Migrate beat to go modules

This commit is contained in:
Blerim Sheqa 2021-09-22 16:58:34 +02:00
parent 59103fa0a6
commit cbeed36768
12181 changed files with 805 additions and 3213246 deletions


@ -7,7 +7,7 @@ BEAT_DOC_URL?=https://icinga.com/docs/icingabeat
BEAT_GOPATH=$(firstword $(subst :, ,${GOPATH}))
SYSTEM_TESTS=false
TEST_ENVIRONMENT=false
ES_BEATS?=./vendor/github.com/elastic/beats
ES_BEATS?=./
LIBBEAT_MAKEFILE=$(ES_BEATS)/libbeat/scripts/Makefile
GOPACKAGES=$(shell govendor list -no-status +local)
GOBUILD_FLAGS=-i -ldflags "-X $(BEAT_PATH)/vendor/github.com/elastic/beats/libbeat/version.buildTime=$(NOW) -X $(BEAT_PATH)/vendor/github.com/elastic/beats/libbeat/version.commit=$(COMMIT_ID)"
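Review bot: GOBUILD_FLAGS on the last line of this hunk still stamps `$(BEAT_PATH)/vendor/github.com/elastic/beats/libbeat/version.buildTime` and `...version.commit`, but once the vendor tree is gone and the code imports `github.com/elastic/beats/v7/libbeat`, a `-X` on a package path that no longer exists in the build is silently ignored by the linker, so the shipped binary carries no build time or commit — the provenance an operator needs to tie a deployed beat back to a source revision. The flags should read `-ldflags "-X github.com/elastic/beats/v7/libbeat/version.buildTime=$(NOW) -X github.com/elastic/beats/v7/libbeat/version.commit=$(COMMIT_ID)"`. `GOPACKAGES` two lines above still shells out to `govendor list`, which presumably stops working without a vendor directory; `go list ./...` is the module-mode equivalent. If `ES_BEATS?=./` is the surviving line, LIBBEAT_MAKEFILE resolves to `./libbeat/scripts/Makefile` inside this repository, which I cannot see here — confirm that path exists, or point ES_BEATS at the module cache with `$(shell go list -m -f '{{.Dir}}' github.com/elastic/beats/v7)`.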


@ -12,9 +12,9 @@ import (
"github.com/icinga/icingabeat/config"
"github.com/elastic/beats/libbeat/beat"
"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/libbeat/logp"
"github.com/elastic/beats/v7/libbeat/beat"
"github.com/elastic/beats/v7/libbeat/common"
"github.com/elastic/beats/v7/libbeat/logp"
)
// Eventstream type


@ -9,7 +9,7 @@ import (
"net/url"
"time"
"github.com/elastic/beats/libbeat/logp"
"github.com/elastic/beats/v7/libbeat/logp"
)
func requestURL(bt *Icingabeat, method string, URL *url.URL) (*http.Response, error) {


@ -3,9 +3,9 @@ package beater
import (
"fmt"
"github.com/elastic/beats/libbeat/beat"
"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/libbeat/logp"
"github.com/elastic/beats/v7/libbeat/beat"
"github.com/elastic/beats/v7/libbeat/common"
"github.com/elastic/beats/v7/libbeat/logp"
"github.com/icinga/icingabeat/config"
)


@ -10,9 +10,9 @@ import (
"github.com/icinga/icingabeat/config"
"github.com/elastic/beats/libbeat/beat"
"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/libbeat/logp"
"github.com/elastic/beats/v7/libbeat/beat"
"github.com/elastic/beats/v7/libbeat/common"
"github.com/elastic/beats/v7/libbeat/logp"
)
// Statuspoller type


@ -3,8 +3,8 @@ package cmd
import (
"github.com/icinga/icingabeat/beater"
cmd "github.com/elastic/beats/libbeat/cmd"
"github.com/elastic/beats/libbeat/cmd/instance"
cmd "github.com/elastic/beats/v7/libbeat/cmd"
"github.com/elastic/beats/v7/libbeat/cmd/instance"
)
// Name of this beat

go.mod Normal file

@ -0,0 +1,22 @@
module github.com/icinga/icingabeat
go 1.16
replace (
github.com/Microsoft/go-winio => github.com/bi-zone/go-winio v0.4.15
github.com/Shopify/sarama => github.com/elastic/sarama v1.19.1-0.20210823122811-11c3ef800752
github.com/cucumber/godog => github.com/cucumber/godog v0.8.1
github.com/docker/docker => github.com/docker/engine v0.0.0-20191113042239-ea84732a7725
github.com/docker/go-plugins-helpers => github.com/elastic/go-plugins-helpers v0.0.0-20200207104224-bdf17607b79f
github.com/dop251/goja => github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20
github.com/dop251/goja_nodejs => github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6
github.com/fsnotify/fsevents => github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270
github.com/fsnotify/fsnotify => github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d
github.com/golang/glog => github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4
github.com/google/gopacket => github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41
github.com/insomniacslk/dhcp => github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 // indirect
github.com/tonistiigi/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c
golang.org/x/tools => golang.org/x/tools v0.0.0-20200602230032-c00d67ef29d0 // release 1.14
)
require github.com/elastic/beats/v7 v7.14.2 // indirect
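Review bot: The single `require` line marks `github.com/elastic/beats/v7` as `// indirect`, yet the beater and cmd files in this same commit import its libbeat packages directly, so the marker is wrong and `go mod tidy` would rewrite it as `require github.com/elastic/beats/v7 v7.14.2` and add the other direct and indirect requirements it discovers; a CI step of `go mod tidy && git diff --exit-code go.mod go.sum` keeps the file honest from here on. The `replace` block redirects module paths to personal forks (`bi-zone/go-winio`, `adriansr/fsnotify`, `andrewkroh/goja`) and pinned old commits — these appear to mirror the replaces in beats' own go.mod, which a main module has to repeat because replace directives do not propagate from dependencies, but nothing here records that origin, so a future beats bump can silently keep compiling against the wrong fork commit. A comment above the block such as `// replace directives mirrored from github.com/elastic/beats/v7 v7.14.2's go.mod; re-sync on every beats bump` would document that. go.sum does pin checksums for the replacement paths, so the substitution is at least tamper-evident, but each fork commit deserves a one-time review rather than trust by path. The `// release 1.14` note on the x/tools pin also reads stale next to `go 1.16`.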

go.sum Normal file

@ -0,0 +1,761 @@
4d63.com/embedfiles v0.0.0-20190311033909-995e0740726f/go.mod h1:HxEsUxoVZyRxsZML/S6e2xAuieFMlGO0756ncWx1aXE=
4d63.com/tz v1.1.1-0.20191124060701-6d37baae851b/go.mod h1:SHGqVdL7hd2ZaX2T9uEiOZ/OFAUfCCLURdLPJsd8ZNs=
bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8=
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw=
cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee/go.mod h1:Jzi+ccHgo/V/PLQUaQ6hnZcC1c4BS790gx21LRRui4g=
code.cloudfoundry.org/go-loggregator v7.4.0+incompatible/go.mod h1:KPBTRqj+y738Nhf1+g4JHFaBU8j7dedirR5ETNHvMXU=
code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f/go.mod h1:sk5LnIjB/nIEU7yP5sDQExVm62wu0pBh3yrElngUisI=
code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a/go.mod h1:tkZo8GtzBjySJ7USvxm4E36lNQw1D3xM6oKHGqdaAJ4=
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
github.com/Azure/azure-amqp-common-go/v3 v3.0.0/go.mod h1:SY08giD/XbhTz07tJdpw1SoxQXHPN30+DI3Z04SYqyg=
github.com/Azure/azure-event-hubs-go/v3 v3.1.2/go.mod h1:hR40byNJjKkS74+3RhloPQ8sJ8zFQeJ920Uk3oYY0+k=
github.com/Azure/azure-pipeline-go v0.1.8/go.mod h1:XA1kFWRVhSK+KNFiOhfv83Fv8L9achrP7OxIzeTn1Yg=
github.com/Azure/azure-pipeline-go v0.1.9/go.mod h1:XA1kFWRVhSK+KNFiOhfv83Fv8L9achrP7OxIzeTn1Yg=
github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4=
github.com/Azure/azure-sdk-for-go v37.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-storage-blob-go v0.6.0/go.mod h1:oGfmITT1V6x//CswqY2gtAHND+xIP64/qL7a5QJix0Y=
github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0=
github.com/Azure/go-amqp v0.12.6/go.mod h1:qApuH6OFTSKZFmCOxccvAv5rLizBQf4v8pRmG138DPo=
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0=
github.com/Azure/go-autorest/autorest v0.9.6/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630=
github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc=
github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q=
github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q=
github.com/Azure/go-autorest/autorest/azure/auth v0.4.2/go.mod h1:90gmfKdlmKgfjUpnCEpOJzsUEjrWDSLwHIG73tSXddM=
github.com/Azure/go-autorest/autorest/azure/cli v0.3.1/go.mod h1:ZG5p860J94/0kI9mNJVoIoLgXcirM2gF5i2kWloofxw=
github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g=
github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM=
github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA=
github.com/Azure/go-autorest/autorest/validation v0.2.0/go.mod h1:3EEqHnBxQGHXRYq3HT1WyXAvT7LLY3tl70hw6tQIbjI=
github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/DataDog/zstd v1.4.1/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ=
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d/go.mod h1:VykaKG/ofkKje+MSvqjrDsz1wfyHIvEVFljhq2EOZ4g=
github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41/go.mod h1:UdDNZ1OO62aGYVnPhxT1U6aI7ukYtA/kB8vaU0diBUM=
github.com/aerospike/aerospike-client-go v1.27.1-0.20170612174108-0f3b54da6bdc/go.mod h1:zj8LBEnWBDOVEIJt8LvaRvDG5ARAoa5dBeHaB472NRc=
github.com/akavel/rsrc v0.8.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c=
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20/go.mod h1:cI59GRkC2FRaFYtgbYEqMlgnnfvAwXzjojyZKXwklNg=
github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43/go.mod h1:tJPYQG4mnMeUtQvQKNkbsFrnmZOg59Qnf8CcctFv5v4=
github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q=
github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d/go.mod h1:T7PbCXFs94rrTttyxjbyT5+/1V8T2TYDejxUfHJjw1Y=
github.com/apache/thrift v0.13.1-0.20200603211036-eac4d0c79a5f/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77/go.mod h1:bXvGk6IkT1Agy7qzJ+DjIw/SJ1AaB3AvAuMDVV+Vkoo=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
github.com/aws/aws-lambda-go v1.6.0/go.mod h1:zUsUQhAUjYzR8AuduJPCfhBuKWUaDbQiPOG+ouzmE1A=
github.com/aws/aws-sdk-go-v2 v0.9.0/go.mod h1:sa1GePZ/LfBGI4dSq30f6uR4Tthll8axxtEPvlpXZ8U=
github.com/awslabs/goformation/v3 v3.1.0/go.mod h1:hQ5RXo3GNm2laHWKizDzU5DsDy+yNcenSca2UxN0850=
github.com/awslabs/goformation/v4 v4.1.0/go.mod h1:MBDN7u1lMNDoehbFuO4uPvgwPeolTMA2TzX1yO6KlxI=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/bi-zone/go-winio v0.4.15/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI=
github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
github.com/bsm/sarama-cluster v2.1.14-0.20180625083203-7e67d87a6b3f+incompatible/go.mod h1:r7ao+4tTNXvWm+VRpRJchr2kQhqxgmAp2iEX5W96gMM=
github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e/go.mod h1:V284PjgVwSk4ETmz84rpu9ehpGg7swlIH8npP9k2bGw=
github.com/cavaliercoder/go-rpm v0.0.0-20190131055624-7a9c54e3d83e/go.mod h1:AZIh1CCnMrcVm6afFf96PBvE2MRpWFco91z8ObJtgDY=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/cloudfoundry-community/go-cfclient v0.0.0-20190808214049-35bcce23fc5f/go.mod h1:RtIewdO+K/czvxvIFCMbPyx7jdxSLL1RZ+DA/Vk8Lwg=
github.com/cloudfoundry/noaa v2.1.0+incompatible/go.mod h1:5LmacnptvxzrTvMfL9+EJhgkUfIgcwI61BVSTh47ECo=
github.com/cloudfoundry/sonde-go v0.0.0-20171206171820-b33733203bb4/go.mod h1:GS0pCHd7onIsewbw8Ue9qa9pZPv2V88cUZDttK6KzgI=
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM=
github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko=
github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
github.com/containerd/continuity v0.0.0-20200107194136-26c1120b8d41/go.mod h1:Dq467ZllaHgAtVp4p1xUQWBrFXR9s/wyoTpG8zOJGkY=
github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/cucumber/godog v0.8.1/go.mod h1:vSh3r/lM+psC1BPXvdkSEuNjmXfpVqrMGYAElF6hxnA=
github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-xdr v0.0.0-20161123171359-e6a2ba005892/go.mod h1:CTDl0pzVzE5DEzZhPfvhY/9sPFMQIxaJ9VAMs9AagrE=
github.com/denisenkom/go-mssqldb v0.0.0-20200206145737-bbfc9a55622e/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY=
github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY=
github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b/go.mod h1:26P/7fbL4kUZVEVKLAKXkBXKOydDmM2p1e+NhhnBCAE=
github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E=
github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
github.com/dgrijalva/jwt-go v3.2.1-0.20190620180102-5e25c22bd5d6+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1/go.mod h1:PRcPVAAma6zcLpFd4GZrjR/MRpood3TamjKI2m/z/Uw=
github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/engine v0.0.0-20191113042239-ea84732a7725/go.mod h1:3CPr2caMgTHxxIAZgEMd3uLYPDlRvPqCpyeRf6ncPcY=
github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
github.com/dolmen-go/contextio v0.0.0-20200217195037-68fc5150bcd5/go.mod h1:cxc20xI7fOgsFHWgt+PenlDDnMcrvh7Ocuj5hEFIdEk=
github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6/go.mod h1:hn7BA7c8pLvoGndExHudxTDKZ84Pyvv+90pbBjbTz0Y=
github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
github.com/eapache/go-resiliency v1.2.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts=
github.com/elastic/beats/v7 v7.14.2 h1:bPAaiCeOsTHPgWVLausbyO6GOlP/95L7OTcXeX9Q8d0=
github.com/elastic/beats/v7 v7.14.2/go.mod h1:NoQ+AlI+yzg+QOjnRe/zzLyR1F9KneDqi1Qp/79O3JM=
github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY=
github.com/elastic/ecs v1.10.0/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4=
github.com/elastic/elastic-agent-client/v7 v7.0.0-20210727140539-f0905d9377f6 h1:nFvXHBjYK3e9+xF0WKDeAKK4aOO51uC28s+L9rBmilo=
github.com/elastic/elastic-agent-client/v7 v7.0.0-20210727140539-f0905d9377f6/go.mod h1:uh/Gj9a0XEbYoM4NYz4LvaBVARz3QXLmlNjsrKY9fTc=
github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270/go.mod h1:Msl1pdboCbArMF/nSCDUXgQuWTeoMmE/z8607X+k7ng=
github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
github.com/elastic/go-concert v0.1.0/go.mod h1:9MtFarjXroUgmm0m6HY3NSe1XiKhdktiNRRj9hWvIaM=
github.com/elastic/go-libaudit/v2 v2.2.0/go.mod h1:MM/l/4xV7ilcl+cIblL8Zn448J7RZaDwgNLE4gNKYPg=
github.com/elastic/go-licenser v0.3.1/go.mod h1:D8eNQk70FOCVBl3smCGQt/lv7meBeQno2eI1S5apiHQ=
github.com/elastic/go-lookslike v0.3.0/go.mod h1:AhH+rdJux5RlVjs+6ej4jkvYyoNRkj2crxmqeHlj3hA=
github.com/elastic/go-lumber v0.1.0/go.mod h1:8YvjMIRYypWuPvpxx7WoijBYdbB7XIh/9FqSYQZTtxQ=
github.com/elastic/go-perf v0.0.0-20191212140718-9c656876f595/go.mod h1:s09U1b4P1ZxnKx2OsqY7KlHdCesqZWIhyq0Gs/QC/Us=
github.com/elastic/go-plugins-helpers v0.0.0-20200207104224-bdf17607b79f/go.mod h1:OPGqFNdTS34kMReS5hPFtBhD9J8itmSDurs1ix2wx7c=
github.com/elastic/go-seccomp-bpf v1.1.0/go.mod h1:l+89Vy5BzjVcaX8USZRMOwmwwDScE+vxCFzzvQwN7T8=
github.com/elastic/go-structform v0.0.9/go.mod h1:CZWf9aIRYY5SuKSmOhtXScE5uQiLZNqAFnwKR4OrIM4=
github.com/elastic/go-sysinfo v1.1.1/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0=
github.com/elastic/go-sysinfo v1.7.0 h1:4vVvcfi255+8+TyQ7TYUTEK3A+G8v5FLE+ZKYL1z1Dg=
github.com/elastic/go-sysinfo v1.7.0/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0=
github.com/elastic/go-txfile v0.0.7/go.mod h1:H0nCoFae0a4ga57apgxFsgmRjevNCsEaT6g56JoeKAE=
github.com/elastic/go-ucfg v0.7.0/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+FX0JKxzo=
github.com/elastic/go-ucfg v0.8.3 h1:leywnFjzr2QneZZWhE6uWd+QN/UpP0sdJRHYyuFvkeo=
github.com/elastic/go-ucfg v0.8.3/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+FX0JKxzo=
github.com/elastic/go-windows v1.0.0/go.mod h1:TsU0Nrp7/y3+VwE82FoZF8gC/XFg/Elz6CcloAxnPgU=
github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUtJm0=
github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss=
github.com/elastic/gosigar v0.14.1/go.mod h1:iXRIGg2tLnu7LBdpqzyQfGDEidKCfWcCMS0WKyPWoMs=
github.com/elastic/sarama v1.19.1-0.20210823122811-11c3ef800752/go.mod h1:mdtqvCSg8JOxk8PmpTNGyo6wzd4BMm4QXSfDnTXmgkE=
github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s=
github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab/go.mod h1:/P9AEU963A2AYjv4d1V5eVL1CQbEJq6aCNHDDjibzu8=
github.com/go-ole/go-ole v1.2.5-0.20190920104607-14974a1cf647/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
github.com/go-sourcemap/sourcemap v2.1.2+incompatible/go.mod h1:F8jJfvm2KbVjc5NqelyYJmf/v5J0dwNLS2mL4sNA1Jg=
github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8=
github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM=
github.com/gocarina/gocsv v0.0.0-20170324095351-ffef3ffc77be/go.mod h1:/oj50ZdPq/cUjA02lMZhijk5kR31SEydKyqah1OgBuo=
github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/godror/godror v0.10.4/go.mod h1:9MVLtu25FBJBMHkPs0m3Ngf/VmwGcLpM2HS8PlNGw9U=
github.com/gofrs/flock v0.7.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
github.com/gofrs/uuid v3.3.0+incompatible h1:8K4tyRfvU1CYPgJsveYFQMhpFd/wXNM7iK6rR7UHz84=
github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/gomodule/redigo v1.8.3/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0=
github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/licenseclassifier v0.0.0-20200402202327-879cb1424de0/go.mod h1:qsqn2hxC+vURpyBRygGUuinTO42MFRLcsmQ/P8v94+M=
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA=
github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
github.com/grpc-ecosystem/grpc-gateway v1.13.0/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c=
github.com/h2non/filetype v1.1.1/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY=
github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI=
github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/hashicorp/go-version v1.0.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
github.com/hashicorp/nomad/api v0.0.0-20200303134319-e31695b5bbe6/go.mod h1:WKCL+tLVhN1D+APwH3JiTRZoxcdwRk86bWu1LVCUPaE=
github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95/go.mod h1:QiyDdbZLaJ/mZP4Zwc9g2QsfaEA4o7XvvgZegSci5/E=
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
github.com/jarcoal/httpmock v1.0.4/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik=
github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o=
github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aWNYyvBVK62bc=
github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
github.com/jmoiron/sqlx v1.2.1-0.20190826204134-d7d95172beb5/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks=
github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 h1:rp+c0RAYOWj8l6qbCUTSiRLG/iKnW3K3/QfPPuSsBt4=
github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901/go.mod h1:Z86h9688Y0wesXCyonoVr47MasHilkuLMqGhRZ4Hpak=
github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd/go.mod h1:eJTEwMjXb7kZ633hO3Ln9mBUCOjX2+FlTljvpl9SYdE=
github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
github.com/kardianos/service v1.1.0/go.mod h1:RrJI2xn5vve/r32U5suTbeaSGoMU6GbNPoj36CVYcHc=
github.com/karrick/godirwalk v1.15.6/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk=
github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
github.com/kolide/osquery-go v0.0.0-20200604192029-b019be7063ac/go.mod h1:rp36fokOKgd/5mOgbvv4fkpdaucQ43mnvb+8BR62Xo8=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/magefile/mage v1.9.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
github.com/magefile/mage v1.11.0 h1:C/55Ywp9BpgVVclD3lRnSYCwXTYxmSppIgLeDYlNuls=
github.com/magefile/mage v1.11.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mailru/easyjson v0.7.1/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
github.com/markbates/pkger v0.17.0/go.mod h1:0JoVlrol20BSywW79rN3kdFFsE5xYM+rSCQDXbLhiuI=
github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11/go.mod h1:Ah2dBMoxZEqk118as2T4u4fjfXarE0pPnMJaArZQZsI=
github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
github.com/mattn/go-colorable v0.1.6 h1:6Su7aK7lXmJ/U79bYtBjLNaha4Fs1Rg9plHpcH+vvnE=
github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
github.com/mattn/go-ieproxy v0.0.0-20190610004146-91bb50d98149/go.mod h1:31jz6HNzdxOmlERGGEc4v/dMssOfmp2p5bT/okiKFFc=
github.com/mattn/go-ieproxy v0.0.0-20191113090002-7c0f6868bffe/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E=
github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
github.com/mitchellh/gox v1.0.1/go.mod h1:ED6BioOGXMswlXa2zxfh/xdd5QhwYliBFn9V18Ap4z4=
github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ=
github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.5.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v1.2.0/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE=
github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs=
github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo=
github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc=
github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2/go.mod h1:L3UMQOThbttwfYRNFOWLLVXMhk5Lkio4GGOtw5UrxS0=
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
github.com/pierrec/lz4 v2.6.0+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0/go.mod h1:4xpMLz7RBWyB+ElzHu8Llua96TRCB3YwX+l5EP1wmHk=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1-0.20170505043639-c605e284fe17/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc/go.mod h1:ikMPikHu8SMvBGWoKulvvOOZN227amf2E9eMYqyAwAY=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20190425082905-87a4384529e0/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
github.com/prometheus/procfs v0.0.11 h1:DhHlBtkHWPYi8O2y31JkK0TF+DGM+51OopZjH/Ia5qI=
github.com/prometheus/procfs v0.0.11/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
github.com/prometheus/prometheus v2.5.0+incompatible/go.mod h1:oAIUtOny2rjMX0OWN5vPR5/q/twIROJvdqnQKDdil/s=
github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e/go.mod h1:Sb6li54lXV0yYEjI4wX8cucdQ9gqUJV3+Ngg3l9g30I=
github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54/go.mod h1:Vrkh1pnjV9Bl8c3P9zH0/D4NlOHWP5d4/hF4YTULaec=
github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b/go.mod h1:8458kAagoME2+LN5//WxE71ysZ3B7r22fdgb7qVmXSY=
github.com/sanathkr/yaml v0.0.0-20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ=
github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ=
github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis=
github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4=
github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
github.com/shirou/gopsutil v3.20.12+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
github.com/stretchr/testify v1.1.5-0.20170601210322-f6abca593680/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.5.0/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b/go.mod h1:jAqhj/JBVC1PwcLTWd6rjQyGyItxxrhpiBl8LSuAGmw=
github.com/tsg/gopacket v0.0.0-20200626092518-2ab8e397a786/go.mod h1:RIkfovP3Y7my19aXEjjbNd9E5TlHozzAyt7B8AaEcwg=
github.com/ugorji/go v1.1.8/go.mod h1:0lNM99SwWUIRhCXnigEMClngXBk/EmpTXa7mgiewYWA=
github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
github.com/ugorji/go/codec v1.1.8/go.mod h1:X00B19HDtwvKbQY2DcYjvZxKQp8mzrJoQ6EgoIY/D2E=
github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
github.com/urso/diag v0.0.0-20200210123136-21b3cc8eb797/go.mod h1:pNWFTeQ+V1OYT/TzWpnWb6eQBdoXpdx+H+lrH97/Oyo=
github.com/urso/go-bin v0.0.0-20180220135811-781c575c9f0e/go.mod h1:6GfHrdWBQYjFRIznu7XuQH4lYB2w8nO4bnImVKkzPOM=
github.com/urso/magetools v0.0.0-20190919040553-290c89e0c230/go.mod h1:DFxTNgS/ExCGmmjVjSOgS2WjtfjKXgCyDzAFgbtovSA=
github.com/urso/qcgen v0.0.0-20180131103024-0b059e7db4f4/go.mod h1:RspW+E2Yb7Fs7HclB2tiDaiu6Rp41BiIG4Wo1YaoXGc=
github.com/urso/sderr v0.0.0-20200210124243-c2a16f3d43ec/go.mod h1:Wp40HwmjM59FkDIVFfcCb9LzBbnc0XAMp8++hJuWvSU=
github.com/vbatts/tar-split v0.11.1/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g=
github.com/vmware/govmomi v0.0.0-20170802214208-2cad15190b41/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU=
github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
github.com/xdg/scram v1.0.3/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
github.com/xdg/stringprep v1.0.3/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
github.com/xeipuuv/gojsonschema v0.0.0-20181112162635-ac52e6811b56/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7/go.mod h1:aEV29XrmTYFr3CiRxZeGHpkvbwq+prZduBqMaascyCU=
go.elastic.co/apm v1.7.2/go.mod h1:tCw6CkOJgkWnzEthFN9HUP1uL3Gjc/Ur6m7gRPLaoH0=
go.elastic.co/apm v1.8.1-0.20200909061013-2aef45b9cf4b h1:Sf+V3eV91ZuXjF3824SABFgXU+z4ZEuIX5ikDvt2lCE=
go.elastic.co/apm v1.8.1-0.20200909061013-2aef45b9cf4b/go.mod h1:qoOSi09pnzJDh5fKnfY7bPmQgl8yl2tULdOu03xhui0=
go.elastic.co/apm/module/apmelasticsearch v1.7.2/go.mod h1:ZyNFuyWdt42GBZkz0SogoLzDBrBGj4orxpiUuxYeYq8=
go.elastic.co/apm/module/apmhttp v1.7.2/go.mod h1:sTFWiWejnhSdZv6+dMgxGec2Nxe/ZKfHfz/xtRM+cRY=
go.elastic.co/ecszap v0.3.0 h1:Zo/Y4sJLqbWDlqCHI4F4Lzeg0Fs4+n5ldVis4h9xV8w=
go.elastic.co/ecszap v0.3.0/go.mod h1:HTUi+QRmr3EuZMqxPX+5fyOdMNfUu5iPebgfhgsTJYQ=
go.elastic.co/fastjson v1.0.0/go.mod h1:PmeUOMMtLHQr9ZS9J9owrAVg0FkaZDRZJEFTTGHtchs=
go.elastic.co/fastjson v1.1.0 h1:3MrGBWWVIxe/xvsbpghtkFoPciPhOCmjsR/HfwEeQR4=
go.elastic.co/fastjson v1.1.0/go.mod h1:boNGISWMjQsUPy/t6yqt2/1Wx4YNPSe+mZjlyw9vKKI=
go.elastic.co/go-licence-detector v0.4.0/go.mod h1:fSJQU8au4SAgDK+UQFbgUPsXKYNBDv4E/dwWevrMpXU=
go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY=
go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
go.uber.org/goleak v1.0.0/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
go.uber.org/multierr v1.3.0 h1:sFPn2GLc3poCkfrpIXGhBD2X0CMIo4Q/zSULXrj/+uc=
go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4=
go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
go.uber.org/zap v1.14.0 h1:/pduUoebOeeJzTDFuoMgC6nRkiasr1sBCIEorly7m4o=
go.uber.org/zap v1.14.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e h1:gsTQYXdTw2Gq7RBsWvlQ91b+aEQ6bXFUngBGuR8sPpI=
golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
golang.org/x/lint v0.0.0-20200130185559-910be7a94367 h1:0IiAsCRByjO2QjX7ZPkw5oU9x+n1YqRL802rjC0c3Aw=
golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191021144547-ec77196f6094/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q=
golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20180810173357-98c5dad5d1a0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180815093151-14742f9018cd/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190529164535-6a60838ec259/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191025021431-6c3a3bfe00ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191112214154-59a1497f0cea/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20200602230032-c00d67ef29d0 h1:6txNFSnY+tteYoO+hf01EpdYcYZiurdC9MDIrcUzEu4=
golang.org/x/tools v0.0.0-20200602230032-c00d67ef29d0/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
google.golang.org/genproto v0.0.0-20190927181202-20e1ac93f88c/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb h1:hcskBH5qZCOa7WpTUFUFvoebnSFZBYpjykLtjIp9DVk=
google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA=
google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
google.golang.org/grpc v1.29.1 h1:EC2SB8S04d2r73uptxphDSUG+kTKVgjRPF+N3xpxRB4=
google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/jcmturner/gokrb5.v7 v7.5.0/go.mod h1:l8VISx+WGYp+Fp7KRbsiUuXTTOnxIc3Tuvyavf11/WM=
gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA=
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
gotest.tools/gotestsum v0.6.0/go.mod h1:LEX+ioCVdeWhZc8GYfiBRag360eBhwixWJ62R9eDQtI=
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM=
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
howett.net/plist v0.0.0-20181124034731-591f970eefbb h1:jhnBjNi9UFpfpl8YZhA9CrOqpnJdvzuiHsl/dnxl11M=
howett.net/plist v0.0.0-20181124034731-591f970eefbb/go.mod h1:vMygbs4qMhSZSc4lCUl2OEE+rDiIIJAIdR4m7MiMcm0=
k8s.io/api v0.19.4/go.mod h1:SbtJ2aHCItirzdJ36YslycFNzWADYH3tgOhvBEFtZAk=
k8s.io/apimachinery v0.19.4/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
k8s.io/client-go v0.19.4/go.mod h1:ZrEy7+wj9PjH5VMBCuu/BDlvtUAku0oVFk4MmnW9mWA=
k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o=
k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=


@ -20,7 +20,7 @@
package include
import (
"github.com/elastic/beats/libbeat/asset"
"github.com/elastic/beats/v7/libbeat/asset"
)
func init() {


@ -8,12 +8,12 @@ import (
"github.com/magefile/mage/mg"
devtools "github.com/elastic/beats/dev-tools/mage"
"github.com/elastic/beats/dev-tools/mage/target/build"
"github.com/elastic/beats/dev-tools/mage/target/common"
"github.com/elastic/beats/dev-tools/mage/target/pkg"
"github.com/elastic/beats/dev-tools/mage/target/unittest"
"github.com/elastic/beats/dev-tools/mage/target/update"
devtools "github.com/elastic/beats/v7/dev-tools/mage"
"github.com/elastic/beats/v7/dev-tools/mage/target/build"
"github.com/elastic/beats/v7/dev-tools/mage/target/common"
"github.com/elastic/beats/v7/dev-tools/mage/target/pkg"
"github.com/elastic/beats/v7/dev-tools/mage/target/unittest"
"github.com/elastic/beats/v7/dev-tools/mage/target/update"
)
func init() {
@ -21,6 +21,8 @@ func init() {
devtools.BeatDescription = "Icingabeat fetches data from the Icinga 2 API and forwards it to Elasticsearch or Logstash."
devtools.BeatVendor = "{full_name}"
devtools.BeatProjectType = devtools.CommunityProject
devtools.CrossBuildMountModcache = true
}
// Package packages the Beat for distribution.
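Review bot: The new `devtools.CrossBuildMountModcache = true` in init() carries no comment, so a later reader will not connect it to this module migration. I would add above it `// Mount the host Go module cache into the cross-build containers; with the move from vendor/ to go.mod the dependencies are only available there.` The flag's exact behaviour is defined in the beats dev-tools package rather than here, so confirm the wording against that definition before committing it. Separately, the unchanged context line `devtools.BeatVendor = "{full_name}"` looks like an unfilled generator placeholder that ends up in package metadata; worth checking that it is intentional. The import-path hunk above is a plain rename and needs nothing.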


@ -1,38 +0,0 @@
# See: http://editorconfig.org
root = true
[*]
charset = utf-8
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true
[.go]
indent_size = 4
indent_style = tab
[*.json]
indent_size = 4
indent_style = space
[*.py]
indent_style = space
indent_size = 4
[*.yml]
indent_style = space
indent_size = 2
[Makefile*]
indent_style = tab
[*.mk]
indent_style = tab
[Vagrantfile]
indent_size = 2
indent_style = space
[*.rl]
indent_size = 4
indent_style = space


@ -1,6 +0,0 @@
CHANGELOG.next.asciidoc merge=union
CHANGELOG-developer.next.asciidoc merge=union
# Keep these file types as CRLF (Windows).
*.bat text eol=crlf
*.cmd text eol=crlf


@ -1,43 +0,0 @@
# GitHub CODEOWNERS definition
# See: https://help.github.com/articles/about-codeowners/
# * @elastic/beats
# libbeat
# /libbeat/ @elastic/beats
# /auditbeat/ @elastic/beats
# /packetbeat/ @elastic/beats
# /filebeat/ @elastic/beats
# /metricbeat/ @elastic/beats
# /journalbeat/ @elastic/beats
# /winlogbeat/ @elastic/beats
# Auditbeat
/auditbeat/module/ @elastic/siem
/x-pack/auditbeat/ @elastic/siem
# Packetbeat
/packetbeat/protos/ @elastic/siem
/x-pack/packetbeat/ @elastic/siem
# Filebeat
/filebeat/module/ @elastic/integrations
/filebeat/module/elasticsearch/ @elastic/stack-monitoring
/filebeat/module/kibana/ @elastic/stack-monitoring
/filebeat/module/logstash/ @elastic/stack-monitoring
/x-pack/filebeat/module/ @elastic/integrations
/x-pack/filebeat/module/suricata/ @elastic/secops
# Metricbeat
/metricbeat/module/ @elastic/integrations
/metricbeat/module/elasticsearch/ @elastic/stack-monitoring
/metricbeat/module/kibana/ @elastic/stack-monitoring
/metricbeat/module/logstash/ @elastic/stack-monitoring
/metricbeat/module/beat/ @elastic/stack-monitoring
/x-pack/metricbeat/module/ @elastic/integrations
# Heartbeat
/heartbeat/ @elastic/uptime
# Winlogbeat
/x-pack/winlogbeat/ @elastic/siem


@ -1,20 +0,0 @@
---
name: Bug
about: "Report confirmed bugs. For unconfirmed bugs please visit https://discuss.elastic.co/c/beats"
---
Please post all questions and issues on https://discuss.elastic.co/c/beats
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.
For security vulnerabilities please only send reports to security@elastic.co.
See https://www.elastic.co/community/security for more information.
Please include configurations and logs if available.
For confirmed bugs, please report:
- Version:
- Operating System:
- Discuss Forum URL:
- Steps to Reproduce:


@ -1,20 +0,0 @@
---
name: Bug
about: "Report confirmed bugs. For unconfirmed bugs please visit https://discuss.elastic.co/c/beats"
---
Please post all questions and issues on https://discuss.elastic.co/c/beats
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.
For security vulnerabilities please only send reports to security@elastic.co.
See https://www.elastic.co/community/security for more information.
Please include configurations and logs if available.
For confirmed bugs, please report:
- Version:
- Operating System:
- Discuss Forum URL:
- Steps to Reproduce:


@ -1,10 +0,0 @@
---
name: Enhancement request
about: Beats can't do all the things, but maybe it can do your things.
---
**Describe the enhancement:**
**Describe a specific use case for the enhancement or feature:**


@ -1,19 +0,0 @@
---
name: Flaky Test
about: Report a flaky test (one that doesn't pass consistently)
---
## Flaky Test
* **Test Name:** Name of the failing test.
* **Link:** Link to file/line number in github.
* **Branch:** Git branch the test was seen in. If a PR, the branch the PR was based off.
* **Artifact Link:** If available, attach the generated zip artifact associated with the stack trace for this failure.
* **Notes:** Additional details about the test. e.g. theory as to failure cause
### Stack Trace
```
paste stack trace here
```


@ -1,36 +0,0 @@
---
name: New Module / Dataset
about: "Meta issue to track the creation, updating of a new module or dataset."
---
# Metricbeat Module / Dataset release checklist
This checklist is intended for Devs which create or update a module to make sure modules are consistent.
## Modules
For a metricset to go GA, the following criterias should be met:
* [ ] Supported versions are documented
* [ ] Supported operating systems are documented (if applicable)
* [ ] Integration tests exist
* [ ] System tests exist
* [ ] Automated checks that all fields are documented
* [ ] Documentation
* [ ] Fields follow [ECS](https://github.com/elastic/ecs) and [naming conventions](https://www.elastic.co/guide/en/beats/devguide/master/event-conventions.html)
* [ ] Dashboards exists (if applicable)
* [ ] Kibana Home Tutorial (if applicable)
* [ ] Open issue in [EUI repo](https://github.com/elastic/eui) to add [icon for module](https://elastic.github.io/eui/#/display/icons) if not already exists.
* [ ] Open PR against Kibana repo with tutorial. Examples can be found [here](https://github.com/elastic/kibana/tree/master/src/legacy/core_plugins/kibana/server/tutorials).
## Filebeat module
* [ ] Test log files exist for the grok patterns
* [ ] Generated output for at least 1 log file exists
## Metricbeat module
* [ ] Example `data.json` exists and an automated way to generate it exists (`go test -data`)
* [ ] Test environment in Docker exist for integration tests


@ -1,18 +0,0 @@
---
name: Question
about: Who, what, when, where, and how?
---
Hey, stop right there!
We use GitHub to track feature requests and bug reports. Please do not submit issues for questions about how to use features of Beat, how to set Beats up, best practices, or development related help.
However, we do want to help! Head on over to our official Beats forums and ask
your questions there. In additional to awesome, knowledgeable community
contributors, core Beats developers are on the forums every single day to help
you out.
The forums are here: https://discuss.elastic.co/c/beats
We can't stop you from opening an issue here, but it will likely linger without a response for days or weeks before it is closed and we ask you to join us on the forums instead. Save yourself the time, and ask on the forums today.


@ -1,40 +0,0 @@
# Directories
/.vagrant
/.idea
/.vscode
/build
/*/*.template*.json
**/html_docs
*beat/fields.yml
*beat/_meta/kibana.generated
*beat/build
*beat/logs
*beat/data
x-pack/functionbeat/pkg
# Files
.DS_Store
/beats.iml
*.dev.yml
*.generated.yml
coverage.out
.python-version
beat.db
*.keystore
mage_output_file.go
x-pack/functionbeat/*/fields.yml
x-pack/functionbeat/provider/*/functionbeat-*
# Editor swap files
*.swp
*.swo
*.swn
# Compiled Object files, Static and Dynamic libs (Shared Objects)
*.o
*.a
*.so
*.exe
*.test
*.prof
*.pyc


@ -1 +0,0 @@
1.12.12


@ -1,13 +0,0 @@
[MESSAGES CONTROL]
disable=too-many-lines,too-many-public-methods,too-many-statements
[BASIC]
method-rgx=[a-z_][a-z0-9_]{2,50}$
[FORMAT]
max-line-length=120


@ -1,251 +0,0 @@
sudo: required
dist: trusty
services:
- docker
language: go
# Make sure project can also be built on travis for clones of the repo
go_import_path: github.com/elastic/beats
env:
global:
# Cross-compile for amd64 only to speed up testing.
- GOX_FLAGS="-arch amd64"
- DOCKER_COMPOSE_VERSION=1.21.0
- TRAVIS_GO_VERSION=$(cat .go-version)
# Newer versions of minikube fail on travis, see: https://github.com/kubernetes/minikube/issues/2704
- TRAVIS_MINIKUBE_VERSION=v0.25.2
jobs:
include:
# General checks
- os: linux
env: TARGETS="check"
go: $TRAVIS_GO_VERSION
stage: check
# Filebeat
- os: linux
env: TARGETS="-C filebeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C filebeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C x-pack/filebeat testsuite"
go: $(GO_VERSION)
stage: test
# Heartbeat
- os: linux
env: TARGETS="-C heartbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C heartbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
# Auditbeat
- os: linux
env: TARGETS="-C auditbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C auditbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C auditbeat crosscompile"
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C x-pack/auditbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
# Libbeat
- os: linux
env: TARGETS="-C libbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C libbeat crosscompile"
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: STRESS_TEST_OPTIONS="-timeout=20m -race -v -parallel 1" TARGETS="-C libbeat stress-tests"
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C x-pack/libbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
# Metricbeat
- os: linux
env: TARGETS="-C metricbeat unit-tests coverage-report"
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C metricbeat integration-tests-environment coverage-report"
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C metricbeat update system-tests-environment coverage-report"
go: $TRAVIS_GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C metricbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C metricbeat crosscompile"
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C x-pack/metricbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
# Packetbeat
- os: linux
env: TARGETS="-C packetbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
# Winlogbeat
- os: linux
env: TARGETS="-C winlogbeat crosscompile"
go: $TRAVIS_GO_VERSION
stage: test
# Functionbeat
- os: linux
env: TARGETS="-C x-pack/functionbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C x-pack/functionbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
# Journalbeat
- os: linux
env: TARGETS="-C journalbeat testsuite"
go: $TRAVIS_GO_VERSION
stage: test
# Generators
- os: linux
env: TARGETS="-C generator/metricbeat test test-package"
go: $TRAVIS_GO_VERSION
stage: test
- os: linux
env: TARGETS="-C generator/beat test test-package"
go: $TRAVIS_GO_VERSION
stage: test
- os: osx
env: TARGETS="-C generator/metricbeat test"
go: $TRAVIS_GO_VERSION
stage: test
- os: osx
env: TARGETS="-C generator/beat test"
go: $TRAVIS_GO_VERSION
stage: test
# Docs
- os: linux
env: TARGETS="docs"
go: $TRAVIS_GO_VERSION
stage: test
# Kubernetes
- os: linux
install: deploy/kubernetes/.travis/setup.sh
env:
- TARGETS="-C deploy/kubernetes test"
- TRAVIS_K8S_VERSION=v1.9.4
stage: test
- os: linux
install: deploy/kubernetes/.travis/setup.sh
env:
- TARGETS="-C deploy/kubernetes test"
- TRAVIS_K8S_VERSION=v1.10.0
stage: test
- os: linux
dist: xenial
install: deploy/kubernetes/.travis/setup.sh
env:
- TARGETS="-C deploy/kubernetes test"
- TRAVIS_K8S_VERSION=v1.15.3
- TRAVIS_MINIKUBE_VERSION=v1.3.1
stage: test
addons:
apt:
update: true
packages:
- python-virtualenv
- libpcap-dev
- xsltproc
- libxml2-utils
- librpm-dev
# TODO include 1.11 once minikube supports it
#- os: linux
# install: deploy/kubernetes/.travis/setup.sh
# env:
# - TARGETS="-C deploy/kubernetes test"
# - TRAVIS_K8S_VERSION=v1.11.0
# stage: test
addons:
apt:
update: true
packages:
- python-virtualenv
- libpcap-dev
- xsltproc
- libxml2-utils
- libsystemd-journal-dev
- librpm-dev
before_install:
- python --version
- umask 022
- chmod -R go-w $GOPATH/src/github.com/elastic/beats
# Docker-compose installation
- sudo rm /usr/local/bin/docker-compose || true
- curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` > docker-compose
- chmod +x docker-compose
- sudo mv docker-compose /usr/local/bin
- if [ $TRAVIS_OS_NAME = osx ]; then pip install virtualenv; fi
# Skips installations step
install: true
script:
- make $TARGETS
notifications:
slack:
on_success: change
on_failure: always
on_pull_requests: false
rooms:
secure: "e25J5puEA31dOooTI4T+K+zrTs8XeWIGq2cgmiPt9u/g7eqWeQj1UJnVsr8GOu1RPDyuJZJHXqfrvuOYJTdHzXbwjD0JTbwwVVZMkkZW2SWZHG46HCXPiucjWXEr3hXJKBJDDpIx6VxrN7r17dejv1biQ8QuEFZfiB1H8kbH/ho="
after_success:
# Copy full.cov to coverage.txt because codecov.io requires this file
- test -f auditbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f auditbeat/build/coverage/full.cov
- test -f filebeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f filebeat/build/coverage/full.cov
- test -f heartbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f heartbeat/build/coverage/full.cov
- test -f libbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f libbeat/build/coverage/full.cov
- test -f metricbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f metricbeat/build/coverage/full.cov
- test -f packetbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f packetbeat/build/coverage/full.cov


@ -1,204 +0,0 @@
// Use these for links to issue and pulls. Note issues and pulls redirect one to
// each other on Github, so don't worry too much on using the right prefix.
:issue: https://github.com/elastic/beats/issues/
:pull: https://github.com/elastic/beats/pull/
This changelog is intended for community Beat developers. It covers the major
breaking changes to the internal APIs in the official Beats and changes related
to developing a Beat like code generators or `fields.yml`. Only the major
changes will be covered in this changelog that are expected to affect community
developers. Each breaking change added here should have an explanation on how
other Beats should be migrated.
Note: This changelog was only started after the 6.3 release.
=== Beats version 7.5.1
https://github.com/elastic/beats/compare/v7.5.0..v7.5.1[Check the HEAD diff]
=== Beats version 7.5.0
https://github.com/elastic/beats/compare/v7.4.1..v7.5.0[Check the HEAD diff]
==== Breaking changes
- Build docker and kubernetes features only on supported platforms. {pull}13509[13509]
- Need to register new processors to be used in the JS processor in their `init` functions. {pull}13509[13509]
==== Added
- Compare event by event in `testadata` framework to avoid sorting problems {pull}13747[13747]
=== Beats version 7.4.1
https://github.com/elastic/beats/compare/v7.4.0..v7.4.1[Check the HEAD diff]
=== Beats version 7.4.0
https://github.com/elastic/beats/compare/v7.3.1..v7.4.0[Check the HEAD diff]
==== Breaking changes
- For "metricbeat style" generated custom beats, the mage target `GoTestIntegration` has changed to `GoIntegTest` and `GoTestUnit` has changed to `GoUnitTest`. {pull}13341[13341]
==== Added
- Add ClientFactory to TCP input source to add SplitFunc/NetworkFuncs per client. {pull}8543[8543]
- Introduce beat.OutputChooses publisher mode. {pull}12996[12996]
- Ensure that beat.Processor, beat.ProcessorList, and processors.ProcessorList are compatible and can be composed more easily. {pull}12996[12996]
- Add support to close beat.Client via beat.CloseRef (a subset of context.Context). {pull}13031[13031]
- Add checks for types and formats used in fields definitions in `fields.yml` files. {pull}13188[13188]
- Makefile included in generator copies files from beats repository using `git archive` instead of cp. {pull}13193[13193]
=== Beats version 7.3.2
https://github.com/elastic/beats/compare/v7.3.1..v7.3.2[Check the HEAD diff]
=== Beats version 7.3.1
https://github.com/elastic/beats/compare/v7.3.0..v7.3.1[Check the HEAD diff]
=== Beats version 7.3.0
https://github.com/elastic/beats/compare/v7.2.1..v7.3.0[Check the HEAD diff]
==== Added
- Add new option `IgnoreAllErrors` to `libbeat.common.schema` for skipping fields that failed while converting. {pull}12089[12089]
=== Beats version 7.2.1
https://github.com/elastic/beats/compare/v7.2.0..v7.2.1[Check the HEAD diff]
=== Beats version 7.2.0
https://github.com/elastic/beats/compare/v7.1.1..v7.2.0[Check the HEAD diff]
==== Breaking changes
- Move Fields from package libbeat/common to libbeat/mapping. {pull}11198[11198]
==== Added
- Metricset generator generates beta modules by default now. {pull}10657[10657]
- The `beat.Event` accessor methods now support `@metadata` keys. {pull}10761[10761]
- Assertion for documented fields in tests fails if any of the fields in the tested event is documented as an alias. {pull}10921[10921]
- Support for Logger in the Metricset base instance. {pull}11106[11106]
- Filebeat modules can now use ingest pipelines in YAML format. {pull}11209[11209]
- Prometheus helper for metricbeat contains now `Namespace` field for `prometheus.MetricsMappings` {pull}11424[11424]
- Update Jinja2 version to 2.10.1. {pull}11817[11817]
- Reduce idxmgmt.Supporter interface and rework export commands to reuse logic. {pull}11777[11777],{pull}12065[12065],{pull}12067[12067],{pull}12160[12160]
- Update urllib3 version to 1.24.2 {pull}11930[11930]
- Add libbeat/common/cleanup package. {pull}12134[12134]
- Only Load minimal template if no fields are provided. {pull}12103[12103]
- Add new option `IgnoreAllErrors` to `libbeat.common.schema` for skipping fields that failed while converting. {pull}12089[12089]
- Deprecate setup cmds for `template` and `ilm-policy`. Add new setup cmd for `index-management`. {pull}12132[12132]
=== Beats version 7.1.1
https://github.com/elastic/beats/compare/v7.1.0..v7.1.1[Check the HEAD diff]
=== Beats version 7.1.0
https://github.com/elastic/beats/compare/v7.0.0..v7.1.0[Check the HEAD diff]
=== Beats version 7.0.1
https://github.com/elastic/beats/compare/v7.0.0..v7.0.1[Check the HEAD diff]
=== Beats version 7.0.0-GA
https://github.com/elastic/beats/compare/v7.0.0-rc2..v7.0.0[Check the HEAD diff]
The list below covers the major changes between 7.0.0-rc2 and 7.0 only.
==== Added
- Added support for using PYTHON_EXE to control what Python interpreter is used
by `make` and `mage`. Example: `export PYTHON_EXE=python2.7`. {pull}11212[11212]
=== Beats version 7.0.0-rc2
https://github.com/elastic/beats/compare/v7.0.0-rc1..v7.0.0-rc2[Check the HEAD diff]
=== Beats version 7.0.0-rc1
https://github.com/elastic/beats/compare/v7.0.0-beta1..v7.0.0-rc1[Check the HEAD diff]
==== Breaking changes
- Remove support for deprecated `GenRootCmd` methods. {pull}10721[10721]
- Remove SkipNormalization, SkipAgentMetadata, SkipAddHostName. {pull}10801[10801] {pull}10769[10769]
==== Bugfixes
- Align default index between elasticsearch and logstash and kafka output. {pull}10841[10841]
- Fix duplication check for `append_fields` option. {pull}10959[10959]
==== Added
- Introduce processing.Support to instance.Setting. This allows Beats to fully modify the event processing. {pull}10801[10801]
=== Beats version 7.0.0-beta1
https://github.com/elastic/beats/compare/v7.0.0-alpha2..v7.0.0-beta1[Check the HEAD diff]
==== Breaking changes
- Outputs receive Index Manager as additional parameter. The index manager can
be used to create an index selector. {pull}10347[10347]
- Remove support for loading dashboards to Elasticsearch 5. {pull}10451[10451]
==== Added
- Allow multiple object type configurations per field. {pull}9772[9772]
- Move agent metadata addition to a processor. {pull}9952[9952]
- Add (*common.Config).Has and (*common.Config).Remove. {pull}10363[10363]
- Introduce ILM and IndexManagement support to beat.Settings. {pull}10347[10347]
- Generating index pattern on demand instead of shipping them in the packages. {pull}10478[10478]
=== Beats version 7.0.0-alpha2
https://github.com/elastic/beats/compare/v6.3.0..v7.0.0-alpha2[Check the HEAD diff]
The list below covers the major changes between 6.3.0 and 7.0.0-alpha2 only.
==== Breaking changes
- The beat.Pipeline is now passed to cfgfile.RunnerFactory. Beats using libbeat for module reloading or autodiscovery need to be adapted. {pull}7018[7017]
- Moving of TLS helper functions and structs from `output/tls` to `tlscommon`. {pull}7054[7054]
- Port fields.yml collector to Golang {pull}6911[6911]
- Dashboards under _meta/kibana are expected to be decoded. See https://github.com/elastic/beats/pull/7224 for a conversion script. {pull}7265[7265]
- Constructor `(github.com/elastic/beats/libbeat/output/codec/json).New` expects a new `escapeHTML` parameter. {pull}7445[7445]
- Packaging has been refactored and updates are required. See the PR for migration details. {pull}7388[7388]
- `make fields` has been modified to use Mage (https://magefile.org/) in an effort to make
the building a Beat more cross-platform friendly (e.g. Windows). This requires that your Beat
has a magefile.go with a fields target. The `FIELDS_FILE_PATH` make variable is no longer
used because the value is specified in magefile.go. {pull}7670[7670]
- Outputs must implement String. {pull}6404[6404]
- Renamed `-beat-name` CLI option used in `kibana_index_pattern.go` to `-beat` for consistency with other scripts in `dev-tools/cmd`. {pull}8615[8615]
- Systemd unit file template used on Linux packaging now includes environment variables to ease flag overriding. One of them includes the `-e` flag, making beats log to stderr by default on systemd uses. {pull}8942[8942]
- Removed dashboards and index patterns generation for Kibana 5. {pull}8927[8927]
- Move generator packages of Filebeat from `scripts/generator` to `generator`. {pull}9147[9147]
==== Bugfixes
- Fix permissions of generated Filebeat filesets. {pull}7140[7140]
- Collect fields from _meta/fields.yml too. {pull}8397[8397]
- Fix issue on asset generation that could lead to different results in Windows. {pull}8464[8464]
- Remove default version qualifier, you can use `VERSION_QUALIFIER` environment variable to set it. {pull}9148[9148]
==== Added
- Libbeat provides a global registry for beats developer that allow to register and retrieve plugin. {pull}7392[7392]
- Added more options to control required and optional fields in schema.Apply(), error returned is a plain nil if no error happened {pull}7335[7335]
- Packaging on MacOS now produces a .dmg file containing an installer (.pkg) and uninstaller for the Beat. {pull}7481[7481]
- Added mage targets `goTestUnit` and `goTestIntegration` for executing
'go test'. This captures the log to a file, summarizes the result, produces a
coverage profile (.cov), and produces an HTML coverage report. See
`mage -h goTestUnit`. {pull}7766[7766]
- Beats packaging now build non-oss binaries from code located in the x-pack folder. {issue}7783[7783]
- New function `AddTagsWithKey` is added, so `common.MapStr` can be enriched with tags with an arbitrary key. {pull}7991[7991]
- Move filebeat/reader to libbeat/reader {pull}8206[8206]
- Libbeat provides a new function `cmd.GenRootCmdWithSettings` that should be preferred over deprecated functions
`cmd.GenRootCmd`, `cmd.GenRootCmdWithRunFlags`, and `cmd.GenRootCmdWithIndexPrefixWithRunFlags`. {pull}7850[7850]
- Set current year in generator templates. {pull}8396[8396]
- You can now override default settings of libbeat by using instance.Settings. {pull}8449[8449]
- Add `-space-id` option to `export_dashboards.go` script to support Kibana Spaces {pull}7942[7942]
- Add `-name` option to `asset.go` script to explicitly name the asset rather than using its filename. {pull}8693[8693]
- Add `-out` option to `kibana_index_pattern.go` to control the output dir to make it possible to write the generated output to `build/kibana` instead of `_meta/kibana.generated` (but the output dir remains unchanged at this point). {pull}8615[8615]
- Add `module_fields.go` for generated `fields.go` files for modules. {pull}8615[8615]
- Add `mage.GenerateModuleReferenceConfig` for generating reference config files that include configuration sections from the module directory. {pull}8615[8615]
- Add `mage.GenerateFieldsGo` for generating fields.go files. {pull}8615[8615]
- Add `mage.KibanaDashboards` for collecting Kibana dashboards and generating index patterns. {pull}8615[8615]
- Allow to disable config resolver using the `Settings.DisableConfigResolver` field when initializing libbeat. {pull}8769[8769]
- Add `mage.AddPlatforms` to allow to specify dependent platforms when building a beat. {pull}8889[8889]
- Add `cfgwarn.CheckRemoved6xSetting(s)` to display a warning for options removed in 7.0. {pull}8909[8909]
- Add docker image building to `mage.Package`. {pull}8898[8898]
- Simplified exporting of dashboards. {pull}7730[7730]
- Update Beats to use go 1.11.2 {pull}8746[8746]
- Allow/Merge fields.yml overrides {pull}9188[9188]
- Filesets can now define multiple ingest pipelines, with the first one considered as the entry point pipeline. {pull}8914[8914]
- Add `group_measurements_by_instance` option to windows perfmon metricset. {pull}8688[8688]


@ -1,55 +0,0 @@
// Use these for links to issue and pulls. Note issues and pulls redirect one to
// each other on Github, so don't worry too much on using the right prefix.
:issue: https://github.com/elastic/beats/issues/
:pull: https://github.com/elastic/beats/pull/
This changelog is intended for community Beat developers. It covers the major
breaking changes to the internal APIs in the official Beats and changes related
to developing a Beat like code generators or `fields.yml`. Only the major
changes will be covered in this changelog that are expected to affect community
developers. Each breaking change added here should have an explanation on how
other Beats should be migrated.
Note: This changelog documents the current changes which are not yet present in
an actual release.
=== Beats version HEAD
https://github.com/elastic/beats/compare/v7.0.0-rc2..master[Check the HEAD diff]
The list below covers the major changes between 7.0.0-rc2 and master only.
==== Breaking changes
- Move Fields from package libbeat/common to libbeat/mapping. {pull}11198[11198]
- For "metricbeat style" generated custom beats, the mage target `GoTestIntegration` has changed to `GoIntegTest` and `GoTestUnit` has changed to `GoUnitTest`. {pull}13341[13341]
==== Bugfixes
- Stop using `mage:import` in community beats. This was ignoring the vendorized beats directory for some mage targets, using the code available in GOPATH, this causes inconsistencies and compilation problems if the version of the code in the GOPATH is different to the vendored one. Use of `mage:import` will continue to be unsupported in custom beats till beats is migrated to go modules, or mage supports vendored dependencies. {issue}13998[13998] {pull}14162[14162]
==== Added
- Metricset generator generates beta modules by default now. {pull}10657[10657]
- The `beat.Event` accessor methods now support `@metadata` keys. {pull}10761[10761]
- Assertion for documented fields in tests fails if any of the fields in the tested event is documented as an alias. {pull}10921[10921]
- Support for Logger in the Metricset base instance. {pull}11106[11106]
- Filebeat modules can now use ingest pipelines in YAML format. {pull}11209[11209]
- Prometheus helper for metricbeat contains now `Namespace` field for `prometheus.MetricsMappings` {pull}11424[11424]
- Update Jinja2 version to 2.10.1. {pull}11817[11817]
- Reduce idxmgmt.Supporter interface and rework export commands to reuse logic. {pull}11777[11777],{pull}12065[12065],{pull}12067[12067],{pull}12160[12160]
- Update urllib3 version to 1.24.2 {pull}11930[11930]
- Add libbeat/common/cleanup package. {pull}12134[12134]
- New helper to check for leaked goroutines on tests. {pull}12106[12106]
- Only Load minimal template if no fields are provided. {pull}12103[12103]
- Add new option `IgnoreAllErrors` to `libbeat.common.schema` for skipping fields that failed while converting. {pull}12089[12089]
- Deprecate setup cmds for `template` and `ilm-policy`. Add new setup cmd for `index-management`. {pull}12132[12132]
- Use the go-lookslike library for testing in heartbeat. Eventually the mapval package will be replaced with it. {pull}12540[12540]
- New ReporterV2 interfaces that can receive a context on `Fetch(ctx, reporter)`, or `Run(ctx, reporter)`. {pull}11981[11981]
- Generate configuration from `mage` for all Beats. {pull}12618[12618]
- Add ClientFactory to TCP input source to add SplitFunc/NetworkFuncs per client. {pull}8543[8543]
- Introduce beat.OutputChooses publisher mode. {pull}12996[12996]
- Ensure that beat.Processor, beat.ProcessorList, and processors.ProcessorList are compatible and can be composed more easily. {pull}12996[12996]
- Add support to close beat.Client via beat.CloseRef (a subset of context.Context). {pull}13031[13031]
- Add checks for types and formats used in fields definitions in `fields.yml` files. {pull}13188[13188]
- Makefile included in generator copies files from beats repository using `git archive` instead of cp. {pull}13193[13193]
- Strip debug symbols from binaries to reduce binary sizes. {issue}12768[12768]


@ -1,145 +0,0 @@
// Use these for links to issue and pulls. Note issues and pulls redirect one to
// each other on Github, so don't worry too much on using the right prefix.
:issue: https://github.com/elastic/beats/issues/
:pull: https://github.com/elastic/beats/pull/
=== Beats version HEAD
https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD diff]
==== Breaking changes
*Affecting all Beats*
- Update to Golang 1.12.1. {pull}11330[11330]
*Auditbeat*
*Filebeat*
- Fix parsing of Elasticsearch node name by `elasticsearch/slowlog` fileset. {pull}14547[14547]
*Heartbeat*
*Journalbeat*
- Remove broken dashboard. {pull}15288[15288]
*Metricbeat*
- kubernetes.container.cpu.limit.cores and kubernetes.container.cpu.requests.cores are now floats. {issue}11975[11975]
*Packetbeat*
*Winlogbeat*
*Functionbeat*
==== Bugfixes
*Affecting all Beats*
- Fix a race condition with the Kafka pipeline client, it is possible that `Close()` get called before `Connect()` . {issue}11945[11945]
- Allow users to configure only `cluster_uuid` setting under `monitoring` namespace. {pull}14338[14338]
*Auditbeat*
*Filebeat*
- cisco/asa fileset: Fix parsing of 302021 message code. {pull}14519[14519]
- Fix filebeat azure dashboards, event category should be `Alert`. {pull}14668[14668]
- Check content-type when creating new reader in s3 input. {pull}15252[15252] {issue}15225[15225]
- Fix session reset detection and a crash in Netflow input. {pull}14904[14904]
- netflow: Allow for options templates without scope fields. {pull}15449[15449]
- netflow: Fix bytes/packets counters on some devices (NSEL and Netstream). {pull}15449[15449]
- netflow: Fix compatibility with some Cisco devices by changing the field `class_id` from short to long. {pull}15449[15449]
- Fixed dashboard for Cisco ASA Firewall. {issue}15420[15420] {pull}15553[15553]
*Heartbeat*
- Fix recording of SSL cert metadata for Expired/Unvalidated x509 certs. {pull}13687[13687]
*Journalbeat*
*Metricbeat*
- Fix checking tagsFilter using length in cloudwatch metricset. {pull}14525[14525]
- Fixed bug with `elasticsearch/cluster_stats` metricset not recording license expiration date correctly. {issue}14541[14541] {pull}14591[14591]
- Log bulk failures from bulk API requests to monitoring cluster. {issue}14303[14303] {pull}14356[14356]
- Fix regular expression to detect instance name in perfmon metricset. {issue}14273[14273] {pull}14666[14666]
- Fixed bug with `elasticsearch/cluster_stats` metricset not recording license ID in the correct field. {pull}14592[14592]
- Fix `docker.container.size` fields values {issue}14979[14979] {pull}15224[15224]
- Make `kibana` module more resilient to Kibana unavailability. {issue}15258[15258] {pull}15270[15270]
- Fix panic exception with some unicode strings in perfmon metricset. {issue}15264[15264]
- Make `logstash` module more resilient to Logstash unavailability. {issue}15276[15276] {pull}15306[15306]
*Packetbeat*
*Winlogbeat*
*Functionbeat*
==== Added
*Affecting all Beats*
- Add a friendly log message when a request to docker has exceeded the deadline. {pull}15336[15336]
*Auditbeat*
*Filebeat*
- `container` and `docker` inputs now support reading of labels and env vars written by docker JSON file logging driver. {issue}8358[8358]
- Add `index` option to all inputs to directly set a per-input index value. {pull}14010[14010]
- Include log.source.address for unparseable syslog messages. {issue}13268[13268] {pull}15453[15453]
*Heartbeat*
*Journalbeat*
*Metricbeat*
*Packetbeat*
*Functionbeat*
*Winlogbeat*
==== Deprecated
*Affecting all Beats*
*Filebeat*
*Heartbeat*
*Journalbeat*
*Metricbeat*
*Packetbeat*
*Winlogbeat*
*Functionbeat*
==== Known Issue
*Journalbeat*


@ -1,17 +0,0 @@
Please post all questions and issues first on
[https://discuss.elastic.co/c/beats](https://discuss.elastic.co/c/beats)
before opening a Github Issue.
# Contributing to Beats
The Beats are open source and we love to receive contributions from our
community — you!
There are many ways to contribute, from writing tutorials or blog posts,
improving the documentation, submitting bug reports and feature requests or
writing code for implementing a whole new protocol.
If you want to contribute to the Beats project, you can start by reading
the [contributing guidelines](https://www.elastic.co/guide/en/beats/devguide/current/beats-contributing.html)
in the _Beats Developer Guide_.


@ -1,125 +0,0 @@
#!/usr/bin/env groovy
library identifier: 'apm@current',
retriever: modernSCM(
[$class: 'GitSCMSource',
credentialsId: 'f94e9298-83ae-417e-ba91-85c279771570',
id: '37cf2c00-2cc7-482e-8c62-7bbffef475e2',
remote: 'git@github.com:elastic/apm-pipeline-library.git'])
pipeline {
agent none
environment {
BASE_DIR = 'src/github.com/elastic/beats'
}
options {
timeout(time: 1, unit: 'HOURS')
buildDiscarder(logRotator(numToKeepStr: '20', artifactNumToKeepStr: '20', daysToKeepStr: '30'))
timestamps()
ansiColor('xterm')
disableResume()
durabilityHint('PERFORMANCE_OPTIMIZED')
}
triggers {
issueCommentTrigger('(?i).*(?:jenkins\\W+)?run\\W+(?:the\\W+)?tests(?:\\W+please)?.*')
}
parameters {
booleanParam(name: 'Run_As_Master_Branch', defaultValue: false, description: 'Allow to run any steps on a PR, some steps normally only run on master branch.')
}
stages {
/**
Checkout the code and stash it, to use it on other stages.
*/
stage('Checkout') {
agent { label 'linux && immutable' }
environment {
PATH = "${env.PATH}:${env.WORKSPACE}/bin"
HOME = "${env.WORKSPACE}"
GOPATH = "${env.WORKSPACE}"
}
options { skipDefaultCheckout() }
steps {
dir("${BASE_DIR}"){
checkout scm
}
stash allowEmpty: true, name: 'source', useDefaultExcludes: false
script {
env.GO_VERSION = readFile("${BASE_DIR}/.go-version")
}
}
}
/**
Updating generated files for Beat.
Checks the GO environment.
Checks the Python environment.
Checks YAML files are generated.
Validate that all updates were committed.
*/
stage('Intake') {
agent { label 'linux && immutable' }
options { skipDefaultCheckout() }
environment {
PATH = "${env.PATH}:${env.WORKSPACE}/bin"
HOME = "${env.WORKSPACE}"
GOPATH = "${env.WORKSPACE}"
}
steps {
withGithubNotify(context: 'Intake') {
deleteDir()
unstash 'source'
dir("${BASE_DIR}"){
sh './dev-tools/jenkins_intake.sh'
}
}
}
}
stage('Test') {
failFast true
parallel {
/**
Run unit tests and report junit results.
*/
stage('Filebeat') {
agent { label 'linux && immutable' }
options { skipDefaultCheckout() }
environment {
PATH = "${env.PATH}:${env.WORKSPACE}/bin"
HOME = "${env.WORKSPACE}"
GOPATH = "${env.WORKSPACE}"
}
steps {
withGithubNotify(context: 'Test', tab: 'tests') {
deleteDir()
unstash 'source'
dir("${BASE_DIR}"){
sh './filebeat/scripts/jenkins/unit-test.sh'
}
}
}
post {
always {
junit(allowEmptyResults: true,
keepLongStdio: true,
testResults: "${BASE_DIR}/build/junit-*.xml")
}
}
}
}
}
}
post {
success {
echoColor(text: '[SUCCESS]', colorfg: 'green', colorbg: 'default')
}
aborted {
echoColor(text: '[ABORTED]', colorfg: 'magenta', colorbg: 'default')
}
failure {
echoColor(text: '[FAILURE]', colorfg: 'red', colorbg: 'default')
//step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: "${NOTIFY_TO}", sendToIndividuals: false])
}
unstable {
echoColor(text: '[UNSTABLE]', colorfg: 'yellow', colorbg: 'default')
}
}
}


@ -1,13 +0,0 @@
Source code in this repository is variously licensed under the Apache License
Version 2.0, an Apache compatible license, or the Elastic License. Outside of
the "x-pack" folder, source code in a given file is licensed under the Apache
License Version 2.0, unless otherwise noted at the beginning of the file or a
LICENSE file present in the directory subtree declares a separate license.
Within the "x-pack" folder, source code in a given file is licensed under the
Elastic License, unless otherwise noted at the beginning of the file or a
LICENSE file present in the directory subtree declares a separate license.
The build produces two sets of binaries - one set that falls under the Elastic
License and another set that falls under Apache License Version 2.0. The
binaries that contain `-oss` in the artifact name are licensed under the Apache
License Version 2.0.


@ -1,184 +0,0 @@
BUILD_DIR=$(CURDIR)/build
COVERAGE_DIR=$(BUILD_DIR)/coverage
BEATS?=auditbeat filebeat heartbeat journalbeat metricbeat packetbeat winlogbeat x-pack/functionbeat
PROJECTS=libbeat $(BEATS)
PROJECTS_ENV=libbeat filebeat metricbeat
PYTHON_ENV?=$(BUILD_DIR)/python-env
VIRTUALENV_PARAMS?=
FIND=find . -type f -not -path "*/vendor/*" -not -path "*/build/*" -not -path "*/.git/*"
GOLINT=golint
GOLINT_REPO=golang.org/x/lint/golint
REVIEWDOG=reviewdog
REVIEWDOG_OPTIONS?=-diff "git diff master"
REVIEWDOG_REPO=github.com/haya14busa/reviewdog/cmd/reviewdog
XPACK_SUFFIX=x-pack/
# PROJECTS_XPACK_PKG is a list of Beats that have independent packaging support
# in the x-pack directory (rather than having the OSS build produce both sets
# of artifacts). This will be removed once we complete the transition.
PROJECTS_XPACK_PKG=x-pack/auditbeat x-pack/filebeat x-pack/metricbeat x-pack/winlogbeat
# PROJECTS_XPACK_MAGE is a list of Beats whose primary build logic is based in
# Mage. For compatibility with CI testing these projects support a subset of the
# makefile targets. After all Beats converge to primarily using Mage we can
# remove this and treat all sub-projects the same.
PROJECTS_XPACK_MAGE=$(PROJECTS_XPACK_PKG)
#
# Includes
#
include dev-tools/make/mage.mk
# Runs complete testsuites (unit, system, integration) for all beats with coverage and race detection.
# Also it builds the docs and the generators
.PHONY: testsuite
testsuite:
@$(foreach var,$(PROJECTS) $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) testsuite || exit 1;)
.PHONY: setup-commit-hook
setup-commit-hook:
@cp script/pre_commit.sh .git/hooks/pre-commit
@chmod 751 .git/hooks/pre-commit
stop-environments:
@$(foreach var,$(PROJECTS_ENV),$(MAKE) -C $(var) stop-environment || exit 0;)
# Runs unit and system tests without coverage and race detection.
.PHONY: test
test:
@$(foreach var,$(PROJECTS),$(MAKE) -C $(var) test || exit 1;)
# Runs unit tests without coverage and race detection.
.PHONY: unit
unit:
@$(foreach var,$(PROJECTS),$(MAKE) -C $(var) unit || exit 1;)
# Crosscompile all beats.
.PHONY: crosscompile
crosscompile:
@$(foreach var,filebeat winlogbeat metricbeat heartbeat auditbeat,$(MAKE) -C $(var) crosscompile || exit 1;)
.PHONY: coverage-report
coverage-report:
@mkdir -p $(COVERAGE_DIR)
@echo 'mode: atomic' > ./$(COVERAGE_DIR)/full.cov
@# Collects all coverage files and skips top line with mode
@$(foreach var,$(PROJECTS),tail -q -n +2 ./$(var)/$(COVERAGE_DIR)/*.cov >> ./$(COVERAGE_DIR)/full.cov || true;)
@go tool cover -html=./$(COVERAGE_DIR)/full.cov -o $(COVERAGE_DIR)/full.html
@echo "Generated coverage report $(COVERAGE_DIR)/full.html"
.PHONY: update
update: notice
@$(foreach var,$(PROJECTS) $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) update || exit 1;)
@$(MAKE) -C deploy/kubernetes all
.PHONY: clean
clean: mage
@rm -rf build
@$(foreach var,$(PROJECTS) $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) clean || exit 1;)
@$(MAKE) -C generator clean
@-mage -clean
# Cleans up the vendor directory from unnecessary files
# This should always be run after updating the dependencies
.PHONY: clean-vendor
clean-vendor:
@sh script/clean_vendor.sh
.PHONY: check
check: python-env
@$(foreach var,$(PROJECTS) dev-tools $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) check || exit 1;)
@# Checks also python files which are not part of the beats
@$(FIND) -name *.py -exec $(PYTHON_ENV)/bin/autopep8 -d --max-line-length 120 {} \; | (! grep . -q) || (echo "Code differs from autopep8's style" && false)
@# Validate that all updates were committed
@$(MAKE) update
@$(MAKE) check-headers
@git diff | cat
@git update-index --refresh
@git diff-index --exit-code HEAD --
.PHONY: check-headers
check-headers: mage
@mage checkLicenseHeaders
.PHONY: add-headers
add-headers: mage
@mage addLicenseHeaders
# Corrects spelling errors
.PHONY: misspell
misspell:
go get -u github.com/client9/misspell/cmd/misspell
# Ignore Kibana files (.json)
$(FIND) \
-not -path "*.json" \
-not -path "*.log" \
-name '*' \
-exec misspell -w {} \;
.PHONY: fmt
fmt: add-headers python-env
@$(foreach var,$(PROJECTS) dev-tools $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) fmt || exit 1;)
@# Cleans also python files which are not part of the beats
@$(FIND) -name "*.py" -exec $(PYTHON_ENV)/bin/autopep8 --in-place --max-line-length 120 {} \;
.PHONY: lint
lint:
@go get $(GOLINT_REPO) $(REVIEWDOG_REPO)
$(REVIEWDOG) $(REVIEWDOG_OPTIONS)
# Builds the documents for each beat
.PHONY: docs
docs:
@$(foreach var,$(PROJECTS),BUILD_DIR=${BUILD_DIR} $(MAKE) -C $(var) docs || exit 1;)
sh ./script/build_docs.sh dev-guide github.com/elastic/beats/docs/devguide ${BUILD_DIR}
.PHONY: notice
notice: python-env
@echo "Generating NOTICE"
@$(PYTHON_ENV)/bin/python dev-tools/generate_notice.py .
# Sets up the virtual python environment
.PHONY: python-env
python-env:
@test -d $(PYTHON_ENV) || virtualenv $(VIRTUALENV_PARAMS) $(PYTHON_ENV)
@$(PYTHON_ENV)/bin/pip install -q --upgrade pip autopep8==1.3.5 six
@# Work around pip bug. See: https://github.com/pypa/pip/issues/4464
@find $(PYTHON_ENV) -type d -name dist-packages -exec sh -c "echo dist-packages > {}.pth" ';'
# Tests if apm works with the current code
.PHONY: test-apm
test-apm:
sh ./script/test_apm.sh
### Packaging targets ####
# Builds a snapshot release.
.PHONY: snapshot
snapshot:
@$(MAKE) SNAPSHOT=true release
# Builds a release.
.PHONY: release
release: beats-dashboards
@$(foreach var,$(BEATS) $(PROJECTS_XPACK_PKG),$(MAKE) -C $(var) release || exit 1;)
@$(foreach var,$(BEATS) $(PROJECTS_XPACK_PKG), \
test -d $(var)/build/distributions && test -n "$$(ls $(var)/build/distributions)" || exit 0; \
mkdir -p build/distributions/$(subst $(XPACK_SUFFIX),'',$(var)) && mv -f $(var)/build/distributions/* build/distributions/$(subst $(XPACK_SUFFIX),'',$(var))/ || exit 1;)
# Builds a snapshot release. The Go version defined in .go-version will be
# installed and used for the build.
.PHONY: release-manager-snapshot
release-manager-snapshot:
@$(MAKE) SNAPSHOT=true release-manager-release
# Builds a snapshot release. The Go version defined in .go-version will be
# installed and used for the build.
.PHONY: release-manager-release
release-manager-release:
./dev-tools/run_with_go_ver $(MAKE) release
# Collects dashboards from all Beats and generates a zip file distribution.
.PHONY: beats-dashboards
beats-dashboards: mage update
@mage packageBeatDashboards


@ -1,87 +0,0 @@
[![Travis](https://travis-ci.org/elastic/beats.svg?branch=master)](https://travis-ci.org/elastic/beats)
[![GoReportCard](http://goreportcard.com/badge/elastic/beats)](http://goreportcard.com/report/elastic/beats)
[![codecov.io](https://codecov.io/github/elastic/beats/coverage.svg?branch=master)](https://codecov.io/github/elastic/beats?branch=master)
# Beats - The Lightweight Shippers of the Elastic Stack
The [Beats](https://www.elastic.co/products/beats) are lightweight data
shippers, written in Go, that you install on your servers to capture all sorts
of operational data (think of logs, metrics, or network packet data). The Beats
send the operational data to Elasticsearch, either directly or via Logstash, so
it can be visualized with Kibana.
By "lightweight", we mean that Beats have a small installation footprint, use
limited system resources, and have no runtime dependencies.
This repository contains
[libbeat](https://github.com/elastic/beats/tree/master/libbeat), our Go
framework for creating Beats, and all the officially supported Beats:
Beat | Description
--- | ---
[Auditbeat](https://github.com/elastic/beats/tree/master/auditbeat) | Collect your Linux audit framework data and monitor the integrity of your files.
[Filebeat](https://github.com/elastic/beats/tree/master/filebeat) | Tails and ships log files
[Functionbeat](https://github.com/elastic/beats/tree/master/x-pack/functionbeat) | Read and ships events from serverless infrastructure.
[Heartbeat](https://github.com/elastic/beats/tree/master/heartbeat) | Ping remote services for availability
[Journalbeat](https://github.com/elastic/beats/tree/master/journalbeat) | Read and ships event from Journald.
[Metricbeat](https://github.com/elastic/beats/tree/master/metricbeat) | Fetches sets of metrics from the operating system and services
[Packetbeat](https://github.com/elastic/beats/tree/master/packetbeat) | Monitors the network and applications by sniffing packets
[Winlogbeat](https://github.com/elastic/beats/tree/master/winlogbeat) | Fetches and ships Windows Event logs
In addition to the above Beats, which are officially supported by
[Elastic](https://elastic.co), the community has created a set of other Beats
that make use of libbeat but live outside of this Github repository. We maintain
a list of community Beats
[here](https://www.elastic.co/guide/en/beats/libbeat/master/community-beats.html).
## Documentation and Getting Started
You can find the documentation and getting started guides for each of the Beats
on the [elastic.co site](https://www.elastic.co/guide/):
* [Beats platform](https://www.elastic.co/guide/en/beats/libbeat/current/index.html)
* [Auditbeat](https://www.elastic.co/guide/en/beats/auditbeat/current/index.html)
* [Filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/index.html)
* [Functionbeat](https://www.elastic.co/guide/en/beats/functionbeat/current/index.html)
* [Heartbeat](https://www.elastic.co/guide/en/beats/heartbeat/current/index.html)
* [Journalbeat](https://www.elastic.co/guide/en/beats/journalbeat/current/index.html)
* [Metricbeat](https://www.elastic.co/guide/en/beats/metricbeat/current/index.html)
* [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/index.html)
* [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/index.html)
## Getting Help
If you need help or hit an issue, please start by opening a topic on our
[discuss forums](https://discuss.elastic.co/c/beats). Please note that we
reserve GitHub tickets for confirmed bugs and enhancement requests.
## Downloads
You can download pre-compiled Beats binaries, as well as packages for the
supported platforms, from [this page](https://www.elastic.co/downloads/beats).
## Contributing
We'd love working with you! You can help make the Beats better in many ways:
report issues, help us reproduce issues, fix bugs, add functionality, or even
create your own Beat.
Please start by reading our [CONTRIBUTING](CONTRIBUTING.md) file.
If you are creating a new Beat, you don't need to submit the code to this
repository. You can simply start working in a new repository and make use of the
libbeat packages, by following our [developer
guide](https://www.elastic.co/guide/en/beats/libbeat/current/new-beat.html).
After you have a working prototype, open a pull request to add your Beat to the
list of [community
Beats](https://github.com/elastic/beats/blob/master/libbeat/docs/communitybeats.asciidoc).
## Building Beats from the Source
See our [CONTRIBUTING](CONTRIBUTING.md) file for information about setting up
your dev environment to build Beats from the source.
## Snapshots
For testing purposes, we generate snapshot builds that you can find [here](https://beats-ci.elastic.co/job/elastic+beats+master+multijob-package-linux/lastSuccessfulBuild/gcsObjects/). Please be aware that these are built on top of master and are not meant for production.


@ -1,286 +0,0 @@
### Documentation
#
# This is a Vagrantfile for Beats development and testing. These are unofficial
# environments to help developers test things in different environments.
#
# Notes
# =====
#
# win2012, win2016, win2019
# -------------------------
#
# To login install Microsoft Remote Desktop Client (available in Mac App Store).
# Then run 'vagrant rdp' and login as user/pass vagrant/vagrant. Or you can
# manually configure your RDP client to connect to the mapped 3389 port as shown
# by 'vagrant port win2019'.
#
# The provisioning currently does no install libpcap sources or a pcap driver
# (like npcap) so Packetbeat will not build/run without some manually setup.
#
# solaris
# -------------------
# - Use gmake instead of make.
#
# freebsd and openbsd
# -------------------
# - Use gmake instead of make.
# - Folder syncing doesn't work well. Consider copying the files into the box or
# cloning the project inside the box.
###
# Read the branch's Go version from the .go-version file.
GO_VERSION = File.read(File.join(File.dirname(__FILE__), ".go-version")).strip
# Provisioning for Windows PowerShell
$winPsProvision = <<SCRIPT
$gopath_beats = "C:\\Gopath\\src\\github.com\\elastic\\beats"
if (-Not (Test-Path $gopath_beats)) {
echo 'Creating github.com\\elastic in the GOPATH'
New-Item -itemtype directory -path "C:\\Gopath\\src\\github.com\\elastic" -force
echo "Symlinking C:\\Vagrant to C:\\Gopath\\src\\github.com\\elastic"
cmd /c mklink /d $gopath_beats \\\\vboxsvr\\vagrant
}
if (-Not (Get-Command "gvm" -ErrorAction SilentlyContinue)) {
echo "Installing gvm to manage go version"
[Net.ServicePointManager]::SecurityProtocol = "tls12"
Invoke-WebRequest -URI https://github.com/andrewkroh/gvm/releases/download/v0.2.1/gvm-windows-amd64.exe -Outfile C:\\Windows\\System32\\gvm.exe
C:\\Windows\\System32\\gvm.exe --format=powershell #{GO_VERSION} | Invoke-Expression
go version
echo "Configure Go environment variables"
[System.Environment]::SetEnvironmentVariable("GOPATH", "C:\\Gopath", [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable("GOROOT", "C:\\Users\\vagrant\\.gvm\\versions\\go#{GO_VERSION}.windows.amd64", [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable("PATH", "%GOROOT%\\bin;$env:PATH;C:\\Gopath\\bin", [System.EnvironmentVariableTarget]::Machine)
}
$shell_link = "$Home\\Desktop\\Beats Shell.lnk"
if (-Not (Test-Path $shell_link)) {
echo "Creating Beats Shell desktop shortcut"
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($shell_link)
$Shortcut.TargetPath = "powershell.exe"
$Shortcut.Arguments = "-noexit -command '$gopath_beats'"
$Shortcut.WorkingDirectory = $gopath_beats
$Shortcut.Save()
}
Try {
echo "Disabling automatic updates"
$AUSettings = (New-Object -com "Microsoft.Update.AutoUpdate").Settings
$AUSettings.NotificationLevel = 1
$AUSettings.Save()
} Catch {
echo "Failed to disable automatic updates."
}
if (-Not (Get-Command "choco" -ErrorAction SilentlyContinue)) {
Set-ExecutionPolicy Bypass -Scope Process -Force
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
}
choco feature disable -n=showDownloadProgress
if (-Not (Get-Command "python" -ErrorAction SilentlyContinue)) {
echo "Installing python2"
choco install python2 -y -r
refreshenv
$env:PATH = "$env:PATH;C:\\Python27;C:\\Python27\\Scripts"
}
if (-Not (Get-Command "pip" -ErrorAction SilentlyContinue)) {
echo "Installing pip"
Invoke-WebRequest https://bootstrap.pypa.io/get-pip.py -OutFile get-pip.py
python get-pip.py -U --force-reinstall 2>&1 | %{ "$_" }
rm get-pip.py
Invoke-WebRequest
} else {
echo "Updating pip"
python -m pip install --upgrade pip 2>&1 | %{ "$_" }
}
if (-Not (Get-Command "virtualenv" -ErrorAction SilentlyContinue)) {
echo "Installing virtualenv"
python -m pip install virtualenv 2>&1 | %{ "$_" }
}
if (-Not (Get-Command "git" -ErrorAction SilentlyContinue)) {
echo "Installing git"
choco install git -y -r
}
if (-Not (Get-Command "gcc" -ErrorAction SilentlyContinue)) {
echo "Installing mingw (gcc)"
choco install mingw -y -r
}
SCRIPT
# Provisioning for Unix/Linux
$unixProvision = <<SCRIPT
echo 'Creating github.com/elastic in the GOPATH'
mkdir -p ~/go/src/github.com/elastic
echo 'Symlinking /vagrant to ~/go/src/github.com/elastic'
cd ~/go/src/github.com/elastic
if [ -d "/vagrant" ] && [ ! -e "beats" ]; then ln -s /vagrant beats; fi
SCRIPT
# Linux GVM
def linuxGvmProvision(arch="amd64")
return <<SCRIPT
mkdir -p ~/bin
if [ ! -e "~/bin/gvm" ]; then
curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.1.0/gvm-linux-#{arch}
chmod +x ~/bin/gvm
~/bin/gvm #{GO_VERSION}
echo 'export GOPATH=$HOME/go' >> ~/.bash_profile
echo 'export PATH=$HOME/bin:$GOPATH/bin:$PATH' >> ~/.bash_profile
echo 'eval "$(gvm #{GO_VERSION})"' >> ~/.bash_profile
fi
SCRIPT
end
# Provision packages for Linux Debian.
def linuxDebianProvision()
return <<SCRIPT
#!/usr/bin/env bash
set -eio pipefail
apt-get update
apt-get install -y make gcc python-pip python-virtualenv git
SCRIPT
end
Vagrant.configure(2) do |config|
# Windows Server 2012 R2
config.vm.define "win2012", primary: true do |c|
c.vm.box = "https://s3.amazonaws.com/beats-files/vagrant/beats-win2012-r2-virtualbox-2016-10-28_1224.box"
c.vm.guest = :windows
# Communicator for windows boxes
c.vm.communicator = "winrm"
# Port forward WinRM and RDP
c.vm.network :forwarded_port, guest: 22, host: 2222, id: "ssh", auto_correct: true
c.vm.network :forwarded_port, guest: 3389, host: 33389, id: "rdp", auto_correct: true
c.vm.network :forwarded_port, guest: 5985, host: 55985, id: "winrm", auto_correct: true
c.vm.provision "shell", inline: $winPsProvision
end
config.vm.define "win2016", primary: true do |c|
c.vm.box = "StefanScherer/windows_2016"
c.vm.provision "shell", inline: $winPsProvision, privileged: false
end
config.vm.define "win2019", primary: true do |c|
c.vm.box = "StefanScherer/windows_2019"
c.vm.provision "shell", inline: $winPsProvision, privileged: false
end
# Solaris 11.2
config.vm.define "solaris", primary: true do |c|
c.vm.box = "https://s3.amazonaws.com/beats-files/vagrant/beats-solaris-11.2-virtualbox-2016-11-02_1603.box"
c.vm.network :forwarded_port, guest: 22, host: 2223, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
end
# FreeBSD 11.0
config.vm.define "freebsd", primary: true do |c|
c.vm.box = "https://s3.amazonaws.com/beats-files/vagrant/beats-freebsd-11.0-virtualbox-2016-11-02_1638.box"
c.vm.network :forwarded_port, guest: 22, host: 2224, id: "ssh", auto_correct: true
# Must use NFS to sync a folder on FreeBSD and this requires a host-only network.
# To enable the /vagrant folder, set disabled to false and uncomment the private_network.
c.vm.synced_folder ".", "/vagrant", id: "vagrant-root", :nfs => true, disabled: true
#c.vm.network "private_network", ip: "192.168.135.18"
c.vm.hostname = "beats-tester"
c.vm.provision "shell", inline: $unixProvision, privileged: false
end
# OpenBSD 5.9-stable
config.vm.define "openbsd", primary: true do |c|
c.vm.box = "https://s3.amazonaws.com/beats-files/vagrant/beats-openbsd-5.9-current-virtualbox-2016-11-02_2007.box"
c.vm.network :forwarded_port, guest: 22, host: 2225, id: "ssh", auto_correct: true
c.vm.synced_folder ".", "/vagrant", type: "rsync", disabled: true
c.vm.provider :virtualbox do |vbox|
vbox.check_guest_additions = false
vbox.functional_vboxsf = false
end
c.vm.provision "shell", inline: $unixProvision, privileged: false
end
config.vm.define "precise32", primary: true do |c|
c.vm.box = "ubuntu/precise32"
c.vm.network :forwarded_port, guest: 22, host: 2226, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision("386"), privileged: false
c.vm.provision "shell", inline: linuxDebianProvision
end
config.vm.define "precise64", primary: true do |c|
c.vm.box = "ubuntu/precise64"
c.vm.network :forwarded_port, guest: 22, host: 2227, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: linuxDebianProvision
end
config.vm.define "ubuntu1804", primary: true do |c|
c.vm.box = "ubuntu/bionic64"
c.vm.network :forwarded_port, guest: 22, host: 2228, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: linuxDebianProvision
end
config.vm.define "centos6", primary: true do |c|
c.vm.box = "bento/centos-6.10"
c.vm.network :forwarded_port, guest: 22, host: 2229, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: "yum install -y make gcc python-pip python-virtualenv git rpm-devel"
end
config.vm.define "centos7", primary: true do |c|
c.vm.box = "bento/centos-7"
c.vm.network :forwarded_port, guest: 22, host: 2230, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: "yum install -y make gcc python-pip python-virtualenv git rpm-devel"
end
config.vm.define "fedora29", primary: true do |c|
c.vm.box = "bento/fedora-29"
c.vm.network :forwarded_port, guest: 22, host: 2231, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: "dnf install -y make gcc python-pip python-virtualenv git rpm-devel"
end
config.vm.define "sles12", primary: true do |c|
c.vm.box = "elastic/sles-12-x86_64"
c.vm.network :forwarded_port, guest: 22, host: 2232, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: "pip install virtualenv"
end
config.vm.define "archlinux", primary: true do |c|
c.vm.box = "archlinux/archlinux"
c.vm.network :forwarded_port, guest: 22, host: 2233, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: "pacman -Sy && pacman -S --noconfirm make gcc python-pip python-virtualenv git"
end
end


@ -1,9 +0,0 @@
build
_meta/beat.yml
_meta/beat.reference.yml
module/*/_meta/config.yml
/auditbeat
/auditbeat.test
/docs/html_docs


@ -1,13 +0,0 @@
FROM golang:1.12.12
RUN \
apt-get update \
&& apt-get install -y --no-install-recommends \
python-pip \
virtualenv \
librpm-dev \
&& rm -rf /var/lib/apt/lists/*
RUN pip install --upgrade pip
RUN pip install --upgrade setuptools
RUN pip install --upgrade docker-compose==1.23.2


@ -1,13 +0,0 @@
BEAT_NAME=auditbeat
BEAT_TITLE=Auditbeat
SYSTEM_TESTS=true
TEST_ENVIRONMENT?=true
GOX_OS?=linux windows
ES_BEATS?=..
EXCLUDE_COMMON_UPDATE_TARGET=true
include ${ES_BEATS}/libbeat/scripts/Makefile
.PHONY: update
update: mage
mage update


@ -1,14 +0,0 @@
auditbeat.modules:
- module: auditd
audit_rules: |
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc


@ -1,12 +0,0 @@
###################### Auditbeat Configuration Example #########################
# This is an example configuration file highlighting only the most common
# options. The auditbeat.reference.yml file from the same directory contains all
# the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/auditbeat/index.html
#========================== Modules configuration =============================
auditbeat.modules:


@ -1,6 +0,0 @@
#==================== Elasticsearch template setting ==========================
setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false


@ -1,31 +0,0 @@
########################## Auditbeat Configuration #############################
# This is a reference configuration file documenting all non-deprecated options
# in comments. For a shorter configuration example that contains only the most
# common options, please see auditbeat.yml in the same directory.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/auditbeat/index.html
#============================ Config Reloading ================================
# Config reloading allows to dynamically load modules. Each file which is
# monitored must contain one or multiple modules as a list.
auditbeat.config.modules:
# Glob pattern for configuration reloading
path: ${path.config}/modules.d/*.yml
# Period on which files under path should be checked for changes
reload.period: 10s
# Set to true to enable config reloading
reload.enabled: false
# Maximum amount of time to randomly delay the start of a dataset. Use 0 to
# disable startup delay.
auditbeat.max_start_delay: 10s
#========================== Modules configuration =============================
auditbeat.modules:


@ -1,130 +0,0 @@
- key: common
title: Common
description: >
Contains common fields available in all event types.
fields:
- name: file
type: group
description: File attributes.
fields:
- name: setuid
type: boolean
example: true
description: Set if the file has the `setuid` bit set. Omitted otherwise.
- name: setgid
type: boolean
example: true
description: Set if the file has the `setgid` bit set. Omitted otherwise.
- name: origin
type: keyword
description: >
An array of strings describing a possible external origin for
this file. For example, the URL it was downloaded from. Only
supported in macOS, via the kMDItemWhereFroms attribute.
Omitted if origin information is not available.
multi_fields:
- name: raw
type: keyword
description: >
This is a non-analyzed field that is useful for aggregations on the
origin data.
- name: selinux
type: group
description: The SELinux identity of the file.
fields:
- name: user
type: keyword
description: The owner of the object.
- name: role
type: keyword
description: The object's SELinux role.
- name: domain
type: keyword
description: The object's SELinux domain or type.
- name: level
type: keyword
example: s0
description: The object's SELinux level.
- name: user
type: group
description: User information.
fields:
- name: audit
type: group
description: Audit user information.
fields:
- name: id
type: keyword
description: Audit user ID.
- name: name
type: keyword
description: Audit user name.
- name: effective
type: group
description: Effective user information.
fields:
- name: id
type: keyword
description: Effective user ID.
- name: name
type: keyword
description: Effective user name.
- name: group
type: group
description: Effective group information.
fields:
- name: id
type: keyword
description: Effective group ID.
- name: name
type: keyword
description: Effective group name.
- name: filesystem
type: group
description: Filesystem user information.
fields:
- name: id
type: keyword
description: Filesystem user ID.
- name: name
type: keyword
description: Filesystem user name.
- name: group
type: group
description: Filesystem group information.
fields:
- name: id
type: keyword
description: Filesystem group ID.
- name: name
type: keyword
description: Filesystem group name.
- name: saved
type: group
description: Saved user information.
fields:
- name: id
type: keyword
description: Saved user ID.
- name: name
type: keyword
description: Saved user name.
- name: group
type: group
description: Saved group information.
fields:
- name: id
type: keyword
description: Saved group ID.
- name: name
type: keyword
description: Saved group name.


@ -1,22 +0,0 @@
auditbeat.modules:
- module: auditd
audit_rules: |
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
processors:
- add_cloud_metadata: ~
- add_docker_metadata: ~
output.elasticsearch:
hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
username: '${ELASTICSEARCH_USERNAME:}'
password: '${ELASTICSEARCH_PASSWORD:}'



@ -1,189 +0,0 @@
###################### Auditbeat Configuration Example #########################
# This is an example configuration file highlighting only the most common
# options. The auditbeat.reference.yml file from the same directory contains all
# the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/auditbeat/index.html
#========================== Modules configuration =============================
auditbeat.modules:
- module: auditd
# Load audit rules from separate files. Same format as audit.rules(7).
audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
audit_rules: |
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access (warning: these can be expensive to audit).
#-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
#==================== Elasticsearch template setting ==========================
setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false
#================================ General =====================================
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:
# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]
# Optional fields that you can specify to add additional information to the
# output.
#fields:
# env: staging
#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false
# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
#host: "localhost:5601"
# Kibana Space ID
# ID of the Kibana Space into which the dashboards should be loaded. By default,
# the Default Space will be used.
#space.id:
#============================= Elastic Cloud ==================================
# These settings simplify using Auditbeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:
# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:
#================================ Outputs =====================================
# Configure what output to use when sending the data collected by the beat.
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]
# Optional protocol and basic auth credentials.
#protocol: "https"
#username: "elastic"
#password: "changeme"
#----------------------------- Logstash output --------------------------------
#output.logstash:
# The Logstash hosts
#hosts: ["localhost:5044"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
#================================ Processors =====================================
# Configure processors to enhance or manipulate events generated by the beat.
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
- add_docker_metadata: ~
#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
#============================== X-Pack Monitoring ===============================
# auditbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#monitoring.enabled: false
# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Auditbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:
#================================= Migration ==================================
# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true


@ -1,52 +0,0 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package cmd
import (
"github.com/spf13/cobra"
"github.com/spf13/pflag"
"github.com/elastic/beats/auditbeat/core"
"github.com/elastic/beats/libbeat/cmd"
"github.com/elastic/beats/libbeat/cmd/instance"
"github.com/elastic/beats/metricbeat/beater"
"github.com/elastic/beats/metricbeat/mb/module"
)
// Name of the beat (auditbeat).
const Name = "auditbeat"
// RootCmd for running auditbeat.
var RootCmd *cmd.BeatsRootCmd
// ShowCmd to display extra information.
var ShowCmd = &cobra.Command{
Use: "show",
Short: "Show modules information",
}
func init() {
create := beater.Creator(
beater.WithModuleOptions(
module.WithEventModifier(core.AddDatasetToEvent),
),
)
var runFlags = pflag.NewFlagSet(Name, pflag.ExitOnError)
RootCmd = cmd.GenRootCmdWithSettings(create, instance.Settings{RunFlags: runFlags, Name: Name})
RootCmd.AddCommand(ShowCmd)
}


@ -1,39 +0,0 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package core
import (
"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/metricbeat/mb"
)
// AddDatasetToEvent adds dataset information to the event. In particular this
// adds the module name under dataset.module.
func AddDatasetToEvent(module, metricSet string, event *mb.Event) {
if event.RootFields == nil {
event.RootFields = common.MapStr{}
}
event.RootFields.Put("event.module", module)
// Modules without "datasets" should set their module and metricset names
// to the same value then this will omit the event.dataset field.
if module != metricSet {
event.RootFields.Put("event.dataset", metricSet)
}
}


@ -1,191 +0,0 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package datastore
import (
"io"
"os"
"sync"
bolt "github.com/coreos/bbolt"
"github.com/elastic/beats/libbeat/paths"
)
var (
initDatastoreOnce sync.Once
ds *boltDatastore
)
// OpenBucket returns a new Bucket that stores data in {path.data}/beat.db.
// The returned Bucket must be closed when finished to ensure all resources
// are released.
func OpenBucket(name string) (Bucket, error) {
initDatastoreOnce.Do(func() {
ds = &boltDatastore{
path: paths.Resolve(paths.Data, "beat.db"),
mode: 0600,
}
})
return ds.OpenBucket(name)
}
// Datastore
type Datastore interface {
OpenBucket(name string) (Bucket, error)
}
type boltDatastore struct {
mutex sync.Mutex
useCount uint32
path string
mode os.FileMode
db *bolt.DB
}
func New(path string, mode os.FileMode) Datastore {
return &boltDatastore{path: path, mode: mode}
}
func (ds *boltDatastore) OpenBucket(bucket string) (Bucket, error) {
ds.mutex.Lock()
defer ds.mutex.Unlock()
// Initialize the Bolt DB.
if ds.db == nil {
var err error
ds.db, err = bolt.Open(ds.path, ds.mode, nil)
if err != nil {
return nil, err
}
}
// Ensure the name exists.
err := ds.db.Update(func(tx *bolt.Tx) error {
_, err := tx.CreateBucketIfNotExists([]byte(bucket))
return err
})
if err != nil {
return nil, err
}
return &boltBucket{ds, bucket}, nil
}
func (ds *boltDatastore) done() {
ds.mutex.Lock()
defer ds.mutex.Unlock()
if ds.useCount > 0 {
ds.useCount--
if ds.useCount == 0 {
ds.db.Close()
ds.db = nil
}
}
}
// Bucket
type Bucket interface {
io.Closer
Load(key string, f func(blob []byte) error) error
Store(key string, blob []byte) error
Delete(key string) error // Delete removes a key from the bucket. If the key does not exist then nothing is done and a nil error is returned.
DeleteBucket() error // Deletes and closes the bucket.
}
// BoltBucket is a Bucket that exposes some Bolt specific APIs.
type BoltBucket interface {
Bucket
View(func(tx *bolt.Bucket) error) error
Update(func(tx *bolt.Bucket) error) error
}
type boltBucket struct {
ds *boltDatastore
name string
}
func (b *boltBucket) Load(key string, f func(blob []byte) error) error {
return b.ds.db.View(func(tx *bolt.Tx) error {
b := tx.Bucket([]byte(b.name))
data := b.Get([]byte(key))
if data == nil {
return nil
}
return f(data)
})
}
func (b *boltBucket) Store(key string, blob []byte) error {
return b.ds.db.Update(func(tx *bolt.Tx) error {
b := tx.Bucket([]byte(b.name))
return b.Put([]byte(key), blob)
})
}
func (b *boltBucket) ForEach(f func(key string, blob []byte) error) error {
return b.ds.db.View(func(tx *bolt.Tx) error {
b := tx.Bucket([]byte(b.name))
return b.ForEach(func(k, v []byte) error {
return f(string(k), v)
})
})
}
func (b *boltBucket) Delete(key string) error {
return b.ds.db.Update(func(tx *bolt.Tx) error {
b := tx.Bucket([]byte(b.name))
return b.Delete([]byte(key))
})
}
func (b *boltBucket) DeleteBucket() error {
err := b.ds.db.Update(func(tx *bolt.Tx) error {
return tx.DeleteBucket([]byte(b.name))
})
b.Close()
return err
}
func (b *boltBucket) View(f func(*bolt.Bucket) error) error {
return b.ds.db.View(func(tx *bolt.Tx) error {
b := tx.Bucket([]byte(b.name))
return f(b)
})
}
func (b *boltBucket) Update(f func(*bolt.Bucket) error) error {
return b.ds.db.Update(func(tx *bolt.Tx) error {
b := tx.Bucket([]byte(b.name))
return f(b)
})
}
func (b *boltBucket) Close() error {
b.ds.done()
b.ds = nil
return nil
}


@ -1,39 +0,0 @@
version: '2.3'
services:
beat:
build: ${PWD}/.
depends_on:
- proxy_dep
working_dir: /go/src/github.com/elastic/beats/auditbeat
environment:
- ES_HOST=elasticsearch
- ES_PORT=9200
- ES_USER=beats
- ES_PASS=testing
- KIBANA_HOST=kibana
- KIBANA_PORT=5601
volumes:
- ${PWD}/..:/go/src/github.com/elastic/beats/
command: make
privileged: true
pid: host
cap_add:
- AUDIT_CONTROL
# This is a proxy used to block beats until all services are healthy.
# See: https://github.com/docker/compose/issues/4369
proxy_dep:
image: busybox
depends_on:
elasticsearch: { condition: service_healthy }
kibana: { condition: service_healthy }
elasticsearch:
extends:
file: ../testing/environments/${TESTING_ENVIRONMENT}.yml
service: elasticsearch
kibana:
extends:
file: ../testing/environments/${TESTING_ENVIRONMENT}.yml
service: kibana


@ -1,6 +0,0 @@
[[filtering-and-enhancing-data]]
== Filter and enhance the exported data
include::{libbeat-dir}/processors.asciidoc[]
include::{libbeat-dir}/processors-using.asciidoc[]


@ -1,7 +0,0 @@
[[configuration-general-options]]
== Specify general settings
You can specify settings in the +{beatname_lc}.yml+ config file to control the
general behavior of {beatname_uc}.
include::{libbeat-dir}/generalconfig.asciidoc[]


@ -1,31 +0,0 @@
[id="configuration-{beatname_lc}"]
== Specify which modules to run
To enable specific modules you add entries to the `auditbeat.modules` list in
the +{beatname_lc}.yml+ config file. Each entry in the list begins with a dash
(-) and is followed by settings for that module.
The following example shows a configuration that runs the `auditd` and
`file_integrity` modules.
[source,yaml]
----
auditbeat.modules:
- module: auditd
audit_rules: |
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
----
The configuration details vary by module. See the
<<{beatname_lc}-modules,module documentation>> for more detail about configuring
the available modules.


@ -1,56 +0,0 @@
//////////////////////////////////////////////////////////////////////////
//// This content is shared by all Auditbeat modules. Make sure you keep the
//// descriptions generic enough to work for all modules. To include
//// this file, use:
////
//// include::{docdir}/auditbeat-options.asciidoc[]
////
//////////////////////////////////////////////////////////////////////////
[id="module-standard-options-{modulename}"]
[float]
==== Standard configuration options
You can specify the following options for any {beatname_uc} module.
*`module`*:: The name of the module to run.
ifeval::["{modulename}"=="system"]
*`datasets`*:: A list of datasets to execute.
endif::[]
*`enabled`*:: A Boolean value that specifies whether the module is enabled.
ifeval::["{modulename}"=="system"]
*`period`*:: The frequency at which the datasets check for changes. If a system
is not reachable, {beatname_uc} returns an error for each period. This setting
is required. For most datasets, especially `process` and `socket`, a shorter
period is recommended.
endif::[]
*`fields`*:: A dictionary of fields that will be sent with the dataset event. This setting
is optional.
*`tags`*:: A list of tags that will be sent with the dataset event. This setting is
optional.
*`processors`*:: A list of processors to apply to the data generated by the dataset.
+
See <<filtering-and-enhancing-data>> for information about specifying
processors in your config.
*`index`*:: If present, this formatted string overrides the index for events from this
module (for elasticsearch outputs), or sets the `raw_index` field of the event's
metadata (for other outputs). This string can only refer to the agent name and
version and the event timestamp; for access to dynamic fields, use
`output.elasticsearch.index` or a processor.
+
Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might
expand to +"{beatname_lc}-myindex-2019.12.13"+.
*`keep_null`*:: If this option is set to true, fields with `null` values will be published in
the output document. By default, `keep_null` is set to `false`.
*`service.name`*:: A name given by the user to the service the data is collected from. It can be
used for example to identify information collected from nodes of different
clusters with the same `service.type`.


@ -1,88 +0,0 @@
[id="configuring-howto-{beatname_lc}"]
= Configuring {beatname_uc}
[partintro]
--
Before modifying configuration settings, make sure you've completed the
<<{beatname_lc}-configuration,configuration steps>> in the Getting Started.
This section describes some common use cases for changing configuration options.
To configure {beatname_uc}, you edit the configuration file. For rpm and deb,
youll find the configuration file at +/etc/{beatname_lc}/{beatname_lc}.yml+.
There's also a full example configuration file at
+/etc/{beatname_lc}/{beatname_lc}.reference.yml+ that shows all non-deprecated
options. For mac and win, look in the archive that you extracted.
The {beatname_uc} configuration file uses http://yaml.org/[YAML] for its syntax.
See the {beats-ref}/config-file-format.html[Config File Format] section of the
_Beats Platform Reference_ for more about the structure of the config file.
The following topics describe how to configure {beatname_uc}:
* <<configuration-{beatname_lc}>>
* <<configuration-general-options>>
* <<{beatname_lc}-configuration-reloading>>
* <<configuring-internal-queue>>
* <<configuring-output>>
* <<ilm>>
* <<configuration-ssl>>
* <<filtering-and-enhancing-data>>
* <<configuring-ingest-node>>
* <<{beatname_lc}-geoip>>
* <<configuration-path>>
* <<setup-kibana-endpoint>>
* <<configuration-dashboards>>
* <<configuration-template>>
* <<configuration-logging>>
* <<using-environ-vars>>
* <<yaml-tips>>
* <<regexp-support>>
* <<http-endpoint>>
* <<{beatname_lc}-reference-yml>>
After changing configuration settings, you need to restart {beatname_uc} to
pick up the changes.
--
include::./auditbeat-modules-config.asciidoc[]
include::./auditbeat-general-options.asciidoc[]
include::./reload-configuration.asciidoc[]
include::{libbeat-dir}/queueconfig.asciidoc[]
include::{libbeat-dir}/outputconfig.asciidoc[]
include::{libbeat-dir}/shared-ilm.asciidoc[]
include::{libbeat-dir}/shared-ssl-config.asciidoc[]
include::./auditbeat-filtering.asciidoc[]
include::{libbeat-dir}/shared-config-ingest.asciidoc[]
include::{libbeat-dir}/shared-geoip.asciidoc[]
include::{libbeat-dir}/shared-path-config.asciidoc[]
include::{libbeat-dir}/shared-kibana-config.asciidoc[]
include::{libbeat-dir}/setup-config.asciidoc[]
include::{libbeat-dir}/loggingconfig.asciidoc[]
:standalone:
include::{libbeat-dir}/shared-env-vars.asciidoc[]
:standalone!:
:standalone:
include::{libbeat-dir}/yaml.asciidoc[]
:standalone!:
include::{libbeat-dir}/regexp.asciidoc[]
include::{libbeat-dir}/http-endpoint.asciidoc[]
include::{libbeat-dir}/reference-yml.asciidoc[]


@ -1,28 +0,0 @@
[[ulimit]]
=== {beatname_uc} fails to watch folders because too many files are open
Because of the way file monitoring is implemented on macOS, you may see a
warning similar to the following:
[source,shell]
----
eventreader_fsnotify.go:42: WARN [audit.file] Failed to watch /usr/bin: too many
open files (check the max number of open files allowed with 'ulimit -a')
----
To resolve this issue, run {beatname_uc} with the `ulimit` set to a larger
value, for example:
["source","sh",subs="attributes"]
----
sudo sh -c 'ulimit -n 8192 && ./{beatname_uc} -e
----
Or:
["source","sh",subs="attributes"]
----
sudo su
ulimit -n 8192
./{beatname_lc} -e
----


@ -1,12 +0,0 @@
[[faq]]
== Common problems
This section describes common problems you might encounter with
{beatname_uc}. Also check out the
https://discuss.elastic.co/c/beats/{beatname_lc}[{beatname_uc} discussion forum].
include::./faq-ulimit.asciidoc[]
include::{libbeat-dir}/faq-limit-bandwidth.asciidoc[]
include::{libbeat-dir}/shared-faq.asciidoc[]



@ -1,289 +0,0 @@
[id="{beatname_lc}-getting-started"]
== Getting started with {beatname_uc}
include::{libbeat-dir}/shared-getting-started-intro.asciidoc[]
* <<{beatname_lc}-installation>>
* <<{beatname_lc}-configuration>>
* <<{beatname_lc}-template>>
* <<load-kibana-dashboards>>
* <<{beatname_lc}-starting>>
* <<view-kibana-dashboards>>
* <<setup-repositories>>
[id="{beatname_lc}-installation"]
=== Step 1: Install {beatname_uc}
Install {beatname_uc} on all the servers you want to monitor.
include::{libbeat-dir}/shared-download-and-install.asciidoc[]
[[deb]]
*deb:*
ifeval::["{release-state}"=="unreleased"]
Version {version} of {beatname_uc} has not yet been released.
endif::[]
ifeval::["{release-state}"!="unreleased"]
["source","sh",subs="attributes"]
------------------------------------------------
curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-amd64.deb
sudo dpkg -i {beatname_lc}-{version}-amd64.deb
------------------------------------------------
endif::[]
[[rpm]]
*rpm:*
ifeval::["{release-state}"=="unreleased"]
Version {version} of {beatname_uc} has not yet been released.
endif::[]
ifeval::["{release-state}"!="unreleased"]
["source","sh",subs="attributes"]
------------------------------------------------
curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-x86_64.rpm
sudo rpm -vi {beatname_lc}-{version}-x86_64.rpm
------------------------------------------------
endif::[]
[[mac]]
*mac:*
ifeval::["{release-state}"=="unreleased"]
Version {version} of {beatname_uc} has not yet been released.
endif::[]
ifeval::["{release-state}"!="unreleased"]
["source","sh",subs="attributes"]
------------------------------------------------
curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-darwin-x86_64.tar.gz
tar xzvf {beatname_lc}-{version}-darwin-x86_64.tar.gz
------------------------------------------------
endif::[]
include::{libbeat-dir}/shared-brew-install.asciidoc[]
[[linux]]
*linux:*
ifeval::["{release-state}"=="unreleased"]
Version {version} of {beatname_uc} has not yet been released.
endif::[]
ifeval::["{release-state}"!="unreleased"]
["source","sh",subs="attributes"]
------------------------------------------------
curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-linux-x86_64.tar.gz
tar xzvf {beatname_lc}-{version}-linux-x86_64.tar.gz
------------------------------------------------
endif::[]
[[docker]]
*docker:*
ifeval::["{release-state}"=="unreleased"]
Version {version} of {beatname_uc} has not yet been released.
endif::[]
ifeval::["{release-state}"!="unreleased"]
["source","sh",subs="attributes"]
------------------------------------------------
curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-linux-x86_64.tar.gz
tar xzvf {beatname_lc}-{version}-linux-x86_64.tar.gz
------------------------------------------------
endif::[]
See <<running-on-docker, Running on Docker>> for deploying Docker containers.
[[win]]
*win:*
ifeval::["{release-state}"=="unreleased"]
Version {version} of {beatname_uc} has not yet been released.
endif::[]
ifeval::["{release-state}"!="unreleased"]
. Download the {beatname_uc} Windows zip file from the
https://www.elastic.co/downloads/beats/{beatname_lc}[downloads page].
. Extract the contents of the zip file into `C:\Program Files`.
. Rename the +{beatname_lc}-<version>-windows+ directory to +{beatname_uc}+.
. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon
and select *Run As Administrator*).
. From the PowerShell prompt, run the following commands to install {beatname_uc}
as a Windows service:
+
["source","sh",subs="attributes"]
----------------------------------------------------------------------
PS > cd 'C:{backslash}Program Files{backslash}{beatname_uc}'
PS C:{backslash}Program Files{backslash}{beatname_uc}> .{backslash}install-service-{beatname_lc}.ps1
----------------------------------------------------------------------
NOTE: If script execution is disabled on your system, you need to set the
execution policy for the current session to allow the script to run. For
example: +PowerShell.exe -ExecutionPolicy UnRestricted -File
.\install-service-{beatname_lc}.ps1+.
endif::[]
Before starting {beatname_uc}, you should look at the configuration options in the
configuration file, for example +C:{backslash}Program Files{backslash}{beatname_uc}{backslash}{beatname_lc}.yml+.
For more information about these options, see
<<configuring-howto-{beatname_lc}>>.
[id="{beatname_lc}-configuration"]
=== Step 2: Configure {beatname_uc}
include::{libbeat-dir}/shared-configuring.asciidoc[]
To configure {beatname_uc}:
. Define the {beatname_uc} modules that you want to enable. {beatname_uc} uses
modules to collect the audit information. For each module, specify the
metricsets that you want to collect.
+
The following example shows the `file_integrity` module configured to generate
events whenever a file in one of the specified paths changes on disk:
+
["source","sh",subs="attributes"]
-------------------------------------
auditbeat.modules:
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
-------------------------------------
+
If you accept the default configuration without specifying additional modules,
{beatname_uc} uses a configuration that's tailored to the operating system where
{beatname_uc} is running.
+
See <<configuring-howto-{beatname_lc}>> for more details about configuring modules.
include::{libbeat-dir}/step-configure-output.asciidoc[]
include::{libbeat-dir}/step-configure-kibana-endpoint.asciidoc[]
include::{libbeat-dir}/step-configure-credentials.asciidoc[]
include::{libbeat-dir}/step-test-config.asciidoc[]
include::{libbeat-dir}/step-look-at-config.asciidoc[]
[id="{beatname_lc}-template"]
=== Step 3: Load the index template in {es}
include::{libbeat-dir}/shared-template-load.asciidoc[]
[[load-kibana-dashboards]]
=== Step 4: Set up the {kib} dashboards
include::{libbeat-dir}/dashboards.asciidoc[]
[id="{beatname_lc}-starting"]
=== Step 5: Start {beatname_uc}
Run {beatname_uc} by issuing the appropriate command for your platform. If you
are accessing a secured {es} cluster, make sure you've configured credentials as
described in <<{beatname_lc}-configuration>>.
NOTE: If you use an init.d script to start {beatname_uc} on deb or rpm, you can't
specify command line flags (see <<command-line-options>>). To specify flags,
start {beatname_uc} in the foreground.
*deb and rpm:*
["source","sh",subs="attributes"]
----------------------------------------------------------------------
sudo service {beatname_lc} start
----------------------------------------------------------------------
*mac and linux:*
["source","sh",subs="attributes"]
----------------------------------------------------------------------
sudo chown root {beatname_lc}.yml <1>
sudo ./{beatname_lc} -e
----------------------------------------------------------------------
<1> To monitor system files, you'll be running {beatname_uc} as root, so you
need to change ownership of the configuration file, or run {beatname_uc} with
`--strict.perms=false` specified. See
{beats-ref}/config-file-permissions.html[Config File Ownership and Permissions]
in the _Beats Platform Reference_.
If you see a warning about too many open files, you need to increase the
`ulimit`. See the <<ulimit,FAQ>> for more details.
include::{libbeat-dir}/shared-brew-run.asciidoc[]
*win:*
["source","sh",subs="attributes"]
----------------------------------------------------------------------
PS C:{backslash}Program Files{backslash}{beatname_uc}> Start-Service {beatname_lc}
----------------------------------------------------------------------
By default the log files are stored in +C:{backslash}ProgramData{backslash}{beatname_lc}{backslash}Logs+.
==== Test the {beatname_uc} installation
To verify that your server's statistics are present in {es}, issue the following
command:
["source","sh",subs="attributes"]
----------------------------------------------------------------------
curl -XGET 'http://localhost:9200/{beatname_lc}-*/_search?pretty'
----------------------------------------------------------------------
Make sure that you replace `localhost:9200` with the address of your {es}
instance.
On Windows, if you don't have cURL installed, simply point your browser to the
URL.
[[view-kibana-dashboards]]
=== Step 6: View the sample {kib} dashboards
To make it easier for you to start auditing the activities of users and
processes on your system, we have created example {beatname_uc} dashboards.
You loaded the dashboards earlier when you ran the `setup` command.
include::{libbeat-dir}/opendashboards.asciidoc[]
The dashboards are provided as examples. We recommend that you
{kibana-ref}/dashboard.html[customize] them to meet your needs.
[role="screenshot"]
image::./images/auditbeat-file-integrity-dashboard.png[Auditbeat File Integrity Dashboard]


@ -1,55 +0,0 @@
= Auditbeat Reference
:libbeat-dir: {docdir}/../../libbeat/docs
include::{libbeat-dir}/version.asciidoc[]
include::{asciidoc-dir}/../../shared/versions/stack/{source_branch}.asciidoc[]
include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
:beatname_lc: auditbeat
:beatname_uc: Auditbeat
:beatname_pkg: {beatname_lc}
:github_repo_name: beats
:discuss_forum: beats/{beatname_lc}
:beat_default_index_prefix: {beatname_lc}
:deb_os:
:rpm_os:
:mac_os:
:docker_platform:
:win_os:
:linux_os:
:no_decode_cef_processor:
:no_decode_csv_fields_processor:
:no_script_processor:
:no_timestamp_processor:
include::{libbeat-dir}/shared-beats-attributes.asciidoc[]
include::./overview.asciidoc[]
include::./getting-started.asciidoc[]
include::{libbeat-dir}/repositories.asciidoc[]
include::./setting-up-running.asciidoc[]
include::./upgrading.asciidoc[]
include::./configuring-howto.asciidoc[]
include::./modules.asciidoc[]
include::./fields.asciidoc[]
include::{libbeat-dir}/monitoring/monitoring-beats.asciidoc[]
include::{libbeat-dir}/shared-securing-beat.asciidoc[]
include::./troubleshooting.asciidoc[]
include::./faq.asciidoc[]
include::{libbeat-dir}/contributing-to-beats.asciidoc[]


@ -1,10 +0,0 @@
[id="{beatname_lc}-modules"]
= Modules
[partintro]
--
This section contains detailed information about the metric collecting modules
contained in {beatname_uc}. More details about each module can be found under
the links below.
include::modules_list.asciidoc[]


@ -1,306 +0,0 @@
////
This file is generated! See scripts/docs_collector.py
////
[id="{beatname_lc}-module-auditd"]
== Auditd Module
The `auditd` module receives audit events from the Linux Audit Framework that
is a part of the Linux kernel.
This module is available only for Linux.
[float]
=== How it works
This module establishes a subscription to the kernel to receive the events
as they occur. So unlike most other modules, the `period` configuration
option is unused because it is not implemented using polling.
The Linux Audit Framework can send multiple messages for a single auditable
event. For example, a `rename` syscall causes the kernel to send eight separate
messages. Each message describes a different aspect of the activity that is
occurring (the syscall itself, file paths, current working directory, process
title). This module will combine all of the data from each of the messages
into a single event.
Messages for one event can be interleaved with messages from another event. This
module will buffer the messages in order to combine related messages into a
single event even if they arrive interleaved or out of order.
[float]
=== Useful commands
When running {beatname_uc} with the `auditd` module enabled, you might find
that other monitoring tools interfere with {beatname_uc}.
For example, you might encounter errors if another process, such as `auditd`, is
registered to receive data from the Linux Audit Framework. You can use these
commands to see if the `auditd` service is running and stop it:
* See if `auditd` is running:
+
[source,shell]
-----
service auditd status
-----
* Stop the `auditd` service:
+
[source,shell]
-----
service auditd stop
-----
* Disable `auditd` from starting on boot:
+
[source,shell]
-----
chkconfig auditd off
-----
To save CPU usage and disk space, you can use this command to stop `journald`
from listening to audit messages:
[source,shell]
-----
systemctl mask systemd-journald-audit.socket
-----
[float]
=== Inspect the kernel audit system status
{beatname_uc} provides useful commands to query the state of the audit system
in the Linux kernel.
* See the list of installed audit rules:
+
[source,shell]
-----
auditbeat show auditd-rules
-----
+
Prints the list of loaded rules, similar to `auditctl -l`:
+
[source,shell]
-----
-a never,exit -S all -F pid=26253
-a always,exit -F arch=b32 -S all -F key=32bit-abi
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access
-----
* See the status of the audit system:
+
[source,shell]
-----
auditbeat show auditd-status
-----
+
Prints the status of the kernel audit system, similar to `auditctl -s`:
+
[source,shell]
-----
enabled 1
failure 0
pid 0
rate_limit 0
backlog_limit 8192
lost 14407
backlog 0
backlog_wait_time 0
features 0xf
-----
[float]
=== Configuration options
This module has some configuration options for tuning its behavior. The
following example shows all configuration options with their default values.
[source,yaml]
----
- module: auditd
resolve_ids: true
failure_mode: silent
backlog_limit: 8192
rate_limit: 0
include_raw_message: false
include_warnings: false
backpressure_strategy: auto
----
*`socket_type`*:: This optional setting controls the type of
socket that {beatname_uc} uses to receive events from the kernel. The two
options are `unicast` and `multicast`.
+
`unicast` should be used when {beatname_uc} is the primary userspace daemon for
receiving audit events and managing the rules. Only a single process can receive
audit events through the "unicast" connection so any other daemons should be
stopped (e.g. stop `auditd`).
+
`multicast` can be used in kernel versions 3.16 and newer. By using `multicast`
{beatname_uc} will receive an audit event broadcast that is not exclusive to a
a single process. This is ideal for situations where `auditd` is running and
managing the rules. If `multicast` is specified, but the kernel version is less
than 3.16 {beatname_uc} will automatically revert to `unicast`.
+
By default {beatname_uc} will use `multicast` if the kernel version is 3.16 or
newer and no rules have been defined. Otherwise `unicast` will be used.
*`resolve_ids`*:: This boolean setting enables the resolution of UIDs and
GIDs to their associated names. The default value is true.
*`failure_mode`*:: This determines the kernel's behavior on critical
failures such as errors sending events to {beatname_uc}, the backlog limit was
exceeded, the kernel ran out of memory, or the rate limit was exceeded. The
options are `silent`, `log`, or `panic`. `silent` basically makes the kernel
ignore the errors, `log` makes the kernel write the audit messages using
`printk` so they show up in system's syslog, and `panic` causes the kernel to
panic to prevent use of the machine. {beatname_uc}'s default is `silent`.
*`backlog_limit`*:: This controls the maximum number of audit messages
that will be buffered by the kernel.
*`rate_limit`*:: This sets a rate limit on the number of messages/sec
delivered by the kernel. The default is 0, which disables rate limiting.
Changing this value to anything other than zero can cause messages to be lost.
The preferred approach to reduce the messaging rate is be more selective in the
audit ruleset.
*`include_raw_message`*:: This boolean setting causes {beatname_uc} to
include each of the raw messages that contributed to the event in the document
as a field called `event.original`. The default value is false. This setting is
primarily used for development and debugging purposes.
*`include_warnings`*:: This boolean setting causes {beatname_uc} to
include as warnings any issues that were encountered while parsing the raw
messages. The messages are written to the `error.message` field. The default
value is false. When this setting is enabled the raw messages will be included
in the event regardless of the `include_raw_message` config setting. This
setting is primarily used for development and debugging purposes.
*`audit_rules`*:: A string containing the audit rules that should be
installed to the kernel. There should be one rule per line. Comments can be
embedded in the string using `#` as a prefix. The format for rules is the same
used by the Linux `auditctl` utility. {beatname_uc} supports adding file watches
(`-w`) and syscall rules (`-a` or `-A`).
*`audit_rule_files`*:: A list of files to load audit rules from. This files are
loaded after the rules declared in `audit_rules` are loaded. Wildcards are
supported and will expand in lexicographical order. The format is the same as
that of the `audit_rules` field.
*`backpressure_strategy`*:: Specifies the strategy that {beatname_uc} uses to
prevent backpressure from propagating to the kernel and impacting audited
processes.
+
--
The possible values are:
- `auto` (default): {beatname_uc} uses the `kernel` strategy, if supported, or
falls back to the `userspace` strategy.
- `kernel`: {beatname_uc} sets the `backlog_wait_time` in the kernel's
audit framework to 0. This causes events to be discarded in the kernel if
the audit backlog queue fills to capacity. Requires a 3.14 kernel or
newer.
- `userspace`: {beatname_uc} drops events when there is backpressure
from the publishing pipeline. If no `rate_limit` is set, {beatname_uc} sets a rate
limit of 5000. Users should test their setup and adjust the `rate_limit`
option accordingly.
- `both`: {beatname_uc} uses the `kernel` and `userspace` strategies at the same
time.
- `none`: No backpressure mitigation measures are enabled.
--
*`keep_null`*:: If this option is set to true, fields with `null` values will be
published in the output document. By default, `keep_null` is set to `false`.
[float]
=== Audit rules
The audit rules are where you configure the activities that are audited. These
rules are configured as either syscalls or files that should be monitored. For
example you can track all `connect` syscalls or file system writes to
`/etc/passwd`.
Auditing a large number of syscalls can place a heavy load on the system so
consider carefully the rules you define and try to apply filters in the rules
themselves to be as selective as possible.
The kernel evaluates the rules in the order in which they were defined so place
the most active rules first in order to speed up evaluation.
You can assign keys to each rule for better identification of the rule that
triggered an event and easier filtering later in Elasticsearch.
Defining any audit rules in the config causes {beatname_uc} to purge all
existing audit rules prior to adding the rules specified in the config.
Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule.
["source","sh",subs="attributes"]
----
{beatname_lc}.modules:
- module: auditd
audit_rules: |
# Things that affect identity.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
# Unauthorized access attempts to files (unsuccessful).
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
----
[float]
=== Example configuration
The Auditd module supports the common configuration options that are
described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
is an example configuration:
[source,yaml]
----
auditbeat.modules:
- module: auditd
# Load audit rules from separate files. Same format as audit.rules(7).
audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
audit_rules: |
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access (warning: these can be expensive to audit).
#-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
----


@ -1,148 +0,0 @@
////
This file is generated! See scripts/docs_collector.py
////
[id="{beatname_lc}-module-file_integrity"]
== File Integrity Module
The `file_integrity` module sends events when a file is changed (created,
updated, or deleted) on disk. The events contain file metadata and hashes.
The module is implemented for Linux, macOS (Darwin), and Windows.
[float]
=== How it works
This module uses features of the operating system to monitor file changes in
realtime. When the module starts it creates a subscription with the OS to
receive notifications of changes to the specified files or directories. Upon
receiving notification of a change the module will read the file's metadata
and the compute a hash of the file's contents.
At startup this module will perform an initial scan of the configured files
and directories to generate baseline data for the monitored paths and detect
changes since the last time it was run. It uses locally persisted data in order
to only send events for new or modified files.
The operating system features that power this feature are as follows.
* Linux - `inotify` is used, and therefore the kernel must have inotify support.
Inotify was initially merged into the 2.6.13 Linux kernel.
* macOS (Darwin) - Uses the `FSEvents` API, present since macOS 10.5. This API
coalesces multiple changes to a file into a single event. {beatname_uc} translates
this coalesced changes into a meaningful sequence of actions. However,
in rare situations the reported events may have a different ordering than what
actually happened.
* Windows - `ReadDirectoryChangesW` is used.
The file integrity module should not be used to monitor paths on network file
systems.
[float]
=== Configuration options
This module has some configuration options for tuning its behavior. The
following example shows all configuration options with their default values for
Linux.
[source,yaml]
----
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
exclude_files:
- '(?i)\.sw[nop]$'
- '~$'
- '/\.git($|/)'
include_files: []
scan_at_start: true
scan_rate_per_sec: 50 MiB
max_file_size: 100 MiB
hash_types: [sha1]
recursive: false
----
*`paths`*:: A list of paths (directories or files) to watch. Globs are
not supported. The specified paths should exist when the metricset is started.
*`exclude_files`*:: A list of regular expressions used to filter out events
for unwanted files. The expressions are matched against the full path of every
file and directory. When used in conjunction with `include_files`, file paths need
to match both `include_files` and not match `exclude_files` to be selected.
By default, no files are excluded. See <<regexp-support>>
for a list of supported regexp patterns. It is recommended to wrap regular
expressions in single quotation marks to avoid issues with YAML escaping
rules.
*`include_files`*:: A list of regular expressions used to specify which files to
select. When configured, only files matching the pattern will be monitored.
The expressions are matched against the full path of every file and directory.
When used in conjunction with `exclude_files`, file paths need
to match both `include_files` and not match `exclude_files` to be selected.
By default, all files are selected. See <<regexp-support>>
for a list of supported regexp patterns. It is recommended to wrap regular
expressions in single quotation marks to avoid issues with YAML escaping
rules.
*`scan_at_start`*:: A boolean value that controls if {beatname_uc} scans
over the configured file paths at startup and send events for the files
that have been modified since the last time {beatname_uc} was running. The
default value is true.
+
This feature depends on data stored locally in `path.data` in order to determine
if a file has changed. The first time {beatname_uc} runs it will send an event
for each file it encounters.
*`scan_rate_per_sec`*:: When `scan_at_start` is enabled this sets an
average read rate defined in bytes per second for the initial scan. This
throttles the amount of CPU and I/O that {beatname_uc} consumes at startup.
The default value is "50 MiB". Setting the value to "0" disables throttling.
For convenience units can be specified as a suffix to the value. The supported
units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`, `gb`, `tib`, `tb`,
`pib`, `pb`, `eib`, and `eb`.
*`max_file_size`*:: The maximum size of a file in bytes for which
{beatname_uc} will compute hashes. Files larger than this size will not be
hashed. The default value is 100 MiB. For convenience units can be specified as
a suffix to the value. The supported units are `b` (default), `kib`, `kb`, `mib`,
`mb`, `gib`, `gb`, `tib`, `tb`, `pib`, `pb`, `eib`, and `eb`.
*`hash_types`*:: A list of hash types to compute when the file changes.
The supported hash types are `blake2b_256`, `blake2b_384`, `blake2b_512`, `md5`,
`sha1`, `sha224`, `sha256`, `sha384`, `sha512`, `sha512_224`, `sha512_256`,
`sha3_224`, `sha3_256`, `sha3_384`, `sha3_512`, and `xxh64`. The default value is `sha1`.
*`recursive`*:: By default, the watches set to the paths specified in
`paths` are not recursive. This means that only changes to the contents
of this directories are watched. If `recursive` is set to `true`, the
`file_integrity` module will watch for changes on this directories and all
their subdirectories.
*`keep_null`*:: If this option is set to true, fields with `null` values will be
published in the output document. By default, `keep_null` is set to `false`.
[float]
=== Example configuration
The File Integrity module supports the common configuration options that are
described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
is an example configuration:
[source,yaml]
----
auditbeat.modules:
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
----


@ -1,14 +0,0 @@
////
This file is generated! See scripts/docs_collector.py
////
* <<{beatname_lc}-module-auditd,Auditd>>
* <<{beatname_lc}-module-file_integrity,File Integrity>>
* <<{beatname_lc}-module-system,System>>
--
include::./modules/auditd.asciidoc[]
include::./modules/file_integrity.asciidoc[]
include::../../x-pack/auditbeat/docs/modules/system.asciidoc[]


@ -1,15 +0,0 @@
[id="{beatname_lc}-overview"]
== {beatname_uc} overview
++++
<titleabbrev>Overview</titleabbrev>
++++
{beatname_uc} is a lightweight shipper that you can install on your servers to
audit the activities of users and processes on your systems. For example, you
can use {beatname_uc} to collect and centralize audit events from the Linux
Audit Framework. You can also use {beatname_uc} to detect changes to critical
files, like binaries and configuration files, and identify potential security
policy violations.
include::{libbeat-dir}/shared-libbeat-description.asciidoc[]


@ -1,47 +0,0 @@
[id="{beatname_lc}-configuration-reloading"]
== Reload the configuration dynamically
beta[]
You can configure {beatname_uc} to dynamically reload configuration files when
there are changes. To do this, you specify a path
(https://golang.org/pkg/path/filepath/#Glob[glob]) to watch for module
configuration changes. When the files found by the glob change, new modules are
started/stopped according to changes in the configuration files.
To enable dynamic config reloading, you specify the `path` and `reload` options
in the main +{beatname_lc}.yml+ config file. For example:
["source","sh"]
------------------------------------------------------------------------------
auditbeat.config.modules:
path: ${path.config}/conf.d/*.yml
reload.enabled: true
reload.period: 10s
------------------------------------------------------------------------------
*`path`*:: A glob that defines the files to check for changes.
*`reload.enabled`*:: When set to `true`, enables dynamic config reload.
*`reload.period`*:: Specifies how often the files are checked for changes. Do not
set the `period` to less than 1s because the modification time of files is often
stored in seconds. Setting the `period` to less than 1s will result in
unnecessary overhead.
Each file found by the glob must contain a list of one or more module
definitions. For example:
[source,yaml]
------------------------------------------------------------------------------
- module: file_integrity
paths:
- /www/wordpress
- /www/wordpress/wp-admin
- /www/wordpress/wp-content
- /www/wordpress/wp-includes
------------------------------------------------------------------------------
NOTE: On systems with POSIX file permissions, all Beats configuration files are
subject to ownership and file permission checks. If you encounter config loading
errors related to file ownership, see {beats-ref}/config-file-permissions.html.


@ -1,14 +0,0 @@
include::{libbeat-dir}/shared-docker.asciidoc[]
==== Special requirements
Under Docker, {beatname_uc} runs as a non-root user, but requires some privileged
capabilities to operate correctly. Ensure that the +AUDIT_CONTROL+ and +AUDIT_READ+
capabilities are available to the container.
It is also essential to run {beatname_uc} in the host PID namespace.
["source","sh",subs="attributes"]
----
docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host {dockerimage}
----


@ -1,75 +0,0 @@
[[running-on-kubernetes]]
=== Running {beatname_uc} on Kubernetes
{beatname_uc} <<running-on-docker,Docker images>> can be used on Kubernetes to
check files integrity.
ifeval::["{release-state}"=="unreleased"]
However, version {version} of {beatname_uc} has not yet been
released, so no Docker image is currently available for this version.
endif::[]
[float]
==== Kubernetes deploy manifests
By deploying {beatname_uc} as a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet]
we ensure we get a running instance on each node of the cluster.
Everything is deployed under `kube-system` namespace, you can change that by
updating the YAML file.
To get the manifests just run:
["source", "sh", subs="attributes"]
------------------------------------------------
curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/{beatname_lc}-kubernetes.yaml
------------------------------------------------
[WARNING]
=======================================
If you are using Kubernetes 1.7 or earlier: {beatname_uc} uses a hostPath volume to persist internal data, it's located
under /var/lib/{beatname_lc}-data. The manifest uses folder autocreation (`DirectoryOrCreate`), which was introduced in
Kubernetes 1.8. You will need to remove `type: DirectoryOrCreate` from the manifest and create the host folder yourself.
=======================================
[float]
==== Settings
Some parameters are exposed in the manifest to configure logs destination, by
default they will use an existing Elasticsearch deploy if it's present, but you
may want to change that behavior, so just edit the YAML file and modify them:
["source", "yaml", subs="attributes"]
------------------------------------------------
- name: ELASTICSEARCH_HOST
value: elasticsearch
- name: ELASTICSEARCH_PORT
value: "9200"
- name: ELASTICSEARCH_USERNAME
value: elastic
- name: ELASTICSEARCH_PASSWORD
value: changeme
------------------------------------------------
[float]
==== Deploy
To deploy {beatname_uc} to Kubernetes just run:
["source", "sh", subs="attributes"]
------------------------------------------------
kubectl create -f {beatname_lc}-kubernetes.yaml
------------------------------------------------
Then you should be able to check the status by running:
["source", "sh", subs="attributes"]
------------------------------------------------
$ kubectl --namespace=kube-system get ds/{beatname_lc}
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE-SELECTOR AGE
{beatname_lc} 32 32 0 32 0 <none> 1m
------------------------------------------------


@ -1,42 +0,0 @@
/////
// NOTE:
// Each beat has its own setup overview to allow for the addition of content
// that is unique to each beat.
/////
[[setting-up-and-running]]
== Setting up and running {beatname_uc}
Before reading this section, see the
<<{beatname_lc}-getting-started,getting started documentation>> for basic
installation instructions to get you started.
This section includes additional information on how to set up and run
{beatname_uc}, including:
* <<directory-layout>>
* <<command-line-options>>
* <<running-on-docker>>
* <<running-on-kubernetes>>
* <<running-with-systemd>>
//MAINTAINERS: If you add a new file to this section, make sure you update the bulleted list ^^ too.
include::{libbeat-dir}/shared-directory-layout.asciidoc[]
include::{libbeat-dir}/keystore.asciidoc[]
include::{libbeat-dir}/command-reference.asciidoc[]
include::./running-on-docker.asciidoc[]
include::./running-on-kubernetes.asciidoc[]
include::{libbeat-dir}/shared-systemd.asciidoc[]
include::{libbeat-dir}/shared-shutdown.asciidoc[]


@ -1,30 +0,0 @@
[[troubleshooting]]
= Troubleshooting
[partintro]
--
If you have issues installing or running {beatname_uc}, read the
following tips:
* <<getting-help>>
* <<enable-{beatname_lc}-debugging>>
* <<faq>>
//sets block macro for getting-help.asciidoc included in next section
--
[[getting-help]]
== Get Help
include::{libbeat-dir}/getting-help.asciidoc[]
//sets block macro for debugging.asciidoc included in next section
[id="enable-{beatname_lc}-debugging"]
== Debug
include::{libbeat-dir}/debugging.asciidoc[]


@ -1,7 +0,0 @@
[[upgrading-auditbeat]]
== Upgrading Auditbeat
For information about upgrading to a new version, see the following topics in the _Beats Platform Reference_:
* {beats-ref}/breaking-changes.html[Breaking Changes]
* {beats-ref}/upgrading.html[Upgrading]


@ -1,264 +0,0 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package hasher
import (
"crypto/md5"
"crypto/sha1"
"crypto/sha256"
"crypto/sha512"
"encoding/hex"
"fmt"
"hash"
"io"
"os"
"strings"
"time"
"github.com/OneOfOne/xxhash"
"github.com/dustin/go-humanize"
"github.com/joeshaw/multierror"
"github.com/pkg/errors"
"golang.org/x/crypto/blake2b"
"golang.org/x/crypto/sha3"
"golang.org/x/time/rate"
"github.com/elastic/beats/libbeat/common/file"
)
// HashType identifies a cryptographic algorithm.
type HashType string
// Unpack unpacks a string to a HashType for config parsing.
func (t *HashType) Unpack(v string) error {
*t = HashType(strings.ToLower(v))
return nil
}
// IsValid checks if the hash type is valid.
func (t *HashType) IsValid() bool {
_, valid := validHashes[*t]
return valid
}
var validHashes = map[HashType](func() hash.Hash){
BLAKE2B_256: func() hash.Hash {
h, _ := blake2b.New256(nil)
return h
},
BLAKE2B_384: func() hash.Hash {
h, _ := blake2b.New384(nil)
return h
},
BLAKE2B_512: func() hash.Hash {
h, _ := blake2b.New512(nil)
return h
},
MD5: md5.New,
SHA1: sha1.New,
SHA224: sha256.New224,
SHA256: sha256.New,
SHA384: sha512.New384,
SHA512: sha512.New,
SHA512_224: sha512.New512_224,
SHA512_256: sha512.New512_256,
SHA3_224: sha3.New224,
SHA3_256: sha3.New256,
SHA3_384: sha3.New384,
SHA3_512: sha3.New512,
XXH64: func() hash.Hash {
return xxhash.New64()
},
}
// Enum of hash types.
const (
BLAKE2B_256 HashType = "blake2b_256"
BLAKE2B_384 HashType = "blake2b_384"
BLAKE2B_512 HashType = "blake2b_512"
MD5 HashType = "md5"
SHA1 HashType = "sha1"
SHA224 HashType = "sha224"
SHA256 HashType = "sha256"
SHA384 HashType = "sha384"
SHA3_224 HashType = "sha3_224"
SHA3_256 HashType = "sha3_256"
SHA3_384 HashType = "sha3_384"
SHA3_512 HashType = "sha3_512"
SHA512 HashType = "sha512"
SHA512_224 HashType = "sha512_224"
SHA512_256 HashType = "sha512_256"
XXH64 HashType = "xxh64"
)
// Digest is a output of a hash function.
type Digest []byte
// String returns the digest value in lower-case hexadecimal form.
func (d Digest) String() string {
return hex.EncodeToString(d)
}
// MarshalText encodes the digest to a hexadecimal representation of itself.
func (d Digest) MarshalText() ([]byte, error) { return []byte(d.String()), nil }
// FileTooLargeError is the error that occurs when a file that
// exceeds the max file size is attempting to be hashed.
type FileTooLargeError struct {
fileSize int64
}
// Error returns the error message for FileTooLargeError.
func (e FileTooLargeError) Error() string {
return fmt.Sprintf("hasher: file size %d exceeds max file size", e.fileSize)
}
// Config contains the configuration of a FileHasher.
type Config struct {
HashTypes []HashType `config:"hash_types,replace"`
MaxFileSize string `config:"max_file_size"`
MaxFileSizeBytes uint64 `config:",ignore"`
ScanRatePerSec string `config:"scan_rate_per_sec"`
ScanRateBytesPerSec uint64 `config:",ignore"`
}
// Validate validates the config.
func (c *Config) Validate() error {
var errs multierror.Errors
for _, ht := range c.HashTypes {
if !ht.IsValid() {
errs = append(errs, errors.Errorf("invalid hash_types value '%v'", ht))
}
}
var err error
c.MaxFileSizeBytes, err = humanize.ParseBytes(c.MaxFileSize)
if err != nil {
errs = append(errs, errors.Wrap(err, "invalid max_file_size value"))
} else if c.MaxFileSizeBytes <= 0 {
errs = append(errs, errors.Errorf("max_file_size value (%v) must be positive", c.MaxFileSize))
}
c.ScanRateBytesPerSec, err = humanize.ParseBytes(c.ScanRatePerSec)
if err != nil {
errs = append(errs, errors.Wrap(err, "invalid scan_rate_per_sec value"))
}
return errs.Err()
}
// FileHasher hashes the contents of files.
type FileHasher struct {
config Config
limiter *rate.Limiter
// To cancel hashing
done <-chan struct{}
}
// NewFileHasher creates a new FileHasher.
func NewFileHasher(c Config, done <-chan struct{}) (*FileHasher, error) {
return &FileHasher{
config: c,
limiter: rate.NewLimiter(
rate.Limit(c.ScanRateBytesPerSec), // Rate
int(c.MaxFileSizeBytes), // Burst
),
done: done,
}, nil
}
// HashFile hashes the contents of a file.
func (hasher *FileHasher) HashFile(path string) (map[HashType]Digest, error) {
info, err := os.Stat(path)
if err != nil {
return nil, errors.Wrapf(err, "failed to stat file %v", path)
}
// Throttle reading and hashing rate.
if len(hasher.config.HashTypes) > 0 {
err = hasher.throttle(info.Size())
if err != nil {
return nil, errors.Wrapf(err, "failed to hash file %v", path)
}
}
var hashes []hash.Hash
for _, hashType := range hasher.config.HashTypes {
h, valid := validHashes[hashType]
if !valid {
return nil, errors.Errorf("unknown hash type '%v'", hashType)
}
hashes = append(hashes, h())
}
if len(hashes) > 0 {
f, err := file.ReadOpen(path)
if err != nil {
return nil, errors.Wrap(err, "failed to open file for hashing")
}
defer f.Close()
hashWriter := multiWriter(hashes)
if _, err := io.Copy(hashWriter, f); err != nil {
return nil, errors.Wrap(err, "failed to calculate file hashes")
}
nameToHash := make(map[HashType]Digest, len(hashes))
for i, h := range hashes {
nameToHash[hasher.config.HashTypes[i]] = h.Sum(nil)
}
return nameToHash, nil
}
return nil, nil
}
func (hasher *FileHasher) throttle(fileSize int64) error {
reservation := hasher.limiter.ReserveN(time.Now(), int(fileSize))
if !reservation.OK() {
// File is bigger than the max file size
return FileTooLargeError{fileSize}
}
delay := reservation.Delay()
if delay == 0 {
return nil
}
timer := time.NewTimer(delay)
defer timer.Stop()
select {
case <-hasher.done:
case <-timer.C:
}
return nil
}
func multiWriter(hash []hash.Hash) io.Writer {
writers := make([]io.Writer, 0, len(hash))
for _, h := range hash {
writers = append(writers, h)
}
return io.MultiWriter(writers...)
}


@ -1,92 +0,0 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package hasher
import (
"io/ioutil"
"os"
"path/filepath"
"testing"
"github.com/pkg/errors"
"github.com/stretchr/testify/assert"
)
func TestHasher(t *testing.T) {
dir, err := ioutil.TempDir("", "auditbeat-hasher-test")
if err != nil {
t.Fatal(err)
}
defer os.RemoveAll(dir)
file := filepath.Join(dir, "exe")
if err = ioutil.WriteFile(file, []byte("test exe\n"), 0600); err != nil {
t.Fatal(err)
}
config := Config{
HashTypes: []HashType{SHA1, MD5},
MaxFileSize: "100 MiB",
MaxFileSizeBytes: 100 * 1024 * 1024,
ScanRatePerSec: "50 MiB",
ScanRateBytesPerSec: 50 * 1024 * 1024,
}
hasher, err := NewFileHasher(config, nil)
if err != nil {
t.Fatal(err)
}
hashes, err := hasher.HashFile(file)
if err != nil {
t.Fatal(err)
}
assert.Len(t, hashes, 2)
assert.Equal(t, "44a36f2cd27e56794cd405ad8d44e82dba4c54fa", hashes["sha1"].String())
assert.Equal(t, "1d7572082f6b0d18a393d618285d7100", hashes["md5"].String())
}
func TestHasherLimits(t *testing.T) {
dir, err := ioutil.TempDir("", "auditbeat-hasher-test")
if err != nil {
t.Fatal(err)
}
defer os.RemoveAll(dir)
file := filepath.Join(dir, "exe")
if err = ioutil.WriteFile(file, []byte("test exe\n"), 0600); err != nil {
t.Fatal(err)
}
configZeroSize := Config{
HashTypes: []HashType{SHA1},
MaxFileSize: "0 MiB",
MaxFileSizeBytes: 0,
ScanRatePerSec: "0 MiB",
ScanRateBytesPerSec: 0,
}
hasher, err := NewFileHasher(configZeroSize, nil)
if err != nil {
t.Fatal(err)
}
hashes, err := hasher.HashFile(file)
assert.Empty(t, hashes)
assert.Error(t, err)
assert.IsType(t, FileTooLargeError{}, errors.Cause(err))
}



@ -1,26 +0,0 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
// Code generated by beats/dev-tools/cmd/module_include_list/module_include_list.go - DO NOT EDIT.
package include
import (
// Import packages that need to register themselves.
_ "github.com/elastic/beats/auditbeat/module/auditd"
_ "github.com/elastic/beats/auditbeat/module/file_integrity"
)


@ -1,197 +0,0 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
// +build mage
package main
import (
"context"
"fmt"
"time"
"github.com/magefile/mage/mg"
auditbeat "github.com/elastic/beats/auditbeat/scripts/mage"
devtools "github.com/elastic/beats/dev-tools/mage"
// mage:import
"github.com/elastic/beats/dev-tools/mage/target/common"
)
func init() {
common.RegisterCheckDeps(Update)
devtools.BeatDescription = "Audit the activities of users and processes on your system."
}
// Aliases provides compatibility with CI while we transition all Beats
// to having common testing targets.
var Aliases = map[string]interface{}{
"goTestUnit": GoUnitTest, // dev-tools/jenkins_ci.ps1 uses this.
}
// Build builds the Beat binary.
func Build() error {
return devtools.Build(devtools.DefaultBuildArgs())
}
// GolangCrossBuild build the Beat binary inside of the golang-builder.
// Do not use directly, use crossBuild instead.
func GolangCrossBuild() error {
return devtools.GolangCrossBuild(devtools.DefaultGolangCrossBuildArgs())
}
// BuildGoDaemon builds the go-daemon binary (use crossBuildGoDaemon).
func BuildGoDaemon() error {
return devtools.BuildGoDaemon()
}
// CrossBuild cross-builds the beat for all target platforms.
func CrossBuild() error {
return devtools.CrossBuild()
}
// CrossBuildGoDaemon cross-builds the go-daemon binary using Docker.
func CrossBuildGoDaemon() error {
return devtools.CrossBuildGoDaemon()
}
// Package packages the Beat for distribution.
// Use SNAPSHOT=true to build snapshots.
// Use PLATFORMS to control the target platforms.
// Use VERSION_QUALIFIER to control the version qualifier.
func Package() {
start := time.Now()
defer func() { fmt.Println("package ran for", time.Since(start)) }()
devtools.UseElasticBeatOSSPackaging()
devtools.PackageKibanaDashboardsFromBuildDir()
auditbeat.CustomizePackaging(auditbeat.OSSPackaging)
mg.SerialDeps(Fields, Dashboards, Config, devtools.GenerateModuleIncludeListGo)
mg.Deps(CrossBuild, CrossBuildGoDaemon)
mg.SerialDeps(devtools.Package, TestPackages)
}
// TestPackages tests the generated packages (i.e. file modes, owners, groups).
func TestPackages() error {
return devtools.TestPackages(devtools.WithRootUserContainer())
}
// Update is an alias for running fields, dashboards, config, includes.
func Update() {
mg.SerialDeps(Fields, Dashboards, Config,
devtools.GenerateModuleIncludeListGo, Docs)
}
// Config generates both the short/reference configs and populates the modules.d
// directory.
func Config() error {
return devtools.Config(devtools.AllConfigTypes, auditbeat.OSSConfigFileParams(), ".")
}
// Fields generates fields.yml and fields.go files for the Beat.
func Fields() {
mg.Deps(libbeatAndAuditbeatCommonFieldsGo, moduleFieldsGo)
mg.Deps(fieldsYML)
}
// libbeatAndAuditbeatCommonFieldsGo generates a fields.go containing both
// libbeat and auditbeat's common fields.
func libbeatAndAuditbeatCommonFieldsGo() error {
if err := devtools.GenerateFieldsYAML(); err != nil {
return err
}
return devtools.GenerateAllInOneFieldsGo()
}
// moduleFieldsGo generates a fields.go for each module.
func moduleFieldsGo() error {
return devtools.GenerateModuleFieldsGo("module")
}
// fieldsYML generates the fields.yml file containing all fields.
func fieldsYML() error {
return devtools.GenerateFieldsYAML("module")
}
// ExportDashboard exports a dashboard and writes it into the correct directory.
//
// Required environment variables:
// - MODULE: Name of the module
// - ID: Dashboard id
func ExportDashboard() error {
return devtools.ExportDashboard()
}
// Dashboards collects all the dashboards and generates index patterns.
func Dashboards() error {
return devtools.KibanaDashboards("module")
}
// Docs collects the documentation.
func Docs() {
mg.Deps(auditbeat.ModuleDocs, auditbeat.FieldDocs)
}
// IntegTest executes integration tests (it uses Docker to run the tests).
func IntegTest() {
devtools.AddIntegTestUsage()
defer devtools.StopIntegTestEnv()
mg.SerialDeps(GoIntegTest, PythonIntegTest)
}
// UnitTest executes the unit tests.
func UnitTest() {
mg.SerialDeps(GoUnitTest, PythonUnitTest)
}
// GoUnitTest executes the Go unit tests.
// Use TEST_COVERAGE=true to enable code coverage profiling.
// Use RACE_DETECTOR=true to enable the race detector.
func GoUnitTest(ctx context.Context) error {
mg.Deps(Fields)
return devtools.GoTest(ctx, devtools.DefaultGoTestUnitArgs())
}
// GoIntegTest executes the Go integration tests.
// Use TEST_COVERAGE=true to enable code coverage profiling.
// Use RACE_DETECTOR=true to enable the race detector.
func GoIntegTest(ctx context.Context) error {
mg.Deps(Fields)
return devtools.RunIntegTest("goIntegTest", func() error {
return devtools.GoTest(ctx, devtools.DefaultGoTestIntegrationArgs())
})
}
// PythonUnitTest executes the python system tests.
func PythonUnitTest() error {
mg.Deps(devtools.BuildSystemTestBinary)
return devtools.PythonNoseTest(devtools.DefaultPythonTestUnitArgs())
}
// PythonIntegTest executes the python system tests in the integration environment (Docker).
func PythonIntegTest(ctx context.Context) error {
if !devtools.IsInIntegTestEnv() {
mg.SerialDeps(Fields, Dashboards)
}
return devtools.RunIntegTest("pythonIntegTest", func() error {
mg.Deps(devtools.BuildSystemTestBinary)
return devtools.PythonNoseTest(devtools.DefaultPythonTestIntegrationArgs())
})
}


@ -1,37 +0,0 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package main
import (
"os"
"github.com/elastic/beats/auditbeat/cmd"
// Register modules.
_ "github.com/elastic/beats/auditbeat/module/auditd"
_ "github.com/elastic/beats/auditbeat/module/file_integrity"
// Register includes.
_ "github.com/elastic/beats/auditbeat/include"
)
func main() {
if err := cmd.RootCmd.Execute(); err != nil {
os.Exit(1)
}
}


@ -1,43 +0,0 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package main
// This file is mandatory as otherwise the auditbeat.test binary is not generated correctly.
import (
"flag"
"testing"
"github.com/elastic/beats/auditbeat/cmd"
)
var systemTest *bool
func init() {
systemTest = flag.Bool("systemTest", false, "Set to true when running system tests")
cmd.RootCmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("systemTest"))
cmd.RootCmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("test.coverprofile"))
}
// Test started when the test binary is started. Only calls main.
func TestSystem(t *testing.T) {
if *systemTest {
main()
}
}


@ -1,11 +0,0 @@
@echo off
REM Windows wrapper for Mage (https://magefile.org/) that installs it
REM to %GOPATH%\bin from the Beats vendor directory.
REM
REM After running this once you may invoke mage.exe directly.
WHERE mage
IF %ERRORLEVEL% NEQ 0 go install github.com/elastic/beats/vendor/github.com/magefile/mage
mage %*


@ -1,95 +0,0 @@
{
"auditd": {
"data": {
"a0": "3",
"a1": "7ffd0dc80040",
"a2": "7ffd0dc7ffd0",
"a3": "0",
"arch": "x86_64",
"exit": "5",
"socket": {
"addr": "72.83.230.100",
"family": "ipv4",
"port": "58140"
},
"syscall": "accept",
"tty": "(none)"
},
"message_type": "syscall",
"result": "success",
"sequence": 8832,
"session": "unset",
"summary": {
"actor": {
"primary": "unset",
"secondary": "root"
},
"how": "/usr/sbin/sshd",
"object": {
"primary": "72.83.230.100",
"secondary": "58140",
"type": "socket"
}
}
},
"event": {
"action": "accepted-connection-from",
"category": "audit-rule",
"module": "auditd"
},
"network": {
"direction": "incoming"
},
"process": {
"executable": "/usr/sbin/sshd",
"name": "sshd",
"pid": 1663,
"ppid": 1,
"title": "(sshd)"
},
"service": {
"type": "auditd"
},
"source": {
"ip": "72.83.230.100",
"port": "58140"
},
"tags": [
"net"
],
"user": {
"audit": {
"id": "unset"
},
"effective": {
"group": {
"id": "0",
"name": "root"
},
"id": "0",
"name": "root"
},
"filesystem": {
"group": {
"id": "0",
"name": "root"
},
"id": "0",
"name": "root"
},
"group": {
"id": "0",
"name": "root"
},
"id": "0",
"name": "root",
"saved": {
"group": {
"id": "0",
"name": "root"
},
"id": "0",
"name": "root"
}
}
}


@ -1,11 +0,0 @@
## Executions.
-a always,exit -F arch=b32 -S execve,execveat -k exec
## Identity changes.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access


@ -1,17 +0,0 @@
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
-a always,exit -F arch=b64 -S execve,execveat -k exec
## Identity changes.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access


@ -1,49 +0,0 @@
{{ if eq .GOOS "linux" -}}
{{ if .Reference -}}
# The auditd module collects events from the audit framework in the Linux
# kernel. You need to specify audit rules for the events that you want to audit.
{{ end -}}
- module: auditd
{{ if .Reference -}}
resolve_ids: true
failure_mode: silent
backlog_limit: 8196
rate_limit: 0
include_raw_message: false
include_warnings: false
# Set to true to publish fields with null values in events.
#keep_null: false
{{ end -}}
# Load audit rules from separate files. Same format as audit.rules(7).
audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
audit_rules: |
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
{{ if eq .GOARCH "amd64" -}}
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
{{ end -}}
## Executions.
#-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S execve,execveat -k exec
## External access (warning: these can be expensive to audit).
#-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S accept,bind,connect -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
#-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
{{ end }}


@ -1,58 +0,0 @@
{
"@timestamp": "2017-10-12T08:05:34.853Z",
"agent": {
"hostname": "host.example.com",
"name": "host.example.com"
},
"auditd": {
"data": {
"acct": "(invalid user)",
"op": "login",
"terminal": "sshd"
},
"message_type": "user_login",
"result": "fail",
"sequence": 19955,
"session": "unset",
"summary": {
"actor": {
"primary": "unset",
"secondary": "(invalid user)"
},
"how": "/usr/sbin/sshd",
"object": {
"primary": "sshd",
"secondary": "179.38.151.221",
"type": "user-session"
}
}
},
"event": {
"action": "logged-in",
"category": "user-login",
"module": "auditd",
"original": [
"type=USER_LOGIN msg=audit(1492896301.818:19955): pid=12635 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe=\"/usr/sbin/sshd\" hostname=? addr=179.38.151.221 terminal=sshd res=failed'"
]
},
"network": {
"direction": "incoming"
},
"process": {
"executable": "/usr/sbin/sshd",
"pid": 12635
},
"service": {
"type": "auditd"
},
"source": {
"ip": "179.38.151.221"
},
"user": {
"audit": {
"id": "unset"
},
"id": "0",
"name": "root"
}
}


@ -1,257 +0,0 @@
== Auditd Module
The `auditd` module receives audit events from the Linux Audit Framework that
is a part of the Linux kernel.
This module is available only for Linux.
[float]
=== How it works
This module establishes a subscription to the kernel to receive the events
as they occur. So unlike most other modules, the `period` configuration
option is unused because it is not implemented using polling.
The Linux Audit Framework can send multiple messages for a single auditable
event. For example, a `rename` syscall causes the kernel to send eight separate
messages. Each message describes a different aspect of the activity that is
occurring (the syscall itself, file paths, current working directory, process
title). This module will combine all of the data from each of the messages
into a single event.
Messages for one event can be interleaved with messages from another event. This
module will buffer the messages in order to combine related messages into a
single event even if they arrive interleaved or out of order.
[float]
=== Useful commands
When running {beatname_uc} with the `auditd` module enabled, you might find
that other monitoring tools interfere with {beatname_uc}.
For example, you might encounter errors if another process, such as `auditd`, is
registered to receive data from the Linux Audit Framework. You can use these
commands to see if the `auditd` service is running and stop it:
* See if `auditd` is running:
+
[source,shell]
-----
service auditd status
-----
* Stop the `auditd` service:
+
[source,shell]
-----
service auditd stop
-----
* Disable `auditd` from starting on boot:
+
[source,shell]
-----
chkconfig auditd off
-----
To save CPU usage and disk space, you can use this command to stop `journald`
from listening to audit messages:
[source,shell]
-----
systemctl mask systemd-journald-audit.socket
-----
[float]
=== Inspect the kernel audit system status
{beatname_uc} provides useful commands to query the state of the audit system
in the Linux kernel.
* See the list of installed audit rules:
+
[source,shell]
-----
auditbeat show auditd-rules
-----
+
Prints the list of loaded rules, similar to `auditctl -l`:
+
[source,shell]
-----
-a never,exit -S all -F pid=26253
-a always,exit -F arch=b32 -S all -F key=32bit-abi
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access
-----
* See the status of the audit system:
+
[source,shell]
-----
auditbeat show auditd-status
-----
+
Prints the status of the kernel audit system, similar to `auditctl -s`:
+
[source,shell]
-----
enabled 1
failure 0
pid 0
rate_limit 0
backlog_limit 8192
lost 14407
backlog 0
backlog_wait_time 0
features 0xf
-----
[float]
=== Configuration options
This module has some configuration options for tuning its behavior. The
following example shows all configuration options with their default values.
[source,yaml]
----
- module: auditd
resolve_ids: true
failure_mode: silent
backlog_limit: 8192
rate_limit: 0
include_raw_message: false
include_warnings: false
backpressure_strategy: auto
----
*`socket_type`*:: This optional setting controls the type of
socket that {beatname_uc} uses to receive events from the kernel. The two
options are `unicast` and `multicast`.
+
`unicast` should be used when {beatname_uc} is the primary userspace daemon for
receiving audit events and managing the rules. Only a single process can receive
audit events through the "unicast" connection so any other daemons should be
stopped (e.g. stop `auditd`).
+
`multicast` can be used in kernel versions 3.16 and newer. By using `multicast`
{beatname_uc} will receive an audit event broadcast that is not exclusive to a
a single process. This is ideal for situations where `auditd` is running and
managing the rules. If `multicast` is specified, but the kernel version is less
than 3.16 {beatname_uc} will automatically revert to `unicast`.
+
By default {beatname_uc} will use `multicast` if the kernel version is 3.16 or
newer and no rules have been defined. Otherwise `unicast` will be used.
*`resolve_ids`*:: This boolean setting enables the resolution of UIDs and
GIDs to their associated names. The default value is true.
*`failure_mode`*:: This determines the kernel's behavior on critical
failures such as errors sending events to {beatname_uc}, the backlog limit was
exceeded, the kernel ran out of memory, or the rate limit was exceeded. The
options are `silent`, `log`, or `panic`. `silent` basically makes the kernel
ignore the errors, `log` makes the kernel write the audit messages using
`printk` so they show up in system's syslog, and `panic` causes the kernel to
panic to prevent use of the machine. {beatname_uc}'s default is `silent`.
*`backlog_limit`*:: This controls the maximum number of audit messages
that will be buffered by the kernel.
*`rate_limit`*:: This sets a rate limit on the number of messages/sec
delivered by the kernel. The default is 0, which disables rate limiting.
Changing this value to anything other than zero can cause messages to be lost.
The preferred approach to reduce the messaging rate is be more selective in the
audit ruleset.
*`include_raw_message`*:: This boolean setting causes {beatname_uc} to
include each of the raw messages that contributed to the event in the document
as a field called `event.original`. The default value is false. This setting is
primarily used for development and debugging purposes.
*`include_warnings`*:: This boolean setting causes {beatname_uc} to
include as warnings any issues that were encountered while parsing the raw
messages. The messages are written to the `error.message` field. The default
value is false. When this setting is enabled the raw messages will be included
in the event regardless of the `include_raw_message` config setting. This
setting is primarily used for development and debugging purposes.
*`audit_rules`*:: A string containing the audit rules that should be
installed to the kernel. There should be one rule per line. Comments can be
embedded in the string using `#` as a prefix. The format for rules is the same
used by the Linux `auditctl` utility. {beatname_uc} supports adding file watches
(`-w`) and syscall rules (`-a` or `-A`).
*`audit_rule_files`*:: A list of files to load audit rules from. This files are
loaded after the rules declared in `audit_rules` are loaded. Wildcards are
supported and will expand in lexicographical order. The format is the same as
that of the `audit_rules` field.
*`backpressure_strategy`*:: Specifies the strategy that {beatname_uc} uses to
prevent backpressure from propagating to the kernel and impacting audited
processes.
+
--
The possible values are:
- `auto` (default): {beatname_uc} uses the `kernel` strategy, if supported, or
falls back to the `userspace` strategy.
- `kernel`: {beatname_uc} sets the `backlog_wait_time` in the kernel's
audit framework to 0. This causes events to be discarded in the kernel if
the audit backlog queue fills to capacity. Requires a 3.14 kernel or
newer.
- `userspace`: {beatname_uc} drops events when there is backpressure
from the publishing pipeline. If no `rate_limit` is set, {beatname_uc} sets a rate
limit of 5000. Users should test their setup and adjust the `rate_limit`
option accordingly.
- `both`: {beatname_uc} uses the `kernel` and `userspace` strategies at the same
time.
- `none`: No backpressure mitigation measures are enabled.
--
*`keep_null`*:: If this option is set to true, fields with `null` values will be
published in the output document. By default, `keep_null` is set to `false`.
[float]
=== Audit rules
The audit rules are where you configure the activities that are audited. These
rules are configured as either syscalls or files that should be monitored. For
example you can track all `connect` syscalls or file system writes to
`/etc/passwd`.
Auditing a large number of syscalls can place a heavy load on the system so
consider carefully the rules you define and try to apply filters in the rules
themselves to be as selective as possible.
The kernel evaluates the rules in the order in which they were defined so place
the most active rules first in order to speed up evaluation.
You can assign keys to each rule for better identification of the rule that
triggered an event and easier filtering later in Elasticsearch.
Defining any audit rules in the config causes {beatname_uc} to purge all
existing audit rules prior to adding the rules specified in the config.
Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule.
["source","sh",subs="attributes"]
----
{beatname_lc}.modules:
- module: auditd
audit_rules: |
# Things that affect identity.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
# Unauthorized access attempts to files (unsuccessful).
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
----


@ -1,114 +0,0 @@
{
"auditd": {
"data": {
"a0": "10812c8",
"a1": "1070208",
"a2": "1152008",
"a3": "59a",
"arch": "x86_64",
"argc": "2",
"exit": "0",
"syscall": "execve",
"tty": "pts0"
},
"message_type": "syscall",
"paths": [
{
"dev": "08:01",
"inode": "155",
"item": "0",
"mode": "0100755",
"name": "/bin/uname",
"nametype": "NORMAL",
"ogid": "0",
"ouid": "0",
"rdev": "00:00"
},
{
"dev": "08:01",
"inode": "1923",
"item": "1",
"mode": "0100755",
"name": "/lib64/ld-linux-x86-64.so.2",
"nametype": "NORMAL",
"ogid": "0",
"ouid": "0",
"rdev": "00:00"
}
],
"result": "success",
"sequence": 8972,
"session": "11",
"summary": {
"actor": {
"primary": "1001",
"secondary": "1001"
},
"how": "/bin/uname",
"object": {
"primary": "/bin/uname",
"type": "file"
}
}
},
"event": {
"action": "executed",
"category": "audit-rule",
"module": "auditd"
},
"file": {
"device": "00:00",
"gid": "0",
"group": "root",
"inode": "155",
"mode": "0755",
"owner": "root",
"path": "/bin/uname",
"uid": "0"
},
"process": {
"args": [
"uname",
"-a"
],
"executable": "/bin/uname",
"name": "uname",
"pid": 10043,
"ppid": 10027,
"title": "uname -a",
"working_directory": "/home/andrew_kroh"
},
"service": {
"type": "auditd"
},
"tags": [
"user_commands"
],
"user": {
"audit": {
"id": "1001"
},
"effective": {
"group": {
"id": "1002"
},
"id": "1001"
},
"filesystem": {
"group": {
"id": "1002"
},
"id": "1001"
},
"group": {
"id": "1002"
},
"id": "1001",
"saved": {
"group": {
"id": "1002"
},
"id": "1001"
}
}
}


@ -1,898 +0,0 @@
- key: auditd
title: Auditd
description: These are the fields generated by the auditd module.
fields:
- name: user
type: group
fields:
- name: auid
type: alias
path: user.audit.id
migration: true
- name: uid
type: alias
path: user.id
migration: true
- name: euid
type: alias
path: user.effective.id
migration: true
- name: fsuid
type: alias
path: user.filesystem.id
migration: true
- name: suid
type: alias
path: user.saved.id
migration: true
- name: gid
type: alias
path: user.group.id
migration: true
- name: egid
type: alias
path: user.effective.group.id
migration: true
- name: sgid
type: alias
path: user.saved.group.id
migration: true
- name: fsgid
type: alias
path: user.filesystem.group.id
migration: true
- name: name_map
type: group
description: >
If `resolve_ids` is set to true in the configuration then `name_map`
will contain a mapping of uid field names to the resolved name
(e.g. auid -> root).
fields:
- name: auid
type: alias
path: user.audit.name
migration: true
- name: uid
type: alias
path: user.name
migration: true
- name: euid
type: alias
path: user.effective.name
migration: true
- name: fsuid
type: alias
path: user.filesystem.name
migration: true
- name: suid
type: alias
path: user.saved.name
migration: true
- name: gid
type: alias
path: user.group.name
migration: true
- name: egid
type: alias
path: user.effective.group.name
migration: true
- name: sgid
type: alias
path: user.saved.group.name
migration: true
- name: fsgid
type: alias
path: user.filesystem.group.name
migration: true
- name: selinux
type: group
description: The SELinux identity of the actor.
fields:
- name: user
type: keyword
description: account submitted for authentication
- name: role
type: keyword
description: user's SELinux role
- name: domain
type: keyword
description: The actor's SELinux domain or type.
- name: level
type: keyword
example: s0
description: The actor's SELinux level.
- name: category
type: keyword
description: The actor's SELinux category or compartments.
- name: process
type: group
description: Process attributes.
fields:
- name: cwd
type: alias
path: process.working_directory
migration: true
description: The current working directory.
- name: source
type: group
description: Source that triggered the event.
fields:
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: destination
type: group
description: Destination address that triggered the event.
fields:
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: auditd
type: group
fields:
- name: message_type
type: keyword
example: syscall
description: >
The audit message type (e.g. syscall or apparmor_denied).
- name: sequence
type: long
description: >
The sequence number of the event as assigned by the kernel. Sequence
numbers are stored as a uint32 in the kernel and can rollover.
- name: session
type: keyword
description: >
The session ID assigned to a login. All events related to a login
session will have the same value.
- name: result
type: keyword
example: success or fail
description: The result of the audited operation (success/fail).
- name: summary
type: group
fields:
- name: actor
type: group
description: The actor is the user that triggered the audit event.
fields:
- name: primary
type: keyword
description: >
The primary identity of the actor. This is the actor's original login
ID. It will not change even if the user changes to another account.
- name: secondary
type: keyword
description: The secondary identity of the actor. This is typically
the same as the primary, except for when the user has used `su`.
- name: object
type: group
description: >
This is the thing or object being acted upon in the event.
fields:
- name: type
type: keyword
description: >
A description of the what the "thing" is (e.g. file, socket,
user-session).
- name: primary
type: keyword
description: ""
- name: secondary
type: keyword
description: ""
- name: how
type: keyword
description: >
This describes how the action was performed. Usually this is the exe
or command that was being executed that triggered the event.
- name: paths
type: group
description: List of paths associated with the event.
fields:
- name: inode
type: keyword
description: inode number
- name: dev
type: keyword
description: device name as found in /dev
- name: obj_user
type: keyword
description: ""
- name: obj_role
type: keyword
description: ""
- name: obj_domain
type: keyword
description: ""
- name: obj_level
type: keyword
description: ""
- name: objtype
type: keyword
description: ""
- name: ouid
type: keyword
description: file owner user ID
- name: rdev
type: keyword
description: the device identifier (special files only)
- name: nametype
type: keyword
description: kind of file operation being referenced
- name: ogid
type: keyword
description: file owner group ID
- name: item
type: keyword
description: which item is being recorded
- name: mode
type: keyword
description: mode flags on a file
- name: name
type: keyword
description: file name in avcs
- name: data
type: group
description: The data from the audit messages.
fields:
- name: action
type: keyword
description: netfilter packet disposition
- name: minor
type: keyword
description: device minor number
- name: acct
type: keyword
description: a user's account name
- name: addr
type: keyword
description: the remote address that the user is connecting from
- name: cipher
type: keyword
description: name of crypto cipher selected
- name: id
type: keyword
description: during account changes
- name: entries
type: keyword
description: number of entries in the netfilter table
- name: kind
type: keyword
description: server or client in crypto operation
- name: ksize
type: keyword
description: key size for crypto operation
- name: spid
type: keyword
description: sent process ID
- name: arch
type: keyword
description: the elf architecture flags
- name: argc
type: keyword
description: the number of arguments to an execve syscall
- name: major
type: keyword
description: device major number
- name: unit
type: keyword
description: systemd unit
- name: table
type: keyword
description: netfilter table name
- name: terminal
type: keyword
description: terminal name the user is running programs on
- name: grantors
type: keyword
description: pam modules approving the action
- name: direction
type: keyword
description: direction of crypto operation
- name: op
type: keyword
description: the operation being performed that is audited
- name: tty
type: keyword
description: tty udevice the user is running programs on
- name: syscall
type: keyword
description: syscall number in effect when the event occurred
- name: data
type: keyword
description: TTY text
- name: family
type: keyword
description: netfilter protocol
- name: mac
type: keyword
description: crypto MAC algorithm selected
- name: pfs
type: keyword
description: perfect forward secrecy method
- name: items
type: keyword
description: the number of path records in the event
- name: a0
type: keyword
description: ""
- name: a1
type: keyword
description: ""
- name: a2
type: keyword
description: ""
- name: a3
type: keyword
description: ""
- name: hostname
type: keyword
description: the hostname that the user is connecting from
- name: lport
type: keyword
description: local network port
- name: rport
type: keyword
description: remote port number
- name: exit
type: keyword
description: syscall exit code
- name: fp
type: keyword
description: crypto key finger print
- name: laddr
type: keyword
description: local network address
- name: sport
type: keyword
description: local port number
- name: capability
type: keyword
description: posix capabilities
- name: nargs
type: keyword
description: the number of arguments to a socket call
- name: new-enabled
type: keyword
description: new TTY audit enabled setting
- name: audit_backlog_limit
type: keyword
description: audit system's backlog queue size
- name: dir
type: keyword
description: directory name
- name: cap_pe
type: keyword
description: process effective capability map
- name: model
type: keyword
description: security model being used for virt
- name: new_pp
type: keyword
description: new process permitted capability map
- name: old-enabled
type: keyword
description: present TTY audit enabled setting
- name: oauid
type: keyword
description: object's login user ID
- name: old
type: keyword
description: old value
- name: banners
type: keyword
description: banners used on printed page
- name: feature
type: keyword
description: kernel feature being changed
- name: vm-ctx
type: keyword
description: the vm's context string
- name: opid
type: keyword
description: object's process ID
- name: seperms
type: keyword
description: SELinux permissions being used
- name: seresult
type: keyword
description: SELinux AVC decision granted/denied
- name: new-rng
type: keyword
description: device name of rng being added from a vm
- name: old-net
type: keyword
description: present MAC address assigned to vm
- name: sigev_signo
type: keyword
description: signal number
- name: ino
type: keyword
description: inode number
- name: old_enforcing
type: keyword
description: old MAC enforcement status
- name: old-vcpu
type: keyword
description: present number of CPU cores
- name: range
type: keyword
description: user's SE Linux range
- name: res
type: keyword
description: result of the audited operation(success/fail)
- name: added
type: keyword
description: number of new files detected
- name: fam
type: keyword
description: socket address family
- name: nlnk-pid
type: keyword
description: pid of netlink packet sender
- name: subj
type: keyword
description: lspp subject's context string
- name: a[0-3]
type: keyword
description: the arguments to a syscall
- name: cgroup
type: keyword
description: path to cgroup in sysfs
- name: kernel
type: keyword
description: kernel's version number
- name: ocomm
type: keyword
description: object's command line name
- name: new-net
type: keyword
description: MAC address being assigned to vm
- name: permissive
type: keyword
description: SELinux is in permissive mode
- name: class
type: keyword
description: resource class assigned to vm
- name: compat
type: keyword
description: is_compat_task result
- name: fi
type: keyword
description: file assigned inherited capability map
- name: changed
type: keyword
description: number of changed files
- name: msg
type: keyword
description: the payload of the audit record
- name: dport
type: keyword
description: remote port number
- name: new-seuser
type: keyword
description: new SELinux user
- name: invalid_context
type: keyword
description: SELinux context
- name: dmac
type: keyword
description: remote MAC address
- name: ipx-net
type: keyword
description: IPX network number
- name: iuid
type: keyword
description: ipc object's user ID
- name: macproto
type: keyword
description: ethernet packet type ID field
- name: obj
type: keyword
description: lspp object context string
- name: ipid
type: keyword
description: IP datagram fragment identifier
- name: new-fs
type: keyword
description: file system being added to vm
- name: vm-pid
type: keyword
description: vm's process ID
- name: cap_pi
type: keyword
description: process inherited capability map
- name: old-auid
type: keyword
description: previous auid value
- name: oses
type: keyword
description: object's session ID
- name: fd
type: keyword
description: file descriptor number
- name: igid
type: keyword
description: ipc object's group ID
- name: new-disk
type: keyword
description: disk being added to vm
- name: parent
type: keyword
description: the inode number of the parent file
- name: len
type: keyword
description: length
- name: oflag
type: keyword
description: open syscall flags
- name: uuid
type: keyword
description: a UUID
- name: code
type: keyword
description: seccomp action code
- name: nlnk-grp
type: keyword
description: netlink group number
- name: cap_fp
type: keyword
description: file permitted capability map
- name: new-mem
type: keyword
description: new amount of memory in KB
- name: seperm
type: keyword
description: SELinux permission being decided on
- name: enforcing
type: keyword
description: new MAC enforcement status
- name: new-chardev
type: keyword
description: new character device being assigned to vm
- name: old-rng
type: keyword
description: device name of rng being removed from a vm
- name: outif
type: keyword
description: out interface number
- name: cmd
type: keyword
description: command being executed
- name: hook
type: keyword
description: netfilter hook that packet came from
- name: new-level
type: keyword
description: new run level
- name: sauid
type: keyword
description: sent login user ID
- name: sig
type: keyword
description: signal number
- name: audit_backlog_wait_time
type: keyword
description: audit system's backlog wait time
- name: printer
type: keyword
description: printer name
- name: old-mem
type: keyword
description: present amount of memory in KB
- name: perm
type: keyword
description: the file permission being used
- name: old_pi
type: keyword
description: old process inherited capability map
- name: state
type: keyword
description: audit daemon configuration resulting state
- name: format
type: keyword
description: audit log's format
- name: new_gid
type: keyword
description: new group ID being assigned
- name: tcontext
type: keyword
description: the target's or object's context string
- name: maj
type: keyword
description: device major number
- name: watch
type: keyword
description: file name in a watch record
- name: device
type: keyword
description: device name
- name: grp
type: keyword
description: group name
- name: bool
type: keyword
description: name of SELinux boolean
- name: icmp_type
type: keyword
description: type of icmp message
- name: new_lock
type: keyword
description: new value of feature lock
- name: old_prom
type: keyword
description: network promiscuity flag
- name: acl
type: keyword
description: access mode of resource assigned to vm
- name: ip
type: keyword
description: network address of a printer
- name: new_pi
type: keyword
description: new process inherited capability map
- name: default-context
type: keyword
description: default MAC context
- name: inode_gid
type: keyword
description: group ID of the inode's owner
- name: new-log_passwd
type: keyword
description: new value for TTY password logging
- name: new_pe
type: keyword
description: new process effective capability map
- name: selected-context
type: keyword
description: new MAC context assigned to session
- name: cap_fver
type: keyword
description: file system capabilities version number
- name: file
type: keyword
description: file name
- name: net
type: keyword
description: network MAC address
- name: virt
type: keyword
description: kind of virtualization being referenced
- name: cap_pp
type: keyword
description: process permitted capability map
- name: old-range
type: keyword
description: present SELinux range
- name: resrc
type: keyword
description: resource being assigned
- name: new-range
type: keyword
description: new SELinux range
- name: obj_gid
type: keyword
description: group ID of object
- name: proto
type: keyword
description: network protocol
- name: old-disk
type: keyword
description: disk being removed from vm
- name: audit_failure
type: keyword
description: audit system's failure mode
- name: inif
type: keyword
description: in interface number
- name: vm
type: keyword
description: virtual machine name
- name: flags
type: keyword
description: mmap syscall flags
- name: nlnk-fam
type: keyword
description: netlink protocol number
- name: old-fs
type: keyword
description: file system being removed from vm
- name: old-ses
type: keyword
description: previous ses value
- name: seqno
type: keyword
description: sequence number
- name: fver
type: keyword
description: file system capabilities version number
- name: qbytes
type: keyword
description: ipc objects quantity of bytes
- name: seuser
type: keyword
description: user's SE Linux user acct
- name: cap_fe
type: keyword
description: file assigned effective capability map
- name: new-vcpu
type: keyword
description: new number of CPU cores
- name: old-level
type: keyword
description: old run level
- name: old_pp
type: keyword
description: old process permitted capability map
- name: daddr
type: keyword
description: remote IP address
- name: old-role
type: keyword
description: present SELinux role
- name: ioctlcmd
type: keyword
description: The request argument to the ioctl syscall
- name: smac
type: keyword
description: local MAC address
- name: apparmor
type: keyword
description: apparmor event information
- name: fe
type: keyword
description: file assigned effective capability map
- name: perm_mask
type: keyword
description: file permission mask that triggered a watch event
- name: ses
type: keyword
description: login session ID
- name: cap_fi
type: keyword
description: file inherited capability map
- name: obj_uid
type: keyword
description: user ID of object
- name: reason
type: keyword
description: text string denoting a reason for the action
- name: list
type: keyword
description: the audit system's filter list number
- name: old_lock
type: keyword
description: present value of feature lock
- name: bus
type: keyword
description: name of subsystem bus a vm resource belongs to
- name: old_pe
type: keyword
description: old process effective capability map
- name: new-role
type: keyword
description: new SELinux role
- name: prom
type: keyword
description: network promiscuity flag
- name: uri
type: keyword
description: URI pointing to a printer
- name: audit_enabled
type: keyword
description: audit systems's enable/disable status
- name: old-log_passwd
type: keyword
description: present value for TTY password logging
- name: old-seuser
type: keyword
description: present SELinux user
- name: per
type: keyword
description: linux personality
- name: scontext
type: keyword
description: the subject's context string
- name: tclass
type: keyword
description: target's object classification
- name: ver
type: keyword
description: audit daemon's version number
- name: new
type: keyword
description: value being set in feature
- name: val
type: keyword
description: generic value associated with the operation
- name: img-ctx
type: keyword
description: the vm's disk image context string
- name: old-chardev
type: keyword
description: present character device assigned to vm
- name: old_val
type: keyword
description: current value of SELinux boolean
- name: success
type: keyword
description: whether the syscall was successful or not
- name: inode_uid
type: keyword
description: user ID of the inode's owner
- name: removed
type: keyword
description: number of deleted files
- name: socket
type: group
fields:
- name: port
type: keyword
description: The port number.
- name: saddr
type: keyword
description: The raw socket address structure.
- name: addr
type: keyword
description: The remote address.
- name: family
type: keyword
example: unix
description: The socket family (unix, ipv4, ipv6, netlink).
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: messages
type: alias
migration: true
path: event.original
description: >
An ordered list of the raw messages received from the kernel that
were used to construct this document. This field is present if an error
occurred processing the data or if `include_raw_message` is set
in the config.
- name: warnings
type: alias
migration: true
path: error.message
description: >
The warnings generated by the Beat during the construction of the event.
These are disabled by default and are used for development and debug
purposes only.
- name: geoip
type: group
description: >
The geoip fields are defined as a convenience in case you decide to
enrich the data using a geoip filter in Logstash or Ingest Node.
fields:
- name: continent_name
type: keyword
description: >
The name of the continent.
- name: city_name
type: keyword
description: >
The name of the city.
- name: region_name
type: keyword
description: >
The name of the region.
- name: country_iso_code
type: keyword
description: >
Country ISO code.
- name: location
type: geo_point
description: >
The longitude and latitude.


@ -1,336 +0,0 @@
{
"objects": [
{
"attributes": {
"description": "Command executions",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"query": {
"language": "kuery",
"query": ""
}
}
},
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16-ecs",
"title": "Error Codes [Auditbeat Auditd] ECS",
"uiStateJSON": {},
"version": 1,
"visState": {
"aggs": [
{
"enabled": true,
"id": "1",
"params": {},
"schema": "metric",
"type": "count"
},
{
"enabled": true,
"id": "2",
"params": {
"exclude": "0",
"field": "auditd.data.exit",
"order": "desc",
"orderBy": "1",
"size": 10
},
"schema": "segment",
"type": "terms"
}
],
"params": {
"addLegend": true,
"addTooltip": true,
"isDonut": true,
"legendPosition": "right",
"type": "pie"
},
"title": "Error Codes [Auditbeat Auditd] ECS",
"type": "pie"
}
},
"id": "20a8e8d0-c1c8-11e7-8995-936807a28b16-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:10:23.921Z",
"version": 4
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"index": "auditbeat-*",
"query": {
"language": "kuery",
"query": ""
}
}
},
"title": "Primary Username Tag Cloud [Auditbeat Auditd] ECS",
"uiStateJSON": {},
"version": 1,
"visState": {
"aggs": [
{
"enabled": true,
"id": "1",
"params": {},
"schema": "metric",
"type": "count"
},
{
"enabled": true,
"id": "2",
"params": {
"field": "auditd.summary.actor.primary",
"order": "desc",
"orderBy": "1",
"size": 10
},
"schema": "segment",
"type": "terms"
}
],
"params": {
"maxFontSize": 45,
"minFontSize": 18,
"orientation": "single",
"scale": "linear"
},
"title": "Primary Username Tag Cloud [Auditbeat Auditd] ECS",
"type": "tagcloud"
}
},
"id": "f81a6de0-c1c1-11e7-8995-936807a28b16-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:12:18.730Z",
"version": 3
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"query": {
"language": "kuery",
"query": ""
}
}
},
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16-ecs",
"title": "Exe Name Tag Cloud [Auditbeat Auditd] ECS",
"uiStateJSON": {},
"version": 1,
"visState": {
"aggs": [
{
"enabled": true,
"id": "1",
"params": {},
"schema": "metric",
"type": "count"
},
{
"enabled": true,
"id": "2",
"params": {
"field": "process.executable",
"order": "desc",
"orderBy": "1",
"size": 10
},
"schema": "segment",
"type": "terms"
}
],
"params": {
"maxFontSize": 45,
"minFontSize": 14,
"orientation": "single",
"scale": "linear"
},
"title": "Exe Name Tag Cloud [Auditbeat Auditd] ECS",
"type": "tagcloud"
}
},
"id": "2efac370-c1ca-11e7-8995-936807a28b16-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:57:41.411Z",
"version": 4
},
{
"attributes": {
"columns": [
"agent.hostname",
"process.args",
"auditd.summary.actor.primary",
"auditd.summary.actor.secondary",
"process.executable"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"index": "auditbeat-*",
"key": "event.module",
"negate": false,
"params": {
"query": "auditd",
"type": "phrase"
},
"type": "phrase",
"value": "auditd"
},
"query": {
"match": {
"event.module": {
"query": "auditd",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"index": "auditbeat-*",
"key": "event.action",
"negate": false,
"params": {
"query": "executed",
"type": "phrase"
},
"type": "phrase",
"value": "executed"
},
"query": {
"match": {
"event.action": {
"query": "executed",
"type": "phrase"
}
}
}
}
],
"highlightAll": true,
"index": "auditbeat-*",
"query": {
"language": "kuery",
"query": ""
},
"version": true
}
},
"sort": [
"@timestamp",
"desc"
],
"title": "Process Executions [Auditbeat Auditd] ECS",
"version": 1
},
"id": "d382f5b0-c1c6-11e7-8995-936807a28b16-ecs",
"type": "search",
"updated_at": "2018-01-16T22:26:35.050Z",
"version": 5
},
{
"attributes": {
"description": "Overview of kernel executions",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"highlightAll": true,
"query": {
"language": "kuery",
"query": ""
},
"version": true
}
},
"optionsJSON": {
"darkTheme": false,
"useMargins": false
},
"panelsJSON": [
{
"gridData": {
"h": 3,
"i": "1",
"w": 4,
"x": 4,
"y": 0
},
"id": "20a8e8d0-c1c8-11e7-8995-936807a28b16-ecs",
"panelIndex": "1",
"type": "visualization",
"version": "6.2.4"
},
{
"gridData": {
"h": 3,
"i": "3",
"w": 4,
"x": 8,
"y": 0
},
"id": "f81a6de0-c1c1-11e7-8995-936807a28b16-ecs",
"panelIndex": "3",
"type": "visualization",
"version": "6.2.4"
},
{
"gridData": {
"h": 3,
"i": "5",
"w": 4,
"x": 0,
"y": 0
},
"id": "2efac370-c1ca-11e7-8995-936807a28b16-ecs",
"panelIndex": "5",
"type": "visualization",
"version": "6.2.4"
},
{
"gridData": {
"h": 5,
"i": "6",
"w": 12,
"x": 0,
"y": 3
},
"id": "d382f5b0-c1c6-11e7-8995-936807a28b16-ecs",
"panelIndex": "6",
"type": "search",
"version": "6.2.4"
}
],
"timeRestore": false,
"title": "[Auditbeat Auditd] Executions ECS",
"version": 1
},
"id": "7de391b0-c1ca-11e7-8995-936807a28b16-ecs",
"type": "dashboard",
"updated_at": "2018-01-16T22:58:11.243Z",
"version": 5
}
],
"version": "6.2.4"
}


@ -1,283 +0,0 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {}
},
"title": "Event Actions [Auditbeat Auditd] ECS",
"uiStateJSON": {},
"version": 1,
"visState": {
"aggs": [],
"params": {
"axis_formatter": "number",
"axis_position": "left",
"background_color_rules": [
{
"id": "58c95a20-c1bd-11e7-938f-ab0645b6c431"
}
],
"bar_color_rules": [
{
"id": "5bfc71a0-c1bd-11e7-938f-ab0645b6c431"
}
],
"filter": "event.module:auditd",
"gauge_color_rules": [
{
"id": "5d20a650-c1bd-11e7-938f-ab0645b6c431"
}
],
"gauge_inner_width": 10,
"gauge_style": "half",
"gauge_width": 10,
"id": "61ca57f0-469d-11e7-af02-69e470af7417",
"index_pattern": "auditbeat-*",
"interval": "auto",
"legend_position": "left",
"series": [
{
"axis_position": "right",
"chart_type": "line",
"color": "#68BC00",
"fill": 0.5,
"formatter": "number",
"id": "61ca57f1-469d-11e7-af02-69e470af7417",
"label": "Actions",
"line_width": 1,
"metrics": [
{
"id": "6b9fb2d0-c1bc-11e7-938f-ab0645b6c431",
"type": "count"
}
],
"point_size": 1,
"seperate_axis": 0,
"split_mode": "terms",
"stacked": "none",
"terms_field": "event.action"
}
],
"show_grid": 1,
"show_legend": 1,
"time_field": "@timestamp",
"type": "timeseries"
},
"title": "Event Actions [Auditbeat Auditd] ECS",
"type": "metrics"
}
},
"id": "97680df0-c1c0-11e7-8995-936807a28b16-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:11:01.438Z",
"version": 3
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"index": "auditbeat-*",
"query": {
"language": "kuery",
"query": ""
}
}
},
"savedSearchId": "0f10c430-c1c3-11e7-8995-936807a28b16-ecs",
"title": "Event Categories [Auditbeat Auditd] ECS",
"uiStateJSON": {},
"version": 1,
"visState": {
"aggs": [
{
"enabled": true,
"id": "1",
"params": {},
"schema": "metric",
"type": "count"
},
{
"enabled": true,
"id": "2",
"params": {
"customLabel": "Category",
"field": "event.category",
"order": "desc",
"orderBy": "1",
"size": 5
},
"schema": "segment",
"type": "terms"
},
{
"enabled": true,
"id": "3",
"params": {
"customLabel": "Action",
"field": "event.action",
"order": "desc",
"orderBy": "1",
"size": 20
},
"schema": "segment",
"type": "terms"
}
],
"params": {
"addLegend": true,
"addTooltip": true,
"isDonut": true,
"legendPosition": "right",
"type": "pie"
},
"title": "Event Categories [Auditbeat Auditd] ECS",
"type": "pie"
}
},
"id": "08679220-c25a-11e7-8692-232bd1143e8a-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:54:10.330Z",
"version": 4
},
{
"attributes": {
"columns": [
"agent.hostname",
"auditd.summary.actor.primary",
"auditd.summary.actor.secondary",
"event.action",
"auditd.summary.object.type",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.summary.how",
"auditd.result"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"index": "auditbeat-*",
"key": "event.module",
"negate": false,
"params": {
"query": "auditd",
"type": "phrase"
},
"type": "phrase",
"value": "auditd"
},
"query": {
"match": {
"event.module": {
"query": "auditd",
"type": "phrase"
}
}
}
}
],
"highlightAll": true,
"index": "auditbeat-*",
"query": {
"language": "kuery",
"query": ""
},
"version": true
}
},
"sort": [
"@timestamp",
"desc"
],
"title": "Audit Event Table [Auditbeat Auditd] ECS",
"version": 1
},
"id": "0f10c430-c1c3-11e7-8995-936807a28b16-ecs",
"type": "search",
"updated_at": "2018-01-16T22:51:24.572Z",
"version": 4
},
{
"attributes": {
"description": "Summary of Linux kernel audit events.",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"highlightAll": true,
"query": {
"language": "kuery",
"query": ""
},
"version": true
}
},
"optionsJSON": {
"darkTheme": false,
"useMargins": false
},
"panelsJSON": [
{
"gridData": {
"h": 3,
"i": "1",
"w": 7,
"x": 0,
"y": 0
},
"id": "97680df0-c1c0-11e7-8995-936807a28b16-ecs",
"panelIndex": "1",
"type": "visualization",
"version": "6.2.4"
},
{
"gridData": {
"h": 3,
"i": "4",
"w": 5,
"x": 7,
"y": 0
},
"id": "08679220-c25a-11e7-8692-232bd1143e8a-ecs",
"panelIndex": "4",
"type": "visualization",
"version": "6.2.4"
},
{
"gridData": {
"h": 5,
"i": "5",
"w": 12,
"x": 0,
"y": 3
},
"id": "0f10c430-c1c3-11e7-8995-936807a28b16-ecs",
"panelIndex": "5",
"type": "search",
"version": "6.2.4"
}
],
"timeRestore": false,
"title": "[Auditbeat Auditd] Overview ECS",
"version": 1
},
"id": "c0ac2c00-c1c0-11e7-8995-936807a28b16-ecs",
"type": "dashboard",
"updated_at": "2018-01-16T22:55:17.775Z",
"version": 5
}
],
"version": "6.2.4"
}

View File

@ -1,930 +0,0 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"apply": true,
"disabled": false,
"index": "auditbeat-*",
"key": "auditd.summary.object.secondary",
"negate": true,
"params": {
"query": "0",
"type": "phrase"
},
"type": "phrase",
"value": "0"
},
"query": {
"match": {
"auditd.summary.object.secondary": {
"query": "0",
"type": "phrase"
}
}
}
}
],
"query": {
"language": "kuery",
"query": ""
}
}
},
"savedSearchId": "b4c93470-c240-11e7-8692-232bd1143e8a-ecs",
"title": "Bind (non-ephemeral) [Auditbeat Auditd] ECS",
"uiStateJSON": {
"vis": {
"params": {
"sort": {
"columnIndex": null,
"direction": null
}
}
}
},
"version": 1,
"visState": {
"aggs": [
{
"enabled": true,
"id": "1",
"params": {},
"schema": "metric",
"type": "count"
},
{
"enabled": true,
"id": "2",
"params": {
"customLabel": "Exe",
"field": "auditd.summary.how",
"order": "desc",
"orderBy": "_term",
"size": 50
},
"schema": "bucket",
"type": "terms"
},
{
"enabled": true,
"id": "3",
"params": {
"customLabel": "Address",
"field": "auditd.summary.object.primary",
"order": "desc",
"orderBy": "_term",
"size": 10
},
"schema": "bucket",
"type": "terms"
},
{
"enabled": true,
"id": "4",
"params": {
"customLabel": "Port",
"field": "auditd.summary.object.secondary",
"order": "desc",
"orderBy": "_term",
"size": 10
},
"schema": "bucket",
"type": "terms"
}
],
"params": {
"perPage": 10,
"showMeticsAtAllLevels": false,
"showPartialRows": false,
"showTotal": false,
"sort": {
"columnIndex": null,
"direction": null
},
"totalFunc": "sum"
},
"title": "Bind (non-ephemeral) [Auditbeat Auditd] ECS",
"type": "table"
}
},
"id": "faf882f0-c242-11e7-8692-232bd1143e8a-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:08:02.522Z",
"version": 3
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"query": {
"language": "kuery",
"query": ""
}
}
},
"savedSearchId": "5438b030-c246-11e7-8692-232bd1143e8a-ecs",
"title": "Connect [Auditbeat Auditd] ECS",
"uiStateJSON": {
"vis": {
"params": {
"sort": {
"columnIndex": null,
"direction": null
}
}
}
},
"version": 1,
"visState": {
"aggs": [
{
"enabled": true,
"id": "1",
"params": {},
"schema": "metric",
"type": "count"
},
{
"enabled": true,
"id": "2",
"params": {
"customLabel": "Exe",
"field": "process.executable",
"order": "desc",
"orderBy": "1",
"size": 50
},
"schema": "bucket",
"type": "terms"
},
{
"enabled": true,
"id": "3",
"params": {
"customLabel": "Address",
"field": "auditd.summary.object.primary",
"order": "desc",
"orderBy": "1",
"size": 10
},
"schema": "bucket",
"type": "terms"
},
{
"enabled": true,
"id": "4",
"params": {
"customLabel": "Port",
"field": "auditd.summary.object.secondary",
"order": "desc",
"orderBy": "1",
"size": 5
},
"schema": "bucket",
"type": "terms"
}
],
"params": {
"perPage": 10,
"showMeticsAtAllLevels": false,
"showPartialRows": false,
"showTotal": false,
"sort": {
"columnIndex": null,
"direction": null
},
"totalFunc": "sum"
},
"title": "Connect [Auditbeat Auditd] ECS",
"type": "table"
}
},
"id": "ea483730-c246-11e7-8692-232bd1143e8a-ecs",
"type": "visualization",
"updated_at": "2018-01-16T23:24:16.851Z",
"version": 4
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"query": {
"language": "kuery",
"query": ""
}
}
},
"savedSearchId": "e8734160-c24c-11e7-8692-232bd1143e8a-ecs",
"title": "Accept / Recvfrom Unique Address Table [Auditbeat Auditd] ECS",
"uiStateJSON": {
"spy": {
"mode": {
"fill": false,
"name": null
}
},
"vis": {
"params": {
"sort": {
"columnIndex": null,
"direction": null
}
}
}
},
"version": 1,
"visState": {
"aggs": [
{
"enabled": true,
"id": "1",
"params": {
"customLabel": "Unique Addresses",
"field": "auditd.summary.object.primary"
},
"schema": "metric",
"type": "cardinality"
},
{
"enabled": true,
"id": "2",
"params": {
"customLabel": "Exe",
"field": "process.executable",
"order": "desc",
"orderBy": "1",
"size": 50
},
"schema": "bucket",
"type": "terms"
},
{
"enabled": true,
"id": "3",
"params": {
"customLabel": "Syscall",
"field": "auditd.data.syscall",
"order": "desc",
"orderBy": "1",
"size": 5
},
"schema": "bucket",
"type": "terms"
}
],
"params": {
"perPage": 10,
"showMeticsAtAllLevels": false,
"showPartialRows": false,
"showTotal": false,
"sort": {
"columnIndex": null,
"direction": null
},
"totalFunc": "sum"
},
"title": "Accept / Recvfrom Unique Address Table [Auditbeat Auditd] ECS",
"type": "table"
}
},
"id": "ceb91de0-c250-11e7-8692-232bd1143e8a-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:16:51.535Z",
"version": 5
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {}
},
"title": "Socket Syscalls Time Series [Auditbeat Auditd] ECS",
"uiStateJSON": {},
"version": 1,
"visState": {
"aggs": [],
"params": {
"axis_formatter": "number",
"axis_position": "left",
"background_color_rules": [
{
"id": "95b603d0-c252-11e7-8a68-93ffe9ec5950"
}
],
"bar_color_rules": [
{
"id": "2cebb0c0-c252-11e7-8a68-93ffe9ec5950"
}
],
"filter": "auditd.summary.object.type:socket",
"gauge_color_rules": [
{
"id": "6c891740-c252-11e7-8a68-93ffe9ec5950"
}
],
"gauge_inner_width": 10,
"gauge_style": "half",
"gauge_width": 10,
"id": "61ca57f0-469d-11e7-af02-69e470af7417",
"index_pattern": "auditbeat-*",
"interval": "auto",
"legend_position": "left",
"series": [
{
"axis_position": "right",
"chart_type": "line",
"color": "#68BC00",
"fill": 0.5,
"formatter": "number",
"id": "61ca57f1-469d-11e7-af02-69e470af7417",
"label": "syscall",
"line_width": 1,
"metrics": [
{
"id": "61ca57f2-469d-11e7-af02-69e470af7417",
"type": "count"
}
],
"point_size": 1,
"seperate_axis": 0,
"split_mode": "terms",
"stacked": "none",
"terms_field": "auditd.data.syscall"
}
],
"show_grid": 1,
"show_legend": 1,
"time_field": "@timestamp",
"type": "timeseries"
},
"title": "Socket Syscalls Time Series [Auditbeat Auditd] ECS",
"type": "metrics"
}
},
"id": "b21e0c70-c252-11e7-8692-232bd1143e8a-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:13:38.857Z",
"version": 3
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"index": "auditbeat-*",
"query": {
"language": "kuery",
"query": ""
}
}
},
"title": "Socket Families [Auditbeat Auditd] ECS",
"uiStateJSON": {},
"version": 1,
"visState": {
"aggs": [
{
"enabled": true,
"id": "1",
"params": {},
"schema": "metric",
"type": "count"
},
{
"enabled": true,
"id": "2",
"params": {
"customLabel": "Socket Family",
"field": "auditd.data.socket.family",
"order": "desc",
"orderBy": "1",
"size": 10
},
"schema": "segment",
"type": "terms"
},
{
"enabled": true,
"id": "3",
"params": {
"customLabel": "Syscall",
"field": "auditd.data.syscall",
"order": "desc",
"orderBy": "1",
"size": 10
},
"schema": "segment",
"type": "terms"
}
],
"params": {
"addLegend": true,
"addTooltip": true,
"isDonut": true,
"legendPosition": "left",
"type": "pie"
},
"title": "Socket Families [Auditbeat Auditd] ECS",
"type": "pie"
}
},
"id": "a8e20450-c256-11e7-8692-232bd1143e8a-ecs",
"type": "visualization",
"updated_at": "2018-01-16T22:12:51.655Z",
"version": 3
},
{
"attributes": {
"columns": [
"agent.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.data.socket.family",
"auditd.result"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"index": "auditbeat-*",
"key": "event.module",
"negate": false,
"params": {
"query": "auditd",
"type": "phrase"
},
"type": "phrase",
"value": "auditd"
},
"query": {
"match": {
"event.module": {
"query": "auditd",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"index": "auditbeat-*",
"key": "auditd.data.syscall",
"negate": false,
"params": {
"query": "bind",
"type": "phrase"
},
"type": "phrase",
"value": "bind"
},
"query": {
"match": {
"auditd.data.syscall": {
"query": "bind",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"index": "auditbeat-*",
"key": "auditd.data.socket.family",
"negate": true,
"params": {
"query": "netlink",
"type": "phrase"
},
"type": "phrase",
"value": "netlink"
},
"query": {
"match": {
"auditd.data.socket.family": {
"query": "netlink",
"type": "phrase"
}
}
}
}
],
"highlightAll": true,
"index": "auditbeat-*",
"query": {
"language": "kuery",
"query": ""
},
"version": true
}
},
"sort": [
"@timestamp",
"desc"
],
"title": "Socket Binds [Auditbeat Auditd] ECS",
"version": 1
},
"id": "b4c93470-c240-11e7-8692-232bd1143e8a-ecs",
"type": "search",
"updated_at": "2018-01-16T23:05:58.935Z",
"version": 5
},
{
"attributes": {
"columns": [
"agent.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.data.socket.family",
"auditd.result",
"auditd.data.exit"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"index": "auditbeat-*",
"key": "event.module",
"negate": false,
"params": {
"query": "auditd",
"type": "phrase"
},
"type": "phrase",
"value": "auditd"
},
"query": {
"match": {
"event.module": {
"query": "auditd",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"index": "auditbeat-*",
"key": "event.action",
"negate": false,
"params": {
"query": "connected-to",
"type": "phrase"
},
"type": "phrase",
"value": "connected-to"
},
"query": {
"match": {
"event.action": {
"query": "connected-to",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"exists": {
"field": "auditd.summary.object.primary"
},
"meta": {
"alias": null,
"disabled": false,
"index": "auditbeat-*",
"key": "auditd.summary.object.primary",
"negate": false,
"type": "exists",
"value": "exists"
}
}
],
"highlightAll": true,
"index": "auditbeat-*",
"query": {
"language": "kuery",
"query": ""
},
"version": true
}
},
"sort": [
"@timestamp",
"desc"
],
"title": "Socket Connects [Auditbeat Auditd] ECS",
"version": 1
},
"id": "5438b030-c246-11e7-8692-232bd1143e8a-ecs",
"type": "search",
"updated_at": "2018-01-16T23:09:43.937Z",
"version": 5
},
{
"attributes": {
"columns": [
"agent.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.data.socket.family",
"event.action"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"index": "auditbeat-*",
"key": "event.module",
"negate": false,
"params": {
"query": "auditd",
"type": "phrase"
},
"type": "phrase",
"value": "auditd"
},
"query": {
"match": {
"event.module": {
"query": "auditd",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"index": "auditbeat-*",
"key": "auditd.summary.object.type",
"negate": false,
"params": {
"query": "socket",
"type": "phrase"
},
"type": "phrase",
"value": "socket"
},
"query": {
"match": {
"auditd.summary.object.type": {
"query": "socket",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"exists": {
"field": "auditd.summary.object.primary"
},
"meta": {
"alias": null,
"disabled": false,
"index": "auditbeat-*",
"key": "auditd.summary.object.primary",
"negate": false,
"type": "exists",
"value": "exists"
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"index": "auditbeat-*",
"key": "query",
"negate": false,
"type": "custom",
"value": "{\"terms\":{\"auditd.data.syscall\":[\"accept\",\"accept4\",\"recvfrom\",\"recvmsg\"]}}"
},
"query": {
"terms": {
"auditd.data.syscall": [
"accept",
"accept4",
"recvfrom",
"recvmsg"
]
}
}
}
],
"highlightAll": true,
"index": "auditbeat-*",
"query": {
"language": "kuery",
"query": ""
},
"version": true
}
},
"sort": [
"@timestamp",
"desc"
],
"title": "Socket Accept / Recvfrom [Auditbeat Auditd] ECS",
"version": 1
},
"id": "e8734160-c24c-11e7-8692-232bd1143e8a-ecs",
"type": "search",
"updated_at": "2018-01-16T23:20:51.403Z",
"version": 4
},
{
"attributes": {
"description": "Summary of socket related syscall events.",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"highlightAll": true,
"query": {
"language": "kuery",
"query": ""
},
"version": true
}
},
"optionsJSON": {
"darkTheme": false,
"useMargins": false
},
"panelsJSON": [
{
"embeddableConfig": {
"vis": {
"params": {
"sort": {
"columnIndex": null,
"direction": null
}
}
}
},
"gridData": {
"h": 4,
"i": "1",
"w": 6,
"x": 6,
"y": 3
},
"id": "faf882f0-c242-11e7-8692-232bd1143e8a-ecs",
"panelIndex": "1",
"type": "visualization",
"version": "6.2.4"
},
{
"embeddableConfig": {
"vis": {
"params": {
"sort": {
"columnIndex": null,
"direction": null
}
}
}
},
"gridData": {
"h": 5,
"i": "2",
"w": 6,
"x": 0,
"y": 7
},
"id": "ea483730-c246-11e7-8692-232bd1143e8a-ecs",
"panelIndex": "2",
"type": "visualization",
"version": "6.2.4"
},
{
"embeddableConfig": {
"vis": {
"params": {
"sort": {
"columnIndex": null,
"direction": null
}
}
}
},
"gridData": {
"h": 5,
"i": "3",
"w": 6,
"x": 6,
"y": 7
},
"id": "ceb91de0-c250-11e7-8692-232bd1143e8a-ecs",
"panelIndex": "3",
"type": "visualization",
"version": "6.2.4"
},
{
"gridData": {
"h": 3,
"i": "4",
"w": 12,
"x": 0,
"y": 0
},
"id": "b21e0c70-c252-11e7-8692-232bd1143e8a-ecs",
"panelIndex": "4",
"type": "visualization",
"version": "6.2.4"
},
{
"gridData": {
"h": 4,
"i": "5",
"w": 6,
"x": 0,
"y": 3
},
"id": "a8e20450-c256-11e7-8692-232bd1143e8a-ecs",
"panelIndex": "5",
"type": "visualization",
"version": "6.2.4"
}
],
"timeRestore": false,
"title": "[Auditbeat Auditd] Sockets ECS",
"version": 1
},
"id": "693a5f40-c243-11e7-8692-232bd1143e8a-ecs",
"type": "dashboard",
"updated_at": "2018-01-16T23:24:37.521Z",
"version": 4
}
],
"version": "6.2.4"
}


@ -1,999 +0,0 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package auditd
import (
"fmt"
"os"
"os/user"
"runtime"
"strconv"
"strings"
"sync"
"syscall"
"time"
"github.com/pkg/errors"
"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/libbeat/logp"
"github.com/elastic/beats/libbeat/monitoring"
"github.com/elastic/beats/metricbeat/mb"
"github.com/elastic/beats/metricbeat/mb/parse"
"github.com/elastic/go-libaudit"
"github.com/elastic/go-libaudit/aucoalesce"
"github.com/elastic/go-libaudit/auparse"
"github.com/elastic/go-libaudit/rule"
)
const (
namespace = "auditd"
auditLocked = 2
unicast = "unicast"
multicast = "multicast"
uidUnset = "unset"
lostEventsUpdateInterval = time.Second * 15
maxDefaultStreamBufferConsumers = 4
)
type backpressureStrategy uint8
const (
bsKernel backpressureStrategy = 1 << iota
bsUserSpace
bsAuto
)
var (
auditdMetrics = monitoring.Default.NewRegistry(moduleName)
reassemblerGapsMetric = monitoring.NewInt(auditdMetrics, "reassembler_seq_gaps")
kernelLostMetric = monitoring.NewInt(auditdMetrics, "kernel_lost")
userspaceLostMetric = monitoring.NewInt(auditdMetrics, "userspace_lost")
receivedMetric = monitoring.NewInt(auditdMetrics, "received_msgs")
)
func init() {
mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
mb.DefaultMetricSet(),
mb.WithHostParser(parse.EmptyHostParser),
mb.WithNamespace(namespace),
)
}
// MetricSet listens for audit messages from the Linux kernel using a netlink
// socket. It buffers the messages to ensure ordering and then streams the
// output. MetricSet implements the mb.PushMetricSet interface, and therefore
// does not rely on polling.
type MetricSet struct {
mb.BaseMetricSet
config Config
client *libaudit.AuditClient
log *logp.Logger
kernelLost struct {
enabled bool
counter uint32
}
backpressureStrategy backpressureStrategy
}
// New constructs a new MetricSet.
func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
config := defaultConfig
if err := base.Module().UnpackConfig(&config); err != nil {
return nil, errors.Wrap(err, "failed to unpack the auditd config")
}
log := logp.NewLogger(moduleName)
_, _, kernel, _ := kernelVersion()
log.Infof("auditd module is running as euid=%v on kernel=%v", os.Geteuid(), kernel)
client, err := newAuditClient(&config, log)
if err != nil {
return nil, errors.Wrap(err, "failed to create audit client")
}
reassemblerGapsMetric.Set(0)
kernelLostMetric.Set(0)
userspaceLostMetric.Set(0)
receivedMetric.Set(0)
return &MetricSet{
BaseMetricSet: base,
client: client,
config: config,
log: log,
backpressureStrategy: getBackpressureStrategy(config.BackpressureStrategy, log),
}, nil
}
func newAuditClient(c *Config, log *logp.Logger) (*libaudit.AuditClient, error) {
var err error
c.SocketType, err = determineSocketType(c, log)
if err != nil {
return nil, err
}
log.Infof("socket_type=%s will be used.", c.SocketType)
if c.SocketType == multicast {
return libaudit.NewMulticastAuditClient(nil)
}
return libaudit.NewAuditClient(nil)
}
// Run initializes the audit client and receives audit messages from the
// kernel until the reporter's done channel is closed.
func (ms *MetricSet) Run(reporter mb.PushReporterV2) {
defer ms.client.Close()
if err := ms.addRules(reporter); err != nil {
reporter.Error(err)
ms.log.Errorw("Failure adding audit rules", "error", err)
return
}
out, err := ms.receiveEvents(reporter.Done())
if err != nil {
reporter.Error(err)
ms.log.Errorw("Failure receiving audit events", "error", err)
return
}
if ms.kernelLost.enabled {
client, err := libaudit.NewAuditClient(nil)
if err != nil {
reporter.Error(err)
ms.log.Errorw("Failure creating audit monitoring client", "error", err)
}
go func() {
defer client.Close()
timer := time.NewTicker(lostEventsUpdateInterval)
defer timer.Stop()
for {
select {
case <-reporter.Done():
return
case <-timer.C:
if status, err := client.GetStatus(); err == nil {
ms.updateKernelLostMetric(status.Lost)
} else {
ms.log.Error("get status request failed:", err)
}
}
}
}()
}
// Spawn the stream buffer consumers
numConsumers := ms.config.StreamBufferConsumers
// By default (stream_buffer_consumers=0) use as many consumers as local CPUs
// with a max of `maxDefaultStreamBufferConsumers`
if numConsumers == 0 {
if numConsumers = runtime.GOMAXPROCS(-1); numConsumers > maxDefaultStreamBufferConsumers {
numConsumers = maxDefaultStreamBufferConsumers
}
}
var wg sync.WaitGroup
wg.Add(numConsumers)
for i := 0; i < numConsumers; i++ {
go func() {
defer wg.Done()
for {
select {
case <-reporter.Done():
return
case msgs := <-out:
reporter.Event(buildMetricbeatEvent(msgs, ms.config))
}
}
}()
}
wg.Wait()
}
func (ms *MetricSet) addRules(reporter mb.PushReporterV2) error {
rules := ms.config.rules()
if len(rules) == 0 {
ms.log.Info("No audit_rules were specified.")
return nil
}
client, err := libaudit.NewAuditClient(nil)
if err != nil {
return errors.Wrap(err, "failed to create audit client for adding rules")
}
defer client.Close()
// Don't attempt to change configuration if audit rules are locked (enabled == 2).
// Will result in EPERM.
status, err := client.GetStatus()
if err != nil {
err = errors.Wrap(err, "failed to get audit status before adding rules")
reporter.Error(err)
return err
}
if status.Enabled == auditLocked {
return errors.New("Skipping rule configuration: Audit rules are locked")
}
// Delete existing rules.
n, err := client.DeleteRules()
if err != nil {
return errors.Wrap(err, "failed to delete existing rules")
}
ms.log.Infof("Deleted %v pre-existing audit rules.", n)
// Add rule to ignore syscalls from this process
if rule, err := buildPIDIgnoreRule(os.Getpid()); err == nil {
rules = append([]auditRule{rule}, rules...)
} else {
ms.log.Errorf("Failed to build a rule to ignore self: %v", err)
}
// Add rules from config.
var failCount int
for _, rule := range rules {
if err = client.AddRule(rule.data); err != nil {
// Treat rule add errors as warnings and continue.
err = errors.Wrapf(err, "failed to add audit rule '%v'", rule.flags)
reporter.Error(err)
ms.log.Warnw("Failure adding audit rule", "error", err)
failCount++
}
}
ms.log.Infof("Successfully added %d of %d audit rules.",
len(rules)-failCount, len(rules))
return nil
}
func (ms *MetricSet) initClient() error {
if ms.config.SocketType == "multicast" {
// This request will fail with EPERM if this process does not have
// CAP_AUDIT_CONTROL, but we will ignore the response. The user will be
// required to ensure that auditing is enabled if the process is only
// given CAP_AUDIT_READ.
err := ms.client.SetEnabled(true, libaudit.NoWait)
return errors.Wrap(err, "failed to enable auditing in the kernel")
}
// Unicast client initialization (requires CAP_AUDIT_CONTROL and that the
// process be in initial PID namespace).
status, err := ms.client.GetStatus()
if err != nil {
return errors.Wrap(err, "failed to get audit status")
}
ms.kernelLost.enabled = true
ms.kernelLost.counter = status.Lost
ms.log.Infow("audit status from kernel at start", "audit_status", status)
if status.Enabled == auditLocked {
return errors.New("failed to configure: The audit system is locked")
}
if fm, _ := ms.config.failureMode(); status.Failure != fm {
if err = ms.client.SetFailure(libaudit.FailureMode(fm), libaudit.NoWait); err != nil {
return errors.Wrap(err, "failed to set audit failure mode in kernel")
}
}
if status.BacklogLimit != ms.config.BacklogLimit {
if err = ms.client.SetBacklogLimit(ms.config.BacklogLimit, libaudit.NoWait); err != nil {
return errors.Wrap(err, "failed to set audit backlog limit in kernel")
}
}
if ms.backpressureStrategy&(bsKernel|bsAuto) != 0 {
// "kernel" backpressure mitigation strategy
//
// configure the kernel to drop audit events immediately if the
// backlog queue is full.
if status.FeatureBitmap&libaudit.AuditFeatureBitmapBacklogWaitTime != 0 {
ms.log.Info("Setting kernel backlog wait time to prevent backpressure propagating to the kernel.")
if err = ms.client.SetBacklogWaitTime(0, libaudit.NoWait); err != nil {
return errors.Wrap(err, "failed to set audit backlog wait time in kernel")
}
} else {
if ms.backpressureStrategy == bsAuto {
ms.log.Warn("setting backlog wait time is not supported in this kernel. Enabling workaround.")
ms.backpressureStrategy |= bsUserSpace
} else {
return errors.New("kernel backlog wait time not supported by kernel, but required by backpressure_strategy")
}
}
}
if ms.backpressureStrategy&(bsKernel|bsUserSpace) == bsUserSpace && ms.config.RateLimit == 0 {
// force a rate limit if the user-space strategy will be used without
// corresponding backlog_wait_time setting in the kernel
ms.config.RateLimit = 5000
}
if status.RateLimit != ms.config.RateLimit {
if err = ms.client.SetRateLimit(ms.config.RateLimit, libaudit.NoWait); err != nil {
return errors.Wrap(err, "failed to set audit rate limit in kernel")
}
}
if status.Enabled == 0 {
if err = ms.client.SetEnabled(true, libaudit.NoWait); err != nil {
return errors.Wrap(err, "failed to enable auditing in the kernel")
}
}
if err := ms.client.WaitForPendingACKs(); err != nil {
return errors.Wrap(err, "failed to wait for ACKs")
}
if err := ms.client.SetPID(libaudit.WaitForReply); err != nil {
if errno, ok := err.(syscall.Errno); ok && errno == syscall.EEXIST && status.PID != 0 {
return fmt.Errorf("failed to set audit PID. An audit process is already running (PID %d)", status.PID)
}
return errors.Wrapf(err, "failed to set audit PID (current audit PID %d)", status.PID)
}
return nil
}
func (ms *MetricSet) updateKernelLostMetric(lost uint32) {
if !ms.kernelLost.enabled {
return
}
delta := int64(lost - ms.kernelLost.counter)
if delta >= 0 {
logFn := ms.log.Debugf
if delta > 0 {
logFn = ms.log.Infof
kernelLostMetric.Add(delta)
}
logFn("kernel lost events: %d (total: %d)", delta, lost)
} else {
ms.log.Warnf("kernel lost event counter reset from %d to %d", ms.kernelLost, lost)
}
ms.kernelLost.counter = lost
}
func (ms *MetricSet) receiveEvents(done <-chan struct{}) (<-chan []*auparse.AuditMessage, error) {
if err := ms.initClient(); err != nil {
return nil, err
}
out := make(chan []*auparse.AuditMessage, ms.config.StreamBufferQueueSize)
var st libaudit.Stream = &stream{done, out}
if ms.backpressureStrategy&bsUserSpace != 0 {
// "user-space" backpressure mitigation strategy
//
// Consume events from our side as fast as possible, by dropping events
// if the publishing pipeline would block.
ms.log.Info("Using non-blocking stream to prevent backpressure propagating to the kernel.")
st = &nonBlockingStream{done, out}
}
reassembler, err := libaudit.NewReassembler(int(ms.config.ReassemblerMaxInFlight), ms.config.ReassemblerTimeout, st)
if err != nil {
return nil, errors.Wrap(err, "failed to create Reassembler")
}
go maintain(done, reassembler)
go func() {
defer ms.log.Debug("receiveEvents goroutine exited")
defer close(out)
defer reassembler.Close()
for {
raw, err := ms.client.Receive(false)
if err != nil {
if errors.Cause(err) == syscall.EBADF {
// Client has been closed.
break
}
continue
}
if filterRecordType(raw.Type) {
continue
}
receivedMetric.Inc()
if err := reassembler.Push(raw.Type, raw.Data); err != nil {
ms.log.Debugw("Dropping audit message",
"record_type", raw.Type,
"message", string(raw.Data),
"error", err)
continue
}
}
}()
return out, nil
}
// maintain periodically evicts timed-out events from the Reassembler. This
// function will block until the done channel is closed or the Reassembler is
// closed.
func maintain(done <-chan struct{}, reassembler *libaudit.Reassembler) {
tick := time.NewTicker(500 * time.Millisecond)
defer tick.Stop()
for {
select {
case <-done:
return
case <-tick.C:
if err := reassembler.Maintain(); err != nil {
return
}
}
}
}
func filterRecordType(typ auparse.AuditMessageType) bool {
switch {
// REPLACE messages are tests to check if Auditbeat is still healthy by
// seeing if unicast messages can be sent without error from the kernel.
// Ignore them.
case typ == auparse.AUDIT_REPLACE:
return true
// Messages from 1300-2999 are valid audit message types.
case typ < auparse.AUDIT_USER_AUTH || typ > auparse.AUDIT_LAST_USER_MSG2:
return true
}
return false
}
func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event {
auditEvent, err := aucoalesce.CoalesceMessages(msgs)
if err != nil {
// Add messages on error so that it's possible to debug the problem.
out := mb.Event{RootFields: common.MapStr{}}
addEventOriginal(msgs, out.RootFields)
return out
}
if config.ResolveIDs {
aucoalesce.ResolveIDs(auditEvent)
}
eventOutcome := auditEvent.Result
if eventOutcome == "fail" {
eventOutcome = "failure"
}
out := mb.Event{
Timestamp: auditEvent.Timestamp,
RootFields: common.MapStr{
"event": common.MapStr{
"category": auditEvent.Category.String(),
"action": auditEvent.Summary.Action,
"outcome": eventOutcome,
},
},
ModuleFields: common.MapStr{
"message_type": strings.ToLower(auditEvent.Type.String()),
"sequence": auditEvent.Sequence,
"result": auditEvent.Result,
"data": createAuditdData(auditEvent.Data),
},
}
if auditEvent.Session != uidUnset {
out.ModuleFields.Put("session", auditEvent.Session)
}
// Add root level fields.
addUser(auditEvent.User, out.RootFields)
addProcess(auditEvent.Process, out.RootFields)
addFile(auditEvent.File, out.RootFields)
addAddress(auditEvent.Source, "source", out.RootFields)
addAddress(auditEvent.Dest, "destination", out.RootFields)
addNetwork(auditEvent.Net, out.RootFields)
if len(auditEvent.Tags) > 0 {
out.RootFields.Put("tags", auditEvent.Tags)
}
if config.Warnings && len(auditEvent.Warnings) > 0 {
warnings := make([]string, 0, len(auditEvent.Warnings))
for _, err := range auditEvent.Warnings {
warnings = append(warnings, err.Error())
}
out.RootFields.Put("error.message", warnings)
addEventOriginal(msgs, out.RootFields)
}
if config.RawMessage {
addEventOriginal(msgs, out.RootFields)
}
// Add module fields.
m := out.ModuleFields
if auditEvent.Summary.Actor.Primary != "" {
m.Put("summary.actor.primary", auditEvent.Summary.Actor.Primary)
}
if auditEvent.Summary.Actor.Secondary != "" {
m.Put("summary.actor.secondary", auditEvent.Summary.Actor.Secondary)
}
if auditEvent.Summary.Object.Primary != "" {
m.Put("summary.object.primary", auditEvent.Summary.Object.Primary)
}
if auditEvent.Summary.Object.Secondary != "" {
m.Put("summary.object.secondary", auditEvent.Summary.Object.Secondary)
}
if auditEvent.Summary.Object.Type != "" {
m.Put("summary.object.type", auditEvent.Summary.Object.Type)
}
if auditEvent.Summary.How != "" {
m.Put("summary.how", auditEvent.Summary.How)
}
if len(auditEvent.Paths) > 0 {
m.Put("paths", auditEvent.Paths)
}
switch auditEvent.Category {
case aucoalesce.EventTypeUserLogin:
// Customize event.type / event.category to match unified values.
normalizeEventFields(out.RootFields)
// Set ECS user fields from the attempted login account.
if usernameOrID := auditEvent.Summary.Actor.Secondary; usernameOrID != "" {
if usr, err := resolveUsernameOrID(usernameOrID); err == nil {
out.RootFields.Put("user.name", usr.Username)
out.RootFields.Put("user.id", usr.Uid)
} else {
// The login account doesn't exists. Treat it as a user name
out.RootFields.Put("user.name", usernameOrID)
out.RootFields.Delete("user.id")
}
}
}
return out
}
func resolveUsernameOrID(userOrID string) (usr *user.User, err error) {
usr, err = user.Lookup(userOrID)
if err == nil {
// User found by name
return
}
if _, ok := err.(user.UnknownUserError); !ok {
// Lookup failed by a reason other than user not found
return
}
return user.LookupId(userOrID)
}
func normalizeEventFields(m common.MapStr) {
getFieldAsStr := func(key string) (s string, found bool) {
iface, err := m.GetValue(key)
if err != nil {
return
}
s, found = iface.(string)
return
}
category, ok1 := getFieldAsStr("event.category")
action, ok2 := getFieldAsStr("event.action")
outcome, ok3 := getFieldAsStr("event.outcome")
if !ok1 || !ok2 || !ok3 {
return
}
if category == "user-login" && action == "logged-in" { // USER_LOGIN
m.Put("event.category", "authentication")
m.Put("event.type", fmt.Sprintf("authentication_%s", outcome))
}
}
func addUser(u aucoalesce.User, m common.MapStr) {
user := common.MapStr{}
m.Put("user", user)
for id, value := range u.IDs {
if value == uidUnset {
continue
}
switch id {
case "uid":
user["id"] = value
case "gid":
user.Put("group.id", value)
case "euid":
user.Put("effective.id", value)
case "egid":
user.Put("effective.group.id", value)
case "suid":
user.Put("saved.id", value)
case "sgid":
user.Put("saved.group.id", value)
case "fsuid":
user.Put("filesystem.id", value)
case "fsgid":
user.Put("filesystem.group.id", value)
case "auid":
user.Put("audit.id", value)
default:
user.Put(id+".id", value)
}
if len(u.SELinux) > 0 {
user["selinux"] = u.SELinux
}
}
for id, value := range u.Names {
switch id {
case "uid":
user["name"] = value
case "gid":
user.Put("group.name", value)
case "euid":
user.Put("effective.name", value)
case "egid":
user.Put("effective.group.name", value)
case "suid":
user.Put("saved.name", value)
case "sgid":
user.Put("saved.group.name", value)
case "fsuid":
user.Put("filesystem.name", value)
case "fsgid":
user.Put("filesystem.group.name", value)
case "auid":
user.Put("audit.name", value)
default:
user.Put(id+".name", value)
}
}
}
func addProcess(p aucoalesce.Process, m common.MapStr) {
if p.IsEmpty() {
return
}
process := common.MapStr{}
m.Put("process", process)
if p.PID != "" {
if pid, err := strconv.Atoi(p.PID); err == nil {
process["pid"] = pid
}
}
if p.PPID != "" {
if ppid, err := strconv.Atoi(p.PPID); err == nil {
process["ppid"] = ppid
}
}
if p.Title != "" {
process["title"] = p.Title
}
if p.Name != "" {
process["name"] = p.Name
}
if p.Exe != "" {
process["executable"] = p.Exe
}
if p.CWD != "" {
process["working_directory"] = p.CWD
}
if len(p.Args) > 0 {
process["args"] = p.Args
}
}
func addFile(f *aucoalesce.File, m common.MapStr) {
if f == nil {
return
}
file := common.MapStr{}
m.Put("file", file)
if f.Path != "" {
file["path"] = f.Path
}
if f.Device != "" {
file["device"] = f.Device
}
if f.Inode != "" {
file["inode"] = f.Inode
}
if f.Mode != "" {
file["mode"] = f.Mode
}
if f.UID != "" {
file["uid"] = f.UID
}
if f.GID != "" {
file["gid"] = f.GID
}
if f.Owner != "" {
file["owner"] = f.Owner
}
if f.Group != "" {
file["group"] = f.Group
}
if len(f.SELinux) > 0 {
file["selinux"] = f.SELinux
}
}
func addAddress(addr *aucoalesce.Address, key string, m common.MapStr) {
if addr == nil {
return
}
address := common.MapStr{}
m.Put(key, address)
if addr.Hostname != "" {
address["domain"] = addr.Hostname
}
if addr.IP != "" {
address["ip"] = addr.IP
}
if addr.Port != "" {
address["port"] = addr.Port
}
if addr.Path != "" {
address["path"] = addr.Path
}
}
func addNetwork(net *aucoalesce.Network, m common.MapStr) {
if net == nil {
return
}
network := common.MapStr{
"direction": net.Direction,
}
m.Put("network", network)
}
func addEventOriginal(msgs []*auparse.AuditMessage, m common.MapStr) {
const key = "event.original"
if len(msgs) == 0 {
return
}
original, _ := m.GetValue(key)
if original != nil {
return
}
rawMsgs := make([]string, 0, len(msgs))
for _, msg := range msgs {
rawMsgs = append(rawMsgs, "type="+msg.RecordType.String()+" msg="+msg.RawData)
}
m.Put(key, rawMsgs)
}
func createAuditdData(data map[string]string) common.MapStr {
out := make(common.MapStr, len(data))
for key, v := range data {
if strings.HasPrefix(key, "socket_") {
out.Put("socket."+key[7:], v)
continue
}
out.Put(key, v)
}
return out
}
// stream type
// stream receives callbacks from the libaudit.Reassembler for completed events
// or lost events that are detected by gaps in sequence numbers.
type stream struct {
done <-chan struct{}
out chan<- []*auparse.AuditMessage
}
func (s *stream) ReassemblyComplete(msgs []*auparse.AuditMessage) {
select {
case <-s.done:
return
case s.out <- msgs:
}
}
func (s *stream) EventsLost(count int) {
reassemblerGapsMetric.Add(int64(count))
}
// nonBlockingStream behaves as stream above, except that it will never block
// on backpressure from the publishing pipeline.
// Instead, events will be discarded.
type nonBlockingStream stream
func (s *nonBlockingStream) ReassemblyComplete(msgs []*auparse.AuditMessage) {
select {
case <-s.done:
return
case s.out <- msgs:
default:
userspaceLostMetric.Add(int64(len(msgs)))
}
}
func (s *nonBlockingStream) EventsLost(count int) {
(*stream)(s).EventsLost(count)
}
func hasMulticastSupport() bool {
// Check the kernel version because 3.16+ should have multicast
// support.
major, minor, _, err := kernelVersion()
if err != nil {
// Assume not supported.
return false
}
switch {
case major > 3,
major == 3 && minor >= 16:
return true
}
return false
}
func kernelVersion() (major, minor int, full string, err error) {
var uname syscall.Utsname
if err := syscall.Uname(&uname); err != nil {
return 0, 0, "", err
}
length := len(uname.Release)
data := make([]byte, length)
for i, v := range uname.Release {
if v == 0 {
length = i
break
}
data[i] = byte(v)
}
release := string(data[:length])
parts := strings.SplitN(release, ".", 3)
if len(parts) < 2 {
return 0, 0, release, errors.Errorf("failed to parse uname release '%v'", release)
}
major, err = strconv.Atoi(parts[0])
if err != nil {
return 0, 0, release, errors.Wrapf(err, "failed to parse major version from '%v'", release)
}
minor, err = strconv.Atoi(parts[1])
if err != nil {
return 0, 0, release, errors.Wrapf(err, "failed to parse minor version from '%v'", release)
}
return major, minor, release, nil
}
func determineSocketType(c *Config, log *logp.Logger) (string, error) {
client, err := libaudit.NewAuditClient(nil)
if err != nil {
if c.SocketType == "" {
return "", errors.Wrap(err, "failed to create audit client")
}
// Ignore errors if a socket type has been specified. It will fail during
// further setup and its necessary for unit tests to pass
return c.SocketType, nil
}
defer client.Close()
status, err := client.GetStatus()
if err != nil {
if c.SocketType == "" {
return "", errors.Wrap(err, "failed to get audit status")
}
return c.SocketType, nil
}
rules := c.rules()
isLocked := status.Enabled == auditLocked
hasMulticast := hasMulticastSupport()
hasRules := len(rules) > 0
const useAutodetect = "Remove the socket_type option to have auditbeat " +
"select the most suitable subscription method."
switch c.SocketType {
case unicast:
if isLocked {
log.Errorf("requested unicast socket_type is not available "+
"because audit configuration is locked in the kernel "+
"(enabled=2). %s", useAutodetect)
return "", errors.New("unicast socket_type not available")
}
return c.SocketType, nil
case multicast:
if hasMulticast {
if hasRules {
log.Warn("The audit rules specified in the configuration " +
"cannot be applied when using a multicast socket_type.")
}
return c.SocketType, nil
}
log.Errorf("socket_type is set to multicast but based on the "+
"kernel version, multicast audit subscriptions are not supported. %s",
useAutodetect)
return "", errors.New("multicast socket_type not available")
default:
// attempt to determine the optimal socket_type
if hasMulticast {
if hasRules {
if isLocked {
log.Warn("Audit rules specified in the configuration " +
"cannot be applied because the audit rules have been locked " +
"in the kernel (enabled=2). A multicast audit subscription " +
"will be used instead, which does not support setting rules")
return multicast, nil
}
return unicast, nil
}
return multicast, nil
}
if isLocked {
log.Errorf("Cannot continue: audit configuration is locked " +
"in the kernel (enabled=2) which prevents using unicast " +
"sockets. Multicast audit subscriptions are not available " +
"in this kernel. Disable locking the audit configuration " +
"to use auditbeat.")
return "", errors.New("no connection to audit available")
}
return unicast, nil
}
}
func getBackpressureStrategy(value string, logger *logp.Logger) backpressureStrategy {
switch value {
case "kernel":
return bsKernel
case "userspace", "user-space":
return bsUserSpace
case "auto":
return bsAuto
case "both":
return bsKernel | bsUserSpace
case "none":
return 0
default:
logger.Warn("Unknown value for the 'backpressure_strategy' option. Using default.")
fallthrough
case "", "default":
return bsAuto
}
}
func buildPIDIgnoreRule(pid int) (ruleData auditRule, err error) {
r := rule.SyscallRule{
Type: rule.AppendSyscallRuleType,
List: "exit",
Action: "never",
Filters: []rule.FilterSpec{
{
Type: rule.ValueFilterType,
LHS: "pid",
Comparator: "=",
RHS: strconv.Itoa(pid),
},
},
Syscalls: []string{"all"},
Keys: nil,
}
ruleData.flags = fmt.Sprintf("-A exit,never -F pid=%d -S all", pid)
ruleData.data, err = rule.Build(&r)
return ruleData, err
}

View File

@ -1,389 +0,0 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package auditd
import (
"encoding/json"
"flag"
"fmt"
"io/ioutil"
"os"
"os/exec"
"os/user"
"sort"
"strings"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/prometheus/procfs"
"github.com/elastic/beats/auditbeat/core"
"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/libbeat/logp"
"github.com/elastic/beats/libbeat/mapping"
"github.com/elastic/beats/metricbeat/mb"
mbtest "github.com/elastic/beats/metricbeat/mb/testing"
"github.com/elastic/go-libaudit"
"github.com/elastic/go-libaudit/auparse"
)
// Specify the -audit flag when running these tests to interact with the real
// kernel instead of mocks. If running in Docker this requires being in the
// host PID namespace (--pid=host) and having CAP_AUDIT_CONTROL and
// CAP_AUDIT_WRITE (so use --privileged).
var audit = flag.Bool("audit", false, "interact with the real audit framework")
var (
userLoginFailMsg = `type=USER_LOGIN msg=audit(1492896301.818:19955): pid=12635 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=179.38.151.221 terminal=sshd res=failed'`
userLoginSuccessMsg = `type=USER_LOGIN msg=audit(1492896303.915:19956): pid=12635 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=61647269616E exe="/usr/sbin/sshd" hostname=? addr=179.38.151.221 terminal=sshd res=success'`
userAuthMsg = `type=USER_AUTH msg=audit(1552714590.571:21114): pid=11312 uid=0 auid=0 ses=62 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname="test" addr="127.0.0.1" terminal=/dev/pts/0 res=success'`
execveMsgs = []string{
`type=SYSCALL msg=audit(1492752522.985:8972): arch=c000003e syscall=59 success=yes exit=0 a0=10812c8 a1=1070208 a2=1152008 a3=59a items=2 ppid=10027 pid=10043 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts0 ses=11 comm="uname" exe="/bin/uname" key="key=user_commands"`,
`type=EXECVE msg=audit(1492752522.985:8972): argc=2 a0="uname" a1="-a"`,
`type=CWD msg=audit(1492752522.985:8972): cwd="/home/andrew_kroh"`,
`type=PATH msg=audit(1492752522.985:8972): item=0 name="/bin/uname" inode=155 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL`,
`type=PATH msg=audit(1492752522.985:8972): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1923 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL`,
`type=PROCTITLE msg=audit(1492752522.985:8972): proctitle=756E616D65002D61`,
`type=EOE msg=audit(1492752522.985:8972):`,
}
acceptMsgs = []string{
`type=SYSCALL msg=audit(1492752520.441:8832): arch=c000003e syscall=43 success=yes exit=5 a0=3 a1=7ffd0dc80040 a2=7ffd0dc7ffd0 a3=0 items=0 ppid=1 pid=1663 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="key=net"`,
`type=SOCKADDR msg=audit(1492752520.441:8832): saddr=0200E31C4853E6640000000000000000`,
`type=PROCTITLE msg=audit(1492752520.441:8832): proctitle="(sshd)"`,
`type=EOE msg=audit(1492752520.441:8832):`,
}
)
func TestData(t *testing.T) {
logp.TestingSetup()
// Create a mock netlink client that provides the expected responses.
mock := NewMock().
// Get Status response for initClient
returnACK().returnStatus().
// Send expected ACKs for initialization
returnACK().returnACK().returnACK().returnACK().returnACK().
// Send three auditd messages.
returnMessage(userLoginFailMsg).
returnMessage(execveMsgs...).
returnMessage(acceptMsgs...)
// Replace the default AuditClient with a mock.
ms := mbtest.NewPushMetricSetV2(t, getConfig())
auditMetricSet := ms.(*MetricSet)
auditMetricSet.client.Close()
auditMetricSet.client = &libaudit.AuditClient{Netlink: mock}
events := mbtest.RunPushMetricSetV2(10*time.Second, 3, ms)
if len(events) != 3 {
t.Fatalf("expected 3 events, but received %d", len(events))
}
assertNoErrors(t, events)
assertFieldsAreDocumented(t, events)
beatEvent := mbtest.StandardizeEvent(ms, events[0], core.AddDatasetToEvent)
mbtest.WriteEventToDataJSON(t, beatEvent, "")
}
func TestLoginType(t *testing.T) {
logp.TestingSetup()
// Create a mock netlink client that provides the expected responses.
mock := NewMock().
// Get Status response for initClient
returnACK().returnStatus().
// Send expected ACKs for initialization
returnACK().returnACK().returnACK().returnACK().returnACK().
// Send an authentication failure and a success.
returnMessage(userLoginFailMsg).
returnMessage(userLoginSuccessMsg).
returnMessage(userAuthMsg)
// Replace the default AuditClient with a mock.
ms := mbtest.NewPushMetricSetV2(t, getConfig())
auditMetricSet := ms.(*MetricSet)
auditMetricSet.client.Close()
auditMetricSet.client = &libaudit.AuditClient{Netlink: mock}
const expectedEvents = 3
events := mbtest.RunPushMetricSetV2(10*time.Second, expectedEvents, ms)
if len(events) != expectedEvents {
t.Fatalf("expected %d events, but received %d", expectedEvents, len(events))
}
assertNoErrors(t, events)
assertFieldsAreDocumented(t, events)
sort.Slice(events,
func(i, j int) bool {
return events[i].ModuleFields["sequence"].(uint32) < events[j].ModuleFields["sequence"].(uint32)
})
for idx, expected := range []common.MapStr{
{
"event.category": "authentication",
"event.type": "authentication_failure",
"event.outcome": "failure",
"user.name": "(invalid user)",
"user.id": nil,
"session": nil,
},
{
"event.category": "authentication",
"event.type": "authentication_success",
"event.outcome": "success",
"user.name": "adrian",
"user.audit.id": nil,
"auditd.session": nil,
},
{
"event.category": "user-login",
"event.outcome": "success",
"user.name": "root",
"user.id": "0",
"user.audit.id": "0",
"auditd.session": "62",
},
} {
beatEvent := mbtest.StandardizeEvent(ms, events[idx], core.AddDatasetToEvent)
mbtest.WriteEventToDataJSON(t, beatEvent, "")
for k, v := range expected {
msg := fmt.Sprintf("%s[%d]", k, idx)
cur, err := beatEvent.GetValue(k)
if v != nil {
assert.NoError(t, err, msg)
assert.Equal(t, v, cur, msg)
} else {
_, err := beatEvent.GetValue(k)
assert.Equal(t, common.ErrKeyNotFound, err, msg)
}
}
}
}
// assertFieldsAreDocumented mimics assert_fields_are_documented in Python system tests.
func assertFieldsAreDocumented(t *testing.T, events []mb.Event) {
fieldsYml, err := mapping.LoadFieldsYaml("../../fields.yml")
if err != nil {
t.Fatal(err)
}
documentedFields := fieldsYml.GetKeys()
for _, e := range events {
beatEvent := e.BeatEvent(moduleName, metricsetName, core.AddDatasetToEvent)
for eventFieldName := range beatEvent.Fields.Flatten() {
found := false
for _, documentedFieldName := range documentedFields {
// Have to use HasPrefix and not "==" since fields in auditd.paths.* get flattened
// to auditd.paths which does not exist in fields.yml.
if strings.HasPrefix(documentedFieldName, eventFieldName) {
found = true
break
}
}
if !found {
assert.Fail(t, "Field not documented", "Key '%v' found in event is not documented.", eventFieldName)
}
}
}
}
func getConfig() map[string]interface{} {
return map[string]interface{}{
"module": "auditd",
"failure_mode": "log",
"socket_type": "unicast",
"include_warnings": true,
"include_raw_message": true,
}
}
func TestUnicastClient(t *testing.T) {
if !*audit {
t.Skip("-audit was not specified")
}
logp.TestingSetup()
FailIfAuditdIsRunning(t)
c := map[string]interface{}{
"module": "auditd",
"socket_type": "unicast",
"audit_rules": fmt.Sprintf(`
-a always,exit -F arch=b64 -F ppid=%d -S execve -k exec
`, os.Getpid()),
}
// Any commands executed by this process will generate events due to the
// PPID filter we applied to the rule.
time.AfterFunc(time.Second, func() { exec.Command("cat", "/proc/self/status").Output() })
ms := mbtest.NewPushMetricSetV2(t, c)
events := mbtest.RunPushMetricSetV2(5*time.Second, 0, ms)
assertNoErrors(t, events)
assertHasBinCatExecve(t, events)
}
func TestMulticastClient(t *testing.T) {
if !*audit {
t.Skip("-audit was not specified")
}
if !hasMulticastSupport() {
t.Skip("no multicast support")
}
logp.TestingSetup()
FailIfAuditdIsRunning(t)
c := map[string]interface{}{
"module": "auditd",
"socket_type": "multicast",
"audit_rules": fmt.Sprintf(`
-a always,exit -F arch=b64 -F ppid=%d -S execve -k exec
`, os.Getpid()),
}
// Any commands executed by this process will generate events due to the
// PPID filter we applied to the rule.
time.AfterFunc(time.Second, func() { exec.Command("cat", "/proc/self/status").Output() })
ms := mbtest.NewPushMetricSetV2(t, c)
events := mbtest.RunPushMetricSetV2(5*time.Second, 0, ms)
assertNoErrors(t, events)
assertHasBinCatExecve(t, events)
}
func TestKernelVersion(t *testing.T) {
major, minor, full, err := kernelVersion()
if err != nil {
t.Fatal(err)
}
t.Logf("major=%v, minor=%v, full=%v", major, minor, full)
}
func FailIfAuditdIsRunning(t testing.TB) {
t.Helper()
procs, err := procfs.AllProcs()
if err != nil {
t.Fatal(err)
}
for _, proc := range procs {
comm, err := proc.Comm()
if err != nil {
t.Error(err)
continue
}
if comm == "auditd" {
t.Fatalf("auditd is running (pid=%d). This test cannot run while "+
"auditd is running.", proc.PID)
}
}
}
func TestBuildMetricbeatEvent(t *testing.T) {
if f := flag.Lookup("data"); f != nil && f.Value.String() == "false" {
t.Skip("skip data generation tests")
}
buildSampleEvent(t, acceptMsgs, "_meta/accept.json")
buildSampleEvent(t, execveMsgs, "_meta/execve.json")
}
func buildSampleEvent(t testing.TB, lines []string, filename string) {
var msgs []*auparse.AuditMessage
for _, txt := range lines {
m, err := auparse.ParseLogLine(txt)
if err != nil {
t.Fatal(err)
}
msgs = append(msgs, m)
}
e := buildMetricbeatEvent(msgs, defaultConfig)
beatEvent := e.BeatEvent(moduleName, metricsetName, core.AddDatasetToEvent)
output, err := json.MarshalIndent(&beatEvent.Fields, "", " ")
if err != nil {
t.Fatal(err)
}
if err := ioutil.WriteFile(filename, output, 0644); err != nil {
t.Fatal(err)
}
}
func assertHasBinCatExecve(t *testing.T, events []mb.Event) {
t.Helper()
for _, e := range events {
v, err := e.RootFields.GetValue("process.executable")
if err == nil {
if exe, ok := v.(string); ok && exe == "/bin/cat" {
return
}
}
}
assert.Fail(t, "expected an execve event for /bin/cat")
}
func assertNoErrors(t *testing.T, events []mb.Event) {
t.Helper()
for _, e := range events {
t.Log(e)
if e.Error != nil {
t.Errorf("received error: %+v", e.Error)
}
}
}
func BenchmarkResolveUsernameOrID(b *testing.B) {
for _, query := range []struct {
input string
name string
id string
err bool
}{
{input: "0", name: "root", id: "0"},
{input: "root", name: "root", id: "0"},
{input: "vagrant", name: "vagrant", id: "1000"},
{input: "1000", name: "vagrant", id: "1000"},
{input: "nonexisting", err: true},
{input: "9987", err: true},
} {
b.Run(query.input, func(b *testing.B) {
var usr *user.User
var err error
for i := 0; i < b.N; i++ {
usr, err = resolveUsernameOrID(query.input)
}
if assert.Equal(b, query.err, err != nil, fmt.Sprintf("%v", err)) && !query.err {
assert.Equal(b, query.name, usr.Username)
assert.Equal(b, query.id, usr.Uid)
}
})
}
}


@ -1,39 +0,0 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
// +build !linux
package auditd
import (
"github.com/pkg/errors"
"github.com/elastic/beats/metricbeat/mb"
"github.com/elastic/beats/metricbeat/mb/parse"
)
func init() {
mb.Registry.MustAddMetricSet(metricsetName, metricsetName, New,
mb.DefaultMetricSet(),
mb.WithHostParser(parse.EmptyHostParser),
)
}
// New constructs a new MetricSet.
func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
return nil, errors.Errorf("the %v module is only supported on Linux", metricsetName)
}


@ -1,215 +0,0 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package auditd
import (
"bufio"
"bytes"
"fmt"
"io"
"os"
"path/filepath"
"sort"
"strings"
"time"
"github.com/joeshaw/multierror"
"github.com/pkg/errors"
"github.com/elastic/go-libaudit/rule"
"github.com/elastic/go-libaudit/rule/flags"
)
const (
moduleName = "auditd"
metricsetName = "auditd"
recursiveGlobDepth = 8
)
// Config defines the kernel metricset's possible configuration options.
type Config struct {
ResolveIDs bool `config:"resolve_ids"` // Resolve UID/GIDs to names.
FailureMode string `config:"failure_mode"` // Failure mode for the kernel (silent, log, panic).
BacklogLimit uint32 `config:"backlog_limit"` // Max number of message to buffer in the auditd.
RateLimit uint32 `config:"rate_limit"` // Rate limit in messages/sec of messages from auditd.
RawMessage bool `config:"include_raw_message"` // Include the list of raw audit messages in the event.
Warnings bool `config:"include_warnings"` // Include warnings in the event (for dev/debug purposes only).
RulesBlob string `config:"audit_rules"` // Audit rules. One rule per line.
RuleFiles []string `config:"audit_rule_files"` // List of rule files.
SocketType string `config:"socket_type"` // Socket type to use with the kernel (unicast or multicast).
// Tuning options (advanced, use with care)
ReassemblerMaxInFlight uint32 `config:"reassembler.max_in_flight"`
ReassemblerTimeout time.Duration `config:"reassembler.timeout"`
StreamBufferQueueSize uint32 `config:"reassembler.queue_size"`
// BackpressureStrategy defines the strategy used to mitigate backpressure
// propagating to the kernel causing audited processes to block until
// Auditbeat can keep-up.
// One of "user-space", "kernel", "both", "none", "auto" (default)
BackpressureStrategy string `config:"backpressure_strategy"`
StreamBufferConsumers int `config:"stream_buffer_consumers"`
auditRules []auditRule
}
type auditRule struct {
flags string
data []byte
}
type ruleWithSource struct {
rule auditRule
source string
}
type ruleSet map[string]ruleWithSource
var defaultConfig = Config{
ResolveIDs: true,
FailureMode: "silent",
BacklogLimit: 8192,
RateLimit: 0,
RawMessage: false,
Warnings: false,
ReassemblerMaxInFlight: 50,
ReassemblerTimeout: 2 * time.Second,
StreamBufferQueueSize: 8192,
StreamBufferConsumers: 0,
}
// Validate validates the rules specified in the config.
func (c *Config) Validate() error {
var errs multierror.Errors
err := c.loadRules()
if err != nil {
errs = append(errs, err)
}
_, err = c.failureMode()
if err != nil {
errs = append(errs, err)
}
c.SocketType = strings.ToLower(c.SocketType)
switch c.SocketType {
case "", "unicast", "multicast":
default:
errs = append(errs, errors.Errorf("invalid socket_type "+
"'%v' (use unicast, multicast, or don't set a value)", c.SocketType))
}
return errs.Err()
}
// Rules returns a list of rules specified in the config.
func (c Config) rules() []auditRule {
return c.auditRules
}
func (c *Config) loadRules() error {
var paths []string
for _, pattern := range c.RuleFiles {
absPattern, err := filepath.Abs(pattern)
if err != nil {
return fmt.Errorf("unable to get the absolute path for %s: %v", pattern, err)
}
files, err := filepath.Glob(absPattern)
if err != nil {
return err
}
sort.Strings(files)
paths = append(paths, files...)
}
knownRules := ruleSet{}
rules, err := readRules(bytes.NewBufferString(c.RulesBlob), "(audit_rules at auditbeat.yml)", knownRules)
if err != nil {
return err
}
c.auditRules = append(c.auditRules, rules...)
for _, filename := range paths {
fHandle, err := os.Open(filename)
if err != nil {
return fmt.Errorf("unable to open rule file '%s': %v", filename, err)
}
rules, err = readRules(fHandle, filename, knownRules)
if err != nil {
return err
}
c.auditRules = append(c.auditRules, rules...)
}
return nil
}
func (c Config) failureMode() (uint32, error) {
switch strings.ToLower(c.FailureMode) {
case "silent":
return 0, nil
case "log":
return 1, nil
case "panic":
return 2, nil
default:
return 0, errors.Errorf("invalid failure_mode '%v' (use silent, log, or panic)", c.FailureMode)
}
}
func readRules(reader io.Reader, source string, knownRules ruleSet) (rules []auditRule, err error) {
var errs multierror.Errors
s := bufio.NewScanner(reader)
for lineNum := 1; s.Scan(); lineNum++ {
location := fmt.Sprintf("%s:%d", source, lineNum)
line := strings.TrimSpace(s.Text())
if len(line) == 0 || line[0] == '#' {
continue
}
// Parse the CLI flags into an intermediate rule specification.
r, err := flags.Parse(line)
if err != nil {
errs = append(errs, errors.Wrapf(err, "at %s: failed to parse rule '%v'", location, line))
continue
}
// Convert rule specification to a binary rule representation.
data, err := rule.Build(r)
if err != nil {
errs = append(errs, errors.Wrapf(err, "at %s: failed to interpret rule '%v'", location, line))
continue
}
// Detect duplicates based on the normalized binary rule representation.
existing, found := knownRules[string(data)]
if found {
errs = append(errs, errors.Errorf("at %s: rule '%v' is a duplicate of '%v' at %s", location, line, existing.rule.flags, existing.source))
continue
}
rule := auditRule{flags: line, data: []byte(data)}
knownRules[string(data)] = ruleWithSource{rule, location}
rules = append(rules, rule)
}
if len(errs) > 0 {
return nil, errors.Wrap(errs.Err(), "failed loading rules")
}
return rules, nil
}
