NewPushMetricSetV2(t, getConfig())
auditMetricSet := ms.(*MetricSet)
auditMetricSet.client.Close()
auditMetricSet.client = &libaudit.AuditClient{Netlink: mock}
const expectedEvents = 3
events := mbtest.RunPushMetricSetV2(10*time.Second, expectedEvents, ms)
if len(events) != expectedEvents {
t.Fatalf("expected %d events, but received %d", expectedEvents, len(events))
}
assertNoErrors(t, events)
assertFieldsAreDocumented(t, events)
sort.Slice(events,
func(i, j int) bool {
return events[i].ModuleFields["sequence"].(uint32) < events[j].ModuleFields["sequence"].(uint32)
})
for idx, expected := range []common.MapStr{
{
"event.category": "authentication",
"event.type": "authentication_failure",
"event.outcome": "failure",
"user.name": "(invalid user)",
"user.id": nil,
"session": nil,
},
{
"event.category": "authentication",
"event.type": "authentication_success",
"event.outcome": "success",
"user.name": "adrian",
"user.audit.id": nil,
"auditd.session": nil,
},
{
"event.category": "user-login",
"event.outcome": "success",
"user.name": "root",
"user.id": "0",
"user.audit.id": "0",
"auditd.session": "62",
},
} {
beatEvent := mbtest.StandardizeEvent(ms, events[idx], core.AddDatasetToEvent)
mbtest.WriteEventToDataJSON(t, beatEvent, "")
for k, v := range expected {
msg := fmt.Sprintf("%s[%d]", k, idx)
cur, err := beatEvent.GetValue(k)
if v != nil {
assert.NoError(t, err, msg)
assert.Equal(t, v, cur, msg)
} else {
_, err := beatEvent.GetValue(k)
assert.Equal(t, common.ErrKeyNotFound, err, msg)
}
}
}
}
// assertFieldsAreDocumented mimics assert_fields_are_documented in Python system tests.
func assertFieldsAreDocumented(t *testing.T, events []mb.Event) {
fieldsYml, err := mapping.LoadFieldsYaml("../../fields.yml")
if err != nil {
t.Fatal(err)
}
documentedFields := fieldsYml.GetKeys()
for _, e := range events {
beatEvent := e.BeatEvent(moduleName, metricsetName, core.AddDatasetToEvent)
for eventFieldName := range beatEvent.Fields.Flatten() {
found := false
for _, documentedFieldName := range documentedFields {
// Have to use HasPrefix and not "==" since fields in auditd.paths.* get flattened
// to auditd.paths which does not exist in fields.yml.
if strings.HasPrefix(documentedFieldName, eventFieldName) {
found = true
break
}
}
if !found {
assert.Fail(t, "Field not documented", "Key '%v' found in event is not documented.", eventFieldName)
}
}
}
}
func getConfig() map[string]interface{} {
return map[string]interface{}{
"module": "auditd",
"failure_mode": "log",
"socket_type": "unicast",
"module": "auditd",
"failure_mode": "log",
"socket_type": "unicast",
"include_warnings": true,
"include_raw_message": true,
}
}
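Review bot: the first expected map asserts `"session": nil` while the other two use `"auditd.session"`; `GetValue("session")` on the root of a flattened event can only return `ErrKeyNotFound`, so that assertion passes whether or not `auditd.session` is present on the failed-login event. Change it to `"auditd.session": nil` to match the later entries. In the `else` branch, `_, err := beatEvent.GetValue(k)` repeats the lookup done two lines earlier and shadows the outer `err`; asserting on the outer `err` is enough. In `assertFieldsAreDocumented`, `strings.HasPrefix(documentedFieldName, eventFieldName)` accepts any event key that is a prefix of a documented key (a mis-typed `user.nam` passes because it is a prefix of `user.name`), which is broader than the `auditd.paths.*` case the comment describes; `eventFieldName == documentedFieldName || strings.HasPrefix(documentedFieldName, eventFieldName+".")` keeps the intended exception without that gap. Finally, `getConfig` shows `module`, `failure_mode` and `socket_type` twice in this rendering; duplicate constant keys in a Go map literal do not compile, so confirm these are the removed and re-added (gofmt-realigned) versions of the same three entries rather than a real duplication.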
@ -222,7 +338,7 @@ func assertHasBinCatExecve(t *testing.T, events []mb.Event) {
t.Helper()
for _, e := range events {
v, err := e.RootFields.GetValue("process.exe")
v, err := e.RootFields.GetValue("process.executable")
if err == nil {
if exe, ok := v.(string); ok && exe == "/bin/cat" {
return
@ -243,3 +359,31 @@ func assertNoErrors(t *testing.T, events []mb.Event) {
}
}
}
func BenchmarkResolveUsernameOrID(b *testing.B) {
for _, query := range []struct {
input string
name string
id string
err bool
}{
{input: "0", name: "root", id: "0"},
{input: "root", name: "root", id: "0"},
{input: "vagrant", name: "vagrant", id: "1000"},
{input: "1000", name: "vagrant", id: "1000"},
{input: "nonexisting", err: true},
{input: "9987", err: true},
} {
b.Run(query.input, func(b *testing.B) {
var usr *user.User
var err error
for i := 0; i < b.N; i++ {
usr, err = resolveUsernameOrID(query.input)
}
if assert.Equal(b, query.err, err != nil, fmt.Sprintf("%v", err)) && !query.err {
assert.Equal(b, query.name, usr.Username)
assert.Equal(b, query.id, usr.Uid)
}
})
}
}
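Review bot: the expected results for `vagrant`/`1000` and for the nonexistent `nonexisting`/`9987` depend on the accounts present on the machine running the benchmark, so it fails on any host without a `vagrant` user at uid 1000 (a CI container, for example). Only the `root`/`0` pair is portable; derive the other expectations at runtime from `user.Current()` or `user.LookupId`, or skip those sub-benchmarks with `b.Skip` when the lookup fails, so a missing local account does not read as a regression in `resolveUsernameOrID`.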

File diff suppressed because one or more lines are too long

View File

@ -1,9 +1,9 @@
{{ if .Reference -}}
{{- if .Reference -}}
# The file integrity module sends events when files are changed (created,
# updated, deleted). The events contain file metadata and hashes.
{{ end -}}
- module: file_integrity
{{ if eq .GOOS "darwin" -}}
{{- if eq .GOOS "darwin" }}
paths:
- /bin
- /usr/bin
@ -11,39 +11,50 @@
- /sbin
- /usr/sbin
- /usr/local/sbin
{{ else if eq .GOOS "windows" -}}
{{ else if eq .GOOS "windows" }}
paths:
- C:/windows
- C:/windows/system32
- C:/Program Files
- C:/Program Files (x86)
{{ else -}}
{{ else }}
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
{{- end }}
{{ if .Reference }}
{{ end -}}
{{- if .Reference }}
# List of regular expressions to filter out notifications for unwanted files.
# Wrap in single quotes to workaround YAML escaping rules. By default no files
# are ignored.
{{ if eq .GOOS "darwin" -}}
{{- if eq .GOOS "darwin" }}
exclude_files:
- '\.DS_Store$'
- '\.swp$'
{{ else if eq .GOOS "windows" -}}
{{- else if eq .GOOS "windows" }}
exclude_files:
- '(?i)\.lnk$'
- '(?i)\.swp$'
{{ else -}}
{{- else }}
exclude_files:
- '(?i)\.sw[nop]$'
- '~$'
- '/\.git($|/)'
{{- end }}
# List of regular expressions used to explicitly include files. When configured,
# Auditbeat will ignore files unless they match a pattern.
{{- if eq .GOOS "windows" }}
#include_files:
#- '\\\.ssh($|\\)'
{{- else }}
#include_files:
#- '/\.ssh($|/)'
{{- end }}
# Scan over the configured file paths at startup and send events for new or
# modified files since the last time Auditbeat was running.
scan_at_start: true
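Review bot: whitespace trimming is inconsistent within this hunk: the `paths` branches use `{{ else if eq .GOOS "windows" }}` and `{{ else }}` with no leading trim, while the `exclude_files` branches just below use `{{- else if eq .GOOS "windows" }}` and `{{- else }}`. Whichever form the generated reference config needs, use the same in both blocks so the two sections render identically. For the new `include_files` example, consider repeating in its comment that patterns are matched against the full path of every file and directory (the docs in this commit state this), since `'/\.ssh($|/)'` and the Windows form `'\\\.ssh($|\\)'` only make sense as full-path anchors; the Windows pattern also relies on YAML single quotes keeping the backslashes literal, which the "Wrap in single quotes" remark above covers only for `exclude_files`.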
@ -64,4 +75,4 @@
# Detect changes to files included in subdirectories. Disabled by default.
recursive: false
{{- end }}
{{ end }}
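Review bot: the closing action changes from `{{- end }}` to `{{ end }}`, dropping the leading trim, and the earlier hunk changed `{{ end -}}` to `{{- if .Reference }}`. Together these alter how blank lines collapse around the `.Reference` blocks, so check that both the generated short and reference configs still end with exactly one trailing newline and keep a blank line between the `paths`/`exclude_files` block and the `include_files` comment.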

View File

@ -1,6 +1,6 @@
{
"@timestamp": "2017-10-12T08:05:34.853Z",
"beat": {
"agent": {
"hostname": "host.example.com",
"name": "host.example.com"
},
@ -9,22 +9,26 @@
"created",
"updated"
],
"dataset": "file",
"module": "file_integrity"
},
"file": {
"ctime": "2018-01-05T03:28:26Z",
"gid": 20,
"ctime": "2019-01-19T15:21:37.939882147Z",
"gid": "20",
"group": "staff",
"inode": "20164115",
"inode": "8028777",
"mode": "0600",
"mtime": "2018-01-05T03:28:26Z",
"mtime": "2019-01-19T15:21:37.939882147Z",
"owner": "akroh",
"path": "/private/var/folders/8x/rnyk6yxn6w97lddn3bs02gf00000gn/T/audit-file864778064/file.data",
"path": "/private/var/folders/kx/7y5ztvx100z148jvds11c6rh0000gn/T/audit-file418060202/file.data",
"size": 11,
"type": "file",
"uid": 501
"uid": "501"
},
"hash": {
"sha1": "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed"
},
"service": {
"type": "file_integrity"
}
}
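Review bot: `file.gid` and `file.uid` change from numbers (`20`, `501`) to strings (`"20"`, `"501"`) in this golden event. Unlike the additive `event.dataset` and `service.type` fields and the `beat` to `agent` rename in the previous hunk, this is a mapping type change (numeric to keyword) for existing `auditbeat-*` indices and silently changes how saved queries that filter on these fields behave; make sure `fields.yml` declares them as `keyword` and that the change is listed under breaking changes in the changelog.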

View File

@ -53,6 +53,7 @@ Linux.
- '(?i)\.sw[nop]$'
- '~$'
- '/\.git($|/)'
include_files: []
scan_at_start: true
scan_rate_per_sec: 50 MiB
max_file_size: 100 MiB
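Review bot: the example adds `include_files: []` next to a populated `exclude_files` list. Since the option text below says all files are selected by default, an empty list must be treated as "no include filter" rather than "include nothing"; a unit test for the empty-list case would make that explicit, and a short comment on this line (for example that an empty list disables include filtering) would save readers from wondering whether `[]` matches anything.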
@ -65,7 +66,19 @@ not supported. The specified paths should exist when the metricset is started.
*`exclude_files`*:: A list of regular expressions used to filter out events
for unwanted files. The expressions are matched against the full path of every
file and directory. By default, no files are excluded. See <<regexp-support>>
file and directory. When used in conjunction with `include_files`, file paths need
to match both `include_files` and not match `exclude_files` to be selected.
By default, no files are excluded. See <<regexp-support>>
for a list of supported regexp patterns. It is recommended to wrap regular
expressions in single quotation marks to avoid issues with YAML escaping
rules.
*`include_files`*:: A list of regular expressions used to specify which files to
select. When configured, only files matching the pattern will be monitored.
The expressions are matched against the full path of every file and directory.
When used in conjunction with `exclude_files`, file paths need
to match both `include_files` and not match `exclude_files` to be selected.
By default, all files are selected. See <<regexp-support>>
for a list of supported regexp patterns. It is recommended to wrap regular
expressions in single quotation marks to avoid issues with YAML escaping
rules.
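Review bot: the sentence "file paths need to match both `include_files` and not match `exclude_files`" reads awkwardly ("match both ... and not match") and is repeated verbatim under both options. Suggest wording it once per option as "a path is selected only if it matches one of the `include_files` patterns and does not match any `exclude_files` pattern". The `include_files` entry also says "only files matching the pattern will be monitored", but the option is a list, so "matching at least one of the patterns" is the accurate statement. Since both descriptions say expressions are matched against directories as well as files, it is also worth stating how a directory that does not match `include_files` is handled when `recursive` is enabled (is it still descended into?), because that decides whether a pattern like `'/\.ssh($|/)'` ever sees the files beneath it.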

View File

@ -1,13 +0,0 @@
{
"hits": 0,
"timeRestore": false,
"description": "",
"title": "[Auditbeat File Integrity]",
"uiStateJSON": "{\"P-1\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-11\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-6\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-7\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}",
"panelsJSON": "[{\"col\":1,\"id\":\"AV0tVcg6g1PYniApZa-v\",\"panelIndex\":1,\"row\":1,\"size_x\":2,\"size_y\":6,\"type\":\"visualization\"},{\"col\":10,\"id\":\"AV0tWL-Yg1PYniApZbCs\",\"panelIndex\":2,\"row\":1,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"AV0tWSdXg1PYniApZbDU\",\"panelIndex\":3,\"row\":4,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":3,\"id\":\"AV0tV05vg1PYniApZbA2\",\"panelIndex\":4,\"row\":1,\"size_x\":7,\"size_y\":6,\"type\":\"visualization\"},{\"col\":1,\"id\":\"AV0tY6jwg1PYniApZbRY\",\"panelIndex\":5,\"row\":7,\"size_x\":4,\"size_y\":2,\"type\":\"visualization\"},{\"col\":5,\"id\":\"AV0tav8Ag1PYniApZbbK\",\"panelIndex\":6,\"row\":7,\"size_x\":4,\"size_y\":2,\"type\":\"visualization\"},{\"col\":9,\"id\":\"AV0tbcUdg1PYniApZbe1\",\"panelIndex\":7,\"row\":7,\"size_x\":4,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"AV0te0TCg1PYniApZbw9\",\"panelIndex\":8,\"row\":9,\"size_x\":4,\"size_y\":2,\"type\":\"visualization\"},{\"col\":5,\"id\":\"AV0tW0djg1PYniApZbGL\",\"panelIndex\":9,\"row\":9,\"size_x\":4,\"size_y\":2,\"type\":\"visualization\"},{\"col\":9,\"id\":\"AV0tes4Eg1PYniApZbwV\",\"panelIndex\":10,\"row\":9,\"size_x\":4,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"AV0tc_xZg1PYniApZbnL\",\"panelIndex\":11,\"row\":11,\"size_x\":6,\"size_y\":5,\"type\":\"visualization\"},{\"col\":7,\"columns\":[\"file.path\",\"event.action\"],\"id\":\"a380a060-cb44-11e7-9835-2f31fe08873b\",\"panelIndex\":12,\"row\":11,\"size_x\":6,\"size_y\":5,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"}]",
"optionsJSON": "{\"darkTheme\":false}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}"
}
}
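Review bot: this removes the legacy-format (Kibana 5.x `panelsJSON`/`uiStateJSON`) dashboard, and the visualizations and saved search it references by id (`AV0tVcg6g1PYniApZa-v` and the others, plus `a380a060-cb44-11e7-9835-2f31fe08873b`) are deleted in the same commit, so no dangling references remain. Replacement saved objects in the current format are not visible in this excerpt; if the dashboards were dropped rather than migrated, say so in the changelog, since users upgrading will no longer get a File Integrity dashboard when dashboards are loaded at setup.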

View File

@ -1,17 +0,0 @@
{
"sort": [
"@timestamp",
"desc"
],
"hits": 0,
"description": "",
"title": "File Integrity Events [Auditbeat File Integrity]",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"highlightAll\": true,\n \"version\": true,\n \"filter\": [\n {\n \"meta\": {\n \"index\": \"auditbeat-*\",\n \"negate\": false,\n \"disabled\": false,\n \"alias\": null,\n \"type\": \"phrase\",\n \"key\": \"event.module\",\n \"value\": \"file_integrity\",\n \"params\": {\n \"query\": \"file_integrity\",\n \"type\": \"phrase\"\n }\n },\n \"query\": {\n \"match\": {\n \"event.module\": {\n \"query\": \"file_integrity\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n }\n ]\n}"
},
"columns": [
"file.path",
"event.action"
]
}

View File

@ -1,11 +0,0 @@
{
"visState": "{\n \"title\": \"Events Over Time [Auditbeat File Integrity]\",\n \"type\": \"histogram\",\n \"params\": {\n \"grid\": {\n \"categoryLines\": false,\n \"style\": {\n \"color\": \"#eee\"\n }\n },\n \"categoryAxes\": [\n {\n \"id\": \"CategoryAxis-1\",\n \"type\": \"category\",\n \"position\": \"bottom\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\"\n },\n \"labels\": {\n \"show\": true,\n \"truncate\": 100\n },\n \"title\": {\n \"text\": \"@timestamp per 5 minutes\"\n }\n }\n ],\n \"valueAxes\": [\n {\n \"id\": \"ValueAxis-1\",\n \"name\": \"LeftAxis-1\",\n \"type\": \"value\",\n \"position\": \"left\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\",\n \"mode\": \"normal\",\n \"defaultYExtents\": true\n },\n \"labels\": {\n \"show\": true,\n \"rotate\": 0,\n \"filter\": false,\n \"truncate\": 100\n },\n \"title\": {\n \"text\": \"Count\"\n }\n }\n ],\n \"seriesParams\": [\n {\n \"show\": \"true\",\n \"type\": \"histogram\",\n \"mode\": \"stacked\",\n \"data\": {\n \"label\": \"Count\",\n \"id\": \"1\"\n },\n \"valueAxis\": \"ValueAxis-1\",\n \"drawLinesBetweenPoints\": true,\n \"showCircles\": true\n }\n ],\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"left\",\n \"times\": [],\n \"addTimeMarker\": false,\n \"type\": \"histogram\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"date_histogram\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"@timestamp\",\n \"interval\": \"auto\",\n \"customInterval\": \"2h\",\n \"min_doc_count\": 1,\n \"extended_bounds\": {}\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"group\",\n \"params\": {\n \"field\": \"event.action\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Action\"\n }\n }\n ]\n}",
"description": "",
"title": "Events Over Time [Auditbeat File Integrity]",
"uiStateJSON": "{}",
"version": 1,
"savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b",
"kibanaSavedObjectMeta": {
"searchSourceJSON": ""
}
}

View File

@ -1,11 +0,0 @@
{
"visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Action\",\"field\":\"event.action\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"extendRange\":false,\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"24\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":true},\"type\":\"gauge\"},\"title\":\"Actions [Auditbeat File Integrity]\",\"type\":\"metric\"}",
"description": "",
"title": "Actions [Auditbeat File Integrity]",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"version": 1,
"savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"filter\":[]}"
}
}

View File

@ -1,11 +0,0 @@
{
"visState": "{\"title\":\"Top updated [Auditbeat File Integrity]\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"type\":\"pie\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"file.path.raw\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Path\"}}],\"listeners\":{}}",
"description": "",
"title": "Top updated [Auditbeat File Integrity]",
"uiStateJSON": "{}",
"version": 1,
"savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"updated\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"updated\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
}
}

View File

@ -1,11 +0,0 @@
{
"visState": "{\n \"title\": \"Top owners [Auditbeat File Integrity]\",\n \"type\": \"pie\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": true,\n \"type\": \"pie\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"file.owner\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Owner\"\n }\n }\n ]\n}",
"description": "",
"title": "Top owners [Auditbeat File Integrity]",
"uiStateJSON": "{}",
"version": 1,
"savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b",
"kibanaSavedObjectMeta": {
"searchSourceJSON": ""
}
}

View File

@ -1,11 +0,0 @@
{
"visState": "{\n \"title\": \"Top groups [Auditbeat File Integrity]\",\n \"type\": \"pie\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": true,\n \"type\": \"pie\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"file.group\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Group\"\n }\n }\n ]\n}",
"description": "",
"title": "Top groups [Auditbeat File Integrity]",
"uiStateJSON": "{}",
"version": 1,
"savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b",
"kibanaSavedObjectMeta": {
"searchSourceJSON": ""
}
}

View File

@ -1,11 +0,0 @@
{
"visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"World Writable Files\",\"field\":\"file.inode\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"23\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"World Writable File Count [Auditbeat File Integrity]\",\"type\":\"metric\"}",
"description": "",
"title": "World Writable File Count [Auditbeat File Integrity]",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"version": 1,
"savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"regexp\":{\"file.mode\":{\"value\":\"0..[2367]\"}}},\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"disabled\":false,\"alias\":null,\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"regexp\\\":{\\\"file.mode\\\":{\\\"value\\\":\\\"0..[2367]\\\"}}}\"},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"negate\":true,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"file.type\",\"value\":\"symlink\",\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"file.type\":{\"query\":\"symlink\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
}
}
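Review bot: of the deleted visualizations this is the one with direct security value: it counted distinct `file.inode` values whose `file.mode` matches the regexp `0..[2367]` (the others-writable bit set) while excluding `file.type: symlink`. If the dashboards are being replaced rather than dropped, confirm the replacement keeps an equivalent world-writable-file view; the regexp also assumes a four-character `file.mode` string, which is consistent with `"mode": "0600"` in the golden event earlier in this diff.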

View File

@ -1,11 +0,0 @@
{
"visState": "{\"title\":\"Most changed file by count [Auditbeat File Integrity]\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"20\",\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Most changed file by count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"file.path.raw\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File\"}}],\"listeners\":{}}",
"description": "",
"title": "Most changed file by count [Auditbeat File Integrity]",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"version": 1,
"savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"file.type\",\"value\":\"file\"},\"query\":{\"match\":{\"file.type\":{\"query\":\"file\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
}
}

Some files were not shown because too many files have changed in this diff