Migrate beat to go modules
2
Makefile
|
@ -7,7 +7,7 @@ BEAT_DOC_URL?=https://icinga.com/docs/icingabeat
|
|||
BEAT_GOPATH=$(firstword $(subst :, ,${GOPATH}))
|
||||
SYSTEM_TESTS=false
|
||||
TEST_ENVIRONMENT=false
|
||||
ES_BEATS?=./vendor/github.com/elastic/beats
|
||||
ES_BEATS?=./
|
||||
LIBBEAT_MAKEFILE=$(ES_BEATS)/libbeat/scripts/Makefile
|
||||
GOPACKAGES=$(shell govendor list -no-status +local)
|
||||
GOBUILD_FLAGS=-i -ldflags "-X $(BEAT_PATH)/vendor/github.com/elastic/beats/libbeat/version.buildTime=$(NOW) -X $(BEAT_PATH)/vendor/github.com/elastic/beats/libbeat/version.commit=$(COMMIT_ID)"
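Review bot: The context lines kept by this hunk still address the vendor tree the commit is moving away from: `GOPACKAGES=$(shell govendor list -no-status +local)` depends on govendor, and the `-X $(BEAT_PATH)/vendor/github.com/elastic/beats/libbeat/version.*` symbols no longer exist once libbeat is imported as `github.com/elastic/beats/v7/libbeat/...`, so the linker will silently drop them and the binary's buildTime/commit metadata will be empty. Under modules the two lines should become `GOPACKAGES=$(shell go list ./...)` and `GOBUILD_FLAGS=-ldflags "-X github.com/elastic/beats/v7/libbeat/version.buildTime=$(NOW) -X github.com/elastic/beats/v7/libbeat/version.commit=$(COMMIT_ID)"`; the `-i` build flag is also deprecated as of the Go 1.16 the new go.mod declares. It is not visible from the hunk whether `$(ES_BEATS)/libbeat/scripts/Makefile` resolves to anything once `ES_BEATS?=./`, since that path no longer points into the beats checkout — worth confirming, or deriving it via `go list -m -f '{{.Dir}}' github.com/elastic/beats/v7`.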
|
||||
|
|
|
@ -12,9 +12,9 @@ import (
|
|||
|
||||
"github.com/icinga/icingabeat/config"
|
||||
|
||||
"github.com/elastic/beats/libbeat/beat"
|
||||
"github.com/elastic/beats/libbeat/common"
|
||||
"github.com/elastic/beats/libbeat/logp"
|
||||
"github.com/elastic/beats/v7/libbeat/beat"
|
||||
"github.com/elastic/beats/v7/libbeat/common"
|
||||
"github.com/elastic/beats/v7/libbeat/logp"
|
||||
)
|
||||
|
||||
// Eventstream type
|
||||
|
|
|
@ -9,7 +9,7 @@ import (
|
|||
"net/url"
|
||||
"time"
|
||||
|
||||
"github.com/elastic/beats/libbeat/logp"
|
||||
"github.com/elastic/beats/v7/libbeat/logp"
|
||||
)
|
||||
|
||||
func requestURL(bt *Icingabeat, method string, URL *url.URL) (*http.Response, error) {
|
||||
|
|
|
@ -3,9 +3,9 @@ package beater
|
|||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/elastic/beats/libbeat/beat"
|
||||
"github.com/elastic/beats/libbeat/common"
|
||||
"github.com/elastic/beats/libbeat/logp"
|
||||
"github.com/elastic/beats/v7/libbeat/beat"
|
||||
"github.com/elastic/beats/v7/libbeat/common"
|
||||
"github.com/elastic/beats/v7/libbeat/logp"
|
||||
|
||||
"github.com/icinga/icingabeat/config"
|
||||
)
|
||||
|
|
|
@ -10,9 +10,9 @@ import (
|
|||
|
||||
"github.com/icinga/icingabeat/config"
|
||||
|
||||
"github.com/elastic/beats/libbeat/beat"
|
||||
"github.com/elastic/beats/libbeat/common"
|
||||
"github.com/elastic/beats/libbeat/logp"
|
||||
"github.com/elastic/beats/v7/libbeat/beat"
|
||||
"github.com/elastic/beats/v7/libbeat/common"
|
||||
"github.com/elastic/beats/v7/libbeat/logp"
|
||||
)
|
||||
|
||||
// Statuspoller type
|
||||
|
|
|
@ -3,8 +3,8 @@ package cmd
|
|||
import (
|
||||
"github.com/icinga/icingabeat/beater"
|
||||
|
||||
cmd "github.com/elastic/beats/libbeat/cmd"
|
||||
"github.com/elastic/beats/libbeat/cmd/instance"
|
||||
cmd "github.com/elastic/beats/v7/libbeat/cmd"
|
||||
"github.com/elastic/beats/v7/libbeat/cmd/instance"
|
||||
)
|
||||
|
||||
// Name of this beat
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
module github.com/icinga/icingabeat
|
||||
|
||||
go 1.16
|
||||
|
||||
replace (
|
||||
github.com/Microsoft/go-winio => github.com/bi-zone/go-winio v0.4.15
|
||||
github.com/Shopify/sarama => github.com/elastic/sarama v1.19.1-0.20210823122811-11c3ef800752
|
||||
github.com/cucumber/godog => github.com/cucumber/godog v0.8.1
|
||||
github.com/docker/docker => github.com/docker/engine v0.0.0-20191113042239-ea84732a7725
|
||||
github.com/docker/go-plugins-helpers => github.com/elastic/go-plugins-helpers v0.0.0-20200207104224-bdf17607b79f
|
||||
github.com/dop251/goja => github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20
|
||||
github.com/dop251/goja_nodejs => github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6
|
||||
github.com/fsnotify/fsevents => github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270
|
||||
github.com/fsnotify/fsnotify => github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d
|
||||
github.com/golang/glog => github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4
|
||||
github.com/google/gopacket => github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41
|
||||
github.com/insomniacslk/dhcp => github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 // indirect
|
||||
github.com/tonistiigi/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c
|
||||
golang.org/x/tools => golang.org/x/tools v0.0.0-20200602230032-c00d67ef29d0 // release 1.14
|
||||
)
|
||||
|
||||
require github.com/elastic/beats/v7 v7.14.2 // indirect
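Review bot: The `// indirect` marker on `require github.com/elastic/beats/v7 v7.14.2` is wrong: the import hunks above show the beat importing `github.com/elastic/beats/v7/libbeat/{beat,common,logp,cmd}` directly, so the line should read `require github.com/elastic/beats/v7 v7.14.2` and `go mod tidy` would remove the marker anyway. The `replace` block appears to be a copy of upstream beats' own replace set, which is required because a dependency's replace directives do not apply to consumers; it should carry a comment such as `// replace directives mirrored from github.com/elastic/beats/v7 v7.14.2 go.mod; re-sync when bumping beats` so the two stay in step on upgrades. Several of those replacements redirect well-known modules to personal forks pinned by pseudo-version, which go.sum will hold to fixed checksums, but any future bump of this block is a supply-chain change and deserves the same review as a new dependency. The `// release 1.14` remark on the `golang.org/x/tools` replacement looks inherited and may not reflect the `go 1.16` directive here — confirm it is still the intended pin.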
|
|
@ -0,0 +1,761 @@
|
|||
4d63.com/embedfiles v0.0.0-20190311033909-995e0740726f/go.mod h1:HxEsUxoVZyRxsZML/S6e2xAuieFMlGO0756ncWx1aXE=
|
||||
4d63.com/tz v1.1.1-0.20191124060701-6d37baae851b/go.mod h1:SHGqVdL7hd2ZaX2T9uEiOZ/OFAUfCCLURdLPJsd8ZNs=
|
||||
bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8=
|
||||
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
|
||||
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
|
||||
cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
|
||||
cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
|
||||
cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
|
||||
cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
|
||||
cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
|
||||
cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw=
|
||||
cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
|
||||
cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
|
||||
cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
|
||||
cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
|
||||
code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee/go.mod h1:Jzi+ccHgo/V/PLQUaQ6hnZcC1c4BS790gx21LRRui4g=
|
||||
code.cloudfoundry.org/go-loggregator v7.4.0+incompatible/go.mod h1:KPBTRqj+y738Nhf1+g4JHFaBU8j7dedirR5ETNHvMXU=
|
||||
code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f/go.mod h1:sk5LnIjB/nIEU7yP5sDQExVm62wu0pBh3yrElngUisI=
|
||||
code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a/go.mod h1:tkZo8GtzBjySJ7USvxm4E36lNQw1D3xM6oKHGqdaAJ4=
|
||||
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
|
||||
github.com/Azure/azure-amqp-common-go/v3 v3.0.0/go.mod h1:SY08giD/XbhTz07tJdpw1SoxQXHPN30+DI3Z04SYqyg=
|
||||
github.com/Azure/azure-event-hubs-go/v3 v3.1.2/go.mod h1:hR40byNJjKkS74+3RhloPQ8sJ8zFQeJ920Uk3oYY0+k=
|
||||
github.com/Azure/azure-pipeline-go v0.1.8/go.mod h1:XA1kFWRVhSK+KNFiOhfv83Fv8L9achrP7OxIzeTn1Yg=
|
||||
github.com/Azure/azure-pipeline-go v0.1.9/go.mod h1:XA1kFWRVhSK+KNFiOhfv83Fv8L9achrP7OxIzeTn1Yg=
|
||||
github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4=
|
||||
github.com/Azure/azure-sdk-for-go v37.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
|
||||
github.com/Azure/azure-storage-blob-go v0.6.0/go.mod h1:oGfmITT1V6x//CswqY2gtAHND+xIP64/qL7a5QJix0Y=
|
||||
github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0=
|
||||
github.com/Azure/go-amqp v0.12.6/go.mod h1:qApuH6OFTSKZFmCOxccvAv5rLizBQf4v8pRmG138DPo=
|
||||
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
|
||||
github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
|
||||
github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0=
|
||||
github.com/Azure/go-autorest/autorest v0.9.6/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630=
|
||||
github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
|
||||
github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc=
|
||||
github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q=
|
||||
github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q=
|
||||
github.com/Azure/go-autorest/autorest/azure/auth v0.4.2/go.mod h1:90gmfKdlmKgfjUpnCEpOJzsUEjrWDSLwHIG73tSXddM=
|
||||
github.com/Azure/go-autorest/autorest/azure/cli v0.3.1/go.mod h1:ZG5p860J94/0kI9mNJVoIoLgXcirM2gF5i2kWloofxw=
|
||||
github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
|
||||
github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g=
|
||||
github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
|
||||
github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
|
||||
github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM=
|
||||
github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA=
|
||||
github.com/Azure/go-autorest/autorest/validation v0.2.0/go.mod h1:3EEqHnBxQGHXRYq3HT1WyXAvT7LLY3tl70hw6tQIbjI=
|
||||
github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
|
||||
github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
|
||||
github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
|
||||
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
|
||||
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
|
||||
github.com/DataDog/zstd v1.4.1/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
|
||||
github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
|
||||
github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ=
|
||||
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
|
||||
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
|
||||
github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
|
||||
github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
|
||||
github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
|
||||
github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
|
||||
github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d/go.mod h1:VykaKG/ofkKje+MSvqjrDsz1wfyHIvEVFljhq2EOZ4g=
|
||||
github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41/go.mod h1:UdDNZ1OO62aGYVnPhxT1U6aI7ukYtA/kB8vaU0diBUM=
|
||||
github.com/aerospike/aerospike-client-go v1.27.1-0.20170612174108-0f3b54da6bdc/go.mod h1:zj8LBEnWBDOVEIJt8LvaRvDG5ARAoa5dBeHaB472NRc=
|
||||
github.com/akavel/rsrc v0.8.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c=
|
||||
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
||||
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
||||
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
|
||||
github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
|
||||
github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20/go.mod h1:cI59GRkC2FRaFYtgbYEqMlgnnfvAwXzjojyZKXwklNg=
|
||||
github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43/go.mod h1:tJPYQG4mnMeUtQvQKNkbsFrnmZOg59Qnf8CcctFv5v4=
|
||||
github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q=
|
||||
github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d/go.mod h1:T7PbCXFs94rrTttyxjbyT5+/1V8T2TYDejxUfHJjw1Y=
|
||||
github.com/apache/thrift v0.13.1-0.20200603211036-eac4d0c79a5f/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
|
||||
github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77/go.mod h1:bXvGk6IkT1Agy7qzJ+DjIw/SJ1AaB3AvAuMDVV+Vkoo=
|
||||
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
|
||||
github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
|
||||
github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
|
||||
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
|
||||
github.com/aws/aws-lambda-go v1.6.0/go.mod h1:zUsUQhAUjYzR8AuduJPCfhBuKWUaDbQiPOG+ouzmE1A=
|
||||
github.com/aws/aws-sdk-go-v2 v0.9.0/go.mod h1:sa1GePZ/LfBGI4dSq30f6uR4Tthll8axxtEPvlpXZ8U=
|
||||
github.com/awslabs/goformation/v3 v3.1.0/go.mod h1:hQ5RXo3GNm2laHWKizDzU5DsDy+yNcenSca2UxN0850=
|
||||
github.com/awslabs/goformation/v4 v4.1.0/go.mod h1:MBDN7u1lMNDoehbFuO4uPvgwPeolTMA2TzX1yO6KlxI=
|
||||
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
|
||||
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
|
||||
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
|
||||
github.com/bi-zone/go-winio v0.4.15/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
|
||||
github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI=
|
||||
github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
|
||||
github.com/bsm/sarama-cluster v2.1.14-0.20180625083203-7e67d87a6b3f+incompatible/go.mod h1:r7ao+4tTNXvWm+VRpRJchr2kQhqxgmAp2iEX5W96gMM=
|
||||
github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e/go.mod h1:V284PjgVwSk4ETmz84rpu9ehpGg7swlIH8npP9k2bGw=
|
||||
github.com/cavaliercoder/go-rpm v0.0.0-20190131055624-7a9c54e3d83e/go.mod h1:AZIh1CCnMrcVm6afFf96PBvE2MRpWFco91z8ObJtgDY=
|
||||
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
|
||||
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
|
||||
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
|
||||
github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
|
||||
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
|
||||
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
|
||||
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
|
||||
github.com/cloudfoundry-community/go-cfclient v0.0.0-20190808214049-35bcce23fc5f/go.mod h1:RtIewdO+K/czvxvIFCMbPyx7jdxSLL1RZ+DA/Vk8Lwg=
|
||||
github.com/cloudfoundry/noaa v2.1.0+incompatible/go.mod h1:5LmacnptvxzrTvMfL9+EJhgkUfIgcwI61BVSTh47ECo=
|
||||
github.com/cloudfoundry/sonde-go v0.0.0-20171206171820-b33733203bb4/go.mod h1:GS0pCHd7onIsewbw8Ue9qa9pZPv2V88cUZDttK6KzgI=
|
||||
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
|
||||
github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM=
|
||||
github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko=
|
||||
github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
|
||||
github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
|
||||
github.com/containerd/containerd v1.3.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
|
||||
github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
|
||||
github.com/containerd/continuity v0.0.0-20200107194136-26c1120b8d41/go.mod h1:Dq467ZllaHgAtVp4p1xUQWBrFXR9s/wyoTpG8zOJGkY=
|
||||
github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
|
||||
github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
|
||||
github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
|
||||
github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
|
||||
github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
|
||||
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
|
||||
github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
|
||||
github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
|
||||
github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
|
||||
github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
|
||||
github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
|
||||
github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
|
||||
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
|
||||
github.com/cucumber/godog v0.8.1/go.mod h1:vSh3r/lM+psC1BPXvdkSEuNjmXfpVqrMGYAElF6hxnA=
|
||||
github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
|
||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/davecgh/go-xdr v0.0.0-20161123171359-e6a2ba005892/go.mod h1:CTDl0pzVzE5DEzZhPfvhY/9sPFMQIxaJ9VAMs9AagrE=
|
||||
github.com/denisenkom/go-mssqldb v0.0.0-20200206145737-bbfc9a55622e/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
|
||||
github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY=
|
||||
github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY=
|
||||
github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b/go.mod h1:26P/7fbL4kUZVEVKLAKXkBXKOydDmM2p1e+NhhnBCAE=
|
||||
github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E=
|
||||
github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
|
||||
github.com/dgrijalva/jwt-go v3.2.1-0.20190620180102-5e25c22bd5d6+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
|
||||
github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
|
||||
github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1/go.mod h1:PRcPVAAma6zcLpFd4GZrjR/MRpood3TamjKI2m/z/Uw=
|
||||
github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
|
||||
github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
|
||||
github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
|
||||
github.com/docker/engine v0.0.0-20191113042239-ea84732a7725/go.mod h1:3CPr2caMgTHxxIAZgEMd3uLYPDlRvPqCpyeRf6ncPcY=
|
||||
github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
|
||||
github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
|
||||
github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
|
||||
github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
|
||||
github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
|
||||
github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
|
||||
github.com/dolmen-go/contextio v0.0.0-20200217195037-68fc5150bcd5/go.mod h1:cxc20xI7fOgsFHWgt+PenlDDnMcrvh7Ocuj5hEFIdEk=
|
||||
github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6/go.mod h1:hn7BA7c8pLvoGndExHudxTDKZ84Pyvv+90pbBjbTz0Y=
|
||||
github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
|
||||
github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
|
||||
github.com/eapache/go-resiliency v1.2.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
|
||||
github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
|
||||
github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
|
||||
github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts=
|
||||
github.com/elastic/beats/v7 v7.14.2 h1:bPAaiCeOsTHPgWVLausbyO6GOlP/95L7OTcXeX9Q8d0=
|
||||
github.com/elastic/beats/v7 v7.14.2/go.mod h1:NoQ+AlI+yzg+QOjnRe/zzLyR1F9KneDqi1Qp/79O3JM=
|
||||
github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY=
|
||||
github.com/elastic/ecs v1.10.0/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4=
|
||||
github.com/elastic/elastic-agent-client/v7 v7.0.0-20210727140539-f0905d9377f6 h1:nFvXHBjYK3e9+xF0WKDeAKK4aOO51uC28s+L9rBmilo=
|
||||
github.com/elastic/elastic-agent-client/v7 v7.0.0-20210727140539-f0905d9377f6/go.mod h1:uh/Gj9a0XEbYoM4NYz4LvaBVARz3QXLmlNjsrKY9fTc=
|
||||
github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270/go.mod h1:Msl1pdboCbArMF/nSCDUXgQuWTeoMmE/z8607X+k7ng=
|
||||
github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
|
||||
github.com/elastic/go-concert v0.1.0/go.mod h1:9MtFarjXroUgmm0m6HY3NSe1XiKhdktiNRRj9hWvIaM=
|
||||
github.com/elastic/go-libaudit/v2 v2.2.0/go.mod h1:MM/l/4xV7ilcl+cIblL8Zn448J7RZaDwgNLE4gNKYPg=
|
||||
github.com/elastic/go-licenser v0.3.1/go.mod h1:D8eNQk70FOCVBl3smCGQt/lv7meBeQno2eI1S5apiHQ=
|
||||
github.com/elastic/go-lookslike v0.3.0/go.mod h1:AhH+rdJux5RlVjs+6ej4jkvYyoNRkj2crxmqeHlj3hA=
|
||||
github.com/elastic/go-lumber v0.1.0/go.mod h1:8YvjMIRYypWuPvpxx7WoijBYdbB7XIh/9FqSYQZTtxQ=
|
||||
github.com/elastic/go-perf v0.0.0-20191212140718-9c656876f595/go.mod h1:s09U1b4P1ZxnKx2OsqY7KlHdCesqZWIhyq0Gs/QC/Us=
|
||||
github.com/elastic/go-plugins-helpers v0.0.0-20200207104224-bdf17607b79f/go.mod h1:OPGqFNdTS34kMReS5hPFtBhD9J8itmSDurs1ix2wx7c=
|
||||
github.com/elastic/go-seccomp-bpf v1.1.0/go.mod h1:l+89Vy5BzjVcaX8USZRMOwmwwDScE+vxCFzzvQwN7T8=
|
||||
github.com/elastic/go-structform v0.0.9/go.mod h1:CZWf9aIRYY5SuKSmOhtXScE5uQiLZNqAFnwKR4OrIM4=
|
||||
github.com/elastic/go-sysinfo v1.1.1/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0=
|
||||
github.com/elastic/go-sysinfo v1.7.0 h1:4vVvcfi255+8+TyQ7TYUTEK3A+G8v5FLE+ZKYL1z1Dg=
|
||||
github.com/elastic/go-sysinfo v1.7.0/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0=
|
||||
github.com/elastic/go-txfile v0.0.7/go.mod h1:H0nCoFae0a4ga57apgxFsgmRjevNCsEaT6g56JoeKAE=
|
||||
github.com/elastic/go-ucfg v0.7.0/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+FX0JKxzo=
|
||||
github.com/elastic/go-ucfg v0.8.3 h1:leywnFjzr2QneZZWhE6uWd+QN/UpP0sdJRHYyuFvkeo=
|
||||
github.com/elastic/go-ucfg v0.8.3/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+FX0JKxzo=
|
||||
github.com/elastic/go-windows v1.0.0/go.mod h1:TsU0Nrp7/y3+VwE82FoZF8gC/XFg/Elz6CcloAxnPgU=
|
||||
github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUtJm0=
|
||||
github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss=
|
||||
github.com/elastic/gosigar v0.14.1/go.mod h1:iXRIGg2tLnu7LBdpqzyQfGDEidKCfWcCMS0WKyPWoMs=
|
||||
github.com/elastic/sarama v1.19.1-0.20210823122811-11c3ef800752/go.mod h1:mdtqvCSg8JOxk8PmpTNGyo6wzd4BMm4QXSfDnTXmgkE=
|
||||
github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
|
||||
github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
|
||||
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
|
||||
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
|
||||
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
|
||||
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
|
||||
github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
|
||||
github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s=
|
||||
github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
|
||||
github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
|
||||
github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
|
||||
github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
|
||||
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
|
||||
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
|
||||
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
|
||||
github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
|
||||
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
|
||||
github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
|
||||
github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
|
||||
github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
|
||||
github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab/go.mod h1:/P9AEU963A2AYjv4d1V5eVL1CQbEJq6aCNHDDjibzu8=
|
||||
github.com/go-ole/go-ole v1.2.5-0.20190920104607-14974a1cf647/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
|
||||
github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
|
||||
github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
|
||||
github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
|
||||
github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
|
||||
github.com/go-sourcemap/sourcemap v2.1.2+incompatible/go.mod h1:F8jJfvm2KbVjc5NqelyYJmf/v5J0dwNLS2mL4sNA1Jg=
|
||||
github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
|
||||
github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
|
||||
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
|
||||
github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8=
|
||||
github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM=
|
||||
github.com/gocarina/gocsv v0.0.0-20170324095351-ffef3ffc77be/go.mod h1:/oj50ZdPq/cUjA02lMZhijk5kR31SEydKyqah1OgBuo=
|
||||
github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
|
||||
github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
|
||||
github.com/godror/godror v0.10.4/go.mod h1:9MVLtu25FBJBMHkPs0m3Ngf/VmwGcLpM2HS8PlNGw9U=
|
||||
github.com/gofrs/flock v0.7.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
|
||||
github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
|
||||
github.com/gofrs/uuid v3.3.0+incompatible h1:8K4tyRfvU1CYPgJsveYFQMhpFd/wXNM7iK6rR7UHz84=
|
||||
github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
|
||||
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
|
||||
github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
|
||||
github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
|
||||
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
|
||||
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
|
||||
github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
|
||||
github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
|
||||
github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
|
||||
github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
|
||||
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
|
||||
github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
|
||||
github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
|
||||
github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
|
||||
github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
|
||||
github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
|
||||
github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
|
||||
github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
|
||||
github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
|
||||
github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
|
||||
github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
|
||||
github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
|
||||
github.com/gomodule/redigo v1.8.3/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0=
|
||||
github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
|
||||
github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
|
||||
github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
|
||||
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
|
||||
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
|
||||
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
|
||||
github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
|
||||
github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
|
||||
github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
|
||||
github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
|
||||
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
|
||||
github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
|
||||
github.com/google/licenseclassifier v0.0.0-20200402202327-879cb1424de0/go.mod h1:qsqn2hxC+vURpyBRygGUuinTO42MFRLcsmQ/P8v94+M=
|
||||
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
|
||||
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
|
||||
github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
|
||||
github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
|
||||
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
|
||||
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
|
||||
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
|
||||
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
|
||||
github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
|
||||
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
|
||||
github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA=
|
||||
github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
|
||||
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
|
||||
github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
|
||||
github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
|
||||
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
|
||||
github.com/grpc-ecosystem/grpc-gateway v1.13.0/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c=
|
||||
github.com/h2non/filetype v1.1.1/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY=
|
||||
github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
|
||||
github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
|
||||
github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
|
||||
github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
|
||||
github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
|
||||
github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
|
||||
github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI=
|
||||
github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
|
||||
github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
|
||||
github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
|
||||
github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
|
||||
github.com/hashicorp/go-version v1.0.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
|
||||
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
|
||||
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
|
||||
github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
|
||||
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
|
||||
github.com/hashicorp/nomad/api v0.0.0-20200303134319-e31695b5bbe6/go.mod h1:WKCL+tLVhN1D+APwH3JiTRZoxcdwRk86bWu1LVCUPaE=
|
||||
github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95/go.mod h1:QiyDdbZLaJ/mZP4Zwc9g2QsfaEA4o7XvvgZegSci5/E=
|
||||
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
|
||||
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
|
||||
github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
|
||||
github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
|
||||
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
|
||||
github.com/jarcoal/httpmock v1.0.4/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik=
|
||||
github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
|
||||
github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
|
||||
github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o=
|
||||
github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
|
||||
github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aWNYyvBVK62bc=
|
||||
github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
|
||||
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
|
||||
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
|
||||
github.com/jmoiron/sqlx v1.2.1-0.20190826204134-d7d95172beb5/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks=
|
||||
github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 h1:rp+c0RAYOWj8l6qbCUTSiRLG/iKnW3K3/QfPPuSsBt4=
|
||||
github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901/go.mod h1:Z86h9688Y0wesXCyonoVr47MasHilkuLMqGhRZ4Hpak=
|
||||
github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
|
||||
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
|
||||
github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
|
||||
github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd/go.mod h1:eJTEwMjXb7kZ633hO3Ln9mBUCOjX2+FlTljvpl9SYdE=
|
||||
github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
|
||||
github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
|
||||
github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
|
||||
github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
|
||||
github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
|
||||
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
|
||||
github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
|
||||
github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
|
||||
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
|
||||
github.com/kardianos/service v1.1.0/go.mod h1:RrJI2xn5vve/r32U5suTbeaSGoMU6GbNPoj36CVYcHc=
|
||||
github.com/karrick/godirwalk v1.15.6/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk=
|
||||
github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
|
||||
github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
|
||||
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
|
||||
github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
|
||||
github.com/kolide/osquery-go v0.0.0-20200604192029-b019be7063ac/go.mod h1:rp36fokOKgd/5mOgbvv4fkpdaucQ43mnvb+8BR62Xo8=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
|
||||
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
|
||||
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
|
||||
github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
|
||||
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
|
||||
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
|
||||
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
|
||||
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
|
||||
github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
|
||||
github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
|
||||
github.com/magefile/mage v1.9.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
|
||||
github.com/magefile/mage v1.11.0 h1:C/55Ywp9BpgVVclD3lRnSYCwXTYxmSppIgLeDYlNuls=
|
||||
github.com/magefile/mage v1.11.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
|
||||
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
|
||||
github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
|
||||
github.com/mailru/easyjson v0.7.1/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
|
||||
github.com/markbates/pkger v0.17.0/go.mod h1:0JoVlrol20BSywW79rN3kdFFsE5xYM+rSCQDXbLhiuI=
|
||||
github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11/go.mod h1:Ah2dBMoxZEqk118as2T4u4fjfXarE0pPnMJaArZQZsI=
|
||||
github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
|
||||
github.com/mattn/go-colorable v0.1.6 h1:6Su7aK7lXmJ/U79bYtBjLNaha4Fs1Rg9plHpcH+vvnE=
|
||||
github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
|
||||
github.com/mattn/go-ieproxy v0.0.0-20190610004146-91bb50d98149/go.mod h1:31jz6HNzdxOmlERGGEc4v/dMssOfmp2p5bT/okiKFFc=
|
||||
github.com/mattn/go-ieproxy v0.0.0-20191113090002-7c0f6868bffe/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E=
|
||||
github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
|
||||
github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
|
||||
github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
|
||||
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
|
||||
github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
|
||||
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
|
||||
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
|
||||
github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
|
||||
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
|
||||
github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
|
||||
github.com/mitchellh/gox v1.0.1/go.mod h1:ED6BioOGXMswlXa2zxfh/xdd5QhwYliBFn9V18Ap4z4=
|
||||
github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ=
|
||||
github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
|
||||
github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
|
||||
github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
|
||||
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
|
||||
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
|
||||
github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
|
||||
github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
|
||||
github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
|
||||
github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
|
||||
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
|
||||
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
|
||||
github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
|
||||
github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/ginkgo v1.5.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
|
||||
github.com/onsi/gomega v1.2.0/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
|
||||
github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
|
||||
github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
|
||||
github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
|
||||
github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
|
||||
github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
|
||||
github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
|
||||
github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
|
||||
github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
|
||||
github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
|
||||
github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
|
||||
github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
|
||||
github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
|
||||
github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
|
||||
github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE=
|
||||
github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs=
|
||||
github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo=
|
||||
github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc=
|
||||
github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2/go.mod h1:L3UMQOThbttwfYRNFOWLLVXMhk5Lkio4GGOtw5UrxS0=
|
||||
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
|
||||
github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
|
||||
github.com/pierrec/lz4 v2.6.0+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
|
||||
github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0/go.mod h1:4xpMLz7RBWyB+ElzHu8Llua96TRCB3YwX+l5EP1wmHk=
|
||||
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pkg/errors v0.8.1-0.20170505043639-c605e284fe17/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
|
||||
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
|
||||
github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
|
||||
github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
|
||||
github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc/go.mod h1:ikMPikHu8SMvBGWoKulvvOOZN227amf2E9eMYqyAwAY=
|
||||
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
|
||||
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
|
||||
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
|
||||
github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
|
||||
github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
|
||||
github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA=
|
||||
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
|
||||
github.com/prometheus/procfs v0.0.0-20190425082905-87a4384529e0/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
|
||||
github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
|
||||
github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
|
||||
github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
|
||||
github.com/prometheus/procfs v0.0.11 h1:DhHlBtkHWPYi8O2y31JkK0TF+DGM+51OopZjH/Ia5qI=
|
||||
github.com/prometheus/procfs v0.0.11/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
|
||||
github.com/prometheus/prometheus v2.5.0+incompatible/go.mod h1:oAIUtOny2rjMX0OWN5vPR5/q/twIROJvdqnQKDdil/s=
|
||||
github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
|
||||
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
|
||||
github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
|
||||
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
||||
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
|
||||
github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e/go.mod h1:Sb6li54lXV0yYEjI4wX8cucdQ9gqUJV3+Ngg3l9g30I=
|
||||
github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54/go.mod h1:Vrkh1pnjV9Bl8c3P9zH0/D4NlOHWP5d4/hF4YTULaec=
|
||||
github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b/go.mod h1:8458kAagoME2+LN5//WxE71ysZ3B7r22fdgb7qVmXSY=
|
||||
github.com/sanathkr/yaml v0.0.0-20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ=
|
||||
github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ=
|
||||
github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis=
|
||||
github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4=
|
||||
github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
|
||||
github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
|
||||
github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
|
||||
github.com/shirou/gopsutil v3.20.12+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
|
||||
github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
|
||||
github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
|
||||
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
|
||||
github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
|
||||
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
|
||||
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
|
||||
github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
|
||||
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
|
||||
github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
|
||||
github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
|
||||
github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
|
||||
github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
|
||||
github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
|
||||
github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
|
||||
github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
|
||||
github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
|
||||
github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
|
||||
github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
|
||||
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
|
||||
github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
|
||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
|
||||
github.com/stretchr/testify v1.1.5-0.20170601210322-f6abca593680/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
|
||||
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
|
||||
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
|
||||
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
|
||||
github.com/stretchr/testify v1.5.0/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
|
||||
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
|
||||
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
|
||||
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
|
||||
github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
|
||||
github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b/go.mod h1:jAqhj/JBVC1PwcLTWd6rjQyGyItxxrhpiBl8LSuAGmw=
|
||||
github.com/tsg/gopacket v0.0.0-20200626092518-2ab8e397a786/go.mod h1:RIkfovP3Y7my19aXEjjbNd9E5TlHozzAyt7B8AaEcwg=
|
||||
github.com/ugorji/go v1.1.8/go.mod h1:0lNM99SwWUIRhCXnigEMClngXBk/EmpTXa7mgiewYWA=
|
||||
github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
|
||||
github.com/ugorji/go/codec v1.1.8/go.mod h1:X00B19HDtwvKbQY2DcYjvZxKQp8mzrJoQ6EgoIY/D2E=
|
||||
github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
|
||||
github.com/urso/diag v0.0.0-20200210123136-21b3cc8eb797/go.mod h1:pNWFTeQ+V1OYT/TzWpnWb6eQBdoXpdx+H+lrH97/Oyo=
|
||||
github.com/urso/go-bin v0.0.0-20180220135811-781c575c9f0e/go.mod h1:6GfHrdWBQYjFRIznu7XuQH4lYB2w8nO4bnImVKkzPOM=
|
||||
github.com/urso/magetools v0.0.0-20190919040553-290c89e0c230/go.mod h1:DFxTNgS/ExCGmmjVjSOgS2WjtfjKXgCyDzAFgbtovSA=
|
||||
github.com/urso/qcgen v0.0.0-20180131103024-0b059e7db4f4/go.mod h1:RspW+E2Yb7Fs7HclB2tiDaiu6Rp41BiIG4Wo1YaoXGc=
|
||||
github.com/urso/sderr v0.0.0-20200210124243-c2a16f3d43ec/go.mod h1:Wp40HwmjM59FkDIVFfcCb9LzBbnc0XAMp8++hJuWvSU=
|
||||
github.com/vbatts/tar-split v0.11.1/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g=
|
||||
github.com/vmware/govmomi v0.0.0-20170802214208-2cad15190b41/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU=
|
||||
github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
|
||||
github.com/xdg/scram v1.0.3/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
|
||||
github.com/xdg/stringprep v1.0.3/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
|
||||
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
|
||||
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
|
||||
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
|
||||
github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
|
||||
github.com/xeipuuv/gojsonschema v0.0.0-20181112162635-ac52e6811b56/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
|
||||
github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
|
||||
github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7/go.mod h1:aEV29XrmTYFr3CiRxZeGHpkvbwq+prZduBqMaascyCU=
|
||||
go.elastic.co/apm v1.7.2/go.mod h1:tCw6CkOJgkWnzEthFN9HUP1uL3Gjc/Ur6m7gRPLaoH0=
|
||||
go.elastic.co/apm v1.8.1-0.20200909061013-2aef45b9cf4b h1:Sf+V3eV91ZuXjF3824SABFgXU+z4ZEuIX5ikDvt2lCE=
|
||||
go.elastic.co/apm v1.8.1-0.20200909061013-2aef45b9cf4b/go.mod h1:qoOSi09pnzJDh5fKnfY7bPmQgl8yl2tULdOu03xhui0=
|
||||
go.elastic.co/apm/module/apmelasticsearch v1.7.2/go.mod h1:ZyNFuyWdt42GBZkz0SogoLzDBrBGj4orxpiUuxYeYq8=
|
||||
go.elastic.co/apm/module/apmhttp v1.7.2/go.mod h1:sTFWiWejnhSdZv6+dMgxGec2Nxe/ZKfHfz/xtRM+cRY=
|
||||
go.elastic.co/ecszap v0.3.0 h1:Zo/Y4sJLqbWDlqCHI4F4Lzeg0Fs4+n5ldVis4h9xV8w=
|
||||
go.elastic.co/ecszap v0.3.0/go.mod h1:HTUi+QRmr3EuZMqxPX+5fyOdMNfUu5iPebgfhgsTJYQ=
|
||||
go.elastic.co/fastjson v1.0.0/go.mod h1:PmeUOMMtLHQr9ZS9J9owrAVg0FkaZDRZJEFTTGHtchs=
|
||||
go.elastic.co/fastjson v1.1.0 h1:3MrGBWWVIxe/xvsbpghtkFoPciPhOCmjsR/HfwEeQR4=
|
||||
go.elastic.co/fastjson v1.1.0/go.mod h1:boNGISWMjQsUPy/t6yqt2/1Wx4YNPSe+mZjlyw9vKKI=
|
||||
go.elastic.co/go-licence-detector v0.4.0/go.mod h1:fSJQU8au4SAgDK+UQFbgUPsXKYNBDv4E/dwWevrMpXU=
|
||||
go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
|
||||
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
|
||||
go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
|
||||
go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
|
||||
go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY=
|
||||
go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
|
||||
go.uber.org/goleak v1.0.0/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
|
||||
go.uber.org/multierr v1.3.0 h1:sFPn2GLc3poCkfrpIXGhBD2X0CMIo4Q/zSULXrj/+uc=
|
||||
go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
|
||||
go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4=
|
||||
go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
|
||||
go.uber.org/zap v1.14.0 h1:/pduUoebOeeJzTDFuoMgC6nRkiasr1sBCIEorly7m4o=
|
||||
go.uber.org/zap v1.14.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
|
||||
golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||
golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||
golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e h1:gsTQYXdTw2Gq7RBsWvlQ91b+aEQ6bXFUngBGuR8sPpI=
|
||||
golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
|
||||
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
|
||||
golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
|
||||
golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
|
||||
golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
|
||||
golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
|
||||
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
|
||||
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
|
||||
golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
|
||||
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
|
||||
golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
|
||||
golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
|
||||
golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
|
||||
golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
|
||||
golang.org/x/lint v0.0.0-20200130185559-910be7a94367 h1:0IiAsCRByjO2QjX7ZPkw5oU9x+n1YqRL802rjC0c3Aw=
|
||||
golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
|
||||
golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
|
||||
golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
|
||||
golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
|
||||
golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
|
||||
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
|
||||
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
|
||||
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
|
||||
golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20191021144547-ec77196f6094/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
|
||||
golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
|
||||
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
|
||||
golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q=
|
||||
golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
|
||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||
golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sys v0.0.0-20180810173357-98c5dad5d1a0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20180815093151-14742f9018cd/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190529164535-6a60838ec259/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20191025021431-6c3a3bfe00ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20191112214154-59a1497f0cea/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
|
||||
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
|
||||
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
|
||||
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/tools v0.0.0-20200602230032-c00d67ef29d0 h1:6txNFSnY+tteYoO+hf01EpdYcYZiurdC9MDIrcUzEu4=
|
||||
golang.org/x/tools v0.0.0-20200602230032-c00d67ef29d0/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
||||
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
|
||||
google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
|
||||
google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
|
||||
google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
|
||||
google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
|
||||
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
|
||||
google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
|
||||
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
|
||||
google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
|
||||
google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
|
||||
google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
|
||||
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
|
||||
google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
||||
google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
||||
google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
||||
google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
||||
google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
|
||||
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
|
||||
google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
|
||||
google.golang.org/genproto v0.0.0-20190927181202-20e1ac93f88c/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
|
||||
google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
|
||||
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
|
||||
google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb h1:hcskBH5qZCOa7WpTUFUFvoebnSFZBYpjykLtjIp9DVk=
|
||||
google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
|
||||
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
|
||||
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
|
||||
google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
|
||||
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
|
||||
google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA=
|
||||
google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
|
||||
google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
|
||||
google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
|
||||
google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
|
||||
google.golang.org/grpc v1.29.1 h1:EC2SB8S04d2r73uptxphDSUG+kTKVgjRPF+N3xpxRB4=
|
||||
google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
|
||||
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
|
||||
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
|
||||
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
|
||||
google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
|
||||
google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
|
||||
google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
|
||||
google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
|
||||
google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
|
||||
google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
|
||||
google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
|
||||
google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
|
||||
gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
|
||||
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
|
||||
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
|
||||
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
|
||||
gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
|
||||
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
|
||||
gopkg.in/jcmturner/gokrb5.v7 v7.5.0/go.mod h1:l8VISx+WGYp+Fp7KRbsiUuXTTOnxIc3Tuvyavf11/WM=
|
||||
gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA=
|
||||
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
|
||||
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
|
||||
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
|
||||
gotest.tools/gotestsum v0.6.0/go.mod h1:LEX+ioCVdeWhZc8GYfiBRag360eBhwixWJ62R9eDQtI=
|
||||
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
|
||||
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM=
|
||||
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
|
||||
howett.net/plist v0.0.0-20181124034731-591f970eefbb h1:jhnBjNi9UFpfpl8YZhA9CrOqpnJdvzuiHsl/dnxl11M=
|
||||
howett.net/plist v0.0.0-20181124034731-591f970eefbb/go.mod h1:vMygbs4qMhSZSc4lCUl2OEE+rDiIIJAIdR4m7MiMcm0=
|
||||
k8s.io/api v0.19.4/go.mod h1:SbtJ2aHCItirzdJ36YslycFNzWADYH3tgOhvBEFtZAk=
|
||||
k8s.io/apimachinery v0.19.4/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
|
||||
k8s.io/client-go v0.19.4/go.mod h1:ZrEy7+wj9PjH5VMBCuu/BDlvtUAku0oVFk4MmnW9mWA=
|
||||
k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
||||
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
|
||||
k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
|
||||
k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o=
|
||||
k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
|
||||
k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
|
||||
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
|
||||
sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
|
||||
sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
|
||||
sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
|
|
@ -20,7 +20,7 @@
|
|||
package include
|
||||
|
||||
import (
|
||||
"github.com/elastic/beats/libbeat/asset"
|
||||
"github.com/elastic/beats/v7/libbeat/asset"
|
||||
)
|
||||
|
||||
func init() {
|
||||
|
|
14
magefile.go
|
@ -8,12 +8,12 @@ import (
|
|||
|
||||
"github.com/magefile/mage/mg"
|
||||
|
||||
devtools "github.com/elastic/beats/dev-tools/mage"
|
||||
"github.com/elastic/beats/dev-tools/mage/target/build"
|
||||
"github.com/elastic/beats/dev-tools/mage/target/common"
|
||||
"github.com/elastic/beats/dev-tools/mage/target/pkg"
|
||||
"github.com/elastic/beats/dev-tools/mage/target/unittest"
|
||||
"github.com/elastic/beats/dev-tools/mage/target/update"
|
||||
devtools "github.com/elastic/beats/v7/dev-tools/mage"
|
||||
"github.com/elastic/beats/v7/dev-tools/mage/target/build"
|
||||
"github.com/elastic/beats/v7/dev-tools/mage/target/common"
|
||||
"github.com/elastic/beats/v7/dev-tools/mage/target/pkg"
|
||||
"github.com/elastic/beats/v7/dev-tools/mage/target/unittest"
|
||||
"github.com/elastic/beats/v7/dev-tools/mage/target/update"
|
||||
)
|
||||
|
||||
func init() {
|
||||
|
@ -21,6 +21,8 @@ func init() {
|
|||
|
||||
devtools.BeatDescription = "Icingabeat fetches data from the Icinga 2 API and forwards it to Elasticsearch or Logstash."
|
||||
devtools.BeatVendor = "{full_name}"
|
||||
devtools.BeatProjectType = devtools.CommunityProject
|
||||
devtools.CrossBuildMountModcache = true
|
||||
}
|
||||
|
||||
// Package packages the Beat for distribution.
|
||||
|
|
|
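Review bot: `devtools.BeatVendor = "{full_name}"` in the second hunk looks like an unexpanded template placeholder that this migration carries over unchanged, so the vendor string baked into the built packages is presumably still the literal `{full_name}`; it should be set to the actual vendor, e.g. `devtools.BeatVendor = "<vendor name>"` (placeholder, fill in the real value). The new `devtools.CrossBuildMountModcache = true` makes the cross-build containers read the host's module cache, which turns the state of that cache (and its consistency with the committed go.sum) into a build input; a one-line comment such as `// Cross-build containers reuse the host module cache instead of re-downloading; keep go.sum in sync.` would document that dependency for whoever runs the release builds. The enclosing `init` starts in the first hunk, outside this one.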
@ -1,38 +0,0 @@
|
|||
# See: http://editorconfig.org
|
||||
root = true
|
||||
|
||||
[*]
|
||||
charset = utf-8
|
||||
end_of_line = lf
|
||||
insert_final_newline = true
|
||||
trim_trailing_whitespace = true
|
||||
|
||||
[.go]
|
||||
indent_size = 4
|
||||
indent_style = tab
|
||||
|
||||
[*.json]
|
||||
indent_size = 4
|
||||
indent_style = space
|
||||
|
||||
[*.py]
|
||||
indent_style = space
|
||||
indent_size = 4
|
||||
|
||||
[*.yml]
|
||||
indent_style = space
|
||||
indent_size = 2
|
||||
|
||||
[Makefile*]
|
||||
indent_style = tab
|
||||
|
||||
[*.mk]
|
||||
indent_style = tab
|
||||
|
||||
[Vagrantfile]
|
||||
indent_size = 2
|
||||
indent_style = space
|
||||
|
||||
[*.rl]
|
||||
indent_size = 4
|
||||
indent_style = space
|
|
@ -1,6 +0,0 @@
|
|||
CHANGELOG.next.asciidoc merge=union
|
||||
CHANGELOG-developer.next.asciidoc merge=union
|
||||
|
||||
# Keep these file types as CRLF (Windows).
|
||||
*.bat text eol=crlf
|
||||
*.cmd text eol=crlf
|
|
@ -1,43 +0,0 @@
|
|||
# GitHub CODEOWNERS definition
|
||||
# See: https://help.github.com/articles/about-codeowners/
|
||||
|
||||
# * @elastic/beats
|
||||
|
||||
# libbeat
|
||||
# /libbeat/ @elastic/beats
|
||||
# /auditbeat/ @elastic/beats
|
||||
# /packetbeat/ @elastic/beats
|
||||
# /filebeat/ @elastic/beats
|
||||
# /metricbeat/ @elastic/beats
|
||||
# /journalbeat/ @elastic/beats
|
||||
# /winlogbeat/ @elastic/beats
|
||||
|
||||
# Auditbeat
|
||||
/auditbeat/module/ @elastic/siem
|
||||
/x-pack/auditbeat/ @elastic/siem
|
||||
|
||||
# Packetbeat
|
||||
/packetbeat/protos/ @elastic/siem
|
||||
/x-pack/packetbeat/ @elastic/siem
|
||||
|
||||
# Filebeat
|
||||
/filebeat/module/ @elastic/integrations
|
||||
/filebeat/module/elasticsearch/ @elastic/stack-monitoring
|
||||
/filebeat/module/kibana/ @elastic/stack-monitoring
|
||||
/filebeat/module/logstash/ @elastic/stack-monitoring
|
||||
/x-pack/filebeat/module/ @elastic/integrations
|
||||
/x-pack/filebeat/module/suricata/ @elastic/secops
|
||||
|
||||
# Metricbeat
|
||||
/metricbeat/module/ @elastic/integrations
|
||||
/metricbeat/module/elasticsearch/ @elastic/stack-monitoring
|
||||
/metricbeat/module/kibana/ @elastic/stack-monitoring
|
||||
/metricbeat/module/logstash/ @elastic/stack-monitoring
|
||||
/metricbeat/module/beat/ @elastic/stack-monitoring
|
||||
/x-pack/metricbeat/module/ @elastic/integrations
|
||||
|
||||
# Heartbeat
|
||||
/heartbeat/ @elastic/uptime
|
||||
|
||||
# Winlogbeat
|
||||
/x-pack/winlogbeat/ @elastic/siem
|
|
@ -1,20 +0,0 @@
|
|||
---
|
||||
name: Bug
|
||||
about: "Report confirmed bugs. For unconfirmed bugs please visit https://discuss.elastic.co/c/beats"
|
||||
|
||||
---
|
||||
|
||||
Please post all questions and issues on https://discuss.elastic.co/c/beats
|
||||
before opening a Github Issue. Your questions will reach a wider audience there,
|
||||
and if we confirm that there is a bug, then you can open a new issue.
|
||||
|
||||
For security vulnerabilities please only send reports to security@elastic.co.
|
||||
See https://www.elastic.co/community/security for more information.
|
||||
|
||||
Please include configurations and logs if available.
|
||||
|
||||
For confirmed bugs, please report:
|
||||
- Version:
|
||||
- Operating System:
|
||||
- Discuss Forum URL:
|
||||
- Steps to Reproduce:
|
|
@ -1,20 +0,0 @@
|
|||
---
|
||||
name: Bug
|
||||
about: "Report confirmed bugs. For unconfirmed bugs please visit https://discuss.elastic.co/c/beats"
|
||||
|
||||
---
|
||||
|
||||
Please post all questions and issues on https://discuss.elastic.co/c/beats
|
||||
before opening a Github Issue. Your questions will reach a wider audience there,
|
||||
and if we confirm that there is a bug, then you can open a new issue.
|
||||
|
||||
For security vulnerabilities please only send reports to security@elastic.co.
|
||||
See https://www.elastic.co/community/security for more information.
|
||||
|
||||
Please include configurations and logs if available.
|
||||
|
||||
For confirmed bugs, please report:
|
||||
- Version:
|
||||
- Operating System:
|
||||
- Discuss Forum URL:
|
||||
- Steps to Reproduce:
|
|
@ -1,10 +0,0 @@
|
|||
---
|
||||
name: Enhancement request
|
||||
about: Beats can't do all the things, but maybe it can do your things.
|
||||
|
||||
---
|
||||
|
||||
**Describe the enhancement:**
|
||||
|
||||
**Describe a specific use case for the enhancement or feature:**
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
---
|
||||
name: Flaky Test
|
||||
about: Report a flaky test (one that doesn't pass consistently)
|
||||
|
||||
---
|
||||
|
||||
## Flaky Test
|
||||
|
||||
* **Test Name:** Name of the failing test.
|
||||
* **Link:** Link to file/line number in github.
|
||||
* **Branch:** Git branch the test was seen in. If a PR, the branch the PR was based off.
|
||||
* **Artifact Link:** If available, attach the generated zip artifact associated with the stack trace for this failure.
|
||||
* **Notes:** Additional details about the test. e.g. theory as to failure cause
|
||||
|
||||
### Stack Trace
|
||||
|
||||
```
|
||||
paste stack trace here
|
||||
```
|
|
@ -1,36 +0,0 @@
|
|||
---
|
||||
name: New Module / Dataset
|
||||
about: "Meta issue to track the creation, updating of a new module or dataset."
|
||||
|
||||
---
|
||||
|
||||
# Metricbeat Module / Dataset release checklist
|
||||
|
||||
This checklist is intended for Devs which create or update a module to make sure modules are consistent.
|
||||
|
||||
## Modules
|
||||
|
||||
For a metricset to go GA, the following criterias should be met:
|
||||
|
||||
* [ ] Supported versions are documented
|
||||
* [ ] Supported operating systems are documented (if applicable)
|
||||
* [ ] Integration tests exist
|
||||
* [ ] System tests exist
|
||||
* [ ] Automated checks that all fields are documented
|
||||
* [ ] Documentation
|
||||
* [ ] Fields follow [ECS](https://github.com/elastic/ecs) and [naming conventions](https://www.elastic.co/guide/en/beats/devguide/master/event-conventions.html)
|
||||
* [ ] Dashboards exists (if applicable)
|
||||
* [ ] Kibana Home Tutorial (if applicable)
|
||||
* [ ] Open issue in [EUI repo](https://github.com/elastic/eui) to add [icon for module](https://elastic.github.io/eui/#/display/icons) if not already exists.
|
||||
* [ ] Open PR against Kibana repo with tutorial. Examples can be found [here](https://github.com/elastic/kibana/tree/master/src/legacy/core_plugins/kibana/server/tutorials).
|
||||
|
||||
## Filebeat module
|
||||
|
||||
* [ ] Test log files exist for the grok patterns
|
||||
* [ ] Generated output for at least 1 log file exists
|
||||
|
||||
|
||||
## Metricbeat module
|
||||
|
||||
* [ ] Example `data.json` exists and an automated way to generate it exists (`go test -data`)
|
||||
* [ ] Test environment in Docker exist for integration tests
|
|
@ -1,18 +0,0 @@
|
|||
---
|
||||
name: Question
|
||||
about: Who, what, when, where, and how?
|
||||
|
||||
---
|
||||
|
||||
Hey, stop right there!
|
||||
|
||||
We use GitHub to track feature requests and bug reports. Please do not submit issues for questions about how to use features of Beat, how to set Beats up, best practices, or development related help.
|
||||
|
||||
However, we do want to help! Head on over to our official Beats forums and ask
|
||||
your questions there. In additional to awesome, knowledgeable community
|
||||
contributors, core Beats developers are on the forums every single day to help
|
||||
you out.
|
||||
|
||||
The forums are here: https://discuss.elastic.co/c/beats
|
||||
|
||||
We can't stop you from opening an issue here, but it will likely linger without a response for days or weeks before it is closed and we ask you to join us on the forums instead. Save yourself the time, and ask on the forums today.
|
|
@ -1,40 +0,0 @@
|
|||
# Directories
|
||||
/.vagrant
|
||||
/.idea
|
||||
/.vscode
|
||||
/build
|
||||
/*/*.template*.json
|
||||
**/html_docs
|
||||
*beat/fields.yml
|
||||
*beat/_meta/kibana.generated
|
||||
*beat/build
|
||||
*beat/logs
|
||||
*beat/data
|
||||
x-pack/functionbeat/pkg
|
||||
|
||||
# Files
|
||||
.DS_Store
|
||||
/beats.iml
|
||||
*.dev.yml
|
||||
*.generated.yml
|
||||
coverage.out
|
||||
.python-version
|
||||
beat.db
|
||||
*.keystore
|
||||
mage_output_file.go
|
||||
x-pack/functionbeat/*/fields.yml
|
||||
x-pack/functionbeat/provider/*/functionbeat-*
|
||||
|
||||
# Editor swap files
|
||||
*.swp
|
||||
*.swo
|
||||
*.swn
|
||||
|
||||
# Compiled Object files, Static and Dynamic libs (Shared Objects)
|
||||
*.o
|
||||
*.a
|
||||
*.so
|
||||
*.exe
|
||||
*.test
|
||||
*.prof
|
||||
*.pyc
|
|
@ -1 +0,0 @@
|
|||
1.12.12
|
|
@ -1,13 +0,0 @@
|
|||
[MESSAGES CONTROL]
|
||||
|
||||
disable=too-many-lines,too-many-public-methods,too-many-statements
|
||||
|
||||
|
||||
[BASIC]
|
||||
|
||||
method-rgx=[a-z_][a-z0-9_]{2,50}$
|
||||
|
||||
|
||||
[FORMAT]
|
||||
|
||||
max-line-length=120
|
|
@ -1,251 +0,0 @@
|
|||
sudo: required
|
||||
dist: trusty
|
||||
services:
|
||||
- docker
|
||||
|
||||
language: go
|
||||
|
||||
# Make sure project can also be built on travis for clones of the repo
|
||||
go_import_path: github.com/elastic/beats
|
||||
|
||||
env:
|
||||
global:
|
||||
# Cross-compile for amd64 only to speed up testing.
|
||||
- GOX_FLAGS="-arch amd64"
|
||||
- DOCKER_COMPOSE_VERSION=1.21.0
|
||||
- TRAVIS_GO_VERSION=$(cat .go-version)
|
||||
# Newer versions of minikube fail on travis, see: https://github.com/kubernetes/minikube/issues/2704
|
||||
- TRAVIS_MINIKUBE_VERSION=v0.25.2
|
||||
|
||||
jobs:
|
||||
include:
|
||||
# General checks
|
||||
- os: linux
|
||||
env: TARGETS="check"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: check
|
||||
|
||||
# Filebeat
|
||||
- os: linux
|
||||
env: TARGETS="-C filebeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: osx
|
||||
env: TARGETS="TEST_ENVIRONMENT=0 -C filebeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: linux
|
||||
env: TARGETS="-C x-pack/filebeat testsuite"
|
||||
go: $(GO_VERSION)
|
||||
stage: test
|
||||
|
||||
# Heartbeat
|
||||
- os: linux
|
||||
env: TARGETS="-C heartbeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: osx
|
||||
env: TARGETS="TEST_ENVIRONMENT=0 -C heartbeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
|
||||
# Auditbeat
|
||||
- os: linux
|
||||
env: TARGETS="-C auditbeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: osx
|
||||
env: TARGETS="TEST_ENVIRONMENT=0 -C auditbeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: linux
|
||||
env: TARGETS="-C auditbeat crosscompile"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: linux
|
||||
env: TARGETS="-C x-pack/auditbeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
|
||||
# Libbeat
|
||||
- os: linux
|
||||
env: TARGETS="-C libbeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: linux
|
||||
env: TARGETS="-C libbeat crosscompile"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: linux
|
||||
env: STRESS_TEST_OPTIONS="-timeout=20m -race -v -parallel 1" TARGETS="-C libbeat stress-tests"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: linux
|
||||
env: TARGETS="-C x-pack/libbeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
|
||||
# Metricbeat
|
||||
- os: linux
|
||||
env: TARGETS="-C metricbeat unit-tests coverage-report"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: linux
|
||||
env: TARGETS="-C metricbeat integration-tests-environment coverage-report"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: linux
|
||||
env: TARGETS="-C metricbeat update system-tests-environment coverage-report"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
|
||||
- os: osx
|
||||
env: TARGETS="TEST_ENVIRONMENT=0 -C metricbeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: linux
|
||||
env: TARGETS="-C metricbeat crosscompile"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: linux
|
||||
env: TARGETS="-C x-pack/metricbeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
|
||||
# Packetbeat
|
||||
- os: linux
|
||||
env: TARGETS="-C packetbeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
|
||||
# Winlogbeat
|
||||
- os: linux
|
||||
env: TARGETS="-C winlogbeat crosscompile"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
|
||||
# Functionbeat
|
||||
- os: linux
|
||||
env: TARGETS="-C x-pack/functionbeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: osx
|
||||
env: TARGETS="TEST_ENVIRONMENT=0 -C x-pack/functionbeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
|
||||
# Journalbeat
|
||||
- os: linux
|
||||
env: TARGETS="-C journalbeat testsuite"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
|
||||
# Generators
|
||||
- os: linux
|
||||
env: TARGETS="-C generator/metricbeat test test-package"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: linux
|
||||
env: TARGETS="-C generator/beat test test-package"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
|
||||
- os: osx
|
||||
env: TARGETS="-C generator/metricbeat test"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
- os: osx
|
||||
env: TARGETS="-C generator/beat test"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
|
||||
# Docs
|
||||
- os: linux
|
||||
env: TARGETS="docs"
|
||||
go: $TRAVIS_GO_VERSION
|
||||
stage: test
|
||||
|
||||
# Kubernetes
|
||||
- os: linux
|
||||
install: deploy/kubernetes/.travis/setup.sh
|
||||
env:
|
||||
- TARGETS="-C deploy/kubernetes test"
|
||||
- TRAVIS_K8S_VERSION=v1.9.4
|
||||
stage: test
|
||||
- os: linux
|
||||
install: deploy/kubernetes/.travis/setup.sh
|
||||
env:
|
||||
- TARGETS="-C deploy/kubernetes test"
|
||||
- TRAVIS_K8S_VERSION=v1.10.0
|
||||
stage: test
|
||||
- os: linux
|
||||
dist: xenial
|
||||
install: deploy/kubernetes/.travis/setup.sh
|
||||
env:
|
||||
- TARGETS="-C deploy/kubernetes test"
|
||||
- TRAVIS_K8S_VERSION=v1.15.3
|
||||
- TRAVIS_MINIKUBE_VERSION=v1.3.1
|
||||
stage: test
|
||||
addons:
|
||||
apt:
|
||||
update: true
|
||||
packages:
|
||||
- python-virtualenv
|
||||
- libpcap-dev
|
||||
- xsltproc
|
||||
- libxml2-utils
|
||||
- librpm-dev
|
||||
|
||||
# TODO include 1.11 once minikube supports it
|
||||
#- os: linux
|
||||
# install: deploy/kubernetes/.travis/setup.sh
|
||||
# env:
|
||||
# - TARGETS="-C deploy/kubernetes test"
|
||||
# - TRAVIS_K8S_VERSION=v1.11.0
|
||||
# stage: test
|
||||
|
||||
addons:
|
||||
apt:
|
||||
update: true
|
||||
packages:
|
||||
- python-virtualenv
|
||||
- libpcap-dev
|
||||
- xsltproc
|
||||
- libxml2-utils
|
||||
- libsystemd-journal-dev
|
||||
- librpm-dev
|
||||
|
||||
before_install:
|
||||
- python --version
|
||||
- umask 022
|
||||
- chmod -R go-w $GOPATH/src/github.com/elastic/beats
|
||||
# Docker-compose installation
|
||||
- sudo rm /usr/local/bin/docker-compose || true
|
||||
- curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` > docker-compose
|
||||
- chmod +x docker-compose
|
||||
- sudo mv docker-compose /usr/local/bin
|
||||
- if [ $TRAVIS_OS_NAME = osx ]; then pip install virtualenv; fi
|
||||
|
||||
|
||||
# Skips installations step
|
||||
install: true
|
||||
|
||||
script:
|
||||
- make $TARGETS
|
||||
|
||||
notifications:
|
||||
slack:
|
||||
on_success: change
|
||||
on_failure: always
|
||||
on_pull_requests: false
|
||||
rooms:
|
||||
secure: "e25J5puEA31dOooTI4T+K+zrTs8XeWIGq2cgmiPt9u/g7eqWeQj1UJnVsr8GOu1RPDyuJZJHXqfrvuOYJTdHzXbwjD0JTbwwVVZMkkZW2SWZHG46HCXPiucjWXEr3hXJKBJDDpIx6VxrN7r17dejv1biQ8QuEFZfiB1H8kbH/ho="
|
||||
|
||||
after_success:
|
||||
# Copy full.cov to coverage.txt because codecov.io requires this file
|
||||
- test -f auditbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f auditbeat/build/coverage/full.cov
|
||||
- test -f filebeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f filebeat/build/coverage/full.cov
|
||||
- test -f heartbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f heartbeat/build/coverage/full.cov
|
||||
- test -f libbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f libbeat/build/coverage/full.cov
|
||||
- test -f metricbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f metricbeat/build/coverage/full.cov
|
||||
- test -f packetbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f packetbeat/build/coverage/full.cov
|
|
@ -1,204 +0,0 @@
|
|||
// Use these for links to issue and pulls. Note issues and pulls redirect one to
|
||||
// each other on Github, so don't worry too much on using the right prefix.
|
||||
:issue: https://github.com/elastic/beats/issues/
|
||||
:pull: https://github.com/elastic/beats/pull/
|
||||
|
||||
This changelog is intended for community Beat developers. It covers the major
|
||||
breaking changes to the internal APIs in the official Beats and changes related
|
||||
to developing a Beat like code generators or `fields.yml`. Only the major
|
||||
changes will be covered in this changelog that are expected to affect community
|
||||
developers. Each breaking change added here should have an explanation on how
|
||||
other Beats should be migrated.
|
||||
|
||||
Note: This changelog was only started after the 6.3 release.
|
||||
|
||||
=== Beats version 7.5.1
|
||||
https://github.com/elastic/beats/compare/v7.5.0..v7.5.1[Check the HEAD diff]
|
||||
|
||||
=== Beats version 7.5.0
|
||||
https://github.com/elastic/beats/compare/v7.4.1..v7.5.0[Check the HEAD diff]
|
||||
|
||||
==== Breaking changes
|
||||
|
||||
- Build docker and kubernetes features only on supported platforms. {pull}13509[13509]
|
||||
- Need to register new processors to be used in the JS processor in their `init` functions. {pull}13509[13509]
|
||||
|
||||
==== Added
|
||||
|
||||
- Compare event by event in `testadata` framework to avoid sorting problems {pull}13747[13747]
|
||||
|
||||
=== Beats version 7.4.1
|
||||
https://github.com/elastic/beats/compare/v7.4.0..v7.4.1[Check the HEAD diff]
|
||||
|
||||
=== Beats version 7.4.0
|
||||
https://github.com/elastic/beats/compare/v7.3.1..v7.4.0[Check the HEAD diff]
|
||||
|
||||
==== Breaking changes
|
||||
|
||||
- For "metricbeat style" generated custom beats, the mage target `GoTestIntegration` has changed to `GoIntegTest` and `GoTestUnit` has changed to `GoUnitTest`. {pull}13341[13341]
|
||||
|
||||
==== Added
|
||||
|
||||
- Add ClientFactory to TCP input source to add SplitFunc/NetworkFuncs per client. {pull}8543[8543]
|
||||
- Introduce beat.OutputChooses publisher mode. {pull}12996[12996]
|
||||
- Ensure that beat.Processor, beat.ProcessorList, and processors.ProcessorList are compatible and can be composed more easily. {pull}12996[12996]
|
||||
- Add support to close beat.Client via beat.CloseRef (a subset of context.Context). {pull}13031[13031]
|
||||
- Add checks for types and formats used in fields definitions in `fields.yml` files. {pull}13188[13188]
|
||||
- Makefile included in generator copies files from beats repository using `git archive` instead of cp. {pull}13193[13193]
|
||||
|
||||
=== Beats version 7.3.2
|
||||
https://github.com/elastic/beats/compare/v7.3.1..v7.3.2[Check the HEAD diff]
|
||||
|
||||
=== Beats version 7.3.1
|
||||
https://github.com/elastic/beats/compare/v7.3.0..v7.3.1[Check the HEAD diff]
|
||||
|
||||
=== Beats version 7.3.0
|
||||
https://github.com/elastic/beats/compare/v7.2.1..v7.3.0[Check the HEAD diff]
|
||||
|
||||
==== Added
|
||||
|
||||
- Add new option `IgnoreAllErrors` to `libbeat.common.schema` for skipping fields that failed while converting. {pull}12089[12089]
|
||||
|
||||
=== Beats version 7.2.1
|
||||
https://github.com/elastic/beats/compare/v7.2.0..v7.2.1[Check the HEAD diff]
|
||||
|
||||
=== Beats version 7.2.0
|
||||
https://github.com/elastic/beats/compare/v7.1.1..v7.2.0[Check the HEAD diff]
|
||||
|
||||
==== Breaking changes
|
||||
|
||||
- Move Fields from package libbeat/common to libbeat/mapping. {pull}11198[11198]
|
||||
|
||||
==== Added
|
||||
|
||||
- Metricset generator generates beta modules by default now. {pull}10657[10657]
|
||||
- The `beat.Event` accessor methods now support `@metadata` keys. {pull}10761[10761]
|
||||
- Assertion for documented fields in tests fails if any of the fields in the tested event is documented as an alias. {pull}10921[10921]
|
||||
- Support for Logger in the Metricset base instance. {pull}11106[11106]
|
||||
- Filebeat modules can now use ingest pipelines in YAML format. {pull}11209[11209]
|
||||
- Prometheus helper for metricbeat contains now `Namespace` field for `prometheus.MetricsMappings` {pull}11424[11424]
|
||||
- Update Jinja2 version to 2.10.1. {pull}11817[11817]
|
||||
- Reduce idxmgmt.Supporter interface and rework export commands to reuse logic. {pull}11777[11777],{pull}12065[12065],{pull}12067[12067],{pull}12160[12160]
|
||||
- Update urllib3 version to 1.24.2 {pull}11930[11930]
|
||||
- Add libbeat/common/cleanup package. {pull}12134[12134]
|
||||
- Only Load minimal template if no fields are provided. {pull}12103[12103]
|
||||
- Add new option `IgnoreAllErrors` to `libbeat.common.schema` for skipping fields that failed while converting. {pull}12089[12089]
|
||||
- Deprecate setup cmds for `template` and `ilm-policy`. Add new setup cmd for `index-management`. {pull}12132[12132]
|
||||
|
||||
=== Beats version 7.1.1
|
||||
https://github.com/elastic/beats/compare/v7.1.0..v7.1.1[Check the HEAD diff]
|
||||
|
||||
=== Beats version 7.1.0
|
||||
https://github.com/elastic/beats/compare/v7.0.0..v7.1.0[Check the HEAD diff]
|
||||
|
||||
=== Beats version 7.0.1
|
||||
https://github.com/elastic/beats/compare/v7.0.0..v7.0.1[Check the HEAD diff]
|
||||
|
||||
=== Beats version 7.0.0-GA
|
||||
https://github.com/elastic/beats/compare/v7.0.0-rc2..v7.0.0[Check the HEAD diff]
|
||||
|
||||
The list below covers the major changes between 7.0.0-rc2 and 7.0 only.
|
||||
|
||||
==== Added
|
||||
|
||||
- Added support for using PYTHON_EXE to control what Python interpreter is used
|
||||
by `make` and `mage`. Example: `export PYTHON_EXE=python2.7`. {pull}11212[11212]
|
||||
|
||||
=== Beats version 7.0.0-rc2
|
||||
https://github.com/elastic/beats/compare/v7.0.0-rc1..v7.0.0-rc2[Check the HEAD diff]
|
||||
|
||||
=== Beats version 7.0.0-rc1
|
||||
https://github.com/elastic/beats/compare/v7.0.0-beta1..v7.0.0-rc1[Check the HEAD diff]
|
||||
|
||||
==== Breaking changes
|
||||
|
||||
- Remove support for deprecated `GenRootCmd` methods. {pull}10721[10721]
|
||||
- Remove SkipNormalization, SkipAgentMetadata, SkipAddHostName. {pull}10801[10801] {pull}10769[10769]
|
||||
|
||||
==== Bugfixes
|
||||
|
||||
- Align default index between elasticsearch and logstash and kafka output. {pull}10841[10841]
|
||||
- Fix duplication check for `append_fields` option. {pull}10959[10959]
|
||||
|
||||
==== Added
|
||||
|
||||
- Introduce processing.Support to instance.Setting. This allows Beats to fully modify the event processing. {pull}10801[10801]
|
||||
|
||||
=== Beats version 7.0.0-beta1
|
||||
https://github.com/elastic/beats/compare/v7.0.0-alpha2..v7.0.0-beta1[Check the HEAD diff]
|
||||
|
||||
==== Breaking changes
|
||||
- Outputs receive Index Manager as additional parameter. The index manager can
|
||||
be used to create an index selector. {pull}10347[10347]
|
||||
- Remove support for loading dashboards to Elasticsearch 5. {pull}10451[10451]
|
||||
|
||||
==== Added
|
||||
|
||||
- Allow multiple object type configurations per field. {pull}9772[9772]
|
||||
- Move agent metadata addition to a processor. {pull}9952[9952]
|
||||
- Add (*common.Config).Has and (*common.Config).Remove. {pull}10363[10363]
|
||||
- Introduce ILM and IndexManagement support to beat.Settings. {pull}10347[10347]
|
||||
- Generating index pattern on demand instead of shipping them in the packages. {pull}10478[10478]
|
||||
|
||||
=== Beats version 7.0.0-alpha2
|
||||
https://github.com/elastic/beats/compare/v6.3.0..v7.0.0-alpha2[Check the HEAD diff]
|
||||
|
||||
The list below covers the major changes between 6.3.0 and 7.0.0-alpha2 only.
|
||||
|
||||
==== Breaking changes
|
||||
|
||||
- The beat.Pipeline is now passed to cfgfile.RunnerFactory. Beats using libbeat for module reloading or autodiscovery need to be adapted. {pull}7018[7017]
|
||||
- Moving of TLS helper functions and structs from `output/tls` to `tlscommon`. {pull}7054[7054]
|
||||
- Port fields.yml collector to Golang {pull}6911[6911]
|
||||
- Dashboards under _meta/kibana are expected to be decoded. See https://github.com/elastic/beats/pull/7224 for a conversion script. {pull}7265[7265]
|
||||
- Constructor `(github.com/elastic/beats/libbeat/output/codec/json).New` expects a new `escapeHTML` parameter. {pull}7445[7445]
|
||||
- Packaging has been refactored and updates are required. See the PR for migration details. {pull}7388[7388]
|
||||
- `make fields` has been modified to use Mage (https://magefile.org/) in an effort to make
|
||||
the building a Beat more cross-platform friendly (e.g. Windows). This requires that your Beat
|
||||
has a magefile.go with a fields target. The `FIELDS_FILE_PATH` make variable is no longer
|
||||
used because the value is specified in magefile.go. {pull}7670[7670]
|
||||
- Outputs must implement String. {pull}6404[6404]
|
||||
- Renamed `-beat-name` CLI option used in `kibana_index_pattern.go` to `-beat` for consistency with other scripts in `dev-tools/cmd`. {pull}8615[8615]
|
||||
- Systemd unit file template used on Linux packaging now includes environment variables to ease flag overriding. One of them includes the `-e` flag, making beats log to stderr by default on systemd uses. {pull}8942[8942]
|
||||
- Removed dashboards and index patterns generation for Kibana 5. {pull}8927[8927]
|
||||
- Move generator packages of Filebeat from `scripts/generator` to `generator`. {pull}9147[9147]
|
||||
|
||||
==== Bugfixes
|
||||
|
||||
- Fix permissions of generated Filebeat filesets. {pull}7140[7140]
|
||||
- Collect fields from _meta/fields.yml too. {pull}8397[8397]
|
||||
- Fix issue on asset generation that could lead to different results in Windows. {pull}8464[8464]
|
||||
- Remove default version qualifier, you can use `VERSION_QUALIFIER` environment variable to set it. {pull}9148[9148]
|
||||
|
||||
==== Added
|
||||
|
||||
- Libbeat provides a global registry for beats developer that allow to register and retrieve plugin. {pull}7392[7392]
|
||||
- Added more options to control required and optional fields in schema.Apply(), error returned is a plain nil if no error happened {pull}7335[7335]
|
||||
- Packaging on MacOS now produces a .dmg file containing an installer (.pkg) and uninstaller for the Beat. {pull}7481[7481]
|
||||
- Added mage targets `goTestUnit` and `goTestIntegration` for executing
|
||||
'go test'. This captures the log to a file, summarizes the result, produces a
|
||||
coverage profile (.cov), and produces an HTML coverage report. See
|
||||
`mage -h goTestUnit`. {pull}7766[7766]
|
||||
- Beats packaging now build non-oss binaries from code located in the x-pack folder. {issue}7783[7783]
|
||||
- New function `AddTagsWithKey` is added, so `common.MapStr` can be enriched with tags with an arbitrary key. {pull}7991[7991]
|
||||
- Move filebeat/reader to libbeat/reader {pull}8206[8206]
|
||||
- Libbeat provides a new function `cmd.GenRootCmdWithSettings` that should be preferred over deprecated functions
|
||||
`cmd.GenRootCmd`, `cmd.GenRootCmdWithRunFlags`, and `cmd.GenRootCmdWithIndexPrefixWithRunFlags`. {pull}7850[7850]
|
||||
- Set current year in generator templates. {pull}8396[8396]
|
||||
- You can now override default settings of libbeat by using instance.Settings. {pull}8449[8449]
|
||||
- Add `-space-id` option to `export_dashboards.go` script to support Kibana Spaces {pull}7942[7942]
|
||||
- Add `-name` option to `asset.go` script to explicitly name the asset rather than using its filename. {pull}8693[8693]
|
||||
- Add `-out` option to `kibana_index_pattern.go` to control the output dir to make it possible to write the generated output to `build/kibana` instead of `_meta/kibana.generated` (but the output dir remains unchanged at this point). {pull}8615[8615]
|
||||
- Add `module_fields.go` for generated `fields.go` files for modules. {pull}8615[8615]
|
||||
- Add `mage.GenerateModuleReferenceConfig` for generating reference config files that include configuration sections from the module directory. {pull}8615[8615]
|
||||
- Add `mage.GenerateFieldsGo` for generating fields.go files. {pull}8615[8615]
|
||||
- Add `mage.KibanaDashboards` for collecting Kibana dashboards and generating index patterns. {pull}8615[8615]
|
||||
- Allow to disable config resolver using the `Settings.DisableConfigResolver` field when initializing libbeat. {pull}8769[8769]
|
||||
- Add `mage.AddPlatforms` to allow to specify dependent platforms when building a beat. {pull}8889[8889]
|
||||
- Add `cfgwarn.CheckRemoved6xSetting(s)` to display a warning for options removed in 7.0. {pull}8909[8909]
|
||||
- Add docker image building to `mage.Package`. {pull}8898[8898]
|
||||
- Simplified exporting of dashboards. {pull}7730[7730]
|
||||
- Update Beats to use go 1.11.2 {pull}8746[8746]
|
||||
- Allow/Merge fields.yml overrides {pull}9188[9188]
|
||||
- Filesets can now define multiple ingest pipelines, with the first one considered as the entry point pipeline. {pull}8914[8914]
|
||||
- Add `group_measurements_by_instance` option to windows perfmon metricset. {pull}8688[8688]
|
|
@ -1,55 +0,0 @@
|
|||
// Use these for links to issue and pulls. Note issues and pulls redirect one to
|
||||
// each other on Github, so don't worry too much on using the right prefix.
|
||||
:issue: https://github.com/elastic/beats/issues/
|
||||
:pull: https://github.com/elastic/beats/pull/
|
||||
|
||||
This changelog is intended for community Beat developers. It covers the major
|
||||
breaking changes to the internal APIs in the official Beats and changes related
|
||||
to developing a Beat like code generators or `fields.yml`. Only the major
|
||||
changes will be covered in this changelog that are expected to affect community
|
||||
developers. Each breaking change added here should have an explanation on how
|
||||
other Beats should be migrated.
|
||||
|
||||
Note: This changelog documents the current changes which are not yet present in
|
||||
an actual release.
|
||||
|
||||
=== Beats version HEAD
|
||||
https://github.com/elastic/beats/compare/v7.0.0-rc2..master[Check the HEAD diff]
|
||||
|
||||
The list below covers the major changes between 7.0.0-rc2 and master only.
|
||||
|
||||
==== Breaking changes
|
||||
|
||||
- Move Fields from package libbeat/common to libbeat/mapping. {pull}11198[11198]
|
||||
- For "metricbeat style" generated custom beats, the mage target `GoTestIntegration` has changed to `GoIntegTest` and `GoTestUnit` has changed to `GoUnitTest`. {pull}13341[13341]
|
||||
|
||||
==== Bugfixes
|
||||
|
||||
- Stop using `mage:import` in community beats. This was ignoring the vendorized beats directory for some mage targets, using the code available in GOPATH, this causes inconsistencies and compilation problems if the version of the code in the GOPATH is different to the vendored one. Use of `mage:import` will continue to be unsupported in custom beats till beats is migrated to go modules, or mage supports vendored dependencies. {issue}13998[13998] {pull}14162[14162]
|
||||
|
||||
==== Added
|
||||
|
||||
- Metricset generator generates beta modules by default now. {pull}10657[10657]
|
||||
- The `beat.Event` accessor methods now support `@metadata` keys. {pull}10761[10761]
|
||||
- Assertion for documented fields in tests fails if any of the fields in the tested event is documented as an alias. {pull}10921[10921]
|
||||
- Support for Logger in the Metricset base instance. {pull}11106[11106]
|
||||
- Filebeat modules can now use ingest pipelines in YAML format. {pull}11209[11209]
|
||||
- Prometheus helper for metricbeat contains now `Namespace` field for `prometheus.MetricsMappings` {pull}11424[11424]
|
||||
- Update Jinja2 version to 2.10.1. {pull}11817[11817]
|
||||
- Reduce idxmgmt.Supporter interface and rework export commands to reuse logic. {pull}11777[11777],{pull}12065[12065],{pull}12067[12067],{pull}12160[12160]
|
||||
- Update urllib3 version to 1.24.2 {pull}11930[11930]
|
||||
- Add libbeat/common/cleanup package. {pull}12134[12134]
|
||||
- New helper to check for leaked goroutines on tests. {pull}12106[12106]
|
||||
- Only Load minimal template if no fields are provided. {pull}12103[12103]
|
||||
- Add new option `IgnoreAllErrors` to `libbeat.common.schema` for skipping fields that failed while converting. {pull}12089[12089]
|
||||
- Deprecate setup cmds for `template` and `ilm-policy`. Add new setup cmd for `index-management`. {pull}12132[12132]
|
||||
- Use the go-lookslike library for testing in heartbeat. Eventually the mapval package will be replaced with it. {pull}12540[12540]
|
||||
- New ReporterV2 interfaces that can receive a context on `Fetch(ctx, reporter)`, or `Run(ctx, reporter)`. {pull}11981[11981]
|
||||
- Generate configuration from `mage` for all Beats. {pull}12618[12618]
|
||||
- Add ClientFactory to TCP input source to add SplitFunc/NetworkFuncs per client. {pull}8543[8543]
|
||||
- Introduce beat.OutputChooses publisher mode. {pull}12996[12996]
|
||||
- Ensure that beat.Processor, beat.ProcessorList, and processors.ProcessorList are compatible and can be composed more easily. {pull}12996[12996]
|
||||
- Add support to close beat.Client via beat.CloseRef (a subset of context.Context). {pull}13031[13031]
|
||||
- Add checks for types and formats used in fields definitions in `fields.yml` files. {pull}13188[13188]
|
||||
- Makefile included in generator copies files from beats repository using `git archive` instead of cp. {pull}13193[13193]
|
||||
- Strip debug symbols from binaries to reduce binary sizes. {issue}12768[12768]
|
|
@ -1,145 +0,0 @@
|
|||
// Use these for links to issue and pulls. Note issues and pulls redirect one to
|
||||
// each other on Github, so don't worry too much on using the right prefix.
|
||||
:issue: https://github.com/elastic/beats/issues/
|
||||
:pull: https://github.com/elastic/beats/pull/
|
||||
|
||||
=== Beats version HEAD
|
||||
https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD diff]
|
||||
|
||||
==== Breaking changes
|
||||
|
||||
*Affecting all Beats*
|
||||
|
||||
- Update to Golang 1.12.1. {pull}11330[11330]
|
||||
|
||||
*Auditbeat*
|
||||
|
||||
|
||||
*Filebeat*
|
||||
|
||||
- Fix parsing of Elasticsearch node name by `elasticsearch/slowlog` fileset. {pull}14547[14547]
|
||||
|
||||
*Heartbeat*
|
||||
|
||||
|
||||
*Journalbeat*
|
||||
|
||||
- Remove broken dashboard. {pull}15288[15288]
|
||||
|
||||
*Metricbeat*
|
||||
|
||||
- kubernetes.container.cpu.limit.cores and kubernetes.container.cpu.requests.cores are now floats. {issue}11975[11975]
|
||||
|
||||
*Packetbeat*
|
||||
|
||||
|
||||
*Winlogbeat*
|
||||
|
||||
*Functionbeat*
|
||||
|
||||
|
||||
==== Bugfixes
|
||||
|
||||
*Affecting all Beats*
|
||||
|
||||
- Fix a race condition with the Kafka pipeline client, it is possible that `Close()` get called before `Connect()` . {issue}11945[11945]
|
||||
- Allow users to configure only `cluster_uuid` setting under `monitoring` namespace. {pull}14338[14338]
|
||||
|
||||
*Auditbeat*
|
||||
|
||||
|
||||
*Filebeat*
|
||||
|
||||
- cisco/asa fileset: Fix parsing of 302021 message code. {pull}14519[14519]
|
||||
- Fix filebeat azure dashboards, event category should be `Alert`. {pull}14668[14668]
|
||||
- Check content-type when creating new reader in s3 input. {pull}15252[15252] {issue}15225[15225]
|
||||
- Fix session reset detection and a crash in Netflow input. {pull}14904[14904]
|
||||
- netflow: Allow for options templates without scope fields. {pull}15449[15449]
|
||||
- netflow: Fix bytes/packets counters on some devices (NSEL and Netstream). {pull}15449[15449]
|
||||
- netflow: Fix compatibility with some Cisco devices by changing the field `class_id` from short to long. {pull}15449[15449]
|
||||
- Fixed dashboard for Cisco ASA Firewall. {issue}15420[15420] {pull}15553[15553]
|
||||
|
||||
*Heartbeat*
|
||||
|
||||
- Fix recording of SSL cert metadata for Expired/Unvalidated x509 certs. {pull}13687[13687]
|
||||
|
||||
*Journalbeat*
|
||||
|
||||
|
||||
*Metricbeat*
|
||||
|
||||
- Fix checking tagsFilter using length in cloudwatch metricset. {pull}14525[14525]
|
||||
- Fixed bug with `elasticsearch/cluster_stats` metricset not recording license expiration date correctly. {issue}14541[14541] {pull}14591[14591]
|
||||
- Log bulk failures from bulk API requests to monitoring cluster. {issue}14303[14303] {pull}14356[14356]
|
||||
- Fix regular expression to detect instance name in perfmon metricset. {issue}14273[14273] {pull}14666[14666]
|
||||
- Fixed bug with `elasticsearch/cluster_stats` metricset not recording license ID in the correct field. {pull}14592[14592]
|
||||
- Fix `docker.container.size` fields values {issue}14979[14979] {pull}15224[15224]
|
||||
- Make `kibana` module more resilient to Kibana unavailability. {issue}15258[15258] {pull}15270[15270]
|
||||
- Fix panic exception with some unicode strings in perfmon metricset. {issue}15264[15264]
|
||||
- Make `logstash` module more resilient to Logstash unavailability. {issue}15276[15276] {pull}15306[15306]
|
||||
|
||||
*Packetbeat*
|
||||
|
||||
|
||||
*Winlogbeat*
|
||||
|
||||
|
||||
*Functionbeat*
|
||||
|
||||
|
||||
==== Added
|
||||
|
||||
*Affecting all Beats*
|
||||
|
||||
- Add a friendly log message when a request to docker has exceeded the deadline. {pull}15336[15336]
|
||||
|
||||
*Auditbeat*
|
||||
|
||||
|
||||
*Filebeat*
|
||||
|
||||
- `container` and `docker` inputs now support reading of labels and env vars written by docker JSON file logging driver. {issue}8358[8358]
|
||||
- Add `index` option to all inputs to directly set a per-input index value. {pull}14010[14010]
|
||||
- Include log.source.address for unparseable syslog messages. {issue}13268[13268] {pull}15453[15453]
|
||||
|
||||
*Heartbeat*
|
||||
|
||||
|
||||
*Journalbeat*
|
||||
|
||||
*Metricbeat*
|
||||
|
||||
|
||||
*Packetbeat*
|
||||
|
||||
|
||||
*Functionbeat*
|
||||
|
||||
|
||||
*Winlogbeat*
|
||||
|
||||
|
||||
==== Deprecated
|
||||
|
||||
*Affecting all Beats*
|
||||
|
||||
*Filebeat*
|
||||
|
||||
|
||||
*Heartbeat*
|
||||
|
||||
*Journalbeat*
|
||||
|
||||
*Metricbeat*
|
||||
|
||||
|
||||
*Packetbeat*
|
||||
|
||||
*Winlogbeat*
|
||||
|
||||
*Functionbeat*
|
||||
|
||||
==== Known Issue
|
||||
|
||||
*Journalbeat*
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
Please post all questions and issues first on
|
||||
[https://discuss.elastic.co/c/beats](https://discuss.elastic.co/c/beats)
|
||||
before opening a Github Issue.
|
||||
|
||||
# Contributing to Beats
|
||||
|
||||
The Beats are open source and we love to receive contributions from our
|
||||
community — you!
|
||||
|
||||
There are many ways to contribute, from writing tutorials or blog posts,
|
||||
improving the documentation, submitting bug reports and feature requests or
|
||||
writing code for implementing a whole new protocol.
|
||||
|
||||
If you want to contribute to the Beats project, you can start by reading
|
||||
the [contributing guidelines](https://www.elastic.co/guide/en/beats/devguide/current/beats-contributing.html)
|
||||
in the _Beats Developer Guide_.
|
||||
|
|
@ -1,125 +0,0 @@
|
|||
#!/usr/bin/env groovy
|
||||
|
||||
library identifier: 'apm@current',
|
||||
retriever: modernSCM(
|
||||
[$class: 'GitSCMSource',
|
||||
credentialsId: 'f94e9298-83ae-417e-ba91-85c279771570',
|
||||
id: '37cf2c00-2cc7-482e-8c62-7bbffef475e2',
|
||||
remote: 'git@github.com:elastic/apm-pipeline-library.git'])
|
||||
|
||||
pipeline {
|
||||
agent none
|
||||
environment {
|
||||
BASE_DIR = 'src/github.com/elastic/beats'
|
||||
}
|
||||
options {
|
||||
timeout(time: 1, unit: 'HOURS')
|
||||
buildDiscarder(logRotator(numToKeepStr: '20', artifactNumToKeepStr: '20', daysToKeepStr: '30'))
|
||||
timestamps()
|
||||
ansiColor('xterm')
|
||||
disableResume()
|
||||
durabilityHint('PERFORMANCE_OPTIMIZED')
|
||||
}
|
||||
triggers {
|
||||
issueCommentTrigger('(?i).*(?:jenkins\\W+)?run\\W+(?:the\\W+)?tests(?:\\W+please)?.*')
|
||||
}
|
||||
parameters {
|
||||
booleanParam(name: 'Run_As_Master_Branch', defaultValue: false, description: 'Allow to run any steps on a PR, some steps normally only run on master branch.')
|
||||
}
|
||||
stages {
|
||||
/**
|
||||
Checkout the code and stash it, to use it on other stages.
|
||||
*/
|
||||
stage('Checkout') {
|
||||
agent { label 'linux && immutable' }
|
||||
environment {
|
||||
PATH = "${env.PATH}:${env.WORKSPACE}/bin"
|
||||
HOME = "${env.WORKSPACE}"
|
||||
GOPATH = "${env.WORKSPACE}"
|
||||
}
|
||||
options { skipDefaultCheckout() }
|
||||
steps {
|
||||
dir("${BASE_DIR}"){
|
||||
checkout scm
|
||||
}
|
||||
stash allowEmpty: true, name: 'source', useDefaultExcludes: false
|
||||
script {
|
||||
env.GO_VERSION = readFile("${BASE_DIR}/.go-version")
|
||||
}
|
||||
}
|
||||
}
|
||||
/**
|
||||
Updating generated files for Beat.
|
||||
Checks the GO environment.
|
||||
Checks the Python environment.
|
||||
Checks YAML files are generated.
|
||||
Validate that all updates were committed.
|
||||
*/
|
||||
stage('Intake') {
|
||||
agent { label 'linux && immutable' }
|
||||
options { skipDefaultCheckout() }
|
||||
environment {
|
||||
PATH = "${env.PATH}:${env.WORKSPACE}/bin"
|
||||
HOME = "${env.WORKSPACE}"
|
||||
GOPATH = "${env.WORKSPACE}"
|
||||
}
|
||||
steps {
|
||||
withGithubNotify(context: 'Intake') {
|
||||
deleteDir()
|
||||
unstash 'source'
|
||||
dir("${BASE_DIR}"){
|
||||
sh './dev-tools/jenkins_intake.sh'
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
stage('Test') {
|
||||
failFast true
|
||||
parallel {
|
||||
/**
|
||||
Run unit tests and report junit results.
|
||||
*/
|
||||
stage('Filebeat') {
|
||||
agent { label 'linux && immutable' }
|
||||
options { skipDefaultCheckout() }
|
||||
environment {
|
||||
PATH = "${env.PATH}:${env.WORKSPACE}/bin"
|
||||
HOME = "${env.WORKSPACE}"
|
||||
GOPATH = "${env.WORKSPACE}"
|
||||
}
|
||||
steps {
|
||||
withGithubNotify(context: 'Test', tab: 'tests') {
|
||||
deleteDir()
|
||||
unstash 'source'
|
||||
dir("${BASE_DIR}"){
|
||||
sh './filebeat/scripts/jenkins/unit-test.sh'
|
||||
}
|
||||
}
|
||||
}
|
||||
post {
|
||||
always {
|
||||
junit(allowEmptyResults: true,
|
||||
keepLongStdio: true,
|
||||
testResults: "${BASE_DIR}/build/junit-*.xml")
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
post {
|
||||
success {
|
||||
echoColor(text: '[SUCCESS]', colorfg: 'green', colorbg: 'default')
|
||||
}
|
||||
aborted {
|
||||
echoColor(text: '[ABORTED]', colorfg: 'magenta', colorbg: 'default')
|
||||
}
|
||||
failure {
|
||||
echoColor(text: '[FAILURE]', colorfg: 'red', colorbg: 'default')
|
||||
//step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: "${NOTIFY_TO}", sendToIndividuals: false])
|
||||
}
|
||||
unstable {
|
||||
echoColor(text: '[UNSTABLE]', colorfg: 'yellow', colorbg: 'default')
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,13 +0,0 @@
|
|||
Source code in this repository is variously licensed under the Apache License
|
||||
Version 2.0, an Apache compatible license, or the Elastic License. Outside of
|
||||
the "x-pack" folder, source code in a given file is licensed under the Apache
|
||||
License Version 2.0, unless otherwise noted at the beginning of the file or a
|
||||
LICENSE file present in the directory subtree declares a separate license.
|
||||
Within the "x-pack" folder, source code in a given file is licensed under the
|
||||
Elastic License, unless otherwise noted at the beginning of the file or a
|
||||
LICENSE file present in the directory subtree declares a separate license.
|
||||
|
||||
The build produces two sets of binaries - one set that falls under the Elastic
|
||||
License and another set that falls under Apache License Version 2.0. The
|
||||
binaries that contain `-oss` in the artifact name are licensed under the Apache
|
||||
License Version 2.0.
|
|
@ -1,184 +0,0 @@
|
|||
BUILD_DIR=$(CURDIR)/build
|
||||
COVERAGE_DIR=$(BUILD_DIR)/coverage
|
||||
BEATS?=auditbeat filebeat heartbeat journalbeat metricbeat packetbeat winlogbeat x-pack/functionbeat
|
||||
PROJECTS=libbeat $(BEATS)
|
||||
PROJECTS_ENV=libbeat filebeat metricbeat
|
||||
PYTHON_ENV?=$(BUILD_DIR)/python-env
|
||||
VIRTUALENV_PARAMS?=
|
||||
FIND=find . -type f -not -path "*/vendor/*" -not -path "*/build/*" -not -path "*/.git/*"
|
||||
GOLINT=golint
|
||||
GOLINT_REPO=golang.org/x/lint/golint
|
||||
REVIEWDOG=reviewdog
|
||||
REVIEWDOG_OPTIONS?=-diff "git diff master"
|
||||
REVIEWDOG_REPO=github.com/haya14busa/reviewdog/cmd/reviewdog
|
||||
XPACK_SUFFIX=x-pack/
|
||||
|
||||
# PROJECTS_XPACK_PKG is a list of Beats that have independent packaging support
|
||||
# in the x-pack directory (rather than having the OSS build produce both sets
|
||||
# of artifacts). This will be removed once we complete the transition.
|
||||
PROJECTS_XPACK_PKG=x-pack/auditbeat x-pack/filebeat x-pack/metricbeat x-pack/winlogbeat
|
||||
# PROJECTS_XPACK_MAGE is a list of Beats whose primary build logic is based in
|
||||
# Mage. For compatibility with CI testing these projects support a subset of the
|
||||
# makefile targets. After all Beats converge to primarily using Mage we can
|
||||
# remove this and treat all sub-projects the same.
|
||||
PROJECTS_XPACK_MAGE=$(PROJECTS_XPACK_PKG)
|
||||
|
||||
#
|
||||
# Includes
|
||||
#
|
||||
include dev-tools/make/mage.mk
|
||||
|
||||
# Runs complete testsuites (unit, system, integration) for all beats with coverage and race detection.
|
||||
# Also it builds the docs and the generators
|
||||
|
||||
.PHONY: testsuite
|
||||
testsuite:
|
||||
@$(foreach var,$(PROJECTS) $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) testsuite || exit 1;)
|
||||
|
||||
.PHONY: setup-commit-hook
|
||||
setup-commit-hook:
|
||||
@cp script/pre_commit.sh .git/hooks/pre-commit
|
||||
@chmod 751 .git/hooks/pre-commit
|
||||
|
||||
stop-environments:
|
||||
@$(foreach var,$(PROJECTS_ENV),$(MAKE) -C $(var) stop-environment || exit 0;)
|
||||
|
||||
# Runs unit and system tests without coverage and race detection.
|
||||
.PHONY: test
|
||||
test:
|
||||
@$(foreach var,$(PROJECTS),$(MAKE) -C $(var) test || exit 1;)
|
||||
|
||||
# Runs unit tests without coverage and race detection.
|
||||
.PHONY: unit
|
||||
unit:
|
||||
@$(foreach var,$(PROJECTS),$(MAKE) -C $(var) unit || exit 1;)
|
||||
|
||||
# Crosscompile all beats.
|
||||
.PHONY: crosscompile
|
||||
crosscompile:
|
||||
@$(foreach var,filebeat winlogbeat metricbeat heartbeat auditbeat,$(MAKE) -C $(var) crosscompile || exit 1;)
|
||||
|
||||
.PHONY: coverage-report
|
||||
coverage-report:
|
||||
@mkdir -p $(COVERAGE_DIR)
|
||||
@echo 'mode: atomic' > ./$(COVERAGE_DIR)/full.cov
|
||||
@# Collects all coverage files and skips top line with mode
|
||||
@$(foreach var,$(PROJECTS),tail -q -n +2 ./$(var)/$(COVERAGE_DIR)/*.cov >> ./$(COVERAGE_DIR)/full.cov || true;)
|
||||
@go tool cover -html=./$(COVERAGE_DIR)/full.cov -o $(COVERAGE_DIR)/full.html
|
||||
@echo "Generated coverage report $(COVERAGE_DIR)/full.html"
|
||||
|
||||
.PHONY: update
|
||||
update: notice
|
||||
@$(foreach var,$(PROJECTS) $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) update || exit 1;)
|
||||
@$(MAKE) -C deploy/kubernetes all
|
||||
|
||||
.PHONY: clean
|
||||
clean: mage
|
||||
@rm -rf build
|
||||
@$(foreach var,$(PROJECTS) $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) clean || exit 1;)
|
||||
@$(MAKE) -C generator clean
|
||||
@-mage -clean
|
||||
|
||||
# Cleans up the vendor directory from unnecessary files
|
||||
# This should always be run after updating the dependencies
|
||||
.PHONY: clean-vendor
|
||||
clean-vendor:
|
||||
@sh script/clean_vendor.sh
|
||||
|
||||
.PHONY: check
|
||||
check: python-env
|
||||
@$(foreach var,$(PROJECTS) dev-tools $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) check || exit 1;)
|
||||
@# Checks also python files which are not part of the beats
|
||||
@$(FIND) -name *.py -exec $(PYTHON_ENV)/bin/autopep8 -d --max-line-length 120 {} \; | (! grep . -q) || (echo "Code differs from autopep8's style" && false)
|
||||
@# Validate that all updates were committed
|
||||
@$(MAKE) update
|
||||
@$(MAKE) check-headers
|
||||
@git diff | cat
|
||||
@git update-index --refresh
|
||||
@git diff-index --exit-code HEAD --
|
||||
|
||||
.PHONY: check-headers
|
||||
check-headers: mage
|
||||
@mage checkLicenseHeaders
|
||||
|
||||
.PHONY: add-headers
|
||||
add-headers: mage
|
||||
@mage addLicenseHeaders
|
||||
|
||||
# Corrects spelling errors
|
||||
.PHONY: misspell
|
||||
misspell:
|
||||
go get -u github.com/client9/misspell/cmd/misspell
|
||||
# Ignore Kibana files (.json)
|
||||
$(FIND) \
|
||||
-not -path "*.json" \
|
||||
-not -path "*.log" \
|
||||
-name '*' \
|
||||
-exec misspell -w {} \;
|
||||
|
||||
.PHONY: fmt
|
||||
fmt: add-headers python-env
|
||||
@$(foreach var,$(PROJECTS) dev-tools $(PROJECTS_XPACK_MAGE),$(MAKE) -C $(var) fmt || exit 1;)
|
||||
@# Cleans also python files which are not part of the beats
|
||||
@$(FIND) -name "*.py" -exec $(PYTHON_ENV)/bin/autopep8 --in-place --max-line-length 120 {} \;
|
||||
|
||||
.PHONY: lint
|
||||
lint:
|
||||
@go get $(GOLINT_REPO) $(REVIEWDOG_REPO)
|
||||
$(REVIEWDOG) $(REVIEWDOG_OPTIONS)
|
||||
|
||||
# Builds the documents for each beat
|
||||
.PHONY: docs
|
||||
docs:
|
||||
@$(foreach var,$(PROJECTS),BUILD_DIR=${BUILD_DIR} $(MAKE) -C $(var) docs || exit 1;)
|
||||
sh ./script/build_docs.sh dev-guide github.com/elastic/beats/docs/devguide ${BUILD_DIR}
|
||||
|
||||
.PHONY: notice
|
||||
notice: python-env
|
||||
@echo "Generating NOTICE"
|
||||
@$(PYTHON_ENV)/bin/python dev-tools/generate_notice.py .
|
||||
|
||||
# Sets up the virtual python environment
|
||||
.PHONY: python-env
|
||||
python-env:
|
||||
@test -d $(PYTHON_ENV) || virtualenv $(VIRTUALENV_PARAMS) $(PYTHON_ENV)
|
||||
@$(PYTHON_ENV)/bin/pip install -q --upgrade pip autopep8==1.3.5 six
|
||||
@# Work around pip bug. See: https://github.com/pypa/pip/issues/4464
|
||||
@find $(PYTHON_ENV) -type d -name dist-packages -exec sh -c "echo dist-packages > {}.pth" ';'
|
||||
|
||||
# Tests if apm works with the current code
|
||||
.PHONY: test-apm
|
||||
test-apm:
|
||||
sh ./script/test_apm.sh
|
||||
|
||||
### Packaging targets ####
|
||||
|
||||
# Builds a snapshot release.
|
||||
.PHONY: snapshot
|
||||
snapshot:
|
||||
@$(MAKE) SNAPSHOT=true release
|
||||
|
||||
# Builds a release.
|
||||
.PHONY: release
|
||||
release: beats-dashboards
|
||||
@$(foreach var,$(BEATS) $(PROJECTS_XPACK_PKG),$(MAKE) -C $(var) release || exit 1;)
|
||||
@$(foreach var,$(BEATS) $(PROJECTS_XPACK_PKG), \
|
||||
test -d $(var)/build/distributions && test -n "$$(ls $(var)/build/distributions)" || exit 0; \
|
||||
mkdir -p build/distributions/$(subst $(XPACK_SUFFIX),'',$(var)) && mv -f $(var)/build/distributions/* build/distributions/$(subst $(XPACK_SUFFIX),'',$(var))/ || exit 1;)
|
||||
|
||||
# Builds a snapshot release. The Go version defined in .go-version will be
|
||||
# installed and used for the build.
|
||||
.PHONY: release-manager-snapshot
|
||||
release-manager-snapshot:
|
||||
@$(MAKE) SNAPSHOT=true release-manager-release
|
||||
|
||||
# Builds a snapshot release. The Go version defined in .go-version will be
|
||||
# installed and used for the build.
|
||||
.PHONY: release-manager-release
|
||||
release-manager-release:
|
||||
./dev-tools/run_with_go_ver $(MAKE) release
|
||||
|
||||
# Collects dashboards from all Beats and generates a zip file distribution.
|
||||
.PHONY: beats-dashboards
|
||||
beats-dashboards: mage update
|
||||
@mage packageBeatDashboards
|
|
@ -1,87 +0,0 @@
|
|||
[![Travis](https://travis-ci.org/elastic/beats.svg?branch=master)](https://travis-ci.org/elastic/beats)
|
||||
[![GoReportCard](http://goreportcard.com/badge/elastic/beats)](http://goreportcard.com/report/elastic/beats)
|
||||
[![codecov.io](https://codecov.io/github/elastic/beats/coverage.svg?branch=master)](https://codecov.io/github/elastic/beats?branch=master)
|
||||
|
||||
# Beats - The Lightweight Shippers of the Elastic Stack
|
||||
|
||||
The [Beats](https://www.elastic.co/products/beats) are lightweight data
|
||||
shippers, written in Go, that you install on your servers to capture all sorts
|
||||
of operational data (think of logs, metrics, or network packet data). The Beats
|
||||
send the operational data to Elasticsearch, either directly or via Logstash, so
|
||||
it can be visualized with Kibana.
|
||||
|
||||
By "lightweight", we mean that Beats have a small installation footprint, use
|
||||
limited system resources, and have no runtime dependencies.
|
||||
|
||||
This repository contains
|
||||
[libbeat](https://github.com/elastic/beats/tree/master/libbeat), our Go
|
||||
framework for creating Beats, and all the officially supported Beats:
|
||||
|
||||
Beat | Description
|
||||
--- | ---
|
||||
[Auditbeat](https://github.com/elastic/beats/tree/master/auditbeat) | Collect your Linux audit framework data and monitor the integrity of your files.
|
||||
[Filebeat](https://github.com/elastic/beats/tree/master/filebeat) | Tails and ships log files
|
||||
[Functionbeat](https://github.com/elastic/beats/tree/master/x-pack/functionbeat) | Read and ships events from serverless infrastructure.
|
||||
[Heartbeat](https://github.com/elastic/beats/tree/master/heartbeat) | Ping remote services for availability
|
||||
[Journalbeat](https://github.com/elastic/beats/tree/master/journalbeat) | Read and ships event from Journald.
|
||||
[Metricbeat](https://github.com/elastic/beats/tree/master/metricbeat) | Fetches sets of metrics from the operating system and services
|
||||
[Packetbeat](https://github.com/elastic/beats/tree/master/packetbeat) | Monitors the network and applications by sniffing packets
|
||||
[Winlogbeat](https://github.com/elastic/beats/tree/master/winlogbeat) | Fetches and ships Windows Event logs
|
||||
|
||||
In addition to the above Beats, which are officially supported by
|
||||
[Elastic](https://elastic.co), the community has created a set of other Beats
|
||||
that make use of libbeat but live outside of this Github repository. We maintain
|
||||
a list of community Beats
|
||||
[here](https://www.elastic.co/guide/en/beats/libbeat/master/community-beats.html).
|
||||
|
||||
## Documentation and Getting Started
|
||||
|
||||
You can find the documentation and getting started guides for each of the Beats
|
||||
on the [elastic.co site](https://www.elastic.co/guide/):
|
||||
|
||||
* [Beats platform](https://www.elastic.co/guide/en/beats/libbeat/current/index.html)
|
||||
* [Auditbeat](https://www.elastic.co/guide/en/beats/auditbeat/current/index.html)
|
||||
* [Filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/index.html)
|
||||
* [Functionbeat](https://www.elastic.co/guide/en/beats/functionbeat/current/index.html)
|
||||
* [Heartbeat](https://www.elastic.co/guide/en/beats/heartbeat/current/index.html)
|
||||
* [Journalbeat](https://www.elastic.co/guide/en/beats/journalbeat/current/index.html)
|
||||
* [Metricbeat](https://www.elastic.co/guide/en/beats/metricbeat/current/index.html)
|
||||
* [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/index.html)
|
||||
* [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/index.html)
|
||||
|
||||
|
||||
## Getting Help
|
||||
|
||||
If you need help or hit an issue, please start by opening a topic on our
|
||||
[discuss forums](https://discuss.elastic.co/c/beats). Please note that we
|
||||
reserve GitHub tickets for confirmed bugs and enhancement requests.
|
||||
|
||||
## Downloads
|
||||
|
||||
You can download pre-compiled Beats binaries, as well as packages for the
|
||||
supported platforms, from [this page](https://www.elastic.co/downloads/beats).
|
||||
|
||||
## Contributing
|
||||
|
||||
We'd love working with you! You can help make the Beats better in many ways:
|
||||
report issues, help us reproduce issues, fix bugs, add functionality, or even
|
||||
create your own Beat.
|
||||
|
||||
Please start by reading our [CONTRIBUTING](CONTRIBUTING.md) file.
|
||||
|
||||
If you are creating a new Beat, you don't need to submit the code to this
|
||||
repository. You can simply start working in a new repository and make use of the
|
||||
libbeat packages, by following our [developer
|
||||
guide](https://www.elastic.co/guide/en/beats/libbeat/current/new-beat.html).
|
||||
After you have a working prototype, open a pull request to add your Beat to the
|
||||
list of [community
|
||||
Beats](https://github.com/elastic/beats/blob/master/libbeat/docs/communitybeats.asciidoc).
|
||||
|
||||
## Building Beats from the Source
|
||||
|
||||
See our [CONTRIBUTING](CONTRIBUTING.md) file for information about setting up
|
||||
your dev environment to build Beats from the source.
|
||||
|
||||
## Snapshots
|
||||
|
||||
For testing purposes, we generate snapshot builds that you can find [here](https://beats-ci.elastic.co/job/elastic+beats+master+multijob-package-linux/lastSuccessfulBuild/gcsObjects/). Please be aware that these are built on top of master and are not meant for production.
|
|
@ -1,286 +0,0 @@
|
|||
### Documentation
|
||||
#
|
||||
# This is a Vagrantfile for Beats development and testing. These are unofficial
|
||||
# environments to help developers test things in different environments.
|
||||
#
|
||||
# Notes
|
||||
# =====
|
||||
#
|
||||
# win2012, win2016, win2019
|
||||
# -------------------------
|
||||
#
|
||||
# To login install Microsoft Remote Desktop Client (available in Mac App Store).
|
||||
# Then run 'vagrant rdp' and login as user/pass vagrant/vagrant. Or you can
|
||||
# manually configure your RDP client to connect to the mapped 3389 port as shown
|
||||
# by 'vagrant port win2019'.
|
||||
#
|
||||
# The provisioning currently does no install libpcap sources or a pcap driver
|
||||
# (like npcap) so Packetbeat will not build/run without some manually setup.
|
||||
#
|
||||
# solaris
|
||||
# -------------------
|
||||
# - Use gmake instead of make.
|
||||
#
|
||||
# freebsd and openbsd
|
||||
# -------------------
|
||||
# - Use gmake instead of make.
|
||||
# - Folder syncing doesn't work well. Consider copying the files into the box or
|
||||
# cloning the project inside the box.
|
||||
###
|
||||
|
||||
# Read the branch's Go version from the .go-version file.
|
||||
GO_VERSION = File.read(File.join(File.dirname(__FILE__), ".go-version")).strip
|
||||
|
||||
# Provisioning for Windows PowerShell
|
||||
$winPsProvision = <<SCRIPT
|
||||
$gopath_beats = "C:\\Gopath\\src\\github.com\\elastic\\beats"
|
||||
if (-Not (Test-Path $gopath_beats)) {
|
||||
echo 'Creating github.com\\elastic in the GOPATH'
|
||||
New-Item -itemtype directory -path "C:\\Gopath\\src\\github.com\\elastic" -force
|
||||
echo "Symlinking C:\\Vagrant to C:\\Gopath\\src\\github.com\\elastic"
|
||||
cmd /c mklink /d $gopath_beats \\\\vboxsvr\\vagrant
|
||||
}
|
||||
|
||||
if (-Not (Get-Command "gvm" -ErrorAction SilentlyContinue)) {
|
||||
echo "Installing gvm to manage go version"
|
||||
[Net.ServicePointManager]::SecurityProtocol = "tls12"
|
||||
Invoke-WebRequest -URI https://github.com/andrewkroh/gvm/releases/download/v0.2.1/gvm-windows-amd64.exe -Outfile C:\\Windows\\System32\\gvm.exe
|
||||
C:\\Windows\\System32\\gvm.exe --format=powershell #{GO_VERSION} | Invoke-Expression
|
||||
go version
|
||||
|
||||
echo "Configure Go environment variables"
|
||||
[System.Environment]::SetEnvironmentVariable("GOPATH", "C:\\Gopath", [System.EnvironmentVariableTarget]::Machine)
|
||||
[System.Environment]::SetEnvironmentVariable("GOROOT", "C:\\Users\\vagrant\\.gvm\\versions\\go#{GO_VERSION}.windows.amd64", [System.EnvironmentVariableTarget]::Machine)
|
||||
[System.Environment]::SetEnvironmentVariable("PATH", "%GOROOT%\\bin;$env:PATH;C:\\Gopath\\bin", [System.EnvironmentVariableTarget]::Machine)
|
||||
}
|
||||
|
||||
$shell_link = "$Home\\Desktop\\Beats Shell.lnk"
|
||||
if (-Not (Test-Path $shell_link)) {
|
||||
echo "Creating Beats Shell desktop shortcut"
|
||||
$WshShell = New-Object -comObject WScript.Shell
|
||||
$Shortcut = $WshShell.CreateShortcut($shell_link)
|
||||
$Shortcut.TargetPath = "powershell.exe"
|
||||
$Shortcut.Arguments = "-noexit -command '$gopath_beats'"
|
||||
$Shortcut.WorkingDirectory = $gopath_beats
|
||||
$Shortcut.Save()
|
||||
}
|
||||
|
||||
Try {
|
||||
echo "Disabling automatic updates"
|
||||
$AUSettings = (New-Object -com "Microsoft.Update.AutoUpdate").Settings
|
||||
$AUSettings.NotificationLevel = 1
|
||||
$AUSettings.Save()
|
||||
} Catch {
|
||||
echo "Failed to disable automatic updates."
|
||||
}
|
||||
|
||||
if (-Not (Get-Command "choco" -ErrorAction SilentlyContinue)) {
|
||||
Set-ExecutionPolicy Bypass -Scope Process -Force
|
||||
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
|
||||
}
|
||||
|
||||
choco feature disable -n=showDownloadProgress
|
||||
|
||||
if (-Not (Get-Command "python" -ErrorAction SilentlyContinue)) {
|
||||
echo "Installing python2"
|
||||
choco install python2 -y -r
|
||||
refreshenv
|
||||
$env:PATH = "$env:PATH;C:\\Python27;C:\\Python27\\Scripts"
|
||||
}
|
||||
|
||||
if (-Not (Get-Command "pip" -ErrorAction SilentlyContinue)) {
|
||||
echo "Installing pip"
|
||||
Invoke-WebRequest https://bootstrap.pypa.io/get-pip.py -OutFile get-pip.py
|
||||
python get-pip.py -U --force-reinstall 2>&1 | %{ "$_" }
|
||||
rm get-pip.py
|
||||
Invoke-WebRequest
|
||||
} else {
|
||||
echo "Updating pip"
|
||||
python -m pip install --upgrade pip 2>&1 | %{ "$_" }
|
||||
}
|
||||
|
||||
if (-Not (Get-Command "virtualenv" -ErrorAction SilentlyContinue)) {
|
||||
echo "Installing virtualenv"
|
||||
python -m pip install virtualenv 2>&1 | %{ "$_" }
|
||||
}
|
||||
|
||||
if (-Not (Get-Command "git" -ErrorAction SilentlyContinue)) {
|
||||
echo "Installing git"
|
||||
choco install git -y -r
|
||||
}
|
||||
|
||||
if (-Not (Get-Command "gcc" -ErrorAction SilentlyContinue)) {
|
||||
echo "Installing mingw (gcc)"
|
||||
choco install mingw -y -r
|
||||
}
|
||||
SCRIPT
|
||||
|
||||
# Provisioning for Unix/Linux
|
||||
$unixProvision = <<SCRIPT
|
||||
echo 'Creating github.com/elastic in the GOPATH'
|
||||
mkdir -p ~/go/src/github.com/elastic
|
||||
echo 'Symlinking /vagrant to ~/go/src/github.com/elastic'
|
||||
cd ~/go/src/github.com/elastic
|
||||
if [ -d "/vagrant" ] && [ ! -e "beats" ]; then ln -s /vagrant beats; fi
|
||||
SCRIPT
|
||||
|
||||
# Linux GVM
|
||||
def linuxGvmProvision(arch="amd64")
|
||||
return <<SCRIPT
|
||||
mkdir -p ~/bin
|
||||
if [ ! -e "~/bin/gvm" ]; then
|
||||
curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.1.0/gvm-linux-#{arch}
|
||||
chmod +x ~/bin/gvm
|
||||
~/bin/gvm #{GO_VERSION}
|
||||
echo 'export GOPATH=$HOME/go' >> ~/.bash_profile
|
||||
echo 'export PATH=$HOME/bin:$GOPATH/bin:$PATH' >> ~/.bash_profile
|
||||
echo 'eval "$(gvm #{GO_VERSION})"' >> ~/.bash_profile
|
||||
fi
|
||||
SCRIPT
|
||||
end
|
||||
|
||||
# Provision packages for Linux Debian.
|
||||
def linuxDebianProvision()
|
||||
return <<SCRIPT
|
||||
#!/usr/bin/env bash
|
||||
set -eio pipefail
|
||||
apt-get update
|
||||
apt-get install -y make gcc python-pip python-virtualenv git
|
||||
SCRIPT
|
||||
end
|
||||
|
||||
Vagrant.configure(2) do |config|
|
||||
# Windows Server 2012 R2
|
||||
config.vm.define "win2012", primary: true do |c|
|
||||
c.vm.box = "https://s3.amazonaws.com/beats-files/vagrant/beats-win2012-r2-virtualbox-2016-10-28_1224.box"
|
||||
c.vm.guest = :windows
|
||||
|
||||
# Communicator for windows boxes
|
||||
c.vm.communicator = "winrm"
|
||||
|
||||
# Port forward WinRM and RDP
|
||||
c.vm.network :forwarded_port, guest: 22, host: 2222, id: "ssh", auto_correct: true
|
||||
c.vm.network :forwarded_port, guest: 3389, host: 33389, id: "rdp", auto_correct: true
|
||||
c.vm.network :forwarded_port, guest: 5985, host: 55985, id: "winrm", auto_correct: true
|
||||
|
||||
c.vm.provision "shell", inline: $winPsProvision
|
||||
end
|
||||
|
||||
config.vm.define "win2016", primary: true do |c|
|
||||
c.vm.box = "StefanScherer/windows_2016"
|
||||
c.vm.provision "shell", inline: $winPsProvision, privileged: false
|
||||
end
|
||||
|
||||
config.vm.define "win2019", primary: true do |c|
|
||||
c.vm.box = "StefanScherer/windows_2019"
|
||||
c.vm.provision "shell", inline: $winPsProvision, privileged: false
|
||||
end
|
||||
|
||||
# Solaris 11.2
|
||||
config.vm.define "solaris", primary: true do |c|
|
||||
c.vm.box = "https://s3.amazonaws.com/beats-files/vagrant/beats-solaris-11.2-virtualbox-2016-11-02_1603.box"
|
||||
c.vm.network :forwarded_port, guest: 22, host: 2223, id: "ssh", auto_correct: true
|
||||
|
||||
c.vm.provision "shell", inline: $unixProvision, privileged: false
|
||||
end
|
||||
|
||||
# FreeBSD 11.0
|
||||
config.vm.define "freebsd", primary: true do |c|
|
||||
c.vm.box = "https://s3.amazonaws.com/beats-files/vagrant/beats-freebsd-11.0-virtualbox-2016-11-02_1638.box"
|
||||
c.vm.network :forwarded_port, guest: 22, host: 2224, id: "ssh", auto_correct: true
|
||||
|
||||
# Must use NFS to sync a folder on FreeBSD and this requires a host-only network.
|
||||
# To enable the /vagrant folder, set disabled to false and uncomment the private_network.
|
||||
c.vm.synced_folder ".", "/vagrant", id: "vagrant-root", :nfs => true, disabled: true
|
||||
#c.vm.network "private_network", ip: "192.168.135.18"
|
||||
|
||||
c.vm.hostname = "beats-tester"
|
||||
c.vm.provision "shell", inline: $unixProvision, privileged: false
|
||||
end
|
||||
|
||||
# OpenBSD 5.9-stable
|
||||
config.vm.define "openbsd", primary: true do |c|
|
||||
c.vm.box = "https://s3.amazonaws.com/beats-files/vagrant/beats-openbsd-5.9-current-virtualbox-2016-11-02_2007.box"
|
||||
c.vm.network :forwarded_port, guest: 22, host: 2225, id: "ssh", auto_correct: true
|
||||
|
||||
c.vm.synced_folder ".", "/vagrant", type: "rsync", disabled: true
|
||||
c.vm.provider :virtualbox do |vbox|
|
||||
vbox.check_guest_additions = false
|
||||
vbox.functional_vboxsf = false
|
||||
end
|
||||
|
||||
c.vm.provision "shell", inline: $unixProvision, privileged: false
|
||||
end
|
||||
|
||||
config.vm.define "precise32", primary: true do |c|
|
||||
c.vm.box = "ubuntu/precise32"
|
||||
c.vm.network :forwarded_port, guest: 22, host: 2226, id: "ssh", auto_correct: true
|
||||
|
||||
c.vm.provision "shell", inline: $unixProvision, privileged: false
|
||||
c.vm.provision "shell", inline: linuxGvmProvision("386"), privileged: false
|
||||
c.vm.provision "shell", inline: linuxDebianProvision
|
||||
end
|
||||
|
||||
config.vm.define "precise64", primary: true do |c|
|
||||
c.vm.box = "ubuntu/precise64"
|
||||
c.vm.network :forwarded_port, guest: 22, host: 2227, id: "ssh", auto_correct: true
|
||||
|
||||
c.vm.provision "shell", inline: $unixProvision, privileged: false
|
||||
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
|
||||
c.vm.provision "shell", inline: linuxDebianProvision
|
||||
end
|
||||
|
||||
config.vm.define "ubuntu1804", primary: true do |c|
|
||||
c.vm.box = "ubuntu/bionic64"
|
||||
c.vm.network :forwarded_port, guest: 22, host: 2228, id: "ssh", auto_correct: true
|
||||
|
||||
c.vm.provision "shell", inline: $unixProvision, privileged: false
|
||||
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
|
||||
c.vm.provision "shell", inline: linuxDebianProvision
|
||||
end
|
||||
|
||||
config.vm.define "centos6", primary: true do |c|
|
||||
c.vm.box = "bento/centos-6.10"
|
||||
c.vm.network :forwarded_port, guest: 22, host: 2229, id: "ssh", auto_correct: true
|
||||
|
||||
c.vm.provision "shell", inline: $unixProvision, privileged: false
|
||||
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
|
||||
c.vm.provision "shell", inline: "yum install -y make gcc python-pip python-virtualenv git rpm-devel"
|
||||
end
|
||||
|
||||
config.vm.define "centos7", primary: true do |c|
|
||||
c.vm.box = "bento/centos-7"
|
||||
c.vm.network :forwarded_port, guest: 22, host: 2230, id: "ssh", auto_correct: true
|
||||
|
||||
c.vm.provision "shell", inline: $unixProvision, privileged: false
|
||||
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
|
||||
c.vm.provision "shell", inline: "yum install -y make gcc python-pip python-virtualenv git rpm-devel"
|
||||
end
|
||||
|
||||
config.vm.define "fedora29", primary: true do |c|
|
||||
c.vm.box = "bento/fedora-29"
|
||||
c.vm.network :forwarded_port, guest: 22, host: 2231, id: "ssh", auto_correct: true
|
||||
|
||||
c.vm.provision "shell", inline: $unixProvision, privileged: false
|
||||
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
|
||||
c.vm.provision "shell", inline: "dnf install -y make gcc python-pip python-virtualenv git rpm-devel"
|
||||
end
|
||||
|
||||
config.vm.define "sles12", primary: true do |c|
|
||||
c.vm.box = "elastic/sles-12-x86_64"
|
||||
c.vm.network :forwarded_port, guest: 22, host: 2232, id: "ssh", auto_correct: true
|
||||
|
||||
c.vm.provision "shell", inline: $unixProvision, privileged: false
|
||||
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
|
||||
c.vm.provision "shell", inline: "pip install virtualenv"
|
||||
end
|
||||
|
||||
config.vm.define "archlinux", primary: true do |c|
|
||||
c.vm.box = "archlinux/archlinux"
|
||||
c.vm.network :forwarded_port, guest: 22, host: 2233, id: "ssh", auto_correct: true
|
||||
|
||||
c.vm.provision "shell", inline: $unixProvision, privileged: false
|
||||
c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
|
||||
c.vm.provision "shell", inline: "pacman -Sy && pacman -S --noconfirm make gcc python-pip python-virtualenv git"
|
||||
end
|
||||
end
|
|
@ -1,9 +0,0 @@
|
|||
build
|
||||
_meta/beat.yml
|
||||
_meta/beat.reference.yml
|
||||
module/*/_meta/config.yml
|
||||
|
||||
/auditbeat
|
||||
/auditbeat.test
|
||||
/docs/html_docs
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
FROM golang:1.12.12
|
||||
|
||||
RUN \
|
||||
apt-get update \
|
||||
&& apt-get install -y --no-install-recommends \
|
||||
python-pip \
|
||||
virtualenv \
|
||||
librpm-dev \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
RUN pip install --upgrade pip
|
||||
RUN pip install --upgrade setuptools
|
||||
RUN pip install --upgrade docker-compose==1.23.2
|
|
@ -1,13 +0,0 @@
|
|||
BEAT_NAME=auditbeat
|
||||
BEAT_TITLE=Auditbeat
|
||||
SYSTEM_TESTS=true
|
||||
TEST_ENVIRONMENT?=true
|
||||
GOX_OS?=linux windows
|
||||
ES_BEATS?=..
|
||||
EXCLUDE_COMMON_UPDATE_TARGET=true
|
||||
|
||||
include ${ES_BEATS}/libbeat/scripts/Makefile
|
||||
|
||||
.PHONY: update
|
||||
update: mage
|
||||
mage update
|
|
@ -1,14 +0,0 @@
|
|||
auditbeat.modules:
|
||||
|
||||
- module: auditd
|
||||
audit_rules: |
|
||||
-w /etc/passwd -p wa -k identity
|
||||
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
|
||||
|
||||
- module: file_integrity
|
||||
paths:
|
||||
- /bin
|
||||
- /usr/bin
|
||||
- /sbin
|
||||
- /usr/sbin
|
||||
- /etc
|
|
@ -1,12 +0,0 @@
|
|||
###################### Auditbeat Configuration Example #########################
|
||||
|
||||
# This is an example configuration file highlighting only the most common
|
||||
# options. The auditbeat.reference.yml file from the same directory contains all
|
||||
# the supported options with more comments. You can use it as a reference.
|
||||
#
|
||||
# You can find the full configuration reference here:
|
||||
# https://www.elastic.co/guide/en/beats/auditbeat/index.html
|
||||
|
||||
#========================== Modules configuration =============================
|
||||
auditbeat.modules:
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
|
||||
#==================== Elasticsearch template setting ==========================
|
||||
setup.template.settings:
|
||||
index.number_of_shards: 1
|
||||
#index.codec: best_compression
|
||||
#_source.enabled: false
|
|
@ -1,31 +0,0 @@
|
|||
########################## Auditbeat Configuration #############################
|
||||
|
||||
# This is a reference configuration file documenting all non-deprecated options
|
||||
# in comments. For a shorter configuration example that contains only the most
|
||||
# common options, please see auditbeat.yml in the same directory.
|
||||
#
|
||||
# You can find the full configuration reference here:
|
||||
# https://www.elastic.co/guide/en/beats/auditbeat/index.html
|
||||
|
||||
#============================ Config Reloading ================================
|
||||
|
||||
# Config reloading allows to dynamically load modules. Each file which is
|
||||
# monitored must contain one or multiple modules as a list.
|
||||
auditbeat.config.modules:
|
||||
|
||||
# Glob pattern for configuration reloading
|
||||
path: ${path.config}/modules.d/*.yml
|
||||
|
||||
# Period on which files under path should be checked for changes
|
||||
reload.period: 10s
|
||||
|
||||
# Set to true to enable config reloading
|
||||
reload.enabled: false
|
||||
|
||||
# Maximum amount of time to randomly delay the start of a dataset. Use 0 to
|
||||
# disable startup delay.
|
||||
auditbeat.max_start_delay: 10s
|
||||
|
||||
#========================== Modules configuration =============================
|
||||
auditbeat.modules:
|
||||
|
|
@ -1,130 +0,0 @@
|
|||
- key: common
|
||||
title: Common
|
||||
description: >
|
||||
Contains common fields available in all event types.
|
||||
fields:
|
||||
|
||||
- name: file
|
||||
type: group
|
||||
description: File attributes.
|
||||
fields:
|
||||
- name: setuid
|
||||
type: boolean
|
||||
example: true
|
||||
description: Set if the file has the `setuid` bit set. Omitted otherwise.
|
||||
|
||||
- name: setgid
|
||||
type: boolean
|
||||
example: true
|
||||
description: Set if the file has the `setgid` bit set. Omitted otherwise.
|
||||
|
||||
- name: origin
|
||||
type: keyword
|
||||
description: >
|
||||
An array of strings describing a possible external origin for
|
||||
this file. For example, the URL it was downloaded from. Only
|
||||
supported in macOS, via the kMDItemWhereFroms attribute.
|
||||
Omitted if origin information is not available.
|
||||
multi_fields:
|
||||
- name: raw
|
||||
type: keyword
|
||||
description: >
|
||||
This is a non-analyzed field that is useful for aggregations on the
|
||||
origin data.
|
||||
|
||||
- name: selinux
|
||||
type: group
|
||||
description: The SELinux identity of the file.
|
||||
fields:
|
||||
- name: user
|
||||
type: keyword
|
||||
description: The owner of the object.
|
||||
- name: role
|
||||
type: keyword
|
||||
description: The object's SELinux role.
|
||||
- name: domain
|
||||
type: keyword
|
||||
description: The object's SELinux domain or type.
|
||||
- name: level
|
||||
type: keyword
|
||||
example: s0
|
||||
description: The object's SELinux level.
|
||||
|
||||
- name: user
|
||||
type: group
|
||||
description: User information.
|
||||
fields:
|
||||
|
||||
- name: audit
|
||||
type: group
|
||||
description: Audit user information.
|
||||
fields:
|
||||
- name: id
|
||||
type: keyword
|
||||
description: Audit user ID.
|
||||
- name: name
|
||||
type: keyword
|
||||
description: Audit user name.
|
||||
|
||||
- name: effective
|
||||
type: group
|
||||
description: Effective user information.
|
||||
fields:
|
||||
- name: id
|
||||
type: keyword
|
||||
description: Effective user ID.
|
||||
- name: name
|
||||
type: keyword
|
||||
description: Effective user name.
|
||||
- name: group
|
||||
type: group
|
||||
description: Effective group information.
|
||||
fields:
|
||||
- name: id
|
||||
type: keyword
|
||||
description: Effective group ID.
|
||||
- name: name
|
||||
type: keyword
|
||||
description: Effective group name.
|
||||
|
||||
- name: filesystem
|
||||
type: group
|
||||
description: Filesystem user information.
|
||||
fields:
|
||||
- name: id
|
||||
type: keyword
|
||||
description: Filesystem user ID.
|
||||
- name: name
|
||||
type: keyword
|
||||
description: Filesystem user name.
|
||||
- name: group
|
||||
type: group
|
||||
description: Filesystem group information.
|
||||
fields:
|
||||
- name: id
|
||||
type: keyword
|
||||
description: Filesystem group ID.
|
||||
- name: name
|
||||
type: keyword
|
||||
description: Filesystem group name.
|
||||
|
||||
- name: saved
|
||||
type: group
|
||||
description: Saved user information.
|
||||
fields:
|
||||
- name: id
|
||||
type: keyword
|
||||
description: Saved user ID.
|
||||
- name: name
|
||||
type: keyword
|
||||
description: Saved user name.
|
||||
- name: group
|
||||
type: group
|
||||
description: Saved group information.
|
||||
fields:
|
||||
- name: id
|
||||
type: keyword
|
||||
description: Saved group ID.
|
||||
- name: name
|
||||
type: keyword
|
||||
description: Saved group name.
|
|
@ -1,22 +0,0 @@
|
|||
auditbeat.modules:
|
||||
|
||||
- module: auditd
|
||||
audit_rules: |
|
||||
-w /etc/passwd -p wa -k identity
|
||||
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
|
||||
|
||||
- module: file_integrity
|
||||
paths:
|
||||
- /bin
|
||||
- /usr/bin
|
||||
- /sbin
|
||||
- /usr/sbin
|
||||
- /etc
|
||||
processors:
|
||||
- add_cloud_metadata: ~
|
||||
- add_docker_metadata: ~
|
||||
|
||||
output.elasticsearch:
|
||||
hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
|
||||
username: '${ELASTICSEARCH_USERNAME:}'
|
||||
password: '${ELASTICSEARCH_PASSWORD:}'
|
|
@ -1,189 +0,0 @@
|
|||
###################### Auditbeat Configuration Example #########################
|
||||
|
||||
# This is an example configuration file highlighting only the most common
|
||||
# options. The auditbeat.reference.yml file from the same directory contains all
|
||||
# the supported options with more comments. You can use it as a reference.
|
||||
#
|
||||
# You can find the full configuration reference here:
|
||||
# https://www.elastic.co/guide/en/beats/auditbeat/index.html
|
||||
|
||||
#========================== Modules configuration =============================
|
||||
auditbeat.modules:
|
||||
|
||||
- module: auditd
|
||||
# Load audit rules from separate files. Same format as audit.rules(7).
|
||||
audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
|
||||
audit_rules: |
|
||||
## Define audit rules here.
|
||||
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
|
||||
## examples or add your own rules.
|
||||
|
||||
## If you are on a 64 bit platform, everything should be running
|
||||
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
|
||||
## because this might be a sign of someone exploiting a hole in the 32
|
||||
## bit API.
|
||||
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
|
||||
|
||||
## Executions.
|
||||
#-a always,exit -F arch=b64 -S execve,execveat -k exec
|
||||
|
||||
## External access (warning: these can be expensive to audit).
|
||||
#-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
|
||||
|
||||
## Identity changes.
|
||||
#-w /etc/group -p wa -k identity
|
||||
#-w /etc/passwd -p wa -k identity
|
||||
#-w /etc/gshadow -p wa -k identity
|
||||
|
||||
## Unauthorized access attempts.
|
||||
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
|
||||
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
|
||||
|
||||
- module: file_integrity
|
||||
paths:
|
||||
- /bin
|
||||
- /usr/bin
|
||||
- /sbin
|
||||
- /usr/sbin
|
||||
- /etc
|
||||
|
||||
|
||||
#==================== Elasticsearch template setting ==========================
|
||||
setup.template.settings:
|
||||
index.number_of_shards: 1
|
||||
#index.codec: best_compression
|
||||
#_source.enabled: false
|
||||
|
||||
#================================ General =====================================
|
||||
|
||||
# The name of the shipper that publishes the network data. It can be used to group
|
||||
# all the transactions sent by a single shipper in the web interface.
|
||||
#name:
|
||||
|
||||
# The tags of the shipper are included in their own field with each
|
||||
# transaction published.
|
||||
#tags: ["service-X", "web-tier"]
|
||||
|
||||
# Optional fields that you can specify to add additional information to the
|
||||
# output.
|
||||
#fields:
|
||||
# env: staging
|
||||
|
||||
|
||||
#============================== Dashboards =====================================
|
||||
# These settings control loading the sample dashboards to the Kibana index. Loading
|
||||
# the dashboards is disabled by default and can be enabled either by setting the
|
||||
# options here or by using the `setup` command.
|
||||
#setup.dashboards.enabled: false
|
||||
|
||||
# The URL from where to download the dashboards archive. By default this URL
|
||||
# has a value which is computed based on the Beat name and version. For released
|
||||
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
|
||||
# website.
|
||||
#setup.dashboards.url:
|
||||
|
||||
#============================== Kibana =====================================
|
||||
|
||||
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
|
||||
# This requires a Kibana endpoint configuration.
|
||||
setup.kibana:
|
||||
|
||||
# Kibana Host
|
||||
# Scheme and port can be left out and will be set to the default (http and 5601)
|
||||
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
|
||||
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
|
||||
#host: "localhost:5601"
|
||||
|
||||
# Kibana Space ID
|
||||
# ID of the Kibana Space into which the dashboards should be loaded. By default,
|
||||
# the Default Space will be used.
|
||||
#space.id:
|
||||
|
||||
#============================= Elastic Cloud ==================================
|
||||
|
||||
# These settings simplify using Auditbeat with the Elastic Cloud (https://cloud.elastic.co/).
|
||||
|
||||
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
|
||||
# `setup.kibana.host` options.
|
||||
# You can find the `cloud.id` in the Elastic Cloud web UI.
|
||||
#cloud.id:
|
||||
|
||||
# The cloud.auth setting overwrites the `output.elasticsearch.username` and
|
||||
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
|
||||
#cloud.auth:
|
||||
|
||||
#================================ Outputs =====================================
|
||||
|
||||
# Configure what output to use when sending the data collected by the beat.
|
||||
|
||||
#-------------------------- Elasticsearch output ------------------------------
|
||||
output.elasticsearch:
|
||||
# Array of hosts to connect to.
|
||||
hosts: ["localhost:9200"]
|
||||
|
||||
# Optional protocol and basic auth credentials.
|
||||
#protocol: "https"
|
||||
#username: "elastic"
|
||||
#password: "changeme"
|
||||
|
||||
#----------------------------- Logstash output --------------------------------
|
||||
#output.logstash:
|
||||
# The Logstash hosts
|
||||
#hosts: ["localhost:5044"]
|
||||
|
||||
# Optional SSL. By default is off.
|
||||
# List of root certificates for HTTPS server verifications
|
||||
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
|
||||
|
||||
# Certificate for SSL client authentication
|
||||
#ssl.certificate: "/etc/pki/client/cert.pem"
|
||||
|
||||
# Client Certificate Key
|
||||
#ssl.key: "/etc/pki/client/cert.key"
|
||||
|
||||
#================================ Processors =====================================
|
||||
|
||||
# Configure processors to enhance or manipulate events generated by the beat.
|
||||
|
||||
processors:
|
||||
- add_host_metadata: ~
|
||||
- add_cloud_metadata: ~
|
||||
- add_docker_metadata: ~
|
||||
|
||||
#================================ Logging =====================================
|
||||
|
||||
# Sets log level. The default log level is info.
|
||||
# Available log levels are: error, warning, info, debug
|
||||
#logging.level: debug
|
||||
|
||||
# At debug level, you can selectively enable logging only for some components.
|
||||
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
|
||||
# "publish", "service".
|
||||
#logging.selectors: ["*"]
|
||||
|
||||
#============================== X-Pack Monitoring ===============================
|
||||
# auditbeat can export internal metrics to a central Elasticsearch monitoring
|
||||
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
|
||||
# reporting is disabled by default.
|
||||
|
||||
# Set to true to enable the monitoring reporter.
|
||||
#monitoring.enabled: false
|
||||
|
||||
# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
|
||||
# Auditbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
|
||||
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
|
||||
#monitoring.cluster_uuid:
|
||||
|
||||
# Uncomment to send the metrics to Elasticsearch. Most settings from the
|
||||
# Elasticsearch output are accepted here as well.
|
||||
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
|
||||
# Any setting that is not set is automatically inherited from the Elasticsearch
|
||||
# output configuration, so if you have the Elasticsearch output configured such
|
||||
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
|
||||
# uncomment the following line.
|
||||
#monitoring.elasticsearch:
|
||||
|
||||
#================================= Migration ==================================
|
||||
|
||||
# This allows to enable 6.7 migration aliases
|
||||
#migration.6_to_7.enabled: true
|
|
@ -1,52 +0,0 @@
|
|||
// Licensed to Elasticsearch B.V. under one or more contributor
|
||||
// license agreements. See the NOTICE file distributed with
|
||||
// this work for additional information regarding copyright
|
||||
// ownership. Elasticsearch B.V. licenses this file to you under
|
||||
// the Apache License, Version 2.0 (the "License"); you may
|
||||
// not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing,
|
||||
// software distributed under the License is distributed on an
|
||||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
// KIND, either express or implied. See the License for the
|
||||
// specific language governing permissions and limitations
|
||||
// under the License.
|
||||
|
||||
package cmd
|
||||
|
||||
import (
|
||||
"github.com/spf13/cobra"
|
||||
"github.com/spf13/pflag"
|
||||
|
||||
"github.com/elastic/beats/auditbeat/core"
|
||||
"github.com/elastic/beats/libbeat/cmd"
|
||||
"github.com/elastic/beats/libbeat/cmd/instance"
|
||||
"github.com/elastic/beats/metricbeat/beater"
|
||||
"github.com/elastic/beats/metricbeat/mb/module"
|
||||
)
|
||||
|
||||
// Name of the beat (auditbeat).
|
||||
const Name = "auditbeat"
|
||||
|
||||
// RootCmd for running auditbeat.
|
||||
var RootCmd *cmd.BeatsRootCmd
|
||||
|
||||
// ShowCmd to display extra information.
|
||||
var ShowCmd = &cobra.Command{
|
||||
Use: "show",
|
||||
Short: "Show modules information",
|
||||
}
|
||||
|
||||
func init() {
|
||||
create := beater.Creator(
|
||||
beater.WithModuleOptions(
|
||||
module.WithEventModifier(core.AddDatasetToEvent),
|
||||
),
|
||||
)
|
||||
var runFlags = pflag.NewFlagSet(Name, pflag.ExitOnError)
|
||||
RootCmd = cmd.GenRootCmdWithSettings(create, instance.Settings{RunFlags: runFlags, Name: Name})
|
||||
RootCmd.AddCommand(ShowCmd)
|
||||
}
|
|
@ -1,39 +0,0 @@
|
|||
// Licensed to Elasticsearch B.V. under one or more contributor
|
||||
// license agreements. See the NOTICE file distributed with
|
||||
// this work for additional information regarding copyright
|
||||
// ownership. Elasticsearch B.V. licenses this file to you under
|
||||
// the Apache License, Version 2.0 (the "License"); you may
|
||||
// not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing,
|
||||
// software distributed under the License is distributed on an
|
||||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
// KIND, either express or implied. See the License for the
|
||||
// specific language governing permissions and limitations
|
||||
// under the License.
|
||||
|
||||
package core
|
||||
|
||||
import (
|
||||
"github.com/elastic/beats/libbeat/common"
|
||||
"github.com/elastic/beats/metricbeat/mb"
|
||||
)
|
||||
|
||||
// AddDatasetToEvent adds dataset information to the event. In particular this
|
||||
// adds the module name under dataset.module.
|
||||
func AddDatasetToEvent(module, metricSet string, event *mb.Event) {
|
||||
if event.RootFields == nil {
|
||||
event.RootFields = common.MapStr{}
|
||||
}
|
||||
|
||||
event.RootFields.Put("event.module", module)
|
||||
|
||||
// Modules without "datasets" should set their module and metricset names
|
||||
// to the same value then this will omit the event.dataset field.
|
||||
if module != metricSet {
|
||||
event.RootFields.Put("event.dataset", metricSet)
|
||||
}
|
||||
}
|
|
@ -1,191 +0,0 @@
|
|||
// Licensed to Elasticsearch B.V. under one or more contributor
|
||||
// license agreements. See the NOTICE file distributed with
|
||||
// this work for additional information regarding copyright
|
||||
// ownership. Elasticsearch B.V. licenses this file to you under
|
||||
// the Apache License, Version 2.0 (the "License"); you may
|
||||
// not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing,
|
||||
// software distributed under the License is distributed on an
|
||||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
// KIND, either express or implied. See the License for the
|
||||
// specific language governing permissions and limitations
|
||||
// under the License.
|
||||
|
||||
package datastore
|
||||
|
||||
import (
|
||||
"io"
|
||||
"os"
|
||||
"sync"
|
||||
|
||||
bolt "github.com/coreos/bbolt"
|
||||
|
||||
"github.com/elastic/beats/libbeat/paths"
|
||||
)
|
||||
|
||||
var (
|
||||
initDatastoreOnce sync.Once
|
||||
ds *boltDatastore
|
||||
)
|
||||
|
||||
// OpenBucket returns a new Bucket that stores data in {path.data}/beat.db.
|
||||
// The returned Bucket must be closed when finished to ensure all resources
|
||||
// are released.
|
||||
func OpenBucket(name string) (Bucket, error) {
|
||||
initDatastoreOnce.Do(func() {
|
||||
ds = &boltDatastore{
|
||||
path: paths.Resolve(paths.Data, "beat.db"),
|
||||
mode: 0600,
|
||||
}
|
||||
})
|
||||
|
||||
return ds.OpenBucket(name)
|
||||
}
|
||||
|
||||
// Datastore
|
||||
|
||||
type Datastore interface {
|
||||
OpenBucket(name string) (Bucket, error)
|
||||
}
|
||||
|
||||
type boltDatastore struct {
|
||||
mutex sync.Mutex
|
||||
useCount uint32
|
||||
path string
|
||||
mode os.FileMode
|
||||
db *bolt.DB
|
||||
}
|
||||
|
||||
func New(path string, mode os.FileMode) Datastore {
|
||||
return &boltDatastore{path: path, mode: mode}
|
||||
}
|
||||
|
||||
func (ds *boltDatastore) OpenBucket(bucket string) (Bucket, error) {
|
||||
ds.mutex.Lock()
|
||||
defer ds.mutex.Unlock()
|
||||
|
||||
// Initialize the Bolt DB.
|
||||
if ds.db == nil {
|
||||
var err error
|
||||
ds.db, err = bolt.Open(ds.path, ds.mode, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
// Ensure the name exists.
|
||||
err := ds.db.Update(func(tx *bolt.Tx) error {
|
||||
_, err := tx.CreateBucketIfNotExists([]byte(bucket))
|
||||
return err
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &boltBucket{ds, bucket}, nil
|
||||
}
|
||||
|
||||
func (ds *boltDatastore) done() {
|
||||
ds.mutex.Lock()
|
||||
defer ds.mutex.Unlock()
|
||||
|
||||
if ds.useCount > 0 {
|
||||
ds.useCount--
|
||||
|
||||
if ds.useCount == 0 {
|
||||
ds.db.Close()
|
||||
ds.db = nil
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Bucket
|
||||
|
||||
type Bucket interface {
|
||||
io.Closer
|
||||
Load(key string, f func(blob []byte) error) error
|
||||
Store(key string, blob []byte) error
|
||||
Delete(key string) error // Delete removes a key from the bucket. If the key does not exist then nothing is done and a nil error is returned.
|
||||
DeleteBucket() error // Deletes and closes the bucket.
|
||||
}
|
||||
|
||||
// BoltBucket is a Bucket that exposes some Bolt specific APIs.
|
||||
type BoltBucket interface {
|
||||
Bucket
|
||||
View(func(tx *bolt.Bucket) error) error
|
||||
Update(func(tx *bolt.Bucket) error) error
|
||||
}
|
||||
|
||||
type boltBucket struct {
|
||||
ds *boltDatastore
|
||||
name string
|
||||
}
|
||||
|
||||
func (b *boltBucket) Load(key string, f func(blob []byte) error) error {
|
||||
return b.ds.db.View(func(tx *bolt.Tx) error {
|
||||
b := tx.Bucket([]byte(b.name))
|
||||
|
||||
data := b.Get([]byte(key))
|
||||
if data == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
return f(data)
|
||||
})
|
||||
}
|
||||
|
||||
func (b *boltBucket) Store(key string, blob []byte) error {
|
||||
return b.ds.db.Update(func(tx *bolt.Tx) error {
|
||||
b := tx.Bucket([]byte(b.name))
|
||||
return b.Put([]byte(key), blob)
|
||||
})
|
||||
}
|
||||
|
||||
func (b *boltBucket) ForEach(f func(key string, blob []byte) error) error {
|
||||
return b.ds.db.View(func(tx *bolt.Tx) error {
|
||||
b := tx.Bucket([]byte(b.name))
|
||||
|
||||
return b.ForEach(func(k, v []byte) error {
|
||||
return f(string(k), v)
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
func (b *boltBucket) Delete(key string) error {
|
||||
return b.ds.db.Update(func(tx *bolt.Tx) error {
|
||||
b := tx.Bucket([]byte(b.name))
|
||||
return b.Delete([]byte(key))
|
||||
})
|
||||
}
|
||||
|
||||
func (b *boltBucket) DeleteBucket() error {
|
||||
err := b.ds.db.Update(func(tx *bolt.Tx) error {
|
||||
return tx.DeleteBucket([]byte(b.name))
|
||||
})
|
||||
b.Close()
|
||||
return err
|
||||
}
|
||||
|
||||
func (b *boltBucket) View(f func(*bolt.Bucket) error) error {
|
||||
return b.ds.db.View(func(tx *bolt.Tx) error {
|
||||
b := tx.Bucket([]byte(b.name))
|
||||
return f(b)
|
||||
})
|
||||
}
|
||||
|
||||
func (b *boltBucket) Update(f func(*bolt.Bucket) error) error {
|
||||
return b.ds.db.Update(func(tx *bolt.Tx) error {
|
||||
b := tx.Bucket([]byte(b.name))
|
||||
return f(b)
|
||||
})
|
||||
}
|
||||
|
||||
func (b *boltBucket) Close() error {
|
||||
b.ds.done()
|
||||
b.ds = nil
|
||||
return nil
|
||||
}
|
|
@ -1,39 +0,0 @@
|
|||
version: '2.3'
|
||||
services:
|
||||
beat:
|
||||
build: ${PWD}/.
|
||||
depends_on:
|
||||
- proxy_dep
|
||||
working_dir: /go/src/github.com/elastic/beats/auditbeat
|
||||
environment:
|
||||
- ES_HOST=elasticsearch
|
||||
- ES_PORT=9200
|
||||
- ES_USER=beats
|
||||
- ES_PASS=testing
|
||||
- KIBANA_HOST=kibana
|
||||
- KIBANA_PORT=5601
|
||||
volumes:
|
||||
- ${PWD}/..:/go/src/github.com/elastic/beats/
|
||||
command: make
|
||||
privileged: true
|
||||
pid: host
|
||||
cap_add:
|
||||
- AUDIT_CONTROL
|
||||
|
||||
# This is a proxy used to block beats until all services are healthy.
|
||||
# See: https://github.com/docker/compose/issues/4369
|
||||
proxy_dep:
|
||||
image: busybox
|
||||
depends_on:
|
||||
elasticsearch: { condition: service_healthy }
|
||||
kibana: { condition: service_healthy }
|
||||
|
||||
elasticsearch:
|
||||
extends:
|
||||
file: ../testing/environments/${TESTING_ENVIRONMENT}.yml
|
||||
service: elasticsearch
|
||||
|
||||
kibana:
|
||||
extends:
|
||||
file: ../testing/environments/${TESTING_ENVIRONMENT}.yml
|
||||
service: kibana
|
|
@ -1,6 +0,0 @@
|
|||
[[filtering-and-enhancing-data]]
|
||||
== Filter and enhance the exported data
|
||||
|
||||
include::{libbeat-dir}/processors.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/processors-using.asciidoc[]
|
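--- a/vendor/github.com/elastic/beats/auditbeat/docs/auditbeat-general-options.asciidoc
+++ /dev/null
@@ -1,7 +0,0 @@
-[[configuration-general-options]]
-== Specify general settings
-
-You can specify settings in the +{beatname_lc}.yml+ config file to control the
-general behavior of {beatname_uc}.
-
-include::{libbeat-dir}/generalconfig.asciidoc[]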
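--- a/vendor/github.com/elastic/beats/auditbeat/docs/auditbeat-modules-config.asciidoc
+++ /dev/null
@@ -1,31 +0,0 @@
-[id="configuration-{beatname_lc}"]
-== Specify which modules to run
-
-To enable specific modules you add entries to the `auditbeat.modules` list in
-the +{beatname_lc}.yml+ config file. Each entry in the list begins with a dash
-(-) and is followed by settings for that module.
-
-The following example shows a configuration that runs the `auditd` and
-`file_integrity` modules.
-
-[source,yaml]
-----
-auditbeat.modules:
-
-- module: auditd
-audit_rules: |
--w /etc/passwd -p wa -k identity
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
-
-- module: file_integrity
-paths:
-- /bin
-- /usr/bin
-- /sbin
-- /usr/sbin
-- /etc
-----
-
-The configuration details vary by module. See the
-<<{beatname_lc}-modules,module documentation>> for more detail about configuring
-the available modules.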
|
@ -1,56 +0,0 @@
|
|||
//////////////////////////////////////////////////////////////////////////
|
||||
//// This content is shared by all Auditbeat modules. Make sure you keep the
|
||||
//// descriptions generic enough to work for all modules. To include
|
||||
//// this file, use:
|
||||
////
|
||||
//// include::{docdir}/auditbeat-options.asciidoc[]
|
||||
////
|
||||
//////////////////////////////////////////////////////////////////////////
|
||||
|
||||
[id="module-standard-options-{modulename}"]
|
||||
[float]
|
||||
==== Standard configuration options
|
||||
|
||||
You can specify the following options for any {beatname_uc} module.
|
||||
|
||||
*`module`*:: The name of the module to run.
|
||||
|
||||
ifeval::["{modulename}"=="system"]
|
||||
*`datasets`*:: A list of datasets to execute.
|
||||
endif::[]
|
||||
|
||||
*`enabled`*:: A Boolean value that specifies whether the module is enabled.
|
||||
|
||||
ifeval::["{modulename}"=="system"]
|
||||
*`period`*:: The frequency at which the datasets check for changes. If a system
|
||||
is not reachable, {beatname_uc} returns an error for each period. This setting
|
||||
is required. For most datasets, especially `process` and `socket`, a shorter
|
||||
period is recommended.
|
||||
endif::[]
|
||||
|
||||
*`fields`*:: A dictionary of fields that will be sent with the dataset event. This setting
|
||||
is optional.
|
||||
|
||||
*`tags`*:: A list of tags that will be sent with the dataset event. This setting is
|
||||
optional.
|
||||
|
||||
*`processors`*:: A list of processors to apply to the data generated by the dataset.
|
||||
+
|
||||
See <<filtering-and-enhancing-data>> for information about specifying
|
||||
processors in your config.
|
||||
|
||||
*`index`*:: If present, this formatted string overrides the index for events from this
|
||||
module (for elasticsearch outputs), or sets the `raw_index` field of the event's
|
||||
metadata (for other outputs). This string can only refer to the agent name and
|
||||
version and the event timestamp; for access to dynamic fields, use
|
||||
`output.elasticsearch.index` or a processor.
|
||||
+
|
||||
Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might
|
||||
expand to +"{beatname_lc}-myindex-2019.12.13"+.
|
||||
|
||||
*`keep_null`*:: If this option is set to true, fields with `null` values will be published in
|
||||
the output document. By default, `keep_null` is set to `false`.
|
||||
|
||||
*`service.name`*:: A name given by the user to the service the data is collected from. It can be
|
||||
used for example to identify information collected from nodes of different
|
||||
clusters with the same `service.type`.
|
|
@ -1,88 +0,0 @@
|
|||
[id="configuring-howto-{beatname_lc}"]
|
||||
= Configuring {beatname_uc}
|
||||
|
||||
[partintro]
|
||||
--
|
||||
Before modifying configuration settings, make sure you've completed the
|
||||
<<{beatname_lc}-configuration,configuration steps>> in the Getting Started.
|
||||
This section describes some common use cases for changing configuration options.
|
||||
|
||||
To configure {beatname_uc}, you edit the configuration file. For rpm and deb,
|
||||
you’ll find the configuration file at +/etc/{beatname_lc}/{beatname_lc}.yml+.
|
||||
There's also a full example configuration file at
|
||||
+/etc/{beatname_lc}/{beatname_lc}.reference.yml+ that shows all non-deprecated
|
||||
options. For mac and win, look in the archive that you extracted.
|
||||
|
||||
The {beatname_uc} configuration file uses http://yaml.org/[YAML] for its syntax.
|
||||
See the {beats-ref}/config-file-format.html[Config File Format] section of the
|
||||
_Beats Platform Reference_ for more about the structure of the config file.
|
||||
|
||||
The following topics describe how to configure {beatname_uc}:
|
||||
|
||||
* <<configuration-{beatname_lc}>>
|
||||
* <<configuration-general-options>>
|
||||
* <<{beatname_lc}-configuration-reloading>>
|
||||
* <<configuring-internal-queue>>
|
||||
* <<configuring-output>>
|
||||
* <<ilm>>
|
||||
* <<configuration-ssl>>
|
||||
* <<filtering-and-enhancing-data>>
|
||||
* <<configuring-ingest-node>>
|
||||
* <<{beatname_lc}-geoip>>
|
||||
* <<configuration-path>>
|
||||
* <<setup-kibana-endpoint>>
|
||||
* <<configuration-dashboards>>
|
||||
* <<configuration-template>>
|
||||
* <<configuration-logging>>
|
||||
* <<using-environ-vars>>
|
||||
* <<yaml-tips>>
|
||||
* <<regexp-support>>
|
||||
* <<http-endpoint>>
|
||||
* <<{beatname_lc}-reference-yml>>
|
||||
|
||||
After changing configuration settings, you need to restart {beatname_uc} to
|
||||
pick up the changes.
|
||||
|
||||
--
|
||||
|
||||
include::./auditbeat-modules-config.asciidoc[]
|
||||
|
||||
include::./auditbeat-general-options.asciidoc[]
|
||||
|
||||
include::./reload-configuration.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/queueconfig.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/outputconfig.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/shared-ilm.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/shared-ssl-config.asciidoc[]
|
||||
|
||||
include::./auditbeat-filtering.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/shared-config-ingest.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/shared-geoip.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/shared-path-config.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/shared-kibana-config.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/setup-config.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/loggingconfig.asciidoc[]
|
||||
|
||||
:standalone:
|
||||
include::{libbeat-dir}/shared-env-vars.asciidoc[]
|
||||
:standalone!:
|
||||
|
||||
:standalone:
|
||||
include::{libbeat-dir}/yaml.asciidoc[]
|
||||
:standalone!:
|
||||
|
||||
include::{libbeat-dir}/regexp.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/http-endpoint.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/reference-yml.asciidoc[]
|
|
@ -1,28 +0,0 @@
|
|||
[[ulimit]]
|
||||
=== {beatname_uc} fails to watch folders because too many files are open
|
||||
|
||||
Because of the way file monitoring is implemented on macOS, you may see a
|
||||
warning similar to the following:
|
||||
|
||||
[source,shell]
|
||||
----
|
||||
eventreader_fsnotify.go:42: WARN [audit.file] Failed to watch /usr/bin: too many
|
||||
open files (check the max number of open files allowed with 'ulimit -a')
|
||||
----
|
||||
|
||||
To resolve this issue, run {beatname_uc} with the `ulimit` set to a larger
|
||||
value, for example:
|
||||
|
||||
["source","sh",subs="attributes"]
|
||||
----
|
||||
sudo sh -c 'ulimit -n 8192 && ./{beatname_uc} -e
|
||||
----
|
||||
|
||||
Or:
|
||||
|
||||
["source","sh",subs="attributes"]
|
||||
----
|
||||
sudo su
|
||||
ulimit -n 8192
|
||||
./{beatname_lc} -e
|
||||
----
|
|
@ -1,12 +0,0 @@
|
|||
[[faq]]
|
||||
== Common problems
|
||||
|
||||
This section describes common problems you might encounter with
|
||||
{beatname_uc}. Also check out the
|
||||
https://discuss.elastic.co/c/beats/{beatname_lc}[{beatname_uc} discussion forum].
|
||||
|
||||
include::./faq-ulimit.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/faq-limit-bandwidth.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/shared-faq.asciidoc[]
|
|
@ -1,289 +0,0 @@
|
|||
[id="{beatname_lc}-getting-started"]
|
||||
== Getting started with {beatname_uc}
|
||||
|
||||
include::{libbeat-dir}/shared-getting-started-intro.asciidoc[]
|
||||
|
||||
* <<{beatname_lc}-installation>>
|
||||
* <<{beatname_lc}-configuration>>
|
||||
* <<{beatname_lc}-template>>
|
||||
* <<load-kibana-dashboards>>
|
||||
* <<{beatname_lc}-starting>>
|
||||
* <<view-kibana-dashboards>>
|
||||
* <<setup-repositories>>
|
||||
|
||||
[id="{beatname_lc}-installation"]
|
||||
=== Step 1: Install {beatname_uc}
|
||||
|
||||
Install {beatname_uc} on all the servers you want to monitor.
|
||||
|
||||
include::{libbeat-dir}/shared-download-and-install.asciidoc[]
|
||||
|
||||
[[deb]]
|
||||
*deb:*
|
||||
|
||||
ifeval::["{release-state}"=="unreleased"]
|
||||
|
||||
Version {version} of {beatname_uc} has not yet been released.
|
||||
|
||||
endif::[]
|
||||
|
||||
ifeval::["{release-state}"!="unreleased"]
|
||||
|
||||
["source","sh",subs="attributes"]
|
||||
------------------------------------------------
|
||||
curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-amd64.deb
|
||||
sudo dpkg -i {beatname_lc}-{version}-amd64.deb
|
||||
------------------------------------------------
|
||||
|
||||
endif::[]
|
||||
|
||||
[[rpm]]
|
||||
*rpm:*
|
||||
|
||||
ifeval::["{release-state}"=="unreleased"]
|
||||
|
||||
Version {version} of {beatname_uc} has not yet been released.
|
||||
|
||||
endif::[]
|
||||
|
||||
ifeval::["{release-state}"!="unreleased"]
|
||||
|
||||
["source","sh",subs="attributes"]
|
||||
------------------------------------------------
|
||||
curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-x86_64.rpm
|
||||
sudo rpm -vi {beatname_lc}-{version}-x86_64.rpm
|
||||
------------------------------------------------
|
||||
|
||||
endif::[]
|
||||
|
||||
[[mac]]
|
||||
*mac:*
|
||||
|
||||
ifeval::["{release-state}"=="unreleased"]
|
||||
|
||||
Version {version} of {beatname_uc} has not yet been released.
|
||||
|
||||
endif::[]
|
||||
|
||||
ifeval::["{release-state}"!="unreleased"]
|
||||
|
||||
["source","sh",subs="attributes"]
|
||||
------------------------------------------------
|
||||
curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-darwin-x86_64.tar.gz
|
||||
tar xzvf {beatname_lc}-{version}-darwin-x86_64.tar.gz
|
||||
------------------------------------------------
|
||||
|
||||
endif::[]
|
||||
|
||||
include::{libbeat-dir}/shared-brew-install.asciidoc[]
|
||||
|
||||
[[linux]]
|
||||
*linux:*
|
||||
|
||||
ifeval::["{release-state}"=="unreleased"]
|
||||
|
||||
Version {version} of {beatname_uc} has not yet been released.
|
||||
|
||||
endif::[]
|
||||
|
||||
ifeval::["{release-state}"!="unreleased"]
|
||||
|
||||
["source","sh",subs="attributes"]
|
||||
------------------------------------------------
|
||||
curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-linux-x86_64.tar.gz
|
||||
tar xzvf {beatname_lc}-{version}-linux-x86_64.tar.gz
|
||||
------------------------------------------------
|
||||
|
||||
endif::[]
|
||||
|
||||
[[docker]]
|
||||
*docker:*
|
||||
|
||||
ifeval::["{release-state}"=="unreleased"]
|
||||
|
||||
Version {version} of {beatname_uc} has not yet been released.
|
||||
|
||||
endif::[]
|
||||
|
||||
ifeval::["{release-state}"!="unreleased"]
|
||||
|
||||
["source","sh",subs="attributes"]
|
||||
------------------------------------------------
|
||||
curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-linux-x86_64.tar.gz
|
||||
tar xzvf {beatname_lc}-{version}-linux-x86_64.tar.gz
|
||||
------------------------------------------------
|
||||
|
||||
endif::[]
|
||||
|
||||
See <<running-on-docker, Running on Docker>> for deploying Docker containers.
|
||||
|
||||
[[win]]
|
||||
*win:*
|
||||
|
||||
ifeval::["{release-state}"=="unreleased"]
|
||||
|
||||
Version {version} of {beatname_uc} has not yet been released.
|
||||
|
||||
endif::[]
|
||||
|
||||
ifeval::["{release-state}"!="unreleased"]
|
||||
|
||||
. Download the {beatname_uc} Windows zip file from the
|
||||
https://www.elastic.co/downloads/beats/{beatname_lc}[downloads page].
|
||||
|
||||
. Extract the contents of the zip file into `C:\Program Files`.
|
||||
|
||||
. Rename the +{beatname_lc}-<version>-windows+ directory to +{beatname_uc}+.
|
||||
|
||||
. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon
|
||||
and select *Run As Administrator*).
|
||||
|
||||
. From the PowerShell prompt, run the following commands to install {beatname_uc}
|
||||
as a Windows service:
|
||||
+
|
||||
["source","sh",subs="attributes"]
|
||||
----------------------------------------------------------------------
|
||||
PS > cd 'C:{backslash}Program Files{backslash}{beatname_uc}'
|
||||
PS C:{backslash}Program Files{backslash}{beatname_uc}> .{backslash}install-service-{beatname_lc}.ps1
|
||||
----------------------------------------------------------------------
|
||||
|
||||
NOTE: If script execution is disabled on your system, you need to set the
|
||||
execution policy for the current session to allow the script to run. For
|
||||
example: +PowerShell.exe -ExecutionPolicy UnRestricted -File
|
||||
.\install-service-{beatname_lc}.ps1+.
|
||||
|
||||
endif::[]
|
||||
|
||||
Before starting {beatname_uc}, you should look at the configuration options in the
|
||||
configuration file, for example +C:{backslash}Program Files{backslash}{beatname_uc}{backslash}{beatname_lc}.yml+.
|
||||
For more information about these options, see
|
||||
<<configuring-howto-{beatname_lc}>>.
|
||||
|
||||
[id="{beatname_lc}-configuration"]
|
||||
=== Step 2: Configure {beatname_uc}
|
||||
|
||||
include::{libbeat-dir}/shared-configuring.asciidoc[]
|
||||
|
||||
To configure {beatname_uc}:
|
||||
|
||||
. Define the {beatname_uc} modules that you want to enable. {beatname_uc} uses
|
||||
modules to collect the audit information. For each module, specify the
|
||||
metricsets that you want to collect.
|
||||
+
|
||||
The following example shows the `file_integrity` module configured to generate
|
||||
events whenever a file in one of the specified paths changes on disk:
|
||||
+
|
||||
["source","sh",subs="attributes"]
|
||||
-------------------------------------
|
||||
auditbeat.modules:
|
||||
|
||||
- module: file_integrity
|
||||
paths:
|
||||
- /bin
|
||||
- /usr/bin
|
||||
- /sbin
|
||||
- /usr/sbin
|
||||
- /etc
|
||||
-------------------------------------
|
||||
+
|
||||
If you accept the default configuration without specifying additional modules,
|
||||
{beatname_uc} uses a configuration that's tailored to the operating system where
|
||||
{beatname_uc} is running.
|
||||
+
|
||||
See <<configuring-howto-{beatname_lc}>> for more details about configuring modules.
|
||||
|
||||
include::{libbeat-dir}/step-configure-output.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/step-configure-kibana-endpoint.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/step-configure-credentials.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/step-test-config.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/step-look-at-config.asciidoc[]
|
||||
|
||||
[id="{beatname_lc}-template"]
|
||||
=== Step 3: Load the index template in {es}
|
||||
|
||||
include::{libbeat-dir}/shared-template-load.asciidoc[]
|
||||
|
||||
[[load-kibana-dashboards]]
|
||||
=== Step 4: Set up the {kib} dashboards
|
||||
|
||||
include::{libbeat-dir}/dashboards.asciidoc[]
|
||||
|
||||
[id="{beatname_lc}-starting"]
|
||||
=== Step 5: Start {beatname_uc}
|
||||
|
||||
Run {beatname_uc} by issuing the appropriate command for your platform. If you
|
||||
are accessing a secured {es} cluster, make sure you've configured credentials as
|
||||
described in <<{beatname_lc}-configuration>>.
|
||||
|
||||
NOTE: If you use an init.d script to start {beatname_uc} on deb or rpm, you can't
|
||||
specify command line flags (see <<command-line-options>>). To specify flags,
|
||||
start {beatname_uc} in the foreground.
|
||||
|
||||
*deb and rpm:*
|
||||
|
||||
["source","sh",subs="attributes"]
|
||||
----------------------------------------------------------------------
|
||||
sudo service {beatname_lc} start
|
||||
----------------------------------------------------------------------
|
||||
|
||||
*mac and linux:*
|
||||
|
||||
["source","sh",subs="attributes"]
|
||||
----------------------------------------------------------------------
|
||||
sudo chown root {beatname_lc}.yml <1>
|
||||
sudo ./{beatname_lc} -e
|
||||
----------------------------------------------------------------------
|
||||
<1> To monitor system files, you'll be running {beatname_uc} as root, so you
|
||||
need to change ownership of the configuration file, or run {beatname_uc} with
|
||||
`--strict.perms=false` specified. See
|
||||
{beats-ref}/config-file-permissions.html[Config File Ownership and Permissions]
|
||||
in the _Beats Platform Reference_.
|
||||
|
||||
If you see a warning about too many open files, you need to increase the
|
||||
`ulimit`. See the <<ulimit,FAQ>> for more details.
|
||||
|
||||
include::{libbeat-dir}/shared-brew-run.asciidoc[]
|
||||
|
||||
*win:*
|
||||
|
||||
["source","sh",subs="attributes"]
|
||||
----------------------------------------------------------------------
|
||||
PS C:{backslash}Program Files{backslash}{beatname_uc}> Start-Service {beatname_lc}
|
||||
----------------------------------------------------------------------
|
||||
|
||||
By default the log files are stored in +C:{backslash}ProgramData{backslash}{beatname_lc}{backslash}Logs+.
|
||||
|
||||
==== Test the {beatname_uc} installation
|
||||
|
||||
To verify that your server's statistics are present in {es}, issue the following
|
||||
command:
|
||||
|
||||
["source","sh",subs="attributes"]
|
||||
----------------------------------------------------------------------
|
||||
curl -XGET 'http://localhost:9200/{beatname_lc}-*/_search?pretty'
|
||||
----------------------------------------------------------------------
|
||||
|
||||
Make sure that you replace `localhost:9200` with the address of your {es}
|
||||
instance.
|
||||
|
||||
On Windows, if you don't have cURL installed, simply point your browser to the
|
||||
URL.
|
||||
|
||||
[[view-kibana-dashboards]]
|
||||
=== Step 6: View the sample {kib} dashboards
|
||||
|
||||
To make it easier for you to start auditing the activities of users and
|
||||
processes on your system, we have created example {beatname_uc} dashboards.
|
||||
You loaded the dashboards earlier when you ran the `setup` command.
|
||||
|
||||
include::{libbeat-dir}/opendashboards.asciidoc[]
|
||||
|
||||
The dashboards are provided as examples. We recommend that you
|
||||
{kibana-ref}/dashboard.html[customize] them to meet your needs.
|
||||
|
||||
[role="screenshot"]
|
||||
image::./images/auditbeat-file-integrity-dashboard.png[Auditbeat File Integrity Dashboard]
|
BIN
vendor/github.com/elastic/beats/auditbeat/docs/images/auditbeat-file-integrity-dashboard.png
BIN
vendor/github.com/elastic/beats/auditbeat/docs/images/auditbeat-kernel-sockets-dashboard.png
BIN
vendor/github.com/elastic/beats/auditbeat/docs/images/kibana-created-indexes.png
BIN
vendor/github.com/elastic/beats/auditbeat/docs/images/kibana-navigation-vis.png
|
@ -1,55 +0,0 @@
|
|||
= Auditbeat Reference
|
||||
|
||||
:libbeat-dir: {docdir}/../../libbeat/docs
|
||||
|
||||
include::{libbeat-dir}/version.asciidoc[]
|
||||
|
||||
include::{asciidoc-dir}/../../shared/versions/stack/{source_branch}.asciidoc[]
|
||||
|
||||
include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
|
||||
|
||||
:beatname_lc: auditbeat
|
||||
:beatname_uc: Auditbeat
|
||||
:beatname_pkg: {beatname_lc}
|
||||
:github_repo_name: beats
|
||||
:discuss_forum: beats/{beatname_lc}
|
||||
:beat_default_index_prefix: {beatname_lc}
|
||||
:deb_os:
|
||||
:rpm_os:
|
||||
:mac_os:
|
||||
:docker_platform:
|
||||
:win_os:
|
||||
:linux_os:
|
||||
:no_decode_cef_processor:
|
||||
:no_decode_csv_fields_processor:
|
||||
:no_script_processor:
|
||||
:no_timestamp_processor:
|
||||
|
||||
include::{libbeat-dir}/shared-beats-attributes.asciidoc[]
|
||||
|
||||
include::./overview.asciidoc[]
|
||||
|
||||
include::./getting-started.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/repositories.asciidoc[]
|
||||
|
||||
include::./setting-up-running.asciidoc[]
|
||||
|
||||
include::./upgrading.asciidoc[]
|
||||
|
||||
include::./configuring-howto.asciidoc[]
|
||||
|
||||
include::./modules.asciidoc[]
|
||||
|
||||
include::./fields.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/monitoring/monitoring-beats.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/shared-securing-beat.asciidoc[]
|
||||
|
||||
include::./troubleshooting.asciidoc[]
|
||||
|
||||
include::./faq.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/contributing-to-beats.asciidoc[]
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
[id="{beatname_lc}-modules"]
|
||||
= Modules
|
||||
|
||||
[partintro]
|
||||
--
|
||||
This section contains detailed information about the metric collecting modules
|
||||
contained in {beatname_uc}. More details about each module can be found under
|
||||
the links below.
|
||||
|
||||
include::modules_list.asciidoc[]
|
|
@ -1,306 +0,0 @@
|
|||
////
|
||||
This file is generated! See scripts/docs_collector.py
|
||||
////
|
||||
|
||||
[id="{beatname_lc}-module-auditd"]
|
||||
== Auditd Module
|
||||
|
||||
The `auditd` module receives audit events from the Linux Audit Framework that
|
||||
is a part of the Linux kernel.
|
||||
|
||||
This module is available only for Linux.
|
||||
|
||||
[float]
|
||||
=== How it works
|
||||
|
||||
This module establishes a subscription to the kernel to receive the events
|
||||
as they occur. So unlike most other modules, the `period` configuration
|
||||
option is unused because it is not implemented using polling.
|
||||
|
||||
The Linux Audit Framework can send multiple messages for a single auditable
|
||||
event. For example, a `rename` syscall causes the kernel to send eight separate
|
||||
messages. Each message describes a different aspect of the activity that is
|
||||
occurring (the syscall itself, file paths, current working directory, process
|
||||
title). This module will combine all of the data from each of the messages
|
||||
into a single event.
|
||||
|
||||
Messages for one event can be interleaved with messages from another event. This
|
||||
module will buffer the messages in order to combine related messages into a
|
||||
single event even if they arrive interleaved or out of order.
|
||||
|
||||
[float]
|
||||
=== Useful commands
|
||||
|
||||
When running {beatname_uc} with the `auditd` module enabled, you might find
|
||||
that other monitoring tools interfere with {beatname_uc}.
|
||||
|
||||
For example, you might encounter errors if another process, such as `auditd`, is
|
||||
registered to receive data from the Linux Audit Framework. You can use these
|
||||
commands to see if the `auditd` service is running and stop it:
|
||||
|
||||
* See if `auditd` is running:
|
||||
+
|
||||
[source,shell]
|
||||
-----
|
||||
service auditd status
|
||||
-----
|
||||
|
||||
* Stop the `auditd` service:
|
||||
+
|
||||
[source,shell]
|
||||
-----
|
||||
service auditd stop
|
||||
-----
|
||||
|
||||
* Disable `auditd` from starting on boot:
|
||||
+
|
||||
[source,shell]
|
||||
-----
|
||||
chkconfig auditd off
|
||||
-----
|
||||
|
||||
To save CPU usage and disk space, you can use this command to stop `journald`
|
||||
from listening to audit messages:
|
||||
|
||||
[source,shell]
|
||||
-----
|
||||
systemctl mask systemd-journald-audit.socket
|
||||
-----
|
||||
|
||||
[float]
|
||||
=== Inspect the kernel audit system status
|
||||
|
||||
{beatname_uc} provides useful commands to query the state of the audit system
|
||||
in the Linux kernel.
|
||||
|
||||
* See the list of installed audit rules:
|
||||
+
|
||||
[source,shell]
|
||||
-----
|
||||
auditbeat show auditd-rules
|
||||
-----
|
||||
+
|
||||
Prints the list of loaded rules, similar to `auditctl -l`:
|
||||
+
|
||||
[source,shell]
|
||||
-----
|
||||
-a never,exit -S all -F pid=26253
|
||||
-a always,exit -F arch=b32 -S all -F key=32bit-abi
|
||||
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
|
||||
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
|
||||
-w /etc/group -p wa -k identity
|
||||
-w /etc/passwd -p wa -k identity
|
||||
-w /etc/gshadow -p wa -k identity
|
||||
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
|
||||
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access
|
||||
-----
|
||||
|
||||
* See the status of the audit system:
|
||||
+
|
||||
[source,shell]
|
||||
-----
|
||||
auditbeat show auditd-status
|
||||
-----
|
||||
+
|
||||
Prints the status of the kernel audit system, similar to `auditctl -s`:
|
||||
+
|
||||
[source,shell]
|
||||
-----
|
||||
enabled 1
|
||||
failure 0
|
||||
pid 0
|
||||
rate_limit 0
|
||||
backlog_limit 8192
|
||||
lost 14407
|
||||
backlog 0
|
||||
backlog_wait_time 0
|
||||
features 0xf
|
||||
-----
|
||||
|
||||
[float]
|
||||
=== Configuration options
|
||||
|
||||
This module has some configuration options for tuning its behavior. The
|
||||
following example shows all configuration options with their default values.
|
||||
|
||||
[source,yaml]
|
||||
----
|
||||
- module: auditd
|
||||
resolve_ids: true
|
||||
failure_mode: silent
|
||||
backlog_limit: 8192
|
||||
rate_limit: 0
|
||||
include_raw_message: false
|
||||
include_warnings: false
|
||||
backpressure_strategy: auto
|
||||
----
|
||||
|
||||
*`socket_type`*:: This optional setting controls the type of
|
||||
socket that {beatname_uc} uses to receive events from the kernel. The two
|
||||
options are `unicast` and `multicast`.
|
||||
+
|
||||
`unicast` should be used when {beatname_uc} is the primary userspace daemon for
|
||||
receiving audit events and managing the rules. Only a single process can receive
|
||||
audit events through the "unicast" connection so any other daemons should be
|
||||
stopped (e.g. stop `auditd`).
|
||||
+
|
||||
`multicast` can be used in kernel versions 3.16 and newer. By using `multicast`
|
||||
{beatname_uc} will receive an audit event broadcast that is not exclusive to a
|
||||
a single process. This is ideal for situations where `auditd` is running and
|
||||
managing the rules. If `multicast` is specified, but the kernel version is less
|
||||
than 3.16 {beatname_uc} will automatically revert to `unicast`.
|
||||
+
|
||||
By default {beatname_uc} will use `multicast` if the kernel version is 3.16 or
|
||||
newer and no rules have been defined. Otherwise `unicast` will be used.
|
||||
|
||||
*`resolve_ids`*:: This boolean setting enables the resolution of UIDs and
|
||||
GIDs to their associated names. The default value is true.
|
||||
|
||||
*`failure_mode`*:: This determines the kernel's behavior on critical
|
||||
failures such as errors sending events to {beatname_uc}, the backlog limit was
|
||||
exceeded, the kernel ran out of memory, or the rate limit was exceeded. The
|
||||
options are `silent`, `log`, or `panic`. `silent` basically makes the kernel
|
||||
ignore the errors, `log` makes the kernel write the audit messages using
|
||||
`printk` so they show up in system's syslog, and `panic` causes the kernel to
|
||||
panic to prevent use of the machine. {beatname_uc}'s default is `silent`.
|
||||
|
||||
*`backlog_limit`*:: This controls the maximum number of audit messages
|
||||
that will be buffered by the kernel.
|
||||
|
||||
*`rate_limit`*:: This sets a rate limit on the number of messages/sec
|
||||
delivered by the kernel. The default is 0, which disables rate limiting.
|
||||
Changing this value to anything other than zero can cause messages to be lost.
|
||||
The preferred approach to reduce the messaging rate is be more selective in the
|
||||
audit ruleset.
|
||||
|
||||
*`include_raw_message`*:: This boolean setting causes {beatname_uc} to
|
||||
include each of the raw messages that contributed to the event in the document
|
||||
as a field called `event.original`. The default value is false. This setting is
|
||||
primarily used for development and debugging purposes.
|
||||
|
||||
*`include_warnings`*:: This boolean setting causes {beatname_uc} to
|
||||
include as warnings any issues that were encountered while parsing the raw
|
||||
messages. The messages are written to the `error.message` field. The default
|
||||
value is false. When this setting is enabled the raw messages will be included
|
||||
in the event regardless of the `include_raw_message` config setting. This
|
||||
setting is primarily used for development and debugging purposes.
|
||||
|
||||
*`audit_rules`*:: A string containing the audit rules that should be
|
||||
installed to the kernel. There should be one rule per line. Comments can be
|
||||
embedded in the string using `#` as a prefix. The format for rules is the same
|
||||
used by the Linux `auditctl` utility. {beatname_uc} supports adding file watches
|
||||
(`-w`) and syscall rules (`-a` or `-A`).
|
||||
|
||||
*`audit_rule_files`*:: A list of files to load audit rules from. This files are
|
||||
loaded after the rules declared in `audit_rules` are loaded. Wildcards are
|
||||
supported and will expand in lexicographical order. The format is the same as
|
||||
that of the `audit_rules` field.
|
||||
|
||||
*`backpressure_strategy`*:: Specifies the strategy that {beatname_uc} uses to
|
||||
prevent backpressure from propagating to the kernel and impacting audited
|
||||
processes.
|
||||
+
|
||||
--
|
||||
The possible values are:
|
||||
|
||||
- `auto` (default): {beatname_uc} uses the `kernel` strategy, if supported, or
|
||||
falls back to the `userspace` strategy.
|
||||
- `kernel`: {beatname_uc} sets the `backlog_wait_time` in the kernel's
|
||||
audit framework to 0. This causes events to be discarded in the kernel if
|
||||
the audit backlog queue fills to capacity. Requires a 3.14 kernel or
|
||||
newer.
|
||||
- `userspace`: {beatname_uc} drops events when there is backpressure
|
||||
from the publishing pipeline. If no `rate_limit` is set, {beatname_uc} sets a rate
|
||||
limit of 5000. Users should test their setup and adjust the `rate_limit`
|
||||
option accordingly.
|
||||
- `both`: {beatname_uc} uses the `kernel` and `userspace` strategies at the same
|
||||
time.
|
||||
- `none`: No backpressure mitigation measures are enabled.
|
||||
--
|
||||
|
||||
*`keep_null`*:: If this option is set to true, fields with `null` values will be
|
||||
published in the output document. By default, `keep_null` is set to `false`.
|
||||
|
||||
[float]
|
||||
=== Audit rules
|
||||
|
||||
The audit rules are where you configure the activities that are audited. These
|
||||
rules are configured as either syscalls or files that should be monitored. For
|
||||
example you can track all `connect` syscalls or file system writes to
|
||||
`/etc/passwd`.
|
||||
|
||||
Auditing a large number of syscalls can place a heavy load on the system so
|
||||
consider carefully the rules you define and try to apply filters in the rules
|
||||
themselves to be as selective as possible.
|
||||
|
||||
The kernel evaluates the rules in the order in which they were defined so place
|
||||
the most active rules first in order to speed up evaluation.
|
||||
|
||||
You can assign keys to each rule for better identification of the rule that
|
||||
triggered an event and easier filtering later in Elasticsearch.
|
||||
|
||||
Defining any audit rules in the config causes {beatname_uc} to purge all
|
||||
existing audit rules prior to adding the rules specified in the config.
|
||||
Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule.
|
||||
|
||||
["source","sh",subs="attributes"]
|
||||
----
|
||||
{beatname_lc}.modules:
|
||||
- module: auditd
|
||||
audit_rules: |
|
||||
# Things that affect identity.
|
||||
-w /etc/group -p wa -k identity
|
||||
-w /etc/passwd -p wa -k identity
|
||||
-w /etc/gshadow -p wa -k identity
|
||||
-w /etc/shadow -p wa -k identity
|
||||
|
||||
# Unauthorized access attempts to files (unsuccessful).
|
||||
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
||||
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
||||
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
||||
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
||||
----
|
||||
|
||||
|
||||
[float]
|
||||
=== Example configuration
|
||||
|
||||
The Auditd module supports the common configuration options that are
|
||||
described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
|
||||
is an example configuration:
|
||||
|
||||
[source,yaml]
|
||||
----
|
||||
auditbeat.modules:
|
||||
- module: auditd
|
||||
# Load audit rules from separate files. Same format as audit.rules(7).
|
||||
audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
|
||||
audit_rules: |
|
||||
## Define audit rules here.
|
||||
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
|
||||
## examples or add your own rules.
|
||||
|
||||
## If you are on a 64 bit platform, everything should be running
|
||||
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
|
||||
## because this might be a sign of someone exploiting a hole in the 32
|
||||
## bit API.
|
||||
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
|
||||
|
||||
## Executions.
|
||||
#-a always,exit -F arch=b64 -S execve,execveat -k exec
|
||||
|
||||
## External access (warning: these can be expensive to audit).
|
||||
#-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
|
||||
|
||||
## Identity changes.
|
||||
#-w /etc/group -p wa -k identity
|
||||
#-w /etc/passwd -p wa -k identity
|
||||
#-w /etc/gshadow -p wa -k identity
|
||||
|
||||
## Unauthorized access attempts.
|
||||
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
|
||||
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
|
||||
|
||||
|
||||
----
|
||||
|
148
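--- a/vendor/github.com/elastic/beats/auditbeat/docs/modules/file_integrity.asciidoc
+++ b/vendor/github.com/elastic/beats/auditbeat/docs/modules/file_integrity.asciidoc
@@ -1,148 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-[id="{beatname_lc}-module-file_integrity"]
-== File Integrity Module
-
-The `file_integrity` module sends events when a file is changed (created,
-updated, or deleted) on disk. The events contain file metadata and hashes.
-
-The module is implemented for Linux, macOS (Darwin), and Windows.
-
-[float]
-=== How it works
-
-This module uses features of the operating system to monitor file changes in
-realtime. When the module starts it creates a subscription with the OS to
-receive notifications of changes to the specified files or directories. Upon
-receiving notification of a change the module will read the file's metadata
-and the compute a hash of the file's contents.
-
-At startup this module will perform an initial scan of the configured files
-and directories to generate baseline data for the monitored paths and detect
-changes since the last time it was run. It uses locally persisted data in order
-to only send events for new or modified files.
-
-The operating system features that power this feature are as follows.
-
-* Linux - `inotify` is used, and therefore the kernel must have inotify support.
-Inotify was initially merged into the 2.6.13 Linux kernel.
-* macOS (Darwin) - Uses the `FSEvents` API, present since macOS 10.5. This API
-coalesces multiple changes to a file into a single event. {beatname_uc} translates
-this coalesced changes into a meaningful sequence of actions. However,
-in rare situations the reported events may have a different ordering than what
-actually happened.
-* Windows - `ReadDirectoryChangesW` is used.
-
-The file integrity module should not be used to monitor paths on network file
-systems.
-
-[float]
-=== Configuration options
-
-This module has some configuration options for tuning its behavior. The
-following example shows all configuration options with their default values for
-Linux.
-
-[source,yaml]
-----
-- module: file_integrity
-paths:
-- /bin
-- /usr/bin
-- /sbin
-- /usr/sbin
-- /etc
-exclude_files:
-- '(?i)\.sw[nop]$'
-- '~$'
-- '/\.git($|/)'
-include_files: []
-scan_at_start: true
-scan_rate_per_sec: 50 MiB
-max_file_size: 100 MiB
-hash_types: [sha1]
-recursive: false
-----
-
-*`paths`*:: A list of paths (directories or files) to watch. Globs are
-not supported. The specified paths should exist when the metricset is started.
-
-*`exclude_files`*:: A list of regular expressions used to filter out events
-for unwanted files. The expressions are matched against the full path of every
-file and directory. When used in conjunction with `include_files`, file paths need
-to match both `include_files` and not match `exclude_files` to be selected.
-By default, no files are excluded. See <<regexp-support>>
-for a list of supported regexp patterns. It is recommended to wrap regular
-expressions in single quotation marks to avoid issues with YAML escaping
-rules.
-
-*`include_files`*:: A list of regular expressions used to specify which files to
-select. When configured, only files matching the pattern will be monitored.
-The expressions are matched against the full path of every file and directory.
-When used in conjunction with `exclude_files`, file paths need
-to match both `include_files` and not match `exclude_files` to be selected.
-By default, all files are selected. See <<regexp-support>>
-for a list of supported regexp patterns. It is recommended to wrap regular
-expressions in single quotation marks to avoid issues with YAML escaping
-rules.
-
-*`scan_at_start`*:: A boolean value that controls if {beatname_uc} scans
-over the configured file paths at startup and send events for the files
-that have been modified since the last time {beatname_uc} was running. The
-default value is true.
-+
-This feature depends on data stored locally in `path.data` in order to determine
-if a file has changed. The first time {beatname_uc} runs it will send an event
-for each file it encounters.
-
-*`scan_rate_per_sec`*:: When `scan_at_start` is enabled this sets an
-average read rate defined in bytes per second for the initial scan. This
-throttles the amount of CPU and I/O that {beatname_uc} consumes at startup.
-The default value is "50 MiB". Setting the value to "0" disables throttling.
-For convenience units can be specified as a suffix to the value. The supported
-units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`, `gb`, `tib`, `tb`,
-`pib`, `pb`, `eib`, and `eb`.
-
-*`max_file_size`*:: The maximum size of a file in bytes for which
-{beatname_uc} will compute hashes. Files larger than this size will not be
-hashed. The default value is 100 MiB. For convenience units can be specified as
-a suffix to the value. The supported units are `b` (default), `kib`, `kb`, `mib`,
-`mb`, `gib`, `gb`, `tib`, `tb`, `pib`, `pb`, `eib`, and `eb`.
-
-*`hash_types`*:: A list of hash types to compute when the file changes.
-The supported hash types are `blake2b_256`, `blake2b_384`, `blake2b_512`, `md5`,
-`sha1`, `sha224`, `sha256`, `sha384`, `sha512`, `sha512_224`, `sha512_256`,
-`sha3_224`, `sha3_256`, `sha3_384`, `sha3_512`, and `xxh64`. The default value is `sha1`.
-
-*`recursive`*:: By default, the watches set to the paths specified in
-`paths` are not recursive. This means that only changes to the contents
-of this directories are watched. If `recursive` is set to `true`, the
-`file_integrity` module will watch for changes on this directories and all
-their subdirectories.
-
-*`keep_null`*:: If this option is set to true, fields with `null` values will be
-published in the output document. By default, `keep_null` is set to `false`.
-
-
-[float]
-=== Example configuration
-
-The File Integrity module supports the common configuration options that are
-described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
-is an example configuration:
-
-[source,yaml]
-----
-auditbeat.modules:
-- module: file_integrity
-paths:
-- /bin
-- /usr/bin
-- /sbin
-- /usr/sbin
-- /etc
-
-----
-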
@ -1,14 +0,0 @@
|
|||
////
|
||||
This file is generated! See scripts/docs_collector.py
|
||||
////
|
||||
|
||||
* <<{beatname_lc}-module-auditd,Auditd>>
|
||||
* <<{beatname_lc}-module-file_integrity,File Integrity>>
|
||||
* <<{beatname_lc}-module-system,System>>
|
||||
|
||||
|
||||
--
|
||||
|
||||
include::./modules/auditd.asciidoc[]
|
||||
include::./modules/file_integrity.asciidoc[]
|
||||
include::../../x-pack/auditbeat/docs/modules/system.asciidoc[]
|
|
@ -1,15 +0,0 @@
|
|||
[id="{beatname_lc}-overview"]
|
||||
== {beatname_uc} overview
|
||||
|
||||
++++
|
||||
<titleabbrev>Overview</titleabbrev>
|
||||
++++
|
||||
|
||||
{beatname_uc} is a lightweight shipper that you can install on your servers to
|
||||
audit the activities of users and processes on your systems. For example, you
|
||||
can use {beatname_uc} to collect and centralize audit events from the Linux
|
||||
Audit Framework. You can also use {beatname_uc} to detect changes to critical
|
||||
files, like binaries and configuration files, and identify potential security
|
||||
policy violations.
|
||||
|
||||
include::{libbeat-dir}/shared-libbeat-description.asciidoc[]
|
|
@ -1,47 +0,0 @@
|
|||
[id="{beatname_lc}-configuration-reloading"]
|
||||
== Reload the configuration dynamically
|
||||
|
||||
beta[]
|
||||
|
||||
You can configure {beatname_uc} to dynamically reload configuration files when
|
||||
there are changes. To do this, you specify a path
|
||||
(https://golang.org/pkg/path/filepath/#Glob[glob]) to watch for module
|
||||
configuration changes. When the files found by the glob change, new modules are
|
||||
started/stopped according to changes in the configuration files.
|
||||
|
||||
To enable dynamic config reloading, you specify the `path` and `reload` options
|
||||
in the main +{beatname_lc}.yml+ config file. For example:
|
||||
|
||||
["source","sh"]
|
||||
------------------------------------------------------------------------------
|
||||
auditbeat.config.modules:
|
||||
path: ${path.config}/conf.d/*.yml
|
||||
reload.enabled: true
|
||||
reload.period: 10s
|
||||
------------------------------------------------------------------------------
|
||||
|
||||
*`path`*:: A glob that defines the files to check for changes.
|
||||
|
||||
*`reload.enabled`*:: When set to `true`, enables dynamic config reload.
|
||||
|
||||
*`reload.period`*:: Specifies how often the files are checked for changes. Do not
|
||||
set the `period` to less than 1s because the modification time of files is often
|
||||
stored in seconds. Setting the `period` to less than 1s will result in
|
||||
unnecessary overhead.
|
||||
|
||||
Each file found by the glob must contain a list of one or more module
|
||||
definitions. For example:
|
||||
|
||||
[source,yaml]
|
||||
------------------------------------------------------------------------------
|
||||
- module: file_integrity
|
||||
paths:
|
||||
- /www/wordpress
|
||||
- /www/wordpress/wp-admin
|
||||
- /www/wordpress/wp-content
|
||||
- /www/wordpress/wp-includes
|
||||
------------------------------------------------------------------------------
|
||||
|
||||
NOTE: On systems with POSIX file permissions, all Beats configuration files are
|
||||
subject to ownership and file permission checks. If you encounter config loading
|
||||
errors related to file ownership, see {beats-ref}/config-file-permissions.html.
|
|
@ -1,14 +0,0 @@
|
|||
include::{libbeat-dir}/shared-docker.asciidoc[]
|
||||
|
||||
==== Special requirements
|
||||
|
||||
Under Docker, {beatname_uc} runs as a non-root user, but requires some privileged
|
||||
capabilities to operate correctly. Ensure that the +AUDIT_CONTROL+ and +AUDIT_READ+
|
||||
capabilities are available to the container.
|
||||
|
||||
It is also essential to run {beatname_uc} in the host PID namespace.
|
||||
|
||||
["source","sh",subs="attributes"]
|
||||
----
|
||||
docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host {dockerimage}
|
||||
----
|
|
@ -1,75 +0,0 @@
|
|||
[[running-on-kubernetes]]
|
||||
=== Running {beatname_uc} on Kubernetes
|
||||
|
||||
{beatname_uc} <<running-on-docker,Docker images>> can be used on Kubernetes to
|
||||
check files integrity.
|
||||
|
||||
ifeval::["{release-state}"=="unreleased"]
|
||||
|
||||
However, version {version} of {beatname_uc} has not yet been
|
||||
released, so no Docker image is currently available for this version.
|
||||
|
||||
endif::[]
|
||||
|
||||
|
||||
[float]
|
||||
==== Kubernetes deploy manifests
|
||||
|
||||
By deploying {beatname_uc} as a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet]
|
||||
we ensure we get a running instance on each node of the cluster.
|
||||
|
||||
Everything is deployed under `kube-system` namespace, you can change that by
|
||||
updating the YAML file.
|
||||
|
||||
To get the manifests just run:
|
||||
|
||||
["source", "sh", subs="attributes"]
|
||||
------------------------------------------------
|
||||
curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/{beatname_lc}-kubernetes.yaml
|
||||
------------------------------------------------
|
||||
|
||||
[WARNING]
|
||||
=======================================
|
||||
If you are using Kubernetes 1.7 or earlier: {beatname_uc} uses a hostPath volume to persist internal data, it's located
|
||||
under /var/lib/{beatname_lc}-data. The manifest uses folder autocreation (`DirectoryOrCreate`), which was introduced in
|
||||
Kubernetes 1.8. You will need to remove `type: DirectoryOrCreate` from the manifest and create the host folder yourself.
|
||||
=======================================
|
||||
|
||||
[float]
|
||||
==== Settings
|
||||
|
||||
Some parameters are exposed in the manifest to configure logs destination, by
|
||||
default they will use an existing Elasticsearch deploy if it's present, but you
|
||||
may want to change that behavior, so just edit the YAML file and modify them:
|
||||
|
||||
["source", "yaml", subs="attributes"]
|
||||
------------------------------------------------
|
||||
- name: ELASTICSEARCH_HOST
|
||||
value: elasticsearch
|
||||
- name: ELASTICSEARCH_PORT
|
||||
value: "9200"
|
||||
- name: ELASTICSEARCH_USERNAME
|
||||
value: elastic
|
||||
- name: ELASTICSEARCH_PASSWORD
|
||||
value: changeme
|
||||
------------------------------------------------
|
||||
|
||||
[float]
|
||||
==== Deploy
|
||||
|
||||
To deploy {beatname_uc} to Kubernetes just run:
|
||||
|
||||
["source", "sh", subs="attributes"]
|
||||
------------------------------------------------
|
||||
kubectl create -f {beatname_lc}-kubernetes.yaml
|
||||
------------------------------------------------
|
||||
|
||||
Then you should be able to check the status by running:
|
||||
|
||||
["source", "sh", subs="attributes"]
|
||||
------------------------------------------------
|
||||
$ kubectl --namespace=kube-system get ds/{beatname_lc}
|
||||
|
||||
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE-SELECTOR AGE
|
||||
{beatname_lc} 32 32 0 32 0 <none> 1m
|
||||
------------------------------------------------
|
|
@ -1,42 +0,0 @@
|
|||
/////
|
||||
// NOTE:
|
||||
// Each beat has its own setup overview to allow for the addition of content
|
||||
// that is unique to each beat.
|
||||
/////
|
||||
|
||||
[[setting-up-and-running]]
|
||||
== Setting up and running {beatname_uc}
|
||||
|
||||
Before reading this section, see the
|
||||
<<{beatname_lc}-getting-started,getting started documentation>> for basic
|
||||
installation instructions to get you started.
|
||||
|
||||
This section includes additional information on how to set up and run
|
||||
{beatname_uc}, including:
|
||||
|
||||
* <<directory-layout>>
|
||||
|
||||
* <<command-line-options>>
|
||||
|
||||
* <<running-on-docker>>
|
||||
|
||||
* <<running-on-kubernetes>>
|
||||
|
||||
* <<running-with-systemd>>
|
||||
|
||||
|
||||
//MAINTAINERS: If you add a new file to this section, make sure you update the bulleted list ^^ too.
|
||||
|
||||
include::{libbeat-dir}/shared-directory-layout.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/keystore.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/command-reference.asciidoc[]
|
||||
|
||||
include::./running-on-docker.asciidoc[]
|
||||
|
||||
include::./running-on-kubernetes.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/shared-systemd.asciidoc[]
|
||||
|
||||
include::{libbeat-dir}/shared-shutdown.asciidoc[]
|
|
@ -1,30 +0,0 @@
|
|||
[[troubleshooting]]
|
||||
= Troubleshooting
|
||||
|
||||
[partintro]
|
||||
--
|
||||
If you have issues installing or running {beatname_uc}, read the
|
||||
following tips:
|
||||
|
||||
* <<getting-help>>
|
||||
* <<enable-{beatname_lc}-debugging>>
|
||||
* <<faq>>
|
||||
|
||||
//sets block macro for getting-help.asciidoc included in next section
|
||||
|
||||
--
|
||||
|
||||
[[getting-help]]
|
||||
== Get Help
|
||||
|
||||
include::{libbeat-dir}/getting-help.asciidoc[]
|
||||
|
||||
//sets block macro for debugging.asciidoc included in next section
|
||||
|
||||
[id="enable-{beatname_lc}-debugging"]
|
||||
== Debug
|
||||
|
||||
include::{libbeat-dir}/debugging.asciidoc[]
|
||||
|
||||
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
[[upgrading-auditbeat]]
|
||||
== Upgrading Auditbeat
|
||||
|
||||
For information about upgrading to a new version, see the following topics in the _Beats Platform Reference_:
|
||||
|
||||
* {beats-ref}/breaking-changes.html[Breaking Changes]
|
||||
* {beats-ref}/upgrading.html[Upgrading]
|
|
@ -1,264 +0,0 @@
|
|||
// Licensed to Elasticsearch B.V. under one or more contributor
|
||||
// license agreements. See the NOTICE file distributed with
|
||||
// this work for additional information regarding copyright
|
||||
// ownership. Elasticsearch B.V. licenses this file to you under
|
||||
// the Apache License, Version 2.0 (the "License"); you may
|
||||
// not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing,
|
||||
// software distributed under the License is distributed on an
|
||||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
// KIND, either express or implied. See the License for the
|
||||
// specific language governing permissions and limitations
|
||||
// under the License.
|
||||
|
||||
package hasher
|
||||
|
||||
import (
|
||||
"crypto/md5"
|
||||
"crypto/sha1"
|
||||
"crypto/sha256"
|
||||
"crypto/sha512"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"hash"
|
||||
"io"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/OneOfOne/xxhash"
|
||||
"github.com/dustin/go-humanize"
|
||||
"github.com/joeshaw/multierror"
|
||||
"github.com/pkg/errors"
|
||||
"golang.org/x/crypto/blake2b"
|
||||
"golang.org/x/crypto/sha3"
|
||||
"golang.org/x/time/rate"
|
||||
|
||||
"github.com/elastic/beats/libbeat/common/file"
|
||||
)
|
||||
|
||||
// HashType identifies a cryptographic algorithm.
|
||||
type HashType string
|
||||
|
||||
// Unpack unpacks a string to a HashType for config parsing.
|
||||
func (t *HashType) Unpack(v string) error {
|
||||
*t = HashType(strings.ToLower(v))
|
||||
return nil
|
||||
}
|
||||
|
||||
// IsValid checks if the hash type is valid.
|
||||
func (t *HashType) IsValid() bool {
|
||||
_, valid := validHashes[*t]
|
||||
return valid
|
||||
}
|
||||
|
||||
var validHashes = map[HashType](func() hash.Hash){
|
||||
BLAKE2B_256: func() hash.Hash {
|
||||
h, _ := blake2b.New256(nil)
|
||||
return h
|
||||
},
|
||||
BLAKE2B_384: func() hash.Hash {
|
||||
h, _ := blake2b.New384(nil)
|
||||
return h
|
||||
},
|
||||
BLAKE2B_512: func() hash.Hash {
|
||||
h, _ := blake2b.New512(nil)
|
||||
return h
|
||||
},
|
||||
MD5: md5.New,
|
||||
SHA1: sha1.New,
|
||||
SHA224: sha256.New224,
|
||||
SHA256: sha256.New,
|
||||
SHA384: sha512.New384,
|
||||
SHA512: sha512.New,
|
||||
SHA512_224: sha512.New512_224,
|
||||
SHA512_256: sha512.New512_256,
|
||||
SHA3_224: sha3.New224,
|
||||
SHA3_256: sha3.New256,
|
||||
SHA3_384: sha3.New384,
|
||||
SHA3_512: sha3.New512,
|
||||
XXH64: func() hash.Hash {
|
||||
return xxhash.New64()
|
||||
},
|
||||
}
|
||||
|
||||
// Enum of hash types.
|
||||
const (
|
||||
BLAKE2B_256 HashType = "blake2b_256"
|
||||
BLAKE2B_384 HashType = "blake2b_384"
|
||||
BLAKE2B_512 HashType = "blake2b_512"
|
||||
MD5 HashType = "md5"
|
||||
SHA1 HashType = "sha1"
|
||||
SHA224 HashType = "sha224"
|
||||
SHA256 HashType = "sha256"
|
||||
SHA384 HashType = "sha384"
|
||||
SHA3_224 HashType = "sha3_224"
|
||||
SHA3_256 HashType = "sha3_256"
|
||||
SHA3_384 HashType = "sha3_384"
|
||||
SHA3_512 HashType = "sha3_512"
|
||||
SHA512 HashType = "sha512"
|
||||
SHA512_224 HashType = "sha512_224"
|
||||
SHA512_256 HashType = "sha512_256"
|
||||
XXH64 HashType = "xxh64"
|
||||
)
|
||||
|
||||
// Digest is a output of a hash function.
|
||||
type Digest []byte
|
||||
|
||||
// String returns the digest value in lower-case hexadecimal form.
|
||||
func (d Digest) String() string {
|
||||
return hex.EncodeToString(d)
|
||||
}
|
||||
|
||||
// MarshalText encodes the digest to a hexadecimal representation of itself.
|
||||
func (d Digest) MarshalText() ([]byte, error) { return []byte(d.String()), nil }
|
||||
|
||||
// FileTooLargeError is the error that occurs when a file that
|
||||
// exceeds the max file size is attempting to be hashed.
|
||||
type FileTooLargeError struct {
|
||||
fileSize int64
|
||||
}
|
||||
|
||||
// Error returns the error message for FileTooLargeError.
|
||||
func (e FileTooLargeError) Error() string {
|
||||
return fmt.Sprintf("hasher: file size %d exceeds max file size", e.fileSize)
|
||||
}
|
||||
|
||||
// Config contains the configuration of a FileHasher.
|
||||
type Config struct {
|
||||
HashTypes []HashType `config:"hash_types,replace"`
|
||||
MaxFileSize string `config:"max_file_size"`
|
||||
MaxFileSizeBytes uint64 `config:",ignore"`
|
||||
ScanRatePerSec string `config:"scan_rate_per_sec"`
|
||||
ScanRateBytesPerSec uint64 `config:",ignore"`
|
||||
}
|
||||
|
||||
// Validate validates the config.
|
||||
func (c *Config) Validate() error {
|
||||
var errs multierror.Errors
|
||||
|
||||
for _, ht := range c.HashTypes {
|
||||
if !ht.IsValid() {
|
||||
errs = append(errs, errors.Errorf("invalid hash_types value '%v'", ht))
|
||||
}
|
||||
}
|
||||
|
||||
var err error
|
||||
|
||||
c.MaxFileSizeBytes, err = humanize.ParseBytes(c.MaxFileSize)
|
||||
if err != nil {
|
||||
errs = append(errs, errors.Wrap(err, "invalid max_file_size value"))
|
||||
} else if c.MaxFileSizeBytes <= 0 {
|
||||
errs = append(errs, errors.Errorf("max_file_size value (%v) must be positive", c.MaxFileSize))
|
||||
}
|
||||
|
||||
c.ScanRateBytesPerSec, err = humanize.ParseBytes(c.ScanRatePerSec)
|
||||
if err != nil {
|
||||
errs = append(errs, errors.Wrap(err, "invalid scan_rate_per_sec value"))
|
||||
}
|
||||
|
||||
return errs.Err()
|
||||
}
|
||||
|
||||
// FileHasher hashes the contents of files.
|
||||
type FileHasher struct {
|
||||
config Config
|
||||
limiter *rate.Limiter
|
||||
|
||||
// To cancel hashing
|
||||
done <-chan struct{}
|
||||
}
|
||||
|
||||
// NewFileHasher creates a new FileHasher.
|
||||
func NewFileHasher(c Config, done <-chan struct{}) (*FileHasher, error) {
|
||||
return &FileHasher{
|
||||
config: c,
|
||||
limiter: rate.NewLimiter(
|
||||
rate.Limit(c.ScanRateBytesPerSec), // Rate
|
||||
int(c.MaxFileSizeBytes), // Burst
|
||||
),
|
||||
done: done,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// HashFile hashes the contents of a file.
|
||||
func (hasher *FileHasher) HashFile(path string) (map[HashType]Digest, error) {
|
||||
info, err := os.Stat(path)
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "failed to stat file %v", path)
|
||||
}
|
||||
|
||||
// Throttle reading and hashing rate.
|
||||
if len(hasher.config.HashTypes) > 0 {
|
||||
err = hasher.throttle(info.Size())
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "failed to hash file %v", path)
|
||||
}
|
||||
}
|
||||
|
||||
var hashes []hash.Hash
|
||||
for _, hashType := range hasher.config.HashTypes {
|
||||
h, valid := validHashes[hashType]
|
||||
if !valid {
|
||||
return nil, errors.Errorf("unknown hash type '%v'", hashType)
|
||||
}
|
||||
|
||||
hashes = append(hashes, h())
|
||||
}
|
||||
|
||||
if len(hashes) > 0 {
|
||||
f, err := file.ReadOpen(path)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "failed to open file for hashing")
|
||||
}
|
||||
defer f.Close()
|
||||
|
||||
hashWriter := multiWriter(hashes)
|
||||
if _, err := io.Copy(hashWriter, f); err != nil {
|
||||
return nil, errors.Wrap(err, "failed to calculate file hashes")
|
||||
}
|
||||
|
||||
nameToHash := make(map[HashType]Digest, len(hashes))
|
||||
for i, h := range hashes {
|
||||
nameToHash[hasher.config.HashTypes[i]] = h.Sum(nil)
|
||||
}
|
||||
|
||||
return nameToHash, nil
|
||||
}
|
||||
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
func (hasher *FileHasher) throttle(fileSize int64) error {
|
||||
reservation := hasher.limiter.ReserveN(time.Now(), int(fileSize))
|
||||
if !reservation.OK() {
|
||||
// File is bigger than the max file size
|
||||
return FileTooLargeError{fileSize}
|
||||
}
|
||||
|
||||
delay := reservation.Delay()
|
||||
if delay == 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
timer := time.NewTimer(delay)
|
||||
defer timer.Stop()
|
||||
select {
|
||||
case <-hasher.done:
|
||||
case <-timer.C:
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func multiWriter(hash []hash.Hash) io.Writer {
|
||||
writers := make([]io.Writer, 0, len(hash))
|
||||
for _, h := range hash {
|
||||
writers = append(writers, h)
|
||||
}
|
||||
return io.MultiWriter(writers...)
|
||||
}
|
|
@ -1,92 +0,0 @@
|
|||
// Licensed to Elasticsearch B.V. under one or more contributor
|
||||
// license agreements. See the NOTICE file distributed with
|
||||
// this work for additional information regarding copyright
|
||||
// ownership. Elasticsearch B.V. licenses this file to you under
|
||||
// the Apache License, Version 2.0 (the "License"); you may
|
||||
// not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing,
|
||||
// software distributed under the License is distributed on an
|
||||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
// KIND, either express or implied. See the License for the
|
||||
// specific language governing permissions and limitations
|
||||
// under the License.
|
||||
|
||||
package hasher
|
||||
|
||||
import (
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestHasher(t *testing.T) {
|
||||
dir, err := ioutil.TempDir("", "auditbeat-hasher-test")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer os.RemoveAll(dir)
|
||||
|
||||
file := filepath.Join(dir, "exe")
|
||||
if err = ioutil.WriteFile(file, []byte("test exe\n"), 0600); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
config := Config{
|
||||
HashTypes: []HashType{SHA1, MD5},
|
||||
MaxFileSize: "100 MiB",
|
||||
MaxFileSizeBytes: 100 * 1024 * 1024,
|
||||
ScanRatePerSec: "50 MiB",
|
||||
ScanRateBytesPerSec: 50 * 1024 * 1024,
|
||||
}
|
||||
hasher, err := NewFileHasher(config, nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
hashes, err := hasher.HashFile(file)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
assert.Len(t, hashes, 2)
|
||||
assert.Equal(t, "44a36f2cd27e56794cd405ad8d44e82dba4c54fa", hashes["sha1"].String())
|
||||
assert.Equal(t, "1d7572082f6b0d18a393d618285d7100", hashes["md5"].String())
|
||||
}
|
||||
|
||||
func TestHasherLimits(t *testing.T) {
|
||||
dir, err := ioutil.TempDir("", "auditbeat-hasher-test")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer os.RemoveAll(dir)
|
||||
|
||||
file := filepath.Join(dir, "exe")
|
||||
if err = ioutil.WriteFile(file, []byte("test exe\n"), 0600); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
configZeroSize := Config{
|
||||
HashTypes: []HashType{SHA1},
|
||||
MaxFileSize: "0 MiB",
|
||||
MaxFileSizeBytes: 0,
|
||||
ScanRatePerSec: "0 MiB",
|
||||
ScanRateBytesPerSec: 0,
|
||||
}
|
||||
hasher, err := NewFileHasher(configZeroSize, nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
hashes, err := hasher.HashFile(file)
|
||||
assert.Empty(t, hashes)
|
||||
assert.Error(t, err)
|
||||
assert.IsType(t, FileTooLargeError{}, errors.Cause(err))
|
||||
}
|
|
@ -1,26 +0,0 @@
|
|||
// Licensed to Elasticsearch B.V. under one or more contributor
|
||||
// license agreements. See the NOTICE file distributed with
|
||||
// this work for additional information regarding copyright
|
||||
// ownership. Elasticsearch B.V. licenses this file to you under
|
||||
// the Apache License, Version 2.0 (the "License"); you may
|
||||
// not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing,
|
||||
// software distributed under the License is distributed on an
|
||||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
// KIND, either express or implied. See the License for the
|
||||
// specific language governing permissions and limitations
|
||||
// under the License.
|
||||
|
||||
// Code generated by beats/dev-tools/cmd/module_include_list/module_include_list.go - DO NOT EDIT.
|
||||
|
||||
package include
|
||||
|
||||
import (
|
||||
// Import packages that need to register themselves.
|
||||
_ "github.com/elastic/beats/auditbeat/module/auditd"
|
||||
_ "github.com/elastic/beats/auditbeat/module/file_integrity"
|
||||
)
|
|
@ -1,197 +0,0 @@
|
|||
// Licensed to Elasticsearch B.V. under one or more contributor
|
||||
// license agreements. See the NOTICE file distributed with
|
||||
// this work for additional information regarding copyright
|
||||
// ownership. Elasticsearch B.V. licenses this file to you under
|
||||
// the Apache License, Version 2.0 (the "License"); you may
|
||||
// not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing,
|
||||
// software distributed under the License is distributed on an
|
||||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
// KIND, either express or implied. See the License for the
|
||||
// specific language governing permissions and limitations
|
||||
// under the License.
|
||||
|
||||
// +build mage
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/magefile/mage/mg"
|
||||
|
||||
auditbeat "github.com/elastic/beats/auditbeat/scripts/mage"
|
||||
devtools "github.com/elastic/beats/dev-tools/mage"
|
||||
|
||||
// mage:import
|
||||
"github.com/elastic/beats/dev-tools/mage/target/common"
|
||||
)
|
||||
|
||||
func init() {
|
||||
common.RegisterCheckDeps(Update)
|
||||
|
||||
devtools.BeatDescription = "Audit the activities of users and processes on your system."
|
||||
}
|
||||
|
||||
// Aliases provides compatibility with CI while we transition all Beats
|
||||
// to having common testing targets.
|
||||
var Aliases = map[string]interface{}{
|
||||
"goTestUnit": GoUnitTest, // dev-tools/jenkins_ci.ps1 uses this.
|
||||
}
|
||||
|
||||
// Build builds the Beat binary.
|
||||
func Build() error {
|
||||
return devtools.Build(devtools.DefaultBuildArgs())
|
||||
}
|
||||
|
||||
// GolangCrossBuild build the Beat binary inside of the golang-builder.
|
||||
// Do not use directly, use crossBuild instead.
|
||||
func GolangCrossBuild() error {
|
||||
return devtools.GolangCrossBuild(devtools.DefaultGolangCrossBuildArgs())
|
||||
}
|
||||
|
||||
// BuildGoDaemon builds the go-daemon binary (use crossBuildGoDaemon).
|
||||
func BuildGoDaemon() error {
|
||||
return devtools.BuildGoDaemon()
|
||||
}
|
||||
|
||||
// CrossBuild cross-builds the beat for all target platforms.
|
||||
func CrossBuild() error {
|
||||
return devtools.CrossBuild()
|
||||
}
|
||||
|
||||
// CrossBuildGoDaemon cross-builds the go-daemon binary using Docker.
|
||||
func CrossBuildGoDaemon() error {
|
||||
return devtools.CrossBuildGoDaemon()
|
||||
}
|
||||
|
||||
// Package packages the Beat for distribution.
|
||||
// Use SNAPSHOT=true to build snapshots.
|
||||
// Use PLATFORMS to control the target platforms.
|
||||
// Use VERSION_QUALIFIER to control the version qualifier.
|
||||
func Package() {
|
||||
start := time.Now()
|
||||
defer func() { fmt.Println("package ran for", time.Since(start)) }()
|
||||
|
||||
devtools.UseElasticBeatOSSPackaging()
|
||||
devtools.PackageKibanaDashboardsFromBuildDir()
|
||||
auditbeat.CustomizePackaging(auditbeat.OSSPackaging)
|
||||
|
||||
mg.SerialDeps(Fields, Dashboards, Config, devtools.GenerateModuleIncludeListGo)
|
||||
mg.Deps(CrossBuild, CrossBuildGoDaemon)
|
||||
mg.SerialDeps(devtools.Package, TestPackages)
|
||||
}
|
||||
|
||||
// TestPackages tests the generated packages (i.e. file modes, owners, groups).
|
||||
func TestPackages() error {
|
||||
return devtools.TestPackages(devtools.WithRootUserContainer())
|
||||
}
|
||||
|
||||
// Update is an alias for running fields, dashboards, config, includes.
|
||||
func Update() {
|
||||
mg.SerialDeps(Fields, Dashboards, Config,
|
||||
devtools.GenerateModuleIncludeListGo, Docs)
|
||||
}
|
||||
|
||||
// Config generates both the short/reference configs and populates the modules.d
|
||||
// directory.
|
||||
func Config() error {
|
||||
return devtools.Config(devtools.AllConfigTypes, auditbeat.OSSConfigFileParams(), ".")
|
||||
}
|
||||
|
||||
// Fields generates fields.yml and fields.go files for the Beat.
|
||||
func Fields() {
|
||||
mg.Deps(libbeatAndAuditbeatCommonFieldsGo, moduleFieldsGo)
|
||||
mg.Deps(fieldsYML)
|
||||
}
|
||||
|
||||
// libbeatAndAuditbeatCommonFieldsGo generates a fields.go containing both
|
||||
// libbeat and auditbeat's common fields.
|
||||
func libbeatAndAuditbeatCommonFieldsGo() error {
|
||||
if err := devtools.GenerateFieldsYAML(); err != nil {
|
||||
return err
|
||||
}
|
||||
return devtools.GenerateAllInOneFieldsGo()
|
||||
}
|
||||
|
||||
// moduleFieldsGo generates a fields.go for each module.
|
||||
func moduleFieldsGo() error {
|
||||
return devtools.GenerateModuleFieldsGo("module")
|
||||
}
|
||||
|
||||
// fieldsYML generates the fields.yml file containing all fields.
|
||||
func fieldsYML() error {
|
||||
return devtools.GenerateFieldsYAML("module")
|
||||
}
|
||||
|
||||
// ExportDashboard exports a dashboard and writes it into the correct directory.
|
||||
//
|
||||
// Required environment variables:
|
||||
// - MODULE: Name of the module
|
||||
// - ID: Dashboard id
|
||||
func ExportDashboard() error {
|
||||
return devtools.ExportDashboard()
|
||||
}
|
||||
|
||||
// Dashboards collects all the dashboards and generates index patterns.
|
||||
func Dashboards() error {
|
||||
return devtools.KibanaDashboards("module")
|
||||
}
|
||||
|
||||
// Docs collects the documentation.
|
||||
func Docs() {
|
||||
mg.Deps(auditbeat.ModuleDocs, auditbeat.FieldDocs)
|
||||
}
|
||||
|
||||
// IntegTest executes integration tests (it uses Docker to run the tests).
|
||||
func IntegTest() {
|
||||
devtools.AddIntegTestUsage()
|
||||
defer devtools.StopIntegTestEnv()
|
||||
mg.SerialDeps(GoIntegTest, PythonIntegTest)
|
||||
}
|
||||
|
||||
// UnitTest executes the unit tests.
|
||||
func UnitTest() {
|
||||
mg.SerialDeps(GoUnitTest, PythonUnitTest)
|
||||
}
|
||||
|
||||
// GoUnitTest executes the Go unit tests.
|
||||
// Use TEST_COVERAGE=true to enable code coverage profiling.
|
||||
// Use RACE_DETECTOR=true to enable the race detector.
|
||||
func GoUnitTest(ctx context.Context) error {
|
||||
mg.Deps(Fields)
|
||||
return devtools.GoTest(ctx, devtools.DefaultGoTestUnitArgs())
|
||||
}
|
||||
|
||||
// GoIntegTest executes the Go integration tests.
|
||||
// Use TEST_COVERAGE=true to enable code coverage profiling.
|
||||
// Use RACE_DETECTOR=true to enable the race detector.
|
||||
func GoIntegTest(ctx context.Context) error {
|
||||
mg.Deps(Fields)
|
||||
return devtools.RunIntegTest("goIntegTest", func() error {
|
||||
return devtools.GoTest(ctx, devtools.DefaultGoTestIntegrationArgs())
|
||||
})
|
||||
}
|
||||
|
||||
// PythonUnitTest executes the python system tests.
|
||||
func PythonUnitTest() error {
|
||||
mg.Deps(devtools.BuildSystemTestBinary)
|
||||
return devtools.PythonNoseTest(devtools.DefaultPythonTestUnitArgs())
|
||||
}
|
||||
|
||||
// PythonIntegTest executes the python system tests in the integration environment (Docker).
|
||||
func PythonIntegTest(ctx context.Context) error {
|
||||
if !devtools.IsInIntegTestEnv() {
|
||||
mg.SerialDeps(Fields, Dashboards)
|
||||
}
|
||||
return devtools.RunIntegTest("pythonIntegTest", func() error {
|
||||
mg.Deps(devtools.BuildSystemTestBinary)
|
||||
return devtools.PythonNoseTest(devtools.DefaultPythonTestIntegrationArgs())
|
||||
})
|
||||
}
|
|
@ -1,37 +0,0 @@
|
|||
// Licensed to Elasticsearch B.V. under one or more contributor
|
||||
// license agreements. See the NOTICE file distributed with
|
||||
// this work for additional information regarding copyright
|
||||
// ownership. Elasticsearch B.V. licenses this file to you under
|
||||
// the Apache License, Version 2.0 (the "License"); you may
|
||||
// not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing,
|
||||
// software distributed under the License is distributed on an
|
||||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
// KIND, either express or implied. See the License for the
|
||||
// specific language governing permissions and limitations
|
||||
// under the License.
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"os"
|
||||
|
||||
"github.com/elastic/beats/auditbeat/cmd"
|
||||
|
||||
// Register modules.
|
||||
_ "github.com/elastic/beats/auditbeat/module/auditd"
|
||||
_ "github.com/elastic/beats/auditbeat/module/file_integrity"
|
||||
|
||||
// Register includes.
|
||||
_ "github.com/elastic/beats/auditbeat/include"
|
||||
)
|
||||
|
||||
func main() {
|
||||
if err := cmd.RootCmd.Execute(); err != nil {
|
||||
os.Exit(1)
|
||||
}
|
||||
}
|
|
@ -1,43 +0,0 @@
|
|||
// Licensed to Elasticsearch B.V. under one or more contributor
|
||||
// license agreements. See the NOTICE file distributed with
|
||||
// this work for additional information regarding copyright
|
||||
// ownership. Elasticsearch B.V. licenses this file to you under
|
||||
// the Apache License, Version 2.0 (the "License"); you may
|
||||
// not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing,
|
||||
// software distributed under the License is distributed on an
|
||||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
// KIND, either express or implied. See the License for the
|
||||
// specific language governing permissions and limitations
|
||||
// under the License.
|
||||
|
||||
package main
|
||||
|
||||
// This file is mandatory as otherwise the auditbeat.test binary is not generated correctly.
|
||||
|
||||
import (
|
||||
"flag"
|
||||
"testing"
|
||||
|
||||
"github.com/elastic/beats/auditbeat/cmd"
|
||||
)
|
||||
|
||||
var systemTest *bool
|
||||
|
||||
func init() {
|
||||
systemTest = flag.Bool("systemTest", false, "Set to true when running system tests")
|
||||
|
||||
cmd.RootCmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("systemTest"))
|
||||
cmd.RootCmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("test.coverprofile"))
|
||||
}
|
||||
|
||||
// Test started when the test binary is started. Only calls main.
|
||||
func TestSystem(t *testing.T) {
|
||||
if *systemTest {
|
||||
main()
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
@echo off
|
||||
|
||||
REM Windows wrapper for Mage (https://magefile.org/) that installs it
|
||||
REM to %GOPATH%\bin from the Beats vendor directory.
|
||||
REM
|
||||
REM After running this once you may invoke mage.exe directly.
|
||||
|
||||
WHERE mage
|
||||
IF %ERRORLEVEL% NEQ 0 go install github.com/elastic/beats/vendor/github.com/magefile/mage
|
||||
|
||||
mage %*
|
|
@ -1,95 +0,0 @@
|
|||
{
|
||||
"auditd": {
|
||||
"data": {
|
||||
"a0": "3",
|
||||
"a1": "7ffd0dc80040",
|
||||
"a2": "7ffd0dc7ffd0",
|
||||
"a3": "0",
|
||||
"arch": "x86_64",
|
||||
"exit": "5",
|
||||
"socket": {
|
||||
"addr": "72.83.230.100",
|
||||
"family": "ipv4",
|
||||
"port": "58140"
|
||||
},
|
||||
"syscall": "accept",
|
||||
"tty": "(none)"
|
||||
},
|
||||
"message_type": "syscall",
|
||||
"result": "success",
|
||||
"sequence": 8832,
|
||||
"session": "unset",
|
||||
"summary": {
|
||||
"actor": {
|
||||
"primary": "unset",
|
||||
"secondary": "root"
|
||||
},
|
||||
"how": "/usr/sbin/sshd",
|
||||
"object": {
|
||||
"primary": "72.83.230.100",
|
||||
"secondary": "58140",
|
||||
"type": "socket"
|
||||
}
|
||||
}
|
||||
},
|
||||
"event": {
|
||||
"action": "accepted-connection-from",
|
||||
"category": "audit-rule",
|
||||
"module": "auditd"
|
||||
},
|
||||
"network": {
|
||||
"direction": "incoming"
|
||||
},
|
||||
"process": {
|
||||
"executable": "/usr/sbin/sshd",
|
||||
"name": "sshd",
|
||||
"pid": 1663,
|
||||
"ppid": 1,
|
||||
"title": "(sshd)"
|
||||
},
|
||||
"service": {
|
||||
"type": "auditd"
|
||||
},
|
||||
"source": {
|
||||
"ip": "72.83.230.100",
|
||||
"port": "58140"
|
||||
},
|
||||
"tags": [
|
||||
"net"
|
||||
],
|
||||
"user": {
|
||||
"audit": {
|
||||
"id": "unset"
|
||||
},
|
||||
"effective": {
|
||||
"group": {
|
||||
"id": "0",
|
||||
"name": "root"
|
||||
},
|
||||
"id": "0",
|
||||
"name": "root"
|
||||
},
|
||||
"filesystem": {
|
||||
"group": {
|
||||
"id": "0",
|
||||
"name": "root"
|
||||
},
|
||||
"id": "0",
|
||||
"name": "root"
|
||||
},
|
||||
"group": {
|
||||
"id": "0",
|
||||
"name": "root"
|
||||
},
|
||||
"id": "0",
|
||||
"name": "root",
|
||||
"saved": {
|
||||
"group": {
|
||||
"id": "0",
|
||||
"name": "root"
|
||||
},
|
||||
"id": "0",
|
||||
"name": "root"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
## Executions.
|
||||
-a always,exit -F arch=b32 -S execve,execveat -k exec
|
||||
|
||||
## Identity changes.
|
||||
-w /etc/group -p wa -k identity
|
||||
-w /etc/passwd -p wa -k identity
|
||||
-w /etc/gshadow -p wa -k identity
|
||||
|
||||
## Unauthorized access attempts.
|
||||
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
|
||||
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
|
|
@ -1,17 +0,0 @@
|
|||
## If you are on a 64 bit platform, everything should be running
|
||||
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
|
||||
## because this might be a sign of someone exploiting a hole in the 32
|
||||
## bit API.
|
||||
-a always,exit -F arch=b32 -S all -F key=32bit-abi
|
||||
|
||||
## Executions.
|
||||
-a always,exit -F arch=b64 -S execve,execveat -k exec
|
||||
|
||||
## Identity changes.
|
||||
-w /etc/group -p wa -k identity
|
||||
-w /etc/passwd -p wa -k identity
|
||||
-w /etc/gshadow -p wa -k identity
|
||||
|
||||
## Unauthorized access attempts.
|
||||
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
|
||||
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
|
|
@ -1,49 +0,0 @@
|
|||
{{ if eq .GOOS "linux" -}}
|
||||
{{ if .Reference -}}
|
||||
# The auditd module collects events from the audit framework in the Linux
|
||||
# kernel. You need to specify audit rules for the events that you want to audit.
|
||||
{{ end -}}
|
||||
- module: auditd
|
||||
{{ if .Reference -}}
|
||||
resolve_ids: true
|
||||
failure_mode: silent
|
||||
backlog_limit: 8196
|
||||
rate_limit: 0
|
||||
include_raw_message: false
|
||||
include_warnings: false
|
||||
|
||||
# Set to true to publish fields with null values in events.
|
||||
#keep_null: false
|
||||
|
||||
{{ end -}}
|
||||
# Load audit rules from separate files. Same format as audit.rules(7).
|
||||
audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
|
||||
audit_rules: |
|
||||
## Define audit rules here.
|
||||
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
|
||||
## examples or add your own rules.
|
||||
|
||||
{{ if eq .GOARCH "amd64" -}}
|
||||
## If you are on a 64 bit platform, everything should be running
|
||||
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
|
||||
## because this might be a sign of someone exploiting a hole in the 32
|
||||
## bit API.
|
||||
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
|
||||
|
||||
{{ end -}}
|
||||
## Executions.
|
||||
#-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S execve,execveat -k exec
|
||||
|
||||
## External access (warning: these can be expensive to audit).
|
||||
#-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S accept,bind,connect -F key=external-access
|
||||
|
||||
## Identity changes.
|
||||
#-w /etc/group -p wa -k identity
|
||||
#-w /etc/passwd -p wa -k identity
|
||||
#-w /etc/gshadow -p wa -k identity
|
||||
|
||||
## Unauthorized access attempts.
|
||||
#-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
|
||||
#-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
|
||||
|
||||
{{ end }}
|
|
@ -1,58 +0,0 @@
|
|||
{
|
||||
"@timestamp": "2017-10-12T08:05:34.853Z",
|
||||
"agent": {
|
||||
"hostname": "host.example.com",
|
||||
"name": "host.example.com"
|
||||
},
|
||||
"auditd": {
|
||||
"data": {
|
||||
"acct": "(invalid user)",
|
||||
"op": "login",
|
||||
"terminal": "sshd"
|
||||
},
|
||||
"message_type": "user_login",
|
||||
"result": "fail",
|
||||
"sequence": 19955,
|
||||
"session": "unset",
|
||||
"summary": {
|
||||
"actor": {
|
||||
"primary": "unset",
|
||||
"secondary": "(invalid user)"
|
||||
},
|
||||
"how": "/usr/sbin/sshd",
|
||||
"object": {
|
||||
"primary": "sshd",
|
||||
"secondary": "179.38.151.221",
|
||||
"type": "user-session"
|
||||
}
|
||||
}
|
||||
},
|
||||
"event": {
|
||||
"action": "logged-in",
|
||||
"category": "user-login",
|
||||
"module": "auditd",
|
||||
"original": [
|
||||
"type=USER_LOGIN msg=audit(1492896301.818:19955): pid=12635 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe=\"/usr/sbin/sshd\" hostname=? addr=179.38.151.221 terminal=sshd res=failed'"
|
||||
]
|
||||
},
|
||||
"network": {
|
||||
"direction": "incoming"
|
||||
},
|
||||
"process": {
|
||||
"executable": "/usr/sbin/sshd",
|
||||
"pid": 12635
|
||||
},
|
||||
"service": {
|
||||
"type": "auditd"
|
||||
},
|
||||
"source": {
|
||||
"ip": "179.38.151.221"
|
||||
},
|
||||
"user": {
|
||||
"audit": {
|
||||
"id": "unset"
|
||||
},
|
||||
"id": "0",
|
||||
"name": "root"
|
||||
}
|
||||
}
|
|
@ -1,257 +0,0 @@
|
|||
== Auditd Module
|
||||
|
||||
The `auditd` module receives audit events from the Linux Audit Framework that
|
||||
is a part of the Linux kernel.
|
||||
|
||||
This module is available only for Linux.
|
||||
|
||||
[float]
|
||||
=== How it works
|
||||
|
||||
This module establishes a subscription to the kernel to receive the events
|
||||
as they occur. So unlike most other modules, the `period` configuration
|
||||
option is unused because it is not implemented using polling.
|
||||
|
||||
The Linux Audit Framework can send multiple messages for a single auditable
|
||||
event. For example, a `rename` syscall causes the kernel to send eight separate
|
||||
messages. Each message describes a different aspect of the activity that is
|
||||
occurring (the syscall itself, file paths, current working directory, process
|
||||
title). This module will combine all of the data from each of the messages
|
||||
into a single event.
|
||||
|
||||
Messages for one event can be interleaved with messages from another event. This
|
||||
module will buffer the messages in order to combine related messages into a
|
||||
single event even if they arrive interleaved or out of order.
|
||||
|
||||
[float]
|
||||
=== Useful commands
|
||||
|
||||
When running {beatname_uc} with the `auditd` module enabled, you might find
|
||||
that other monitoring tools interfere with {beatname_uc}.
|
||||
|
||||
For example, you might encounter errors if another process, such as `auditd`, is
|
||||
registered to receive data from the Linux Audit Framework. You can use these
|
||||
commands to see if the `auditd` service is running and stop it:
|
||||
|
||||
* See if `auditd` is running:
|
||||
+
|
||||
[source,shell]
|
||||
-----
|
||||
service auditd status
|
||||
-----
|
||||
|
||||
* Stop the `auditd` service:
|
||||
+
|
||||
[source,shell]
|
||||
-----
|
||||
service auditd stop
|
||||
-----
|
||||
|
||||
* Disable `auditd` from starting on boot:
|
||||
+
|
||||
[source,shell]
|
||||
-----
|
||||
chkconfig auditd off
|
||||
-----
|
||||
|
||||
To save CPU usage and disk space, you can use this command to stop `journald`
|
||||
from listening to audit messages:
|
||||
|
||||
[source,shell]
|
||||
-----
|
||||
systemctl mask systemd-journald-audit.socket
|
||||
-----
|
||||
|
||||
[float]
|
||||
=== Inspect the kernel audit system status
|
||||
|
||||
{beatname_uc} provides useful commands to query the state of the audit system
|
||||
in the Linux kernel.
|
||||
|
||||
* See the list of installed audit rules:
|
||||
+
|
||||
[source,shell]
|
||||
-----
|
||||
auditbeat show auditd-rules
|
||||
-----
|
||||
+
|
||||
Prints the list of loaded rules, similar to `auditctl -l`:
|
||||
+
|
||||
[source,shell]
|
||||
-----
|
||||
-a never,exit -S all -F pid=26253
|
||||
-a always,exit -F arch=b32 -S all -F key=32bit-abi
|
||||
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
|
||||
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
|
||||
-w /etc/group -p wa -k identity
|
||||
-w /etc/passwd -p wa -k identity
|
||||
-w /etc/gshadow -p wa -k identity
|
||||
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
|
||||
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access
|
||||
-----
|
||||
|
||||
* See the status of the audit system:
|
||||
+
|
||||
[source,shell]
|
||||
-----
|
||||
auditbeat show auditd-status
|
||||
-----
|
||||
+
|
||||
Prints the status of the kernel audit system, similar to `auditctl -s`:
|
||||
+
|
||||
[source,shell]
|
||||
-----
|
||||
enabled 1
|
||||
failure 0
|
||||
pid 0
|
||||
rate_limit 0
|
||||
backlog_limit 8192
|
||||
lost 14407
|
||||
backlog 0
|
||||
backlog_wait_time 0
|
||||
features 0xf
|
||||
-----
|
||||
|
||||
[float]
|
||||
=== Configuration options
|
||||
|
||||
This module has some configuration options for tuning its behavior. The
|
||||
following example shows all configuration options with their default values.
|
||||
|
||||
[source,yaml]
|
||||
----
|
||||
- module: auditd
|
||||
resolve_ids: true
|
||||
failure_mode: silent
|
||||
backlog_limit: 8192
|
||||
rate_limit: 0
|
||||
include_raw_message: false
|
||||
include_warnings: false
|
||||
backpressure_strategy: auto
|
||||
----
|
||||
|
||||
*`socket_type`*:: This optional setting controls the type of
|
||||
socket that {beatname_uc} uses to receive events from the kernel. The two
|
||||
options are `unicast` and `multicast`.
|
||||
+
|
||||
`unicast` should be used when {beatname_uc} is the primary userspace daemon for
|
||||
receiving audit events and managing the rules. Only a single process can receive
|
||||
audit events through the "unicast" connection so any other daemons should be
|
||||
stopped (e.g. stop `auditd`).
|
||||
+
|
||||
`multicast` can be used in kernel versions 3.16 and newer. By using `multicast`
|
||||
{beatname_uc} will receive an audit event broadcast that is not exclusive to a
|
||||
a single process. This is ideal for situations where `auditd` is running and
|
||||
managing the rules. If `multicast` is specified, but the kernel version is less
|
||||
than 3.16 {beatname_uc} will automatically revert to `unicast`.
|
||||
+
|
||||
By default {beatname_uc} will use `multicast` if the kernel version is 3.16 or
|
||||
newer and no rules have been defined. Otherwise `unicast` will be used.
|
||||
|
||||
*`resolve_ids`*:: This boolean setting enables the resolution of UIDs and
|
||||
GIDs to their associated names. The default value is true.
|
||||
|
||||
*`failure_mode`*:: This determines the kernel's behavior on critical
|
||||
failures such as errors sending events to {beatname_uc}, the backlog limit was
|
||||
exceeded, the kernel ran out of memory, or the rate limit was exceeded. The
|
||||
options are `silent`, `log`, or `panic`. `silent` basically makes the kernel
|
||||
ignore the errors, `log` makes the kernel write the audit messages using
|
||||
`printk` so they show up in system's syslog, and `panic` causes the kernel to
|
||||
panic to prevent use of the machine. {beatname_uc}'s default is `silent`.
|
||||
|
||||
*`backlog_limit`*:: This controls the maximum number of audit messages
|
||||
that will be buffered by the kernel.
|
||||
|
||||
*`rate_limit`*:: This sets a rate limit on the number of messages/sec
|
||||
delivered by the kernel. The default is 0, which disables rate limiting.
|
||||
Changing this value to anything other than zero can cause messages to be lost.
|
||||
The preferred approach to reduce the messaging rate is be more selective in the
|
||||
audit ruleset.
|
||||
|
||||
*`include_raw_message`*:: This boolean setting causes {beatname_uc} to
|
||||
include each of the raw messages that contributed to the event in the document
|
||||
as a field called `event.original`. The default value is false. This setting is
|
||||
primarily used for development and debugging purposes.
|
||||
|
||||
*`include_warnings`*:: This boolean setting causes {beatname_uc} to
|
||||
include as warnings any issues that were encountered while parsing the raw
|
||||
messages. The messages are written to the `error.message` field. The default
|
||||
value is false. When this setting is enabled the raw messages will be included
|
||||
in the event regardless of the `include_raw_message` config setting. This
|
||||
setting is primarily used for development and debugging purposes.
|
||||
|
||||
*`audit_rules`*:: A string containing the audit rules that should be
|
||||
installed to the kernel. There should be one rule per line. Comments can be
|
||||
embedded in the string using `#` as a prefix. The format for rules is the same
|
||||
used by the Linux `auditctl` utility. {beatname_uc} supports adding file watches
|
||||
(`-w`) and syscall rules (`-a` or `-A`).
|
||||
|
||||
*`audit_rule_files`*:: A list of files to load audit rules from. This files are
|
||||
loaded after the rules declared in `audit_rules` are loaded. Wildcards are
|
||||
supported and will expand in lexicographical order. The format is the same as
|
||||
that of the `audit_rules` field.
|
||||
|
||||
*`backpressure_strategy`*:: Specifies the strategy that {beatname_uc} uses to
|
||||
prevent backpressure from propagating to the kernel and impacting audited
|
||||
processes.
|
||||
+
|
||||
--
|
||||
The possible values are:
|
||||
|
||||
- `auto` (default): {beatname_uc} uses the `kernel` strategy, if supported, or
|
||||
falls back to the `userspace` strategy.
|
||||
- `kernel`: {beatname_uc} sets the `backlog_wait_time` in the kernel's
|
||||
audit framework to 0. This causes events to be discarded in the kernel if
|
||||
the audit backlog queue fills to capacity. Requires a 3.14 kernel or
|
||||
newer.
|
||||
- `userspace`: {beatname_uc} drops events when there is backpressure
|
||||
from the publishing pipeline. If no `rate_limit` is set, {beatname_uc} sets a rate
|
||||
limit of 5000. Users should test their setup and adjust the `rate_limit`
|
||||
option accordingly.
|
||||
- `both`: {beatname_uc} uses the `kernel` and `userspace` strategies at the same
|
||||
time.
|
||||
- `none`: No backpressure mitigation measures are enabled.
|
||||
--
|
||||
|
||||
*`keep_null`*:: If this option is set to true, fields with `null` values will be
|
||||
published in the output document. By default, `keep_null` is set to `false`.
|
||||
|
||||
[float]
|
||||
=== Audit rules
|
||||
|
||||
The audit rules are where you configure the activities that are audited. These
|
||||
rules are configured as either syscalls or files that should be monitored. For
|
||||
example you can track all `connect` syscalls or file system writes to
|
||||
`/etc/passwd`.
|
||||
|
||||
Auditing a large number of syscalls can place a heavy load on the system so
|
||||
consider carefully the rules you define and try to apply filters in the rules
|
||||
themselves to be as selective as possible.
|
||||
|
||||
The kernel evaluates the rules in the order in which they were defined so place
|
||||
the most active rules first in order to speed up evaluation.
|
||||
|
||||
You can assign keys to each rule for better identification of the rule that
|
||||
triggered an event and easier filtering later in Elasticsearch.
|
||||
|
||||
Defining any audit rules in the config causes {beatname_uc} to purge all
|
||||
existing audit rules prior to adding the rules specified in the config.
|
||||
Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule.
|
||||
|
||||
["source","sh",subs="attributes"]
|
||||
----
|
||||
{beatname_lc}.modules:
|
||||
- module: auditd
|
||||
audit_rules: |
|
||||
# Things that affect identity.
|
||||
-w /etc/group -p wa -k identity
|
||||
-w /etc/passwd -p wa -k identity
|
||||
-w /etc/gshadow -p wa -k identity
|
||||
-w /etc/shadow -p wa -k identity
|
||||
|
||||
# Unauthorized access attempts to files (unsuccessful).
|
||||
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
||||
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
||||
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
||||
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
||||
----
|
|
@ -1,114 +0,0 @@
|
|||
{
|
||||
"auditd": {
|
||||
"data": {
|
||||
"a0": "10812c8",
|
||||
"a1": "1070208",
|
||||
"a2": "1152008",
|
||||
"a3": "59a",
|
||||
"arch": "x86_64",
|
||||
"argc": "2",
|
||||
"exit": "0",
|
||||
"syscall": "execve",
|
||||
"tty": "pts0"
|
||||
},
|
||||
"message_type": "syscall",
|
||||
"paths": [
|
||||
{
|
||||
"dev": "08:01",
|
||||
"inode": "155",
|
||||
"item": "0",
|
||||
"mode": "0100755",
|
||||
"name": "/bin/uname",
|
||||
"nametype": "NORMAL",
|
||||
"ogid": "0",
|
||||
"ouid": "0",
|
||||
"rdev": "00:00"
|
||||
},
|
||||
{
|
||||
"dev": "08:01",
|
||||
"inode": "1923",
|
||||
"item": "1",
|
||||
"mode": "0100755",
|
||||
"name": "/lib64/ld-linux-x86-64.so.2",
|
||||
"nametype": "NORMAL",
|
||||
"ogid": "0",
|
||||
"ouid": "0",
|
||||
"rdev": "00:00"
|
||||
}
|
||||
],
|
||||
"result": "success",
|
||||
"sequence": 8972,
|
||||
"session": "11",
|
||||
"summary": {
|
||||
"actor": {
|
||||
"primary": "1001",
|
||||
"secondary": "1001"
|
||||
},
|
||||
"how": "/bin/uname",
|
||||
"object": {
|
||||
"primary": "/bin/uname",
|
||||
"type": "file"
|
||||
}
|
||||
}
|
||||
},
|
||||
"event": {
|
||||
"action": "executed",
|
||||
"category": "audit-rule",
|
||||
"module": "auditd"
|
||||
},
|
||||
"file": {
|
||||
"device": "00:00",
|
||||
"gid": "0",
|
||||
"group": "root",
|
||||
"inode": "155",
|
||||
"mode": "0755",
|
||||
"owner": "root",
|
||||
"path": "/bin/uname",
|
||||
"uid": "0"
|
||||
},
|
||||
"process": {
|
||||
"args": [
|
||||
"uname",
|
||||
"-a"
|
||||
],
|
||||
"executable": "/bin/uname",
|
||||
"name": "uname",
|
||||
"pid": 10043,
|
||||
"ppid": 10027,
|
||||
"title": "uname -a",
|
||||
"working_directory": "/home/andrew_kroh"
|
||||
},
|
||||
"service": {
|
||||
"type": "auditd"
|
||||
},
|
||||
"tags": [
|
||||
"user_commands"
|
||||
],
|
||||
"user": {
|
||||
"audit": {
|
||||
"id": "1001"
|
||||
},
|
||||
"effective": {
|
||||
"group": {
|
||||
"id": "1002"
|
||||
},
|
||||
"id": "1001"
|
||||
},
|
||||
"filesystem": {
|
||||
"group": {
|
||||
"id": "1002"
|
||||
},
|
||||
"id": "1001"
|
||||
},
|
||||
"group": {
|
||||
"id": "1002"
|
||||
},
|
||||
"id": "1001",
|
||||
"saved": {
|
||||
"group": {
|
||||
"id": "1002"
|
||||
},
|
||||
"id": "1001"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,898 +0,0 @@
|
|||
- key: auditd
|
||||
title: Auditd
|
||||
description: These are the fields generated by the auditd module.
|
||||
fields:
|
||||
|
||||
- name: user
|
||||
type: group
|
||||
fields:
|
||||
- name: auid
|
||||
type: alias
|
||||
path: user.audit.id
|
||||
migration: true
|
||||
- name: uid
|
||||
type: alias
|
||||
path: user.id
|
||||
migration: true
|
||||
- name: euid
|
||||
type: alias
|
||||
path: user.effective.id
|
||||
migration: true
|
||||
- name: fsuid
|
||||
type: alias
|
||||
path: user.filesystem.id
|
||||
migration: true
|
||||
- name: suid
|
||||
type: alias
|
||||
path: user.saved.id
|
||||
migration: true
|
||||
- name: gid
|
||||
type: alias
|
||||
path: user.group.id
|
||||
migration: true
|
||||
- name: egid
|
||||
type: alias
|
||||
path: user.effective.group.id
|
||||
migration: true
|
||||
- name: sgid
|
||||
type: alias
|
||||
path: user.saved.group.id
|
||||
migration: true
|
||||
- name: fsgid
|
||||
type: alias
|
||||
path: user.filesystem.group.id
|
||||
migration: true
|
||||
- name: name_map
|
||||
type: group
|
||||
description: >
|
||||
If `resolve_ids` is set to true in the configuration then `name_map`
|
||||
will contain a mapping of uid field names to the resolved name
|
||||
(e.g. auid -> root).
|
||||
fields:
|
||||
- name: auid
|
||||
type: alias
|
||||
path: user.audit.name
|
||||
migration: true
|
||||
- name: uid
|
||||
type: alias
|
||||
path: user.name
|
||||
migration: true
|
||||
- name: euid
|
||||
type: alias
|
||||
path: user.effective.name
|
||||
migration: true
|
||||
- name: fsuid
|
||||
type: alias
|
||||
path: user.filesystem.name
|
||||
migration: true
|
||||
- name: suid
|
||||
type: alias
|
||||
path: user.saved.name
|
||||
migration: true
|
||||
- name: gid
|
||||
type: alias
|
||||
path: user.group.name
|
||||
migration: true
|
||||
- name: egid
|
||||
type: alias
|
||||
path: user.effective.group.name
|
||||
migration: true
|
||||
- name: sgid
|
||||
type: alias
|
||||
path: user.saved.group.name
|
||||
migration: true
|
||||
- name: fsgid
|
||||
type: alias
|
||||
path: user.filesystem.group.name
|
||||
migration: true
|
||||
- name: selinux
|
||||
type: group
|
||||
description: The SELinux identity of the actor.
|
||||
fields:
|
||||
- name: user
|
||||
type: keyword
|
||||
description: account submitted for authentication
|
||||
- name: role
|
||||
type: keyword
|
||||
description: user's SELinux role
|
||||
- name: domain
|
||||
type: keyword
|
||||
description: The actor's SELinux domain or type.
|
||||
- name: level
|
||||
type: keyword
|
||||
example: s0
|
||||
description: The actor's SELinux level.
|
||||
- name: category
|
||||
type: keyword
|
||||
description: The actor's SELinux category or compartments.
|
||||
|
||||
- name: process
|
||||
type: group
|
||||
description: Process attributes.
|
||||
fields:
|
||||
- name: cwd
|
||||
type: alias
|
||||
path: process.working_directory
|
||||
migration: true
|
||||
description: The current working directory.
|
||||
|
||||
- name: source
|
||||
type: group
|
||||
description: Source that triggered the event.
|
||||
fields:
|
||||
- name: path
|
||||
type: keyword
|
||||
description: This is the path associated with a unix socket.
|
||||
|
||||
- name: destination
|
||||
type: group
|
||||
description: Destination address that triggered the event.
|
||||
fields:
|
||||
- name: path
|
||||
type: keyword
|
||||
description: This is the path associated with a unix socket.
|
||||
|
||||
- name: auditd
|
||||
type: group
|
||||
fields:
|
||||
- name: message_type
|
||||
type: keyword
|
||||
example: syscall
|
||||
description: >
|
||||
The audit message type (e.g. syscall or apparmor_denied).
|
||||
- name: sequence
|
||||
type: long
|
||||
description: >
|
||||
The sequence number of the event as assigned by the kernel. Sequence
|
||||
numbers are stored as a uint32 in the kernel and can rollover.
|
||||
- name: session
|
||||
type: keyword
|
||||
description: >
|
||||
The session ID assigned to a login. All events related to a login
|
||||
session will have the same value.
|
||||
- name: result
|
||||
type: keyword
|
||||
example: success or fail
|
||||
description: The result of the audited operation (success/fail).
|
||||
|
||||
- name: summary
|
||||
type: group
|
||||
fields:
|
||||
- name: actor
|
||||
type: group
|
||||
description: The actor is the user that triggered the audit event.
|
||||
fields:
|
||||
- name: primary
|
||||
type: keyword
|
||||
description: >
|
||||
The primary identity of the actor. This is the actor's original login
|
||||
ID. It will not change even if the user changes to another account.
|
||||
- name: secondary
|
||||
type: keyword
|
||||
description: The secondary identity of the actor. This is typically
|
||||
the same as the primary, except for when the user has used `su`.
|
||||
- name: object
|
||||
type: group
|
||||
description: >
|
||||
This is the thing or object being acted upon in the event.
|
||||
fields:
|
||||
- name: type
|
||||
type: keyword
|
||||
description: >
|
||||
A description of the what the "thing" is (e.g. file, socket,
|
||||
user-session).
|
||||
- name: primary
|
||||
type: keyword
|
||||
description: ""
|
||||
- name: secondary
|
||||
type: keyword
|
||||
description: ""
|
||||
- name: how
|
||||
type: keyword
|
||||
description: >
|
||||
This describes how the action was performed. Usually this is the exe
|
||||
or command that was being executed that triggered the event.
|
||||
|
||||
- name: paths
|
||||
type: group
|
||||
description: List of paths associated with the event.
|
||||
fields:
|
||||
- name: inode
|
||||
type: keyword
|
||||
description: inode number
|
||||
- name: dev
|
||||
type: keyword
|
||||
description: device name as found in /dev
|
||||
- name: obj_user
|
||||
type: keyword
|
||||
description: ""
|
||||
- name: obj_role
|
||||
type: keyword
|
||||
description: ""
|
||||
- name: obj_domain
|
||||
type: keyword
|
||||
description: ""
|
||||
- name: obj_level
|
||||
type: keyword
|
||||
description: ""
|
||||
- name: objtype
|
||||
type: keyword
|
||||
description: ""
|
||||
- name: ouid
|
||||
type: keyword
|
||||
description: file owner user ID
|
||||
- name: rdev
|
||||
type: keyword
|
||||
description: the device identifier (special files only)
|
||||
- name: nametype
|
||||
type: keyword
|
||||
description: kind of file operation being referenced
|
||||
- name: ogid
|
||||
type: keyword
|
||||
description: file owner group ID
|
||||
- name: item
|
||||
type: keyword
|
||||
description: which item is being recorded
|
||||
- name: mode
|
||||
type: keyword
|
||||
description: mode flags on a file
|
||||
- name: name
|
||||
type: keyword
|
||||
description: file name in avcs
|
||||
|
||||
- name: data
|
||||
type: group
|
||||
description: The data from the audit messages.
|
||||
fields:
|
||||
- name: action
|
||||
type: keyword
|
||||
description: netfilter packet disposition
|
||||
- name: minor
|
||||
type: keyword
|
||||
description: device minor number
|
||||
- name: acct
|
||||
type: keyword
|
||||
description: a user's account name
|
||||
- name: addr
|
||||
type: keyword
|
||||
description: the remote address that the user is connecting from
|
||||
- name: cipher
|
||||
type: keyword
|
||||
description: name of crypto cipher selected
|
||||
- name: id
|
||||
type: keyword
|
||||
description: during account changes
|
||||
- name: entries
|
||||
type: keyword
|
||||
description: number of entries in the netfilter table
|
||||
- name: kind
|
||||
type: keyword
|
||||
description: server or client in crypto operation
|
||||
- name: ksize
|
||||
type: keyword
|
||||
description: key size for crypto operation
|
||||
- name: spid
|
||||
type: keyword
|
||||
description: sent process ID
|
||||
- name: arch
|
||||
type: keyword
|
||||
description: the elf architecture flags
|
||||
- name: argc
|
||||
type: keyword
|
||||
description: the number of arguments to an execve syscall
|
||||
- name: major
|
||||
type: keyword
|
||||
description: device major number
|
||||
- name: unit
|
||||
type: keyword
|
||||
description: systemd unit
|
||||
- name: table
|
||||
type: keyword
|
||||
description: netfilter table name
|
||||
- name: terminal
|
||||
type: keyword
|
||||
description: terminal name the user is running programs on
|
||||
- name: grantors
|
||||
type: keyword
|
||||
description: pam modules approving the action
|
||||
- name: direction
|
||||
type: keyword
|
||||
description: direction of crypto operation
|
||||
- name: op
|
||||
type: keyword
|
||||
description: the operation being performed that is audited
|
||||
- name: tty
|
||||
type: keyword
|
||||
description: tty udevice the user is running programs on
|
||||
- name: syscall
|
||||
type: keyword
|
||||
description: syscall number in effect when the event occurred
|
||||
- name: data
|
||||
type: keyword
|
||||
description: TTY text
|
||||
- name: family
|
||||
type: keyword
|
||||
description: netfilter protocol
|
||||
- name: mac
|
||||
type: keyword
|
||||
description: crypto MAC algorithm selected
|
||||
- name: pfs
|
||||
type: keyword
|
||||
description: perfect forward secrecy method
|
||||
- name: items
|
||||
type: keyword
|
||||
description: the number of path records in the event
|
||||
- name: a0
|
||||
type: keyword
|
||||
description: ""
|
||||
- name: a1
|
||||
type: keyword
|
||||
description: ""
|
||||
- name: a2
|
||||
type: keyword
|
||||
description: ""
|
||||
- name: a3
|
||||
type: keyword
|
||||
description: ""
|
||||
- name: hostname
|
||||
type: keyword
|
||||
description: the hostname that the user is connecting from
|
||||
- name: lport
|
||||
type: keyword
|
||||
description: local network port
|
||||
- name: rport
|
||||
type: keyword
|
||||
description: remote port number
|
||||
- name: exit
|
||||
type: keyword
|
||||
description: syscall exit code
|
||||
- name: fp
|
||||
type: keyword
|
||||
description: crypto key finger print
|
||||
- name: laddr
|
||||
type: keyword
|
||||
description: local network address
|
||||
- name: sport
|
||||
type: keyword
|
||||
description: local port number
|
||||
- name: capability
|
||||
type: keyword
|
||||
description: posix capabilities
|
||||
- name: nargs
|
||||
type: keyword
|
||||
description: the number of arguments to a socket call
|
||||
- name: new-enabled
|
||||
type: keyword
|
||||
description: new TTY audit enabled setting
|
||||
- name: audit_backlog_limit
|
||||
type: keyword
|
||||
description: audit system's backlog queue size
|
||||
- name: dir
|
||||
type: keyword
|
||||
description: directory name
|
||||
- name: cap_pe
|
||||
type: keyword
|
||||
description: process effective capability map
|
||||
- name: model
|
||||
type: keyword
|
||||
description: security model being used for virt
|
||||
- name: new_pp
|
||||
type: keyword
|
||||
description: new process permitted capability map
|
||||
- name: old-enabled
|
||||
type: keyword
|
||||
description: present TTY audit enabled setting
|
||||
- name: oauid
|
||||
type: keyword
|
||||
description: object's login user ID
|
||||
- name: old
|
||||
type: keyword
|
||||
description: old value
|
||||
- name: banners
|
||||
type: keyword
|
||||
description: banners used on printed page
|
||||
- name: feature
|
||||
type: keyword
|
||||
description: kernel feature being changed
|
||||
- name: vm-ctx
|
||||
type: keyword
|
||||
description: the vm's context string
|
||||
- name: opid
|
||||
type: keyword
|
||||
description: object's process ID
|
||||
- name: seperms
|
||||
type: keyword
|
||||
description: SELinux permissions being used
|
||||
- name: seresult
|
||||
type: keyword
|
||||
description: SELinux AVC decision granted/denied
|
||||
- name: new-rng
|
||||
type: keyword
|
||||
description: device name of rng being added from a vm
|
||||
- name: old-net
|
||||
type: keyword
|
||||
description: present MAC address assigned to vm
|
||||
- name: sigev_signo
|
||||
type: keyword
|
||||
description: signal number
|
||||
- name: ino
|
||||
type: keyword
|
||||
description: inode number
|
||||
- name: old_enforcing
|
||||
type: keyword
|
||||
description: old MAC enforcement status
|
||||
- name: old-vcpu
|
||||
type: keyword
|
||||
description: present number of CPU cores
|
||||
- name: range
|
||||
type: keyword
|
||||
description: user's SE Linux range
|
||||
- name: res
|
||||
type: keyword
|
||||
description: result of the audited operation(success/fail)
|
||||
- name: added
|
||||
type: keyword
|
||||
description: number of new files detected
|
||||
- name: fam
|
||||
type: keyword
|
||||
description: socket address family
|
||||
- name: nlnk-pid
|
||||
type: keyword
|
||||
description: pid of netlink packet sender
|
||||
- name: subj
|
||||
type: keyword
|
||||
description: lspp subject's context string
|
||||
- name: a[0-3]
|
||||
type: keyword
|
||||
description: the arguments to a syscall
|
||||
- name: cgroup
|
||||
type: keyword
|
||||
description: path to cgroup in sysfs
|
||||
- name: kernel
|
||||
type: keyword
|
||||
description: kernel's version number
|
||||
- name: ocomm
|
||||
type: keyword
|
||||
description: object's command line name
|
||||
- name: new-net
|
||||
type: keyword
|
||||
description: MAC address being assigned to vm
|
||||
- name: permissive
|
||||
type: keyword
|
||||
description: SELinux is in permissive mode
|
||||
- name: class
|
||||
type: keyword
|
||||
description: resource class assigned to vm
|
||||
- name: compat
|
||||
type: keyword
|
||||
description: is_compat_task result
|
||||
- name: fi
|
||||
type: keyword
|
||||
description: file assigned inherited capability map
|
||||
- name: changed
|
||||
type: keyword
|
||||
description: number of changed files
|
||||
- name: msg
|
||||
type: keyword
|
||||
description: the payload of the audit record
|
||||
- name: dport
|
||||
type: keyword
|
||||
description: remote port number
|
||||
- name: new-seuser
|
||||
type: keyword
|
||||
description: new SELinux user
|
||||
- name: invalid_context
|
||||
type: keyword
|
||||
description: SELinux context
|
||||
- name: dmac
|
||||
type: keyword
|
||||
description: remote MAC address
|
||||
- name: ipx-net
|
||||
type: keyword
|
||||
description: IPX network number
|
||||
- name: iuid
|
||||
type: keyword
|
||||
description: ipc object's user ID
|
||||
- name: macproto
|
||||
type: keyword
|
||||
description: ethernet packet type ID field
|
||||
- name: obj
|
||||
type: keyword
|
||||
description: lspp object context string
|
||||
- name: ipid
|
||||
type: keyword
|
||||
description: IP datagram fragment identifier
|
||||
- name: new-fs
|
||||
type: keyword
|
||||
description: file system being added to vm
|
||||
- name: vm-pid
|
||||
type: keyword
|
||||
description: vm's process ID
|
||||
- name: cap_pi
|
||||
type: keyword
|
||||
description: process inherited capability map
|
||||
- name: old-auid
|
||||
type: keyword
|
||||
description: previous auid value
|
||||
- name: oses
|
||||
type: keyword
|
||||
description: object's session ID
|
||||
- name: fd
|
||||
type: keyword
|
||||
description: file descriptor number
|
||||
- name: igid
|
||||
type: keyword
|
||||
description: ipc object's group ID
|
||||
- name: new-disk
|
||||
type: keyword
|
||||
description: disk being added to vm
|
||||
- name: parent
|
||||
type: keyword
|
||||
description: the inode number of the parent file
|
||||
- name: len
|
||||
type: keyword
|
||||
description: length
|
||||
- name: oflag
|
||||
type: keyword
|
||||
description: open syscall flags
|
||||
- name: uuid
|
||||
type: keyword
|
||||
description: a UUID
|
||||
- name: code
|
||||
type: keyword
|
||||
description: seccomp action code
|
||||
- name: nlnk-grp
|
||||
type: keyword
|
||||
description: netlink group number
|
||||
- name: cap_fp
|
||||
type: keyword
|
||||
description: file permitted capability map
|
||||
- name: new-mem
|
||||
type: keyword
|
||||
description: new amount of memory in KB
|
||||
- name: seperm
|
||||
type: keyword
|
||||
description: SELinux permission being decided on
|
||||
- name: enforcing
|
||||
type: keyword
|
||||
description: new MAC enforcement status
|
||||
- name: new-chardev
|
||||
type: keyword
|
||||
description: new character device being assigned to vm
|
||||
- name: old-rng
|
||||
type: keyword
|
||||
description: device name of rng being removed from a vm
|
||||
- name: outif
|
||||
type: keyword
|
||||
description: out interface number
|
||||
- name: cmd
|
||||
type: keyword
|
||||
description: command being executed
|
||||
- name: hook
|
||||
type: keyword
|
||||
description: netfilter hook that packet came from
|
||||
- name: new-level
|
||||
type: keyword
|
||||
description: new run level
|
||||
- name: sauid
|
||||
type: keyword
|
||||
description: sent login user ID
|
||||
- name: sig
|
||||
type: keyword
|
||||
description: signal number
|
||||
- name: audit_backlog_wait_time
|
||||
type: keyword
|
||||
description: audit system's backlog wait time
|
||||
- name: printer
|
||||
type: keyword
|
||||
description: printer name
|
||||
- name: old-mem
|
||||
type: keyword
|
||||
description: present amount of memory in KB
|
||||
- name: perm
|
||||
type: keyword
|
||||
description: the file permission being used
|
||||
- name: old_pi
|
||||
type: keyword
|
||||
description: old process inherited capability map
|
||||
- name: state
|
||||
type: keyword
|
||||
description: audit daemon configuration resulting state
|
||||
- name: format
|
||||
type: keyword
|
||||
description: audit log's format
|
||||
- name: new_gid
|
||||
type: keyword
|
||||
description: new group ID being assigned
|
||||
- name: tcontext
|
||||
type: keyword
|
||||
description: the target's or object's context string
|
||||
- name: maj
|
||||
type: keyword
|
||||
description: device major number
|
||||
- name: watch
|
||||
type: keyword
|
||||
description: file name in a watch record
|
||||
- name: device
|
||||
type: keyword
|
||||
description: device name
|
||||
- name: grp
|
||||
type: keyword
|
||||
description: group name
|
||||
- name: bool
|
||||
type: keyword
|
||||
description: name of SELinux boolean
|
||||
- name: icmp_type
|
||||
type: keyword
|
||||
description: type of icmp message
|
||||
- name: new_lock
|
||||
type: keyword
|
||||
description: new value of feature lock
|
||||
- name: old_prom
|
||||
type: keyword
|
||||
description: network promiscuity flag
|
||||
- name: acl
|
||||
type: keyword
|
||||
description: access mode of resource assigned to vm
|
||||
- name: ip
|
||||
type: keyword
|
||||
description: network address of a printer
|
||||
- name: new_pi
|
||||
type: keyword
|
||||
description: new process inherited capability map
|
||||
- name: default-context
|
||||
type: keyword
|
||||
description: default MAC context
|
||||
- name: inode_gid
|
||||
type: keyword
|
||||
description: group ID of the inode's owner
|
||||
- name: new-log_passwd
|
||||
type: keyword
|
||||
description: new value for TTY password logging
|
||||
- name: new_pe
|
||||
type: keyword
|
||||
description: new process effective capability map
|
||||
- name: selected-context
|
||||
type: keyword
|
||||
description: new MAC context assigned to session
|
||||
- name: cap_fver
|
||||
type: keyword
|
||||
description: file system capabilities version number
|
||||
- name: file
|
||||
type: keyword
|
||||
description: file name
|
||||
- name: net
|
||||
type: keyword
|
||||
description: network MAC address
|
||||
- name: virt
|
||||
type: keyword
|
||||
description: kind of virtualization being referenced
|
||||
- name: cap_pp
|
||||
type: keyword
|
||||
description: process permitted capability map
|
||||
- name: old-range
|
||||
type: keyword
|
||||
description: present SELinux range
|
||||
- name: resrc
|
||||
type: keyword
|
||||
description: resource being assigned
|
||||
- name: new-range
|
||||
type: keyword
|
||||
description: new SELinux range
|
||||
- name: obj_gid
|
||||
type: keyword
|
||||
description: group ID of object
|
||||
- name: proto
|
||||
type: keyword
|
||||
description: network protocol
|
||||
- name: old-disk
|
||||
type: keyword
|
||||
description: disk being removed from vm
|
||||
- name: audit_failure
|
||||
type: keyword
|
||||
description: audit system's failure mode
|
||||
- name: inif
|
||||
type: keyword
|
||||
description: in interface number
|
||||
- name: vm
|
||||
type: keyword
|
||||
description: virtual machine name
|
||||
- name: flags
|
||||
type: keyword
|
||||
description: mmap syscall flags
|
||||
- name: nlnk-fam
|
||||
type: keyword
|
||||
description: netlink protocol number
|
||||
- name: old-fs
|
||||
type: keyword
|
||||
description: file system being removed from vm
|
||||
- name: old-ses
|
||||
type: keyword
|
||||
description: previous ses value
|
||||
- name: seqno
|
||||
type: keyword
|
||||
description: sequence number
|
||||
- name: fver
|
||||
type: keyword
|
||||
description: file system capabilities version number
|
||||
- name: qbytes
|
||||
type: keyword
|
||||
description: ipc objects quantity of bytes
|
||||
- name: seuser
|
||||
type: keyword
|
||||
description: user's SE Linux user acct
|
||||
- name: cap_fe
|
||||
type: keyword
|
||||
description: file assigned effective capability map
|
||||
- name: new-vcpu
|
||||
type: keyword
|
||||
description: new number of CPU cores
|
||||
- name: old-level
|
||||
type: keyword
|
||||
description: old run level
|
||||
- name: old_pp
|
||||
type: keyword
|
||||
description: old process permitted capability map
|
||||
- name: daddr
|
||||
type: keyword
|
||||
description: remote IP address
|
||||
- name: old-role
|
||||
type: keyword
|
||||
description: present SELinux role
|
||||
- name: ioctlcmd
|
||||
type: keyword
|
||||
description: The request argument to the ioctl syscall
|
||||
- name: smac
|
||||
type: keyword
|
||||
description: local MAC address
|
||||
- name: apparmor
|
||||
type: keyword
|
||||
description: apparmor event information
|
||||
- name: fe
|
||||
type: keyword
|
||||
description: file assigned effective capability map
|
||||
- name: perm_mask
|
||||
type: keyword
|
||||
description: file permission mask that triggered a watch event
|
||||
- name: ses
|
||||
type: keyword
|
||||
description: login session ID
|
||||
- name: cap_fi
|
||||
type: keyword
|
||||
description: file inherited capability map
|
||||
- name: obj_uid
|
||||
type: keyword
|
||||
description: user ID of object
|
||||
- name: reason
|
||||
type: keyword
|
||||
description: text string denoting a reason for the action
|
||||
- name: list
|
||||
type: keyword
|
||||
description: the audit system's filter list number
|
||||
- name: old_lock
|
||||
type: keyword
|
||||
description: present value of feature lock
|
||||
- name: bus
|
||||
type: keyword
|
||||
description: name of subsystem bus a vm resource belongs to
|
||||
- name: old_pe
|
||||
type: keyword
|
||||
description: old process effective capability map
|
||||
- name: new-role
|
||||
type: keyword
|
||||
description: new SELinux role
|
||||
- name: prom
|
||||
type: keyword
|
||||
description: network promiscuity flag
|
||||
- name: uri
|
||||
type: keyword
|
||||
description: URI pointing to a printer
|
||||
- name: audit_enabled
|
||||
type: keyword
|
||||
description: audit systems's enable/disable status
|
||||
- name: old-log_passwd
|
||||
type: keyword
|
||||
description: present value for TTY password logging
|
||||
- name: old-seuser
|
||||
type: keyword
|
||||
description: present SELinux user
|
||||
- name: per
|
||||
type: keyword
|
||||
description: linux personality
|
||||
- name: scontext
|
||||
type: keyword
|
||||
description: the subject's context string
|
||||
- name: tclass
|
||||
type: keyword
|
||||
description: target's object classification
|
||||
- name: ver
|
||||
type: keyword
|
||||
description: audit daemon's version number
|
||||
- name: new
|
||||
type: keyword
|
||||
description: value being set in feature
|
||||
- name: val
|
||||
type: keyword
|
||||
description: generic value associated with the operation
|
||||
- name: img-ctx
|
||||
type: keyword
|
||||
description: the vm's disk image context string
|
||||
- name: old-chardev
|
||||
type: keyword
|
||||
description: present character device assigned to vm
|
||||
- name: old_val
|
||||
type: keyword
|
||||
description: current value of SELinux boolean
|
||||
- name: success
|
||||
type: keyword
|
||||
description: whether the syscall was successful or not
|
||||
- name: inode_uid
|
||||
type: keyword
|
||||
description: user ID of the inode's owner
|
||||
- name: removed
|
||||
type: keyword
|
||||
description: number of deleted files
|
||||
- name: socket
|
||||
type: group
|
||||
fields:
|
||||
- name: port
|
||||
type: keyword
|
||||
description: The port number.
|
||||
- name: saddr
|
||||
type: keyword
|
||||
description: The raw socket address structure.
|
||||
- name: addr
|
||||
type: keyword
|
||||
description: The remote address.
|
||||
- name: family
|
||||
type: keyword
|
||||
example: unix
|
||||
description: The socket family (unix, ipv4, ipv6, netlink).
|
||||
- name: path
|
||||
type: keyword
|
||||
description: This is the path associated with a unix socket.
|
||||
|
||||
- name: messages
|
||||
type: alias
|
||||
migration: true
|
||||
path: event.original
|
||||
description: >
|
||||
An ordered list of the raw messages received from the kernel that
|
||||
were used to construct this document. This field is present if an error
|
||||
occurred processing the data or if `include_raw_message` is set
|
||||
in the config.
|
||||
- name: warnings
|
||||
type: alias
|
||||
migration: true
|
||||
path: error.message
|
||||
description: >
|
||||
The warnings generated by the Beat during the construction of the event.
|
||||
These are disabled by default and are used for development and debug
|
||||
purposes only.
|
||||
|
||||
- name: geoip
|
||||
type: group
|
||||
description: >
|
||||
The geoip fields are defined as a convenience in case you decide to
|
||||
enrich the data using a geoip filter in Logstash or Ingest Node.
|
||||
fields:
|
||||
- name: continent_name
|
||||
type: keyword
|
||||
description: >
|
||||
The name of the continent.
|
||||
- name: city_name
|
||||
type: keyword
|
||||
description: >
|
||||
The name of the city.
|
||||
- name: region_name
|
||||
type: keyword
|
||||
description: >
|
||||
The name of the region.
|
||||
- name: country_iso_code
|
||||
type: keyword
|
||||
description: >
|
||||
Country ISO code.
|
||||
- name: location
|
||||
type: geo_point
|
||||
description: >
|
||||
The longitude and latitude.
|
|
@ -1,336 +0,0 @@
|
|||
{
|
||||
"objects": [
|
||||
{
|
||||
"attributes": {
|
||||
"description": "Command executions",
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [],
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
}
|
||||
}
|
||||
},
|
||||
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16-ecs",
|
||||
"title": "Error Codes [Auditbeat Auditd] ECS",
|
||||
"uiStateJSON": {},
|
||||
"version": 1,
|
||||
"visState": {
|
||||
"aggs": [
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "1",
|
||||
"params": {},
|
||||
"schema": "metric",
|
||||
"type": "count"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "2",
|
||||
"params": {
|
||||
"exclude": "0",
|
||||
"field": "auditd.data.exit",
|
||||
"order": "desc",
|
||||
"orderBy": "1",
|
||||
"size": 10
|
||||
},
|
||||
"schema": "segment",
|
||||
"type": "terms"
|
||||
}
|
||||
],
|
||||
"params": {
|
||||
"addLegend": true,
|
||||
"addTooltip": true,
|
||||
"isDonut": true,
|
||||
"legendPosition": "right",
|
||||
"type": "pie"
|
||||
},
|
||||
"title": "Error Codes [Auditbeat Auditd] ECS",
|
||||
"type": "pie"
|
||||
}
|
||||
},
|
||||
"id": "20a8e8d0-c1c8-11e7-8995-936807a28b16-ecs",
|
||||
"type": "visualization",
|
||||
"updated_at": "2018-01-16T22:10:23.921Z",
|
||||
"version": 4
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"description": "",
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [],
|
||||
"index": "auditbeat-*",
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
}
|
||||
}
|
||||
},
|
||||
"title": "Primary Username Tag Cloud [Auditbeat Auditd] ECS",
|
||||
"uiStateJSON": {},
|
||||
"version": 1,
|
||||
"visState": {
|
||||
"aggs": [
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "1",
|
||||
"params": {},
|
||||
"schema": "metric",
|
||||
"type": "count"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "2",
|
||||
"params": {
|
||||
"field": "auditd.summary.actor.primary",
|
||||
"order": "desc",
|
||||
"orderBy": "1",
|
||||
"size": 10
|
||||
},
|
||||
"schema": "segment",
|
||||
"type": "terms"
|
||||
}
|
||||
],
|
||||
"params": {
|
||||
"maxFontSize": 45,
|
||||
"minFontSize": 18,
|
||||
"orientation": "single",
|
||||
"scale": "linear"
|
||||
},
|
||||
"title": "Primary Username Tag Cloud [Auditbeat Auditd] ECS",
|
||||
"type": "tagcloud"
|
||||
}
|
||||
},
|
||||
"id": "f81a6de0-c1c1-11e7-8995-936807a28b16-ecs",
|
||||
"type": "visualization",
|
||||
"updated_at": "2018-01-16T22:12:18.730Z",
|
||||
"version": 3
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"description": "",
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [],
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
}
|
||||
}
|
||||
},
|
||||
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16-ecs",
|
||||
"title": "Exe Name Tag Cloud [Auditbeat Auditd] ECS",
|
||||
"uiStateJSON": {},
|
||||
"version": 1,
|
||||
"visState": {
|
||||
"aggs": [
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "1",
|
||||
"params": {},
|
||||
"schema": "metric",
|
||||
"type": "count"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "2",
|
||||
"params": {
|
||||
"field": "process.executable",
|
||||
"order": "desc",
|
||||
"orderBy": "1",
|
||||
"size": 10
|
||||
},
|
||||
"schema": "segment",
|
||||
"type": "terms"
|
||||
}
|
||||
],
|
||||
"params": {
|
||||
"maxFontSize": 45,
|
||||
"minFontSize": 14,
|
||||
"orientation": "single",
|
||||
"scale": "linear"
|
||||
},
|
||||
"title": "Exe Name Tag Cloud [Auditbeat Auditd] ECS",
|
||||
"type": "tagcloud"
|
||||
}
|
||||
},
|
||||
"id": "2efac370-c1ca-11e7-8995-936807a28b16-ecs",
|
||||
"type": "visualization",
|
||||
"updated_at": "2018-01-16T22:57:41.411Z",
|
||||
"version": 4
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"columns": [
|
||||
"agent.hostname",
|
||||
"process.args",
|
||||
"auditd.summary.actor.primary",
|
||||
"auditd.summary.actor.secondary",
|
||||
"process.executable"
|
||||
],
|
||||
"description": "",
|
||||
"hits": 0,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [
|
||||
{
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
},
|
||||
"meta": {
|
||||
"alias": null,
|
||||
"disabled": false,
|
||||
"index": "auditbeat-*",
|
||||
"key": "event.module",
|
||||
"negate": false,
|
||||
"params": {
|
||||
"query": "auditd",
|
||||
"type": "phrase"
|
||||
},
|
||||
"type": "phrase",
|
||||
"value": "auditd"
|
||||
},
|
||||
"query": {
|
||||
"match": {
|
||||
"event.module": {
|
||||
"query": "auditd",
|
||||
"type": "phrase"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
},
|
||||
"meta": {
|
||||
"alias": null,
|
||||
"disabled": false,
|
||||
"index": "auditbeat-*",
|
||||
"key": "event.action",
|
||||
"negate": false,
|
||||
"params": {
|
||||
"query": "executed",
|
||||
"type": "phrase"
|
||||
},
|
||||
"type": "phrase",
|
||||
"value": "executed"
|
||||
},
|
||||
"query": {
|
||||
"match": {
|
||||
"event.action": {
|
||||
"query": "executed",
|
||||
"type": "phrase"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"highlightAll": true,
|
||||
"index": "auditbeat-*",
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
},
|
||||
"version": true
|
||||
}
|
||||
},
|
||||
"sort": [
|
||||
"@timestamp",
|
||||
"desc"
|
||||
],
|
||||
"title": "Process Executions [Auditbeat Auditd] ECS",
|
||||
"version": 1
|
||||
},
|
||||
"id": "d382f5b0-c1c6-11e7-8995-936807a28b16-ecs",
|
||||
"type": "search",
|
||||
"updated_at": "2018-01-16T22:26:35.050Z",
|
||||
"version": 5
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"description": "Overview of kernel executions",
|
||||
"hits": 0,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [],
|
||||
"highlightAll": true,
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
},
|
||||
"version": true
|
||||
}
|
||||
},
|
||||
"optionsJSON": {
|
||||
"darkTheme": false,
|
||||
"useMargins": false
|
||||
},
|
||||
"panelsJSON": [
|
||||
{
|
||||
"gridData": {
|
||||
"h": 3,
|
||||
"i": "1",
|
||||
"w": 4,
|
||||
"x": 4,
|
||||
"y": 0
|
||||
},
|
||||
"id": "20a8e8d0-c1c8-11e7-8995-936807a28b16-ecs",
|
||||
"panelIndex": "1",
|
||||
"type": "visualization",
|
||||
"version": "6.2.4"
|
||||
},
|
||||
{
|
||||
"gridData": {
|
||||
"h": 3,
|
||||
"i": "3",
|
||||
"w": 4,
|
||||
"x": 8,
|
||||
"y": 0
|
||||
},
|
||||
"id": "f81a6de0-c1c1-11e7-8995-936807a28b16-ecs",
|
||||
"panelIndex": "3",
|
||||
"type": "visualization",
|
||||
"version": "6.2.4"
|
||||
},
|
||||
{
|
||||
"gridData": {
|
||||
"h": 3,
|
||||
"i": "5",
|
||||
"w": 4,
|
||||
"x": 0,
|
||||
"y": 0
|
||||
},
|
||||
"id": "2efac370-c1ca-11e7-8995-936807a28b16-ecs",
|
||||
"panelIndex": "5",
|
||||
"type": "visualization",
|
||||
"version": "6.2.4"
|
||||
},
|
||||
{
|
||||
"gridData": {
|
||||
"h": 5,
|
||||
"i": "6",
|
||||
"w": 12,
|
||||
"x": 0,
|
||||
"y": 3
|
||||
},
|
||||
"id": "d382f5b0-c1c6-11e7-8995-936807a28b16-ecs",
|
||||
"panelIndex": "6",
|
||||
"type": "search",
|
||||
"version": "6.2.4"
|
||||
}
|
||||
],
|
||||
"timeRestore": false,
|
||||
"title": "[Auditbeat Auditd] Executions ECS",
|
||||
"version": 1
|
||||
},
|
||||
"id": "7de391b0-c1ca-11e7-8995-936807a28b16-ecs",
|
||||
"type": "dashboard",
|
||||
"updated_at": "2018-01-16T22:58:11.243Z",
|
||||
"version": 5
|
||||
}
|
||||
],
|
||||
"version": "6.2.4"
|
||||
}
|
|
@ -1,283 +0,0 @@
|
|||
{
|
||||
"objects": [
|
||||
{
|
||||
"attributes": {
|
||||
"description": "",
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {}
|
||||
},
|
||||
"title": "Event Actions [Auditbeat Auditd] ECS",
|
||||
"uiStateJSON": {},
|
||||
"version": 1,
|
||||
"visState": {
|
||||
"aggs": [],
|
||||
"params": {
|
||||
"axis_formatter": "number",
|
||||
"axis_position": "left",
|
||||
"background_color_rules": [
|
||||
{
|
||||
"id": "58c95a20-c1bd-11e7-938f-ab0645b6c431"
|
||||
}
|
||||
],
|
||||
"bar_color_rules": [
|
||||
{
|
||||
"id": "5bfc71a0-c1bd-11e7-938f-ab0645b6c431"
|
||||
}
|
||||
],
|
||||
"filter": "event.module:auditd",
|
||||
"gauge_color_rules": [
|
||||
{
|
||||
"id": "5d20a650-c1bd-11e7-938f-ab0645b6c431"
|
||||
}
|
||||
],
|
||||
"gauge_inner_width": 10,
|
||||
"gauge_style": "half",
|
||||
"gauge_width": 10,
|
||||
"id": "61ca57f0-469d-11e7-af02-69e470af7417",
|
||||
"index_pattern": "auditbeat-*",
|
||||
"interval": "auto",
|
||||
"legend_position": "left",
|
||||
"series": [
|
||||
{
|
||||
"axis_position": "right",
|
||||
"chart_type": "line",
|
||||
"color": "#68BC00",
|
||||
"fill": 0.5,
|
||||
"formatter": "number",
|
||||
"id": "61ca57f1-469d-11e7-af02-69e470af7417",
|
||||
"label": "Actions",
|
||||
"line_width": 1,
|
||||
"metrics": [
|
||||
{
|
||||
"id": "6b9fb2d0-c1bc-11e7-938f-ab0645b6c431",
|
||||
"type": "count"
|
||||
}
|
||||
],
|
||||
"point_size": 1,
|
||||
"seperate_axis": 0,
|
||||
"split_mode": "terms",
|
||||
"stacked": "none",
|
||||
"terms_field": "event.action"
|
||||
}
|
||||
],
|
||||
"show_grid": 1,
|
||||
"show_legend": 1,
|
||||
"time_field": "@timestamp",
|
||||
"type": "timeseries"
|
||||
},
|
||||
"title": "Event Actions [Auditbeat Auditd] ECS",
|
||||
"type": "metrics"
|
||||
}
|
||||
},
|
||||
"id": "97680df0-c1c0-11e7-8995-936807a28b16-ecs",
|
||||
"type": "visualization",
|
||||
"updated_at": "2018-01-16T22:11:01.438Z",
|
||||
"version": 3
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"description": "",
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [],
|
||||
"index": "auditbeat-*",
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
}
|
||||
}
|
||||
},
|
||||
"savedSearchId": "0f10c430-c1c3-11e7-8995-936807a28b16-ecs",
|
||||
"title": "Event Categories [Auditbeat Auditd] ECS",
|
||||
"uiStateJSON": {},
|
||||
"version": 1,
|
||||
"visState": {
|
||||
"aggs": [
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "1",
|
||||
"params": {},
|
||||
"schema": "metric",
|
||||
"type": "count"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "2",
|
||||
"params": {
|
||||
"customLabel": "Category",
|
||||
"field": "event.category",
|
||||
"order": "desc",
|
||||
"orderBy": "1",
|
||||
"size": 5
|
||||
},
|
||||
"schema": "segment",
|
||||
"type": "terms"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "3",
|
||||
"params": {
|
||||
"customLabel": "Action",
|
||||
"field": "event.action",
|
||||
"order": "desc",
|
||||
"orderBy": "1",
|
||||
"size": 20
|
||||
},
|
||||
"schema": "segment",
|
||||
"type": "terms"
|
||||
}
|
||||
],
|
||||
"params": {
|
||||
"addLegend": true,
|
||||
"addTooltip": true,
|
||||
"isDonut": true,
|
||||
"legendPosition": "right",
|
||||
"type": "pie"
|
||||
},
|
||||
"title": "Event Categories [Auditbeat Auditd] ECS",
|
||||
"type": "pie"
|
||||
}
|
||||
},
|
||||
"id": "08679220-c25a-11e7-8692-232bd1143e8a-ecs",
|
||||
"type": "visualization",
|
||||
"updated_at": "2018-01-16T22:54:10.330Z",
|
||||
"version": 4
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"columns": [
|
||||
"agent.hostname",
|
||||
"auditd.summary.actor.primary",
|
||||
"auditd.summary.actor.secondary",
|
||||
"event.action",
|
||||
"auditd.summary.object.type",
|
||||
"auditd.summary.object.primary",
|
||||
"auditd.summary.object.secondary",
|
||||
"auditd.summary.how",
|
||||
"auditd.result"
|
||||
],
|
||||
"description": "",
|
||||
"hits": 0,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [
|
||||
{
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
},
|
||||
"meta": {
|
||||
"alias": null,
|
||||
"disabled": false,
|
||||
"index": "auditbeat-*",
|
||||
"key": "event.module",
|
||||
"negate": false,
|
||||
"params": {
|
||||
"query": "auditd",
|
||||
"type": "phrase"
|
||||
},
|
||||
"type": "phrase",
|
||||
"value": "auditd"
|
||||
},
|
||||
"query": {
|
||||
"match": {
|
||||
"event.module": {
|
||||
"query": "auditd",
|
||||
"type": "phrase"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"highlightAll": true,
|
||||
"index": "auditbeat-*",
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
},
|
||||
"version": true
|
||||
}
|
||||
},
|
||||
"sort": [
|
||||
"@timestamp",
|
||||
"desc"
|
||||
],
|
||||
"title": "Audit Event Table [Auditbeat Auditd] ECS",
|
||||
"version": 1
|
||||
},
|
||||
"id": "0f10c430-c1c3-11e7-8995-936807a28b16-ecs",
|
||||
"type": "search",
|
||||
"updated_at": "2018-01-16T22:51:24.572Z",
|
||||
"version": 4
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"description": "Summary of Linux kernel audit events.",
|
||||
"hits": 0,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [],
|
||||
"highlightAll": true,
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
},
|
||||
"version": true
|
||||
}
|
||||
},
|
||||
"optionsJSON": {
|
||||
"darkTheme": false,
|
||||
"useMargins": false
|
||||
},
|
||||
"panelsJSON": [
|
||||
{
|
||||
"gridData": {
|
||||
"h": 3,
|
||||
"i": "1",
|
||||
"w": 7,
|
||||
"x": 0,
|
||||
"y": 0
|
||||
},
|
||||
"id": "97680df0-c1c0-11e7-8995-936807a28b16-ecs",
|
||||
"panelIndex": "1",
|
||||
"type": "visualization",
|
||||
"version": "6.2.4"
|
||||
},
|
||||
{
|
||||
"gridData": {
|
||||
"h": 3,
|
||||
"i": "4",
|
||||
"w": 5,
|
||||
"x": 7,
|
||||
"y": 0
|
||||
},
|
||||
"id": "08679220-c25a-11e7-8692-232bd1143e8a-ecs",
|
||||
"panelIndex": "4",
|
||||
"type": "visualization",
|
||||
"version": "6.2.4"
|
||||
},
|
||||
{
|
||||
"gridData": {
|
||||
"h": 5,
|
||||
"i": "5",
|
||||
"w": 12,
|
||||
"x": 0,
|
||||
"y": 3
|
||||
},
|
||||
"id": "0f10c430-c1c3-11e7-8995-936807a28b16-ecs",
|
||||
"panelIndex": "5",
|
||||
"type": "search",
|
||||
"version": "6.2.4"
|
||||
}
|
||||
],
|
||||
"timeRestore": false,
|
||||
"title": "[Auditbeat Auditd] Overview ECS",
|
||||
"version": 1
|
||||
},
|
||||
"id": "c0ac2c00-c1c0-11e7-8995-936807a28b16-ecs",
|
||||
"type": "dashboard",
|
||||
"updated_at": "2018-01-16T22:55:17.775Z",
|
||||
"version": 5
|
||||
}
|
||||
],
|
||||
"version": "6.2.4"
|
||||
}
|
|
@ -1,930 +0,0 @@
|
|||
{
|
||||
"objects": [
|
||||
{
|
||||
"attributes": {
|
||||
"description": "",
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [
|
||||
{
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
},
|
||||
"meta": {
|
||||
"alias": null,
|
||||
"apply": true,
|
||||
"disabled": false,
|
||||
"index": "auditbeat-*",
|
||||
"key": "auditd.summary.object.secondary",
|
||||
"negate": true,
|
||||
"params": {
|
||||
"query": "0",
|
||||
"type": "phrase"
|
||||
},
|
||||
"type": "phrase",
|
||||
"value": "0"
|
||||
},
|
||||
"query": {
|
||||
"match": {
|
||||
"auditd.summary.object.secondary": {
|
||||
"query": "0",
|
||||
"type": "phrase"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
}
|
||||
}
|
||||
},
|
||||
"savedSearchId": "b4c93470-c240-11e7-8692-232bd1143e8a-ecs",
|
||||
"title": "Bind (non-ephemeral) [Auditbeat Auditd] ECS",
|
||||
"uiStateJSON": {
|
||||
"vis": {
|
||||
"params": {
|
||||
"sort": {
|
||||
"columnIndex": null,
|
||||
"direction": null
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"version": 1,
|
||||
"visState": {
|
||||
"aggs": [
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "1",
|
||||
"params": {},
|
||||
"schema": "metric",
|
||||
"type": "count"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "2",
|
||||
"params": {
|
||||
"customLabel": "Exe",
|
||||
"field": "auditd.summary.how",
|
||||
"order": "desc",
|
||||
"orderBy": "_term",
|
||||
"size": 50
|
||||
},
|
||||
"schema": "bucket",
|
||||
"type": "terms"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "3",
|
||||
"params": {
|
||||
"customLabel": "Address",
|
||||
"field": "auditd.summary.object.primary",
|
||||
"order": "desc",
|
||||
"orderBy": "_term",
|
||||
"size": 10
|
||||
},
|
||||
"schema": "bucket",
|
||||
"type": "terms"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "4",
|
||||
"params": {
|
||||
"customLabel": "Port",
|
||||
"field": "auditd.summary.object.secondary",
|
||||
"order": "desc",
|
||||
"orderBy": "_term",
|
||||
"size": 10
|
||||
},
|
||||
"schema": "bucket",
|
||||
"type": "terms"
|
||||
}
|
||||
],
|
||||
"params": {
|
||||
"perPage": 10,
|
||||
"showMeticsAtAllLevels": false,
|
||||
"showPartialRows": false,
|
||||
"showTotal": false,
|
||||
"sort": {
|
||||
"columnIndex": null,
|
||||
"direction": null
|
||||
},
|
||||
"totalFunc": "sum"
|
||||
},
|
||||
"title": "Bind (non-ephemeral) [Auditbeat Auditd] ECS",
|
||||
"type": "table"
|
||||
}
|
||||
},
|
||||
"id": "faf882f0-c242-11e7-8692-232bd1143e8a-ecs",
|
||||
"type": "visualization",
|
||||
"updated_at": "2018-01-16T22:08:02.522Z",
|
||||
"version": 3
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"description": "",
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [],
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
}
|
||||
}
|
||||
},
|
||||
"savedSearchId": "5438b030-c246-11e7-8692-232bd1143e8a-ecs",
|
||||
"title": "Connect [Auditbeat Auditd] ECS",
|
||||
"uiStateJSON": {
|
||||
"vis": {
|
||||
"params": {
|
||||
"sort": {
|
||||
"columnIndex": null,
|
||||
"direction": null
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"version": 1,
|
||||
"visState": {
|
||||
"aggs": [
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "1",
|
||||
"params": {},
|
||||
"schema": "metric",
|
||||
"type": "count"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "2",
|
||||
"params": {
|
||||
"customLabel": "Exe",
|
||||
"field": "process.executable",
|
||||
"order": "desc",
|
||||
"orderBy": "1",
|
||||
"size": 50
|
||||
},
|
||||
"schema": "bucket",
|
||||
"type": "terms"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "3",
|
||||
"params": {
|
||||
"customLabel": "Address",
|
||||
"field": "auditd.summary.object.primary",
|
||||
"order": "desc",
|
||||
"orderBy": "1",
|
||||
"size": 10
|
||||
},
|
||||
"schema": "bucket",
|
||||
"type": "terms"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "4",
|
||||
"params": {
|
||||
"customLabel": "Port",
|
||||
"field": "auditd.summary.object.secondary",
|
||||
"order": "desc",
|
||||
"orderBy": "1",
|
||||
"size": 5
|
||||
},
|
||||
"schema": "bucket",
|
||||
"type": "terms"
|
||||
}
|
||||
],
|
||||
"params": {
|
||||
"perPage": 10,
|
||||
"showMeticsAtAllLevels": false,
|
||||
"showPartialRows": false,
|
||||
"showTotal": false,
|
||||
"sort": {
|
||||
"columnIndex": null,
|
||||
"direction": null
|
||||
},
|
||||
"totalFunc": "sum"
|
||||
},
|
||||
"title": "Connect [Auditbeat Auditd] ECS",
|
||||
"type": "table"
|
||||
}
|
||||
},
|
||||
"id": "ea483730-c246-11e7-8692-232bd1143e8a-ecs",
|
||||
"type": "visualization",
|
||||
"updated_at": "2018-01-16T23:24:16.851Z",
|
||||
"version": 4
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"description": "",
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [],
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
}
|
||||
}
|
||||
},
|
||||
"savedSearchId": "e8734160-c24c-11e7-8692-232bd1143e8a-ecs",
|
||||
"title": "Accept / Recvfrom Unique Address Table [Auditbeat Auditd] ECS",
|
||||
"uiStateJSON": {
|
||||
"spy": {
|
||||
"mode": {
|
||||
"fill": false,
|
||||
"name": null
|
||||
}
|
||||
},
|
||||
"vis": {
|
||||
"params": {
|
||||
"sort": {
|
||||
"columnIndex": null,
|
||||
"direction": null
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"version": 1,
|
||||
"visState": {
|
||||
"aggs": [
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "1",
|
||||
"params": {
|
||||
"customLabel": "Unique Addresses",
|
||||
"field": "auditd.summary.object.primary"
|
||||
},
|
||||
"schema": "metric",
|
||||
"type": "cardinality"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "2",
|
||||
"params": {
|
||||
"customLabel": "Exe",
|
||||
"field": "process.executable",
|
||||
"order": "desc",
|
||||
"orderBy": "1",
|
||||
"size": 50
|
||||
},
|
||||
"schema": "bucket",
|
||||
"type": "terms"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "3",
|
||||
"params": {
|
||||
"customLabel": "Syscall",
|
||||
"field": "auditd.data.syscall",
|
||||
"order": "desc",
|
||||
"orderBy": "1",
|
||||
"size": 5
|
||||
},
|
||||
"schema": "bucket",
|
||||
"type": "terms"
|
||||
}
|
||||
],
|
||||
"params": {
|
||||
"perPage": 10,
|
||||
"showMeticsAtAllLevels": false,
|
||||
"showPartialRows": false,
|
||||
"showTotal": false,
|
||||
"sort": {
|
||||
"columnIndex": null,
|
||||
"direction": null
|
||||
},
|
||||
"totalFunc": "sum"
|
||||
},
|
||||
"title": "Accept / Recvfrom Unique Address Table [Auditbeat Auditd] ECS",
|
||||
"type": "table"
|
||||
}
|
||||
},
|
||||
"id": "ceb91de0-c250-11e7-8692-232bd1143e8a-ecs",
|
||||
"type": "visualization",
|
||||
"updated_at": "2018-01-16T22:16:51.535Z",
|
||||
"version": 5
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"description": "",
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {}
|
||||
},
|
||||
"title": "Socket Syscalls Time Series [Auditbeat Auditd] ECS",
|
||||
"uiStateJSON": {},
|
||||
"version": 1,
|
||||
"visState": {
|
||||
"aggs": [],
|
||||
"params": {
|
||||
"axis_formatter": "number",
|
||||
"axis_position": "left",
|
||||
"background_color_rules": [
|
||||
{
|
||||
"id": "95b603d0-c252-11e7-8a68-93ffe9ec5950"
|
||||
}
|
||||
],
|
||||
"bar_color_rules": [
|
||||
{
|
||||
"id": "2cebb0c0-c252-11e7-8a68-93ffe9ec5950"
|
||||
}
|
||||
],
|
||||
"filter": "auditd.summary.object.type:socket",
|
||||
"gauge_color_rules": [
|
||||
{
|
||||
"id": "6c891740-c252-11e7-8a68-93ffe9ec5950"
|
||||
}
|
||||
],
|
||||
"gauge_inner_width": 10,
|
||||
"gauge_style": "half",
|
||||
"gauge_width": 10,
|
||||
"id": "61ca57f0-469d-11e7-af02-69e470af7417",
|
||||
"index_pattern": "auditbeat-*",
|
||||
"interval": "auto",
|
||||
"legend_position": "left",
|
||||
"series": [
|
||||
{
|
||||
"axis_position": "right",
|
||||
"chart_type": "line",
|
||||
"color": "#68BC00",
|
||||
"fill": 0.5,
|
||||
"formatter": "number",
|
||||
"id": "61ca57f1-469d-11e7-af02-69e470af7417",
|
||||
"label": "syscall",
|
||||
"line_width": 1,
|
||||
"metrics": [
|
||||
{
|
||||
"id": "61ca57f2-469d-11e7-af02-69e470af7417",
|
||||
"type": "count"
|
||||
}
|
||||
],
|
||||
"point_size": 1,
|
||||
"seperate_axis": 0,
|
||||
"split_mode": "terms",
|
||||
"stacked": "none",
|
||||
"terms_field": "auditd.data.syscall"
|
||||
}
|
||||
],
|
||||
"show_grid": 1,
|
||||
"show_legend": 1,
|
||||
"time_field": "@timestamp",
|
||||
"type": "timeseries"
|
||||
},
|
||||
"title": "Socket Syscalls Time Series [Auditbeat Auditd] ECS",
|
||||
"type": "metrics"
|
||||
}
|
||||
},
|
||||
"id": "b21e0c70-c252-11e7-8692-232bd1143e8a-ecs",
|
||||
"type": "visualization",
|
||||
"updated_at": "2018-01-16T22:13:38.857Z",
|
||||
"version": 3
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"description": "",
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [],
|
||||
"index": "auditbeat-*",
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
}
|
||||
}
|
||||
},
|
||||
"title": "Socket Families [Auditbeat Auditd] ECS",
|
||||
"uiStateJSON": {},
|
||||
"version": 1,
|
||||
"visState": {
|
||||
"aggs": [
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "1",
|
||||
"params": {},
|
||||
"schema": "metric",
|
||||
"type": "count"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "2",
|
||||
"params": {
|
||||
"customLabel": "Socket Family",
|
||||
"field": "auditd.data.socket.family",
|
||||
"order": "desc",
|
||||
"orderBy": "1",
|
||||
"size": 10
|
||||
},
|
||||
"schema": "segment",
|
||||
"type": "terms"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "3",
|
||||
"params": {
|
||||
"customLabel": "Syscall",
|
||||
"field": "auditd.data.syscall",
|
||||
"order": "desc",
|
||||
"orderBy": "1",
|
||||
"size": 10
|
||||
},
|
||||
"schema": "segment",
|
||||
"type": "terms"
|
||||
}
|
||||
],
|
||||
"params": {
|
||||
"addLegend": true,
|
||||
"addTooltip": true,
|
||||
"isDonut": true,
|
||||
"legendPosition": "left",
|
||||
"type": "pie"
|
||||
},
|
||||
"title": "Socket Families [Auditbeat Auditd] ECS",
|
||||
"type": "pie"
|
||||
}
|
||||
},
|
||||
"id": "a8e20450-c256-11e7-8692-232bd1143e8a-ecs",
|
||||
"type": "visualization",
|
||||
"updated_at": "2018-01-16T22:12:51.655Z",
|
||||
"version": 3
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"columns": [
|
||||
"agent.hostname",
|
||||
"auditd.summary.how",
|
||||
"auditd.summary.object.primary",
|
||||
"auditd.summary.object.secondary",
|
||||
"auditd.data.socket.family",
|
||||
"auditd.result"
|
||||
],
|
||||
"description": "",
|
||||
"hits": 0,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [
|
||||
{
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
},
|
||||
"meta": {
|
||||
"alias": null,
|
||||
"disabled": false,
|
||||
"index": "auditbeat-*",
|
||||
"key": "event.module",
|
||||
"negate": false,
|
||||
"params": {
|
||||
"query": "auditd",
|
||||
"type": "phrase"
|
||||
},
|
||||
"type": "phrase",
|
||||
"value": "auditd"
|
||||
},
|
||||
"query": {
|
||||
"match": {
|
||||
"event.module": {
|
||||
"query": "auditd",
|
||||
"type": "phrase"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
},
|
||||
"meta": {
|
||||
"alias": null,
|
||||
"disabled": false,
|
||||
"index": "auditbeat-*",
|
||||
"key": "auditd.data.syscall",
|
||||
"negate": false,
|
||||
"params": {
|
||||
"query": "bind",
|
||||
"type": "phrase"
|
||||
},
|
||||
"type": "phrase",
|
||||
"value": "bind"
|
||||
},
|
||||
"query": {
|
||||
"match": {
|
||||
"auditd.data.syscall": {
|
||||
"query": "bind",
|
||||
"type": "phrase"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
},
|
||||
"meta": {
|
||||
"alias": null,
|
||||
"disabled": false,
|
||||
"index": "auditbeat-*",
|
||||
"key": "auditd.data.socket.family",
|
||||
"negate": true,
|
||||
"params": {
|
||||
"query": "netlink",
|
||||
"type": "phrase"
|
||||
},
|
||||
"type": "phrase",
|
||||
"value": "netlink"
|
||||
},
|
||||
"query": {
|
||||
"match": {
|
||||
"auditd.data.socket.family": {
|
||||
"query": "netlink",
|
||||
"type": "phrase"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"highlightAll": true,
|
||||
"index": "auditbeat-*",
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
},
|
||||
"version": true
|
||||
}
|
||||
},
|
||||
"sort": [
|
||||
"@timestamp",
|
||||
"desc"
|
||||
],
|
||||
"title": "Socket Binds [Auditbeat Auditd] ECS",
|
||||
"version": 1
|
||||
},
|
||||
"id": "b4c93470-c240-11e7-8692-232bd1143e8a-ecs",
|
||||
"type": "search",
|
||||
"updated_at": "2018-01-16T23:05:58.935Z",
|
||||
"version": 5
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"columns": [
|
||||
"agent.hostname",
|
||||
"auditd.summary.how",
|
||||
"auditd.summary.object.primary",
|
||||
"auditd.summary.object.secondary",
|
||||
"auditd.data.socket.family",
|
||||
"auditd.result",
|
||||
"auditd.data.exit"
|
||||
],
|
||||
"description": "",
|
||||
"hits": 0,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [
|
||||
{
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
},
|
||||
"meta": {
|
||||
"alias": null,
|
||||
"disabled": false,
|
||||
"index": "auditbeat-*",
|
||||
"key": "event.module",
|
||||
"negate": false,
|
||||
"params": {
|
||||
"query": "auditd",
|
||||
"type": "phrase"
|
||||
},
|
||||
"type": "phrase",
|
||||
"value": "auditd"
|
||||
},
|
||||
"query": {
|
||||
"match": {
|
||||
"event.module": {
|
||||
"query": "auditd",
|
||||
"type": "phrase"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
},
|
||||
"meta": {
|
||||
"alias": null,
|
||||
"disabled": false,
|
||||
"index": "auditbeat-*",
|
||||
"key": "event.action",
|
||||
"negate": false,
|
||||
"params": {
|
||||
"query": "connected-to",
|
||||
"type": "phrase"
|
||||
},
|
||||
"type": "phrase",
|
||||
"value": "connected-to"
|
||||
},
|
||||
"query": {
|
||||
"match": {
|
||||
"event.action": {
|
||||
"query": "connected-to",
|
||||
"type": "phrase"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
},
|
||||
"exists": {
|
||||
"field": "auditd.summary.object.primary"
|
||||
},
|
||||
"meta": {
|
||||
"alias": null,
|
||||
"disabled": false,
|
||||
"index": "auditbeat-*",
|
||||
"key": "auditd.summary.object.primary",
|
||||
"negate": false,
|
||||
"type": "exists",
|
||||
"value": "exists"
|
||||
}
|
||||
}
|
||||
],
|
||||
"highlightAll": true,
|
||||
"index": "auditbeat-*",
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
},
|
||||
"version": true
|
||||
}
|
||||
},
|
||||
"sort": [
|
||||
"@timestamp",
|
||||
"desc"
|
||||
],
|
||||
"title": "Socket Connects [Auditbeat Auditd] ECS",
|
||||
"version": 1
|
||||
},
|
||||
"id": "5438b030-c246-11e7-8692-232bd1143e8a-ecs",
|
||||
"type": "search",
|
||||
"updated_at": "2018-01-16T23:09:43.937Z",
|
||||
"version": 5
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"columns": [
|
||||
"agent.hostname",
|
||||
"auditd.summary.how",
|
||||
"auditd.summary.object.primary",
|
||||
"auditd.summary.object.secondary",
|
||||
"auditd.data.socket.family",
|
||||
"event.action"
|
||||
],
|
||||
"description": "",
|
||||
"hits": 0,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [
|
||||
{
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
},
|
||||
"meta": {
|
||||
"alias": null,
|
||||
"disabled": false,
|
||||
"index": "auditbeat-*",
|
||||
"key": "event.module",
|
||||
"negate": false,
|
||||
"params": {
|
||||
"query": "auditd",
|
||||
"type": "phrase"
|
||||
},
|
||||
"type": "phrase",
|
||||
"value": "auditd"
|
||||
},
|
||||
"query": {
|
||||
"match": {
|
||||
"event.module": {
|
||||
"query": "auditd",
|
||||
"type": "phrase"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
},
|
||||
"meta": {
|
||||
"alias": null,
|
||||
"disabled": false,
|
||||
"index": "auditbeat-*",
|
||||
"key": "auditd.summary.object.type",
|
||||
"negate": false,
|
||||
"params": {
|
||||
"query": "socket",
|
||||
"type": "phrase"
|
||||
},
|
||||
"type": "phrase",
|
||||
"value": "socket"
|
||||
},
|
||||
"query": {
|
||||
"match": {
|
||||
"auditd.summary.object.type": {
|
||||
"query": "socket",
|
||||
"type": "phrase"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
},
|
||||
"exists": {
|
||||
"field": "auditd.summary.object.primary"
|
||||
},
|
||||
"meta": {
|
||||
"alias": null,
|
||||
"disabled": false,
|
||||
"index": "auditbeat-*",
|
||||
"key": "auditd.summary.object.primary",
|
||||
"negate": false,
|
||||
"type": "exists",
|
||||
"value": "exists"
|
||||
}
|
||||
},
|
||||
{
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
},
|
||||
"meta": {
|
||||
"alias": null,
|
||||
"disabled": false,
|
||||
"index": "auditbeat-*",
|
||||
"key": "query",
|
||||
"negate": false,
|
||||
"type": "custom",
|
||||
"value": "{\"terms\":{\"auditd.data.syscall\":[\"accept\",\"accept4\",\"recvfrom\",\"recvmsg\"]}}"
|
||||
},
|
||||
"query": {
|
||||
"terms": {
|
||||
"auditd.data.syscall": [
|
||||
"accept",
|
||||
"accept4",
|
||||
"recvfrom",
|
||||
"recvmsg"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"highlightAll": true,
|
||||
"index": "auditbeat-*",
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
},
|
||||
"version": true
|
||||
}
|
||||
},
|
||||
"sort": [
|
||||
"@timestamp",
|
||||
"desc"
|
||||
],
|
||||
"title": "Socket Accept / Recvfrom [Auditbeat Auditd] ECS",
|
||||
"version": 1
|
||||
},
|
||||
"id": "e8734160-c24c-11e7-8692-232bd1143e8a-ecs",
|
||||
"type": "search",
|
||||
"updated_at": "2018-01-16T23:20:51.403Z",
|
||||
"version": 4
|
||||
},
|
||||
{
|
||||
"attributes": {
|
||||
"description": "Summary of socket related syscall events.",
|
||||
"hits": 0,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": {
|
||||
"filter": [],
|
||||
"highlightAll": true,
|
||||
"query": {
|
||||
"language": "kuery",
|
||||
"query": ""
|
||||
},
|
||||
"version": true
|
||||
}
|
||||
},
|
||||
"optionsJSON": {
|
||||
"darkTheme": false,
|
||||
"useMargins": false
|
||||
},
|
||||
"panelsJSON": [
|
||||
{
|
||||
"embeddableConfig": {
|
||||
"vis": {
|
||||
"params": {
|
||||
"sort": {
|
||||
"columnIndex": null,
|
||||
"direction": null
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"gridData": {
|
||||
"h": 4,
|
||||
"i": "1",
|
||||
"w": 6,
|
||||
"x": 6,
|
||||
"y": 3
|
||||
},
|
||||
"id": "faf882f0-c242-11e7-8692-232bd1143e8a-ecs",
|
||||
"panelIndex": "1",
|
||||
"type": "visualization",
|
||||
"version": "6.2.4"
|
||||
},
|
||||
{
|
||||
"embeddableConfig": {
|
||||
"vis": {
|
||||
"params": {
|
||||
"sort": {
|
||||
"columnIndex": null,
|
||||
"direction": null
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"gridData": {
|
||||
"h": 5,
|
||||
"i": "2",
|
||||
"w": 6,
|
||||
"x": 0,
|
||||
"y": 7
|
||||
},
|
||||
"id": "ea483730-c246-11e7-8692-232bd1143e8a-ecs",
|
||||
"panelIndex": "2",
|
||||
"type": "visualization",
|
||||
"version": "6.2.4"
|
||||
},
|
||||
{
|
||||
"embeddableConfig": {
|
||||
"vis": {
|
||||
"params": {
|
||||
"sort": {
|
||||
"columnIndex": null,
|
||||
"direction": null
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"gridData": {
|
||||
"h": 5,
|
||||
"i": "3",
|
||||
"w": 6,
|
||||
"x": 6,
|
||||
"y": 7
|
||||
},
|
||||
"id": "ceb91de0-c250-11e7-8692-232bd1143e8a-ecs",
|
||||
"panelIndex": "3",
|
||||
"type": "visualization",
|
||||
"version": "6.2.4"
|
||||
},
|
||||
{
|
||||
"gridData": {
|
||||
"h": 3,
|
||||
"i": "4",
|
||||
"w": 12,
|
||||
"x": 0,
|
||||
"y": 0
|
||||
},
|
||||
"id": "b21e0c70-c252-11e7-8692-232bd1143e8a-ecs",
|
||||
"panelIndex": "4",
|
||||
"type": "visualization",
|
||||
"version": "6.2.4"
|
||||
},
|
||||
{
|
||||
"gridData": {
|
||||
"h": 4,
|
||||
"i": "5",
|
||||
"w": 6,
|
||||
"x": 0,
|
||||
"y": 3
|
||||
},
|
||||
"id": "a8e20450-c256-11e7-8692-232bd1143e8a-ecs",
|
||||
"panelIndex": "5",
|
||||
"type": "visualization",
|
||||
"version": "6.2.4"
|
||||
}
|
||||
],
|
||||
"timeRestore": false,
|
||||
"title": "[Auditbeat Auditd] Sockets ECS",
|
||||
"version": 1
|
||||
},
|
||||
"id": "693a5f40-c243-11e7-8692-232bd1143e8a-ecs",
|
||||
"type": "dashboard",
|
||||
"updated_at": "2018-01-16T23:24:37.521Z",
|
||||
"version": 4
|
||||
}
|
||||
],
|
||||
"version": "6.2.4"
|
||||
}
|
|
@ -1,999 +0,0 @@
|
|||
// Licensed to Elasticsearch B.V. under one or more contributor
|
||||
// license agreements. See the NOTICE file distributed with
|
||||
// this work for additional information regarding copyright
|
||||
// ownership. Elasticsearch B.V. licenses this file to you under
|
||||
// the Apache License, Version 2.0 (the "License"); you may
|
||||
// not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing,
|
||||
// software distributed under the License is distributed on an
|
||||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
// KIND, either express or implied. See the License for the
|
||||
// specific language governing permissions and limitations
|
||||
// under the License.
|
||||
|
||||
package auditd
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"os/user"
|
||||
"runtime"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
|
||||
"github.com/elastic/beats/libbeat/common"
|
||||
"github.com/elastic/beats/libbeat/logp"
|
||||
"github.com/elastic/beats/libbeat/monitoring"
|
||||
"github.com/elastic/beats/metricbeat/mb"
|
||||
"github.com/elastic/beats/metricbeat/mb/parse"
|
||||
"github.com/elastic/go-libaudit"
|
||||
"github.com/elastic/go-libaudit/aucoalesce"
|
||||
"github.com/elastic/go-libaudit/auparse"
|
||||
"github.com/elastic/go-libaudit/rule"
|
||||
)
|
||||
|
||||
const (
|
||||
namespace = "auditd"
|
||||
|
||||
auditLocked = 2
|
||||
|
||||
unicast = "unicast"
|
||||
multicast = "multicast"
|
||||
uidUnset = "unset"
|
||||
|
||||
lostEventsUpdateInterval = time.Second * 15
|
||||
maxDefaultStreamBufferConsumers = 4
|
||||
)
|
||||
|
||||
type backpressureStrategy uint8
|
||||
|
||||
const (
|
||||
bsKernel backpressureStrategy = 1 << iota
|
||||
bsUserSpace
|
||||
bsAuto
|
||||
)
|
||||
|
||||
var (
|
||||
auditdMetrics = monitoring.Default.NewRegistry(moduleName)
|
||||
reassemblerGapsMetric = monitoring.NewInt(auditdMetrics, "reassembler_seq_gaps")
|
||||
kernelLostMetric = monitoring.NewInt(auditdMetrics, "kernel_lost")
|
||||
userspaceLostMetric = monitoring.NewInt(auditdMetrics, "userspace_lost")
|
||||
receivedMetric = monitoring.NewInt(auditdMetrics, "received_msgs")
|
||||
)
|
||||
|
||||
func init() {
|
||||
mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
|
||||
mb.DefaultMetricSet(),
|
||||
mb.WithHostParser(parse.EmptyHostParser),
|
||||
mb.WithNamespace(namespace),
|
||||
)
|
||||
}
|
||||
|
||||
// MetricSet listens for audit messages from the Linux kernel using a netlink
|
||||
// socket. It buffers the messages to ensure ordering and then streams the
|
||||
// output. MetricSet implements the mb.PushMetricSet interface, and therefore
|
||||
// does not rely on polling.
|
||||
type MetricSet struct {
|
||||
mb.BaseMetricSet
|
||||
config Config
|
||||
client *libaudit.AuditClient
|
||||
log *logp.Logger
|
||||
kernelLost struct {
|
||||
enabled bool
|
||||
counter uint32
|
||||
}
|
||||
backpressureStrategy backpressureStrategy
|
||||
}
|
||||
|
||||
// New constructs a new MetricSet.
|
||||
func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
|
||||
config := defaultConfig
|
||||
if err := base.Module().UnpackConfig(&config); err != nil {
|
||||
return nil, errors.Wrap(err, "failed to unpack the auditd config")
|
||||
}
|
||||
|
||||
log := logp.NewLogger(moduleName)
|
||||
_, _, kernel, _ := kernelVersion()
|
||||
log.Infof("auditd module is running as euid=%v on kernel=%v", os.Geteuid(), kernel)
|
||||
|
||||
client, err := newAuditClient(&config, log)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "failed to create audit client")
|
||||
}
|
||||
|
||||
reassemblerGapsMetric.Set(0)
|
||||
kernelLostMetric.Set(0)
|
||||
userspaceLostMetric.Set(0)
|
||||
receivedMetric.Set(0)
|
||||
|
||||
return &MetricSet{
|
||||
BaseMetricSet: base,
|
||||
client: client,
|
||||
config: config,
|
||||
log: log,
|
||||
backpressureStrategy: getBackpressureStrategy(config.BackpressureStrategy, log),
|
||||
}, nil
|
||||
}
|
||||
|
||||
func newAuditClient(c *Config, log *logp.Logger) (*libaudit.AuditClient, error) {
|
||||
var err error
|
||||
c.SocketType, err = determineSocketType(c, log)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
log.Infof("socket_type=%s will be used.", c.SocketType)
|
||||
|
||||
if c.SocketType == multicast {
|
||||
return libaudit.NewMulticastAuditClient(nil)
|
||||
}
|
||||
return libaudit.NewAuditClient(nil)
|
||||
}
|
||||
|
||||
// Run initializes the audit client and receives audit messages from the
|
||||
// kernel until the reporter's done channel is closed.
|
||||
func (ms *MetricSet) Run(reporter mb.PushReporterV2) {
|
||||
defer ms.client.Close()
|
||||
|
||||
if err := ms.addRules(reporter); err != nil {
|
||||
reporter.Error(err)
|
||||
ms.log.Errorw("Failure adding audit rules", "error", err)
|
||||
return
|
||||
}
|
||||
|
||||
out, err := ms.receiveEvents(reporter.Done())
|
||||
if err != nil {
|
||||
reporter.Error(err)
|
||||
ms.log.Errorw("Failure receiving audit events", "error", err)
|
||||
return
|
||||
}
|
||||
|
||||
if ms.kernelLost.enabled {
|
||||
client, err := libaudit.NewAuditClient(nil)
|
||||
if err != nil {
|
||||
reporter.Error(err)
|
||||
ms.log.Errorw("Failure creating audit monitoring client", "error", err)
|
||||
}
|
||||
go func() {
|
||||
defer client.Close()
|
||||
timer := time.NewTicker(lostEventsUpdateInterval)
|
||||
defer timer.Stop()
|
||||
for {
|
||||
select {
|
||||
case <-reporter.Done():
|
||||
return
|
||||
case <-timer.C:
|
||||
if status, err := client.GetStatus(); err == nil {
|
||||
ms.updateKernelLostMetric(status.Lost)
|
||||
} else {
|
||||
ms.log.Error("get status request failed:", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
// Spawn the stream buffer consumers
|
||||
numConsumers := ms.config.StreamBufferConsumers
|
||||
// By default (stream_buffer_consumers=0) use as many consumers as local CPUs
|
||||
// with a max of `maxDefaultStreamBufferConsumers`
|
||||
if numConsumers == 0 {
|
||||
if numConsumers = runtime.GOMAXPROCS(-1); numConsumers > maxDefaultStreamBufferConsumers {
|
||||
numConsumers = maxDefaultStreamBufferConsumers
|
||||
}
|
||||
}
|
||||
var wg sync.WaitGroup
|
||||
wg.Add(numConsumers)
|
||||
|
||||
for i := 0; i < numConsumers; i++ {
|
||||
go func() {
|
||||
defer wg.Done()
|
||||
for {
|
||||
select {
|
||||
case <-reporter.Done():
|
||||
return
|
||||
case msgs := <-out:
|
||||
reporter.Event(buildMetricbeatEvent(msgs, ms.config))
|
||||
}
|
||||
}
|
||||
}()
|
||||
}
|
||||
wg.Wait()
|
||||
}
|
||||
|
||||
func (ms *MetricSet) addRules(reporter mb.PushReporterV2) error {
|
||||
rules := ms.config.rules()
|
||||
|
||||
if len(rules) == 0 {
|
||||
ms.log.Info("No audit_rules were specified.")
|
||||
return nil
|
||||
}
|
||||
|
||||
client, err := libaudit.NewAuditClient(nil)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "failed to create audit client for adding rules")
|
||||
}
|
||||
defer client.Close()
|
||||
|
||||
// Don't attempt to change configuration if audit rules are locked (enabled == 2).
|
||||
// Will result in EPERM.
|
||||
status, err := client.GetStatus()
|
||||
if err != nil {
|
||||
err = errors.Wrap(err, "failed to get audit status before adding rules")
|
||||
reporter.Error(err)
|
||||
return err
|
||||
}
|
||||
if status.Enabled == auditLocked {
|
||||
return errors.New("Skipping rule configuration: Audit rules are locked")
|
||||
}
|
||||
|
||||
// Delete existing rules.
|
||||
n, err := client.DeleteRules()
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "failed to delete existing rules")
|
||||
}
|
||||
ms.log.Infof("Deleted %v pre-existing audit rules.", n)
|
||||
|
||||
// Add rule to ignore syscalls from this process
|
||||
if rule, err := buildPIDIgnoreRule(os.Getpid()); err == nil {
|
||||
rules = append([]auditRule{rule}, rules...)
|
||||
} else {
|
||||
ms.log.Errorf("Failed to build a rule to ignore self: %v", err)
|
||||
}
|
||||
// Add rules from config.
|
||||
var failCount int
|
||||
for _, rule := range rules {
|
||||
if err = client.AddRule(rule.data); err != nil {
|
||||
// Treat rule add errors as warnings and continue.
|
||||
err = errors.Wrapf(err, "failed to add audit rule '%v'", rule.flags)
|
||||
reporter.Error(err)
|
||||
ms.log.Warnw("Failure adding audit rule", "error", err)
|
||||
failCount++
|
||||
}
|
||||
}
|
||||
ms.log.Infof("Successfully added %d of %d audit rules.",
|
||||
len(rules)-failCount, len(rules))
|
||||
return nil
|
||||
}
|
||||
|
||||
func (ms *MetricSet) initClient() error {
|
||||
if ms.config.SocketType == "multicast" {
|
||||
// This request will fail with EPERM if this process does not have
|
||||
// CAP_AUDIT_CONTROL, but we will ignore the response. The user will be
|
||||
// required to ensure that auditing is enabled if the process is only
|
||||
// given CAP_AUDIT_READ.
|
||||
err := ms.client.SetEnabled(true, libaudit.NoWait)
|
||||
return errors.Wrap(err, "failed to enable auditing in the kernel")
|
||||
}
|
||||
|
||||
// Unicast client initialization (requires CAP_AUDIT_CONTROL and that the
|
||||
// process be in initial PID namespace).
|
||||
status, err := ms.client.GetStatus()
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "failed to get audit status")
|
||||
}
|
||||
ms.kernelLost.enabled = true
|
||||
ms.kernelLost.counter = status.Lost
|
||||
|
||||
ms.log.Infow("audit status from kernel at start", "audit_status", status)
|
||||
|
||||
if status.Enabled == auditLocked {
|
||||
return errors.New("failed to configure: The audit system is locked")
|
||||
}
|
||||
|
||||
if fm, _ := ms.config.failureMode(); status.Failure != fm {
|
||||
if err = ms.client.SetFailure(libaudit.FailureMode(fm), libaudit.NoWait); err != nil {
|
||||
return errors.Wrap(err, "failed to set audit failure mode in kernel")
|
||||
}
|
||||
}
|
||||
|
||||
if status.BacklogLimit != ms.config.BacklogLimit {
|
||||
if err = ms.client.SetBacklogLimit(ms.config.BacklogLimit, libaudit.NoWait); err != nil {
|
||||
return errors.Wrap(err, "failed to set audit backlog limit in kernel")
|
||||
}
|
||||
}
|
||||
|
||||
if ms.backpressureStrategy&(bsKernel|bsAuto) != 0 {
|
||||
// "kernel" backpressure mitigation strategy
|
||||
//
|
||||
// configure the kernel to drop audit events immediately if the
|
||||
// backlog queue is full.
|
||||
if status.FeatureBitmap&libaudit.AuditFeatureBitmapBacklogWaitTime != 0 {
|
||||
ms.log.Info("Setting kernel backlog wait time to prevent backpressure propagating to the kernel.")
|
||||
if err = ms.client.SetBacklogWaitTime(0, libaudit.NoWait); err != nil {
|
||||
return errors.Wrap(err, "failed to set audit backlog wait time in kernel")
|
||||
}
|
||||
} else {
|
||||
if ms.backpressureStrategy == bsAuto {
|
||||
ms.log.Warn("setting backlog wait time is not supported in this kernel. Enabling workaround.")
|
||||
ms.backpressureStrategy |= bsUserSpace
|
||||
} else {
|
||||
return errors.New("kernel backlog wait time not supported by kernel, but required by backpressure_strategy")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ms.backpressureStrategy&(bsKernel|bsUserSpace) == bsUserSpace && ms.config.RateLimit == 0 {
|
||||
// force a rate limit if the user-space strategy will be used without
|
||||
// corresponding backlog_wait_time setting in the kernel
|
||||
ms.config.RateLimit = 5000
|
||||
}
|
||||
|
||||
if status.RateLimit != ms.config.RateLimit {
|
||||
if err = ms.client.SetRateLimit(ms.config.RateLimit, libaudit.NoWait); err != nil {
|
||||
return errors.Wrap(err, "failed to set audit rate limit in kernel")
|
||||
}
|
||||
}
|
||||
|
||||
if status.Enabled == 0 {
|
||||
if err = ms.client.SetEnabled(true, libaudit.NoWait); err != nil {
|
||||
return errors.Wrap(err, "failed to enable auditing in the kernel")
|
||||
}
|
||||
}
|
||||
if err := ms.client.WaitForPendingACKs(); err != nil {
|
||||
return errors.Wrap(err, "failed to wait for ACKs")
|
||||
}
|
||||
if err := ms.client.SetPID(libaudit.WaitForReply); err != nil {
|
||||
if errno, ok := err.(syscall.Errno); ok && errno == syscall.EEXIST && status.PID != 0 {
|
||||
return fmt.Errorf("failed to set audit PID. An audit process is already running (PID %d)", status.PID)
|
||||
}
|
||||
return errors.Wrapf(err, "failed to set audit PID (current audit PID %d)", status.PID)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (ms *MetricSet) updateKernelLostMetric(lost uint32) {
|
||||
if !ms.kernelLost.enabled {
|
||||
return
|
||||
}
|
||||
delta := int64(lost - ms.kernelLost.counter)
|
||||
if delta >= 0 {
|
||||
logFn := ms.log.Debugf
|
||||
if delta > 0 {
|
||||
logFn = ms.log.Infof
|
||||
kernelLostMetric.Add(delta)
|
||||
}
|
||||
logFn("kernel lost events: %d (total: %d)", delta, lost)
|
||||
} else {
|
||||
ms.log.Warnf("kernel lost event counter reset from %d to %d", ms.kernelLost, lost)
|
||||
}
|
||||
ms.kernelLost.counter = lost
|
||||
}
|
||||
|
||||
func (ms *MetricSet) receiveEvents(done <-chan struct{}) (<-chan []*auparse.AuditMessage, error) {
|
||||
if err := ms.initClient(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
out := make(chan []*auparse.AuditMessage, ms.config.StreamBufferQueueSize)
|
||||
|
||||
var st libaudit.Stream = &stream{done, out}
|
||||
if ms.backpressureStrategy&bsUserSpace != 0 {
|
||||
// "user-space" backpressure mitigation strategy
|
||||
//
|
||||
// Consume events from our side as fast as possible, by dropping events
|
||||
// if the publishing pipeline would block.
|
||||
ms.log.Info("Using non-blocking stream to prevent backpressure propagating to the kernel.")
|
||||
st = &nonBlockingStream{done, out}
|
||||
}
|
||||
reassembler, err := libaudit.NewReassembler(int(ms.config.ReassemblerMaxInFlight), ms.config.ReassemblerTimeout, st)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "failed to create Reassembler")
|
||||
}
|
||||
go maintain(done, reassembler)
|
||||
|
||||
go func() {
|
||||
defer ms.log.Debug("receiveEvents goroutine exited")
|
||||
defer close(out)
|
||||
defer reassembler.Close()
|
||||
|
||||
for {
|
||||
raw, err := ms.client.Receive(false)
|
||||
if err != nil {
|
||||
if errors.Cause(err) == syscall.EBADF {
|
||||
// Client has been closed.
|
||||
break
|
||||
}
|
||||
continue
|
||||
}
|
||||
|
||||
if filterRecordType(raw.Type) {
|
||||
continue
|
||||
}
|
||||
receivedMetric.Inc()
|
||||
if err := reassembler.Push(raw.Type, raw.Data); err != nil {
|
||||
ms.log.Debugw("Dropping audit message",
|
||||
"record_type", raw.Type,
|
||||
"message", string(raw.Data),
|
||||
"error", err)
|
||||
continue
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
return out, nil
|
||||
}
|
||||
|
||||
// maintain periodically evicts timed-out events from the Reassembler. This
|
||||
// function will block until the done channel is closed or the Reassembler is
|
||||
// closed.
|
||||
func maintain(done <-chan struct{}, reassembler *libaudit.Reassembler) {
|
||||
tick := time.NewTicker(500 * time.Millisecond)
|
||||
defer tick.Stop()
|
||||
|
||||
for {
|
||||
select {
|
||||
case <-done:
|
||||
return
|
||||
case <-tick.C:
|
||||
if err := reassembler.Maintain(); err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func filterRecordType(typ auparse.AuditMessageType) bool {
|
||||
switch {
|
||||
// REPLACE messages are tests to check if Auditbeat is still healthy by
|
||||
// seeing if unicast messages can be sent without error from the kernel.
|
||||
// Ignore them.
|
||||
case typ == auparse.AUDIT_REPLACE:
|
||||
return true
|
||||
// Messages from 1300-2999 are valid audit message types.
|
||||
case typ < auparse.AUDIT_USER_AUTH || typ > auparse.AUDIT_LAST_USER_MSG2:
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event {
|
||||
auditEvent, err := aucoalesce.CoalesceMessages(msgs)
|
||||
if err != nil {
|
||||
// Add messages on error so that it's possible to debug the problem.
|
||||
out := mb.Event{RootFields: common.MapStr{}}
|
||||
addEventOriginal(msgs, out.RootFields)
|
||||
return out
|
||||
}
|
||||
|
||||
if config.ResolveIDs {
|
||||
aucoalesce.ResolveIDs(auditEvent)
|
||||
}
|
||||
|
||||
eventOutcome := auditEvent.Result
|
||||
if eventOutcome == "fail" {
|
||||
eventOutcome = "failure"
|
||||
}
|
||||
out := mb.Event{
|
||||
Timestamp: auditEvent.Timestamp,
|
||||
RootFields: common.MapStr{
|
||||
"event": common.MapStr{
|
||||
"category": auditEvent.Category.String(),
|
||||
"action": auditEvent.Summary.Action,
|
||||
"outcome": eventOutcome,
|
||||
},
|
||||
},
|
||||
ModuleFields: common.MapStr{
|
||||
"message_type": strings.ToLower(auditEvent.Type.String()),
|
||||
"sequence": auditEvent.Sequence,
|
||||
"result": auditEvent.Result,
|
||||
"data": createAuditdData(auditEvent.Data),
|
||||
},
|
||||
}
|
||||
if auditEvent.Session != uidUnset {
|
||||
out.ModuleFields.Put("session", auditEvent.Session)
|
||||
}
|
||||
|
||||
// Add root level fields.
|
||||
addUser(auditEvent.User, out.RootFields)
|
||||
addProcess(auditEvent.Process, out.RootFields)
|
||||
addFile(auditEvent.File, out.RootFields)
|
||||
addAddress(auditEvent.Source, "source", out.RootFields)
|
||||
addAddress(auditEvent.Dest, "destination", out.RootFields)
|
||||
addNetwork(auditEvent.Net, out.RootFields)
|
||||
if len(auditEvent.Tags) > 0 {
|
||||
out.RootFields.Put("tags", auditEvent.Tags)
|
||||
}
|
||||
if config.Warnings && len(auditEvent.Warnings) > 0 {
|
||||
warnings := make([]string, 0, len(auditEvent.Warnings))
|
||||
for _, err := range auditEvent.Warnings {
|
||||
warnings = append(warnings, err.Error())
|
||||
}
|
||||
out.RootFields.Put("error.message", warnings)
|
||||
addEventOriginal(msgs, out.RootFields)
|
||||
}
|
||||
if config.RawMessage {
|
||||
addEventOriginal(msgs, out.RootFields)
|
||||
}
|
||||
|
||||
// Add module fields.
|
||||
m := out.ModuleFields
|
||||
if auditEvent.Summary.Actor.Primary != "" {
|
||||
m.Put("summary.actor.primary", auditEvent.Summary.Actor.Primary)
|
||||
}
|
||||
if auditEvent.Summary.Actor.Secondary != "" {
|
||||
m.Put("summary.actor.secondary", auditEvent.Summary.Actor.Secondary)
|
||||
}
|
||||
if auditEvent.Summary.Object.Primary != "" {
|
||||
m.Put("summary.object.primary", auditEvent.Summary.Object.Primary)
|
||||
}
|
||||
if auditEvent.Summary.Object.Secondary != "" {
|
||||
m.Put("summary.object.secondary", auditEvent.Summary.Object.Secondary)
|
||||
}
|
||||
if auditEvent.Summary.Object.Type != "" {
|
||||
m.Put("summary.object.type", auditEvent.Summary.Object.Type)
|
||||
}
|
||||
if auditEvent.Summary.How != "" {
|
||||
m.Put("summary.how", auditEvent.Summary.How)
|
||||
}
|
||||
if len(auditEvent.Paths) > 0 {
|
||||
m.Put("paths", auditEvent.Paths)
|
||||
}
|
||||
|
||||
switch auditEvent.Category {
|
||||
case aucoalesce.EventTypeUserLogin:
|
||||
// Customize event.type / event.category to match unified values.
|
||||
normalizeEventFields(out.RootFields)
|
||||
// Set ECS user fields from the attempted login account.
|
||||
if usernameOrID := auditEvent.Summary.Actor.Secondary; usernameOrID != "" {
|
||||
if usr, err := resolveUsernameOrID(usernameOrID); err == nil {
|
||||
out.RootFields.Put("user.name", usr.Username)
|
||||
out.RootFields.Put("user.id", usr.Uid)
|
||||
} else {
|
||||
// The login account doesn't exists. Treat it as a user name
|
||||
out.RootFields.Put("user.name", usernameOrID)
|
||||
out.RootFields.Delete("user.id")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return out
|
||||
}
|
||||
|
||||
func resolveUsernameOrID(userOrID string) (usr *user.User, err error) {
|
||||
usr, err = user.Lookup(userOrID)
|
||||
if err == nil {
|
||||
// User found by name
|
||||
return
|
||||
}
|
||||
if _, ok := err.(user.UnknownUserError); !ok {
|
||||
// Lookup failed by a reason other than user not found
|
||||
return
|
||||
}
|
||||
return user.LookupId(userOrID)
|
||||
}
|
||||
|
||||
func normalizeEventFields(m common.MapStr) {
|
||||
getFieldAsStr := func(key string) (s string, found bool) {
|
||||
iface, err := m.GetValue(key)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
s, found = iface.(string)
|
||||
return
|
||||
}
|
||||
|
||||
category, ok1 := getFieldAsStr("event.category")
|
||||
action, ok2 := getFieldAsStr("event.action")
|
||||
outcome, ok3 := getFieldAsStr("event.outcome")
|
||||
if !ok1 || !ok2 || !ok3 {
|
||||
return
|
||||
}
|
||||
if category == "user-login" && action == "logged-in" { // USER_LOGIN
|
||||
m.Put("event.category", "authentication")
|
||||
m.Put("event.type", fmt.Sprintf("authentication_%s", outcome))
|
||||
}
|
||||
}
|
||||
|
||||
func addUser(u aucoalesce.User, m common.MapStr) {
|
||||
user := common.MapStr{}
|
||||
m.Put("user", user)
|
||||
|
||||
for id, value := range u.IDs {
|
||||
if value == uidUnset {
|
||||
continue
|
||||
}
|
||||
switch id {
|
||||
case "uid":
|
||||
user["id"] = value
|
||||
case "gid":
|
||||
user.Put("group.id", value)
|
||||
case "euid":
|
||||
user.Put("effective.id", value)
|
||||
case "egid":
|
||||
user.Put("effective.group.id", value)
|
||||
case "suid":
|
||||
user.Put("saved.id", value)
|
||||
case "sgid":
|
||||
user.Put("saved.group.id", value)
|
||||
case "fsuid":
|
||||
user.Put("filesystem.id", value)
|
||||
case "fsgid":
|
||||
user.Put("filesystem.group.id", value)
|
||||
case "auid":
|
||||
user.Put("audit.id", value)
|
||||
default:
|
||||
user.Put(id+".id", value)
|
||||
}
|
||||
|
||||
if len(u.SELinux) > 0 {
|
||||
user["selinux"] = u.SELinux
|
||||
}
|
||||
}
|
||||
|
||||
for id, value := range u.Names {
|
||||
switch id {
|
||||
case "uid":
|
||||
user["name"] = value
|
||||
case "gid":
|
||||
user.Put("group.name", value)
|
||||
case "euid":
|
||||
user.Put("effective.name", value)
|
||||
case "egid":
|
||||
user.Put("effective.group.name", value)
|
||||
case "suid":
|
||||
user.Put("saved.name", value)
|
||||
case "sgid":
|
||||
user.Put("saved.group.name", value)
|
||||
case "fsuid":
|
||||
user.Put("filesystem.name", value)
|
||||
case "fsgid":
|
||||
user.Put("filesystem.group.name", value)
|
||||
case "auid":
|
||||
user.Put("audit.name", value)
|
||||
default:
|
||||
user.Put(id+".name", value)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func addProcess(p aucoalesce.Process, m common.MapStr) {
|
||||
if p.IsEmpty() {
|
||||
return
|
||||
}
|
||||
|
||||
process := common.MapStr{}
|
||||
m.Put("process", process)
|
||||
if p.PID != "" {
|
||||
if pid, err := strconv.Atoi(p.PID); err == nil {
|
||||
process["pid"] = pid
|
||||
}
|
||||
}
|
||||
if p.PPID != "" {
|
||||
if ppid, err := strconv.Atoi(p.PPID); err == nil {
|
||||
process["ppid"] = ppid
|
||||
}
|
||||
}
|
||||
if p.Title != "" {
|
||||
process["title"] = p.Title
|
||||
}
|
||||
if p.Name != "" {
|
||||
process["name"] = p.Name
|
||||
}
|
||||
if p.Exe != "" {
|
||||
process["executable"] = p.Exe
|
||||
}
|
||||
if p.CWD != "" {
|
||||
process["working_directory"] = p.CWD
|
||||
}
|
||||
if len(p.Args) > 0 {
|
||||
process["args"] = p.Args
|
||||
}
|
||||
}
|
||||
|
||||
func addFile(f *aucoalesce.File, m common.MapStr) {
|
||||
if f == nil {
|
||||
return
|
||||
}
|
||||
|
||||
file := common.MapStr{}
|
||||
m.Put("file", file)
|
||||
if f.Path != "" {
|
||||
file["path"] = f.Path
|
||||
}
|
||||
if f.Device != "" {
|
||||
file["device"] = f.Device
|
||||
}
|
||||
if f.Inode != "" {
|
||||
file["inode"] = f.Inode
|
||||
}
|
||||
if f.Mode != "" {
|
||||
file["mode"] = f.Mode
|
||||
}
|
||||
if f.UID != "" {
|
||||
file["uid"] = f.UID
|
||||
}
|
||||
if f.GID != "" {
|
||||
file["gid"] = f.GID
|
||||
}
|
||||
if f.Owner != "" {
|
||||
file["owner"] = f.Owner
|
||||
}
|
||||
if f.Group != "" {
|
||||
file["group"] = f.Group
|
||||
}
|
||||
if len(f.SELinux) > 0 {
|
||||
file["selinux"] = f.SELinux
|
||||
}
|
||||
}
|
||||
|
||||
func addAddress(addr *aucoalesce.Address, key string, m common.MapStr) {
|
||||
if addr == nil {
|
||||
return
|
||||
}
|
||||
|
||||
address := common.MapStr{}
|
||||
m.Put(key, address)
|
||||
if addr.Hostname != "" {
|
||||
address["domain"] = addr.Hostname
|
||||
}
|
||||
if addr.IP != "" {
|
||||
address["ip"] = addr.IP
|
||||
}
|
||||
if addr.Port != "" {
|
||||
address["port"] = addr.Port
|
||||
}
|
||||
if addr.Path != "" {
|
||||
address["path"] = addr.Path
|
||||
}
|
||||
}
|
||||
|
||||
func addNetwork(net *aucoalesce.Network, m common.MapStr) {
|
||||
if net == nil {
|
||||
return
|
||||
}
|
||||
|
||||
network := common.MapStr{
|
||||
"direction": net.Direction,
|
||||
}
|
||||
m.Put("network", network)
|
||||
}
|
||||
|
||||
func addEventOriginal(msgs []*auparse.AuditMessage, m common.MapStr) {
|
||||
const key = "event.original"
|
||||
if len(msgs) == 0 {
|
||||
return
|
||||
}
|
||||
original, _ := m.GetValue(key)
|
||||
if original != nil {
|
||||
return
|
||||
}
|
||||
rawMsgs := make([]string, 0, len(msgs))
|
||||
for _, msg := range msgs {
|
||||
rawMsgs = append(rawMsgs, "type="+msg.RecordType.String()+" msg="+msg.RawData)
|
||||
}
|
||||
m.Put(key, rawMsgs)
|
||||
}
|
||||
|
||||
func createAuditdData(data map[string]string) common.MapStr {
|
||||
out := make(common.MapStr, len(data))
|
||||
for key, v := range data {
|
||||
if strings.HasPrefix(key, "socket_") {
|
||||
out.Put("socket."+key[7:], v)
|
||||
continue
|
||||
}
|
||||
|
||||
out.Put(key, v)
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
// stream type
|
||||
|
||||
// stream receives callbacks from the libaudit.Reassembler for completed events
|
||||
// or lost events that are detected by gaps in sequence numbers.
|
||||
type stream struct {
|
||||
done <-chan struct{}
|
||||
out chan<- []*auparse.AuditMessage
|
||||
}
|
||||
|
||||
func (s *stream) ReassemblyComplete(msgs []*auparse.AuditMessage) {
|
||||
select {
|
||||
case <-s.done:
|
||||
return
|
||||
case s.out <- msgs:
|
||||
}
|
||||
}
|
||||
|
||||
func (s *stream) EventsLost(count int) {
|
||||
reassemblerGapsMetric.Add(int64(count))
|
||||
}
|
||||
|
||||
// nonBlockingStream behaves as stream above, except that it will never block
|
||||
// on backpressure from the publishing pipeline.
|
||||
// Instead, events will be discarded.
|
||||
type nonBlockingStream stream
|
||||
|
||||
func (s *nonBlockingStream) ReassemblyComplete(msgs []*auparse.AuditMessage) {
|
||||
select {
|
||||
case <-s.done:
|
||||
return
|
||||
case s.out <- msgs:
|
||||
default:
|
||||
userspaceLostMetric.Add(int64(len(msgs)))
|
||||
}
|
||||
}
|
||||
|
||||
func (s *nonBlockingStream) EventsLost(count int) {
|
||||
(*stream)(s).EventsLost(count)
|
||||
}
|
||||
|
||||
func hasMulticastSupport() bool {
|
||||
// Check the kernel version because 3.16+ should have multicast
|
||||
// support.
|
||||
major, minor, _, err := kernelVersion()
|
||||
if err != nil {
|
||||
// Assume not supported.
|
||||
return false
|
||||
}
|
||||
|
||||
switch {
|
||||
case major > 3,
|
||||
major == 3 && minor >= 16:
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
func kernelVersion() (major, minor int, full string, err error) {
|
||||
var uname syscall.Utsname
|
||||
if err := syscall.Uname(&uname); err != nil {
|
||||
return 0, 0, "", err
|
||||
}
|
||||
|
||||
length := len(uname.Release)
|
||||
data := make([]byte, length)
|
||||
for i, v := range uname.Release {
|
||||
if v == 0 {
|
||||
length = i
|
||||
break
|
||||
}
|
||||
data[i] = byte(v)
|
||||
}
|
||||
|
||||
release := string(data[:length])
|
||||
parts := strings.SplitN(release, ".", 3)
|
||||
if len(parts) < 2 {
|
||||
return 0, 0, release, errors.Errorf("failed to parse uname release '%v'", release)
|
||||
}
|
||||
|
||||
major, err = strconv.Atoi(parts[0])
|
||||
if err != nil {
|
||||
return 0, 0, release, errors.Wrapf(err, "failed to parse major version from '%v'", release)
|
||||
}
|
||||
|
||||
minor, err = strconv.Atoi(parts[1])
|
||||
if err != nil {
|
||||
return 0, 0, release, errors.Wrapf(err, "failed to parse minor version from '%v'", release)
|
||||
}
|
||||
|
||||
return major, minor, release, nil
|
||||
}
|
||||
|
||||
func determineSocketType(c *Config, log *logp.Logger) (string, error) {
|
||||
client, err := libaudit.NewAuditClient(nil)
|
||||
if err != nil {
|
||||
if c.SocketType == "" {
|
||||
return "", errors.Wrap(err, "failed to create audit client")
|
||||
}
|
||||
// Ignore errors if a socket type has been specified. It will fail during
|
||||
// further setup and its necessary for unit tests to pass
|
||||
return c.SocketType, nil
|
||||
}
|
||||
defer client.Close()
|
||||
status, err := client.GetStatus()
|
||||
if err != nil {
|
||||
if c.SocketType == "" {
|
||||
return "", errors.Wrap(err, "failed to get audit status")
|
||||
}
|
||||
return c.SocketType, nil
|
||||
}
|
||||
rules := c.rules()
|
||||
|
||||
isLocked := status.Enabled == auditLocked
|
||||
hasMulticast := hasMulticastSupport()
|
||||
hasRules := len(rules) > 0
|
||||
|
||||
const useAutodetect = "Remove the socket_type option to have auditbeat " +
|
||||
"select the most suitable subscription method."
|
||||
switch c.SocketType {
|
||||
case unicast:
|
||||
if isLocked {
|
||||
log.Errorf("requested unicast socket_type is not available "+
|
||||
"because audit configuration is locked in the kernel "+
|
||||
"(enabled=2). %s", useAutodetect)
|
||||
return "", errors.New("unicast socket_type not available")
|
||||
}
|
||||
return c.SocketType, nil
|
||||
|
||||
case multicast:
|
||||
if hasMulticast {
|
||||
if hasRules {
|
||||
log.Warn("The audit rules specified in the configuration " +
|
||||
"cannot be applied when using a multicast socket_type.")
|
||||
}
|
||||
return c.SocketType, nil
|
||||
}
|
||||
log.Errorf("socket_type is set to multicast but based on the "+
|
||||
"kernel version, multicast audit subscriptions are not supported. %s",
|
||||
useAutodetect)
|
||||
return "", errors.New("multicast socket_type not available")
|
||||
|
||||
default:
|
||||
// attempt to determine the optimal socket_type
|
||||
if hasMulticast {
|
||||
if hasRules {
|
||||
if isLocked {
|
||||
log.Warn("Audit rules specified in the configuration " +
|
||||
"cannot be applied because the audit rules have been locked " +
|
||||
"in the kernel (enabled=2). A multicast audit subscription " +
|
||||
"will be used instead, which does not support setting rules")
|
||||
return multicast, nil
|
||||
}
|
||||
return unicast, nil
|
||||
}
|
||||
return multicast, nil
|
||||
}
|
||||
if isLocked {
|
||||
log.Errorf("Cannot continue: audit configuration is locked " +
|
||||
"in the kernel (enabled=2) which prevents using unicast " +
|
||||
"sockets. Multicast audit subscriptions are not available " +
|
||||
"in this kernel. Disable locking the audit configuration " +
|
||||
"to use auditbeat.")
|
||||
return "", errors.New("no connection to audit available")
|
||||
}
|
||||
return unicast, nil
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
func getBackpressureStrategy(value string, logger *logp.Logger) backpressureStrategy {
|
||||
switch value {
|
||||
case "kernel":
|
||||
return bsKernel
|
||||
case "userspace", "user-space":
|
||||
return bsUserSpace
|
||||
case "auto":
|
||||
return bsAuto
|
||||
case "both":
|
||||
return bsKernel | bsUserSpace
|
||||
case "none":
|
||||
return 0
|
||||
default:
|
||||
logger.Warn("Unknown value for the 'backpressure_strategy' option. Using default.")
|
||||
fallthrough
|
||||
case "", "default":
|
||||
return bsAuto
|
||||
}
|
||||
}
|
||||
|
||||
func buildPIDIgnoreRule(pid int) (ruleData auditRule, err error) {
|
||||
r := rule.SyscallRule{
|
||||
Type: rule.AppendSyscallRuleType,
|
||||
List: "exit",
|
||||
Action: "never",
|
||||
Filters: []rule.FilterSpec{
|
||||
{
|
||||
Type: rule.ValueFilterType,
|
||||
LHS: "pid",
|
||||
Comparator: "=",
|
||||
RHS: strconv.Itoa(pid),
|
||||
},
|
||||
},
|
||||
Syscalls: []string{"all"},
|
||||
Keys: nil,
|
||||
}
|
||||
ruleData.flags = fmt.Sprintf("-A exit,never -F pid=%d -S all", pid)
|
||||
ruleData.data, err = rule.Build(&r)
|
||||
return ruleData, err
|
||||
}
|
|
@ -1,389 +0,0 @@
|
|||
// Licensed to Elasticsearch B.V. under one or more contributor
|
||||
// license agreements. See the NOTICE file distributed with
|
||||
// this work for additional information regarding copyright
|
||||
// ownership. Elasticsearch B.V. licenses this file to you under
|
||||
// the Apache License, Version 2.0 (the "License"); you may
|
||||
// not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing,
|
||||
// software distributed under the License is distributed on an
|
||||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
// KIND, either express or implied. See the License for the
|
||||
// specific language governing permissions and limitations
|
||||
// under the License.
|
||||
|
||||
package auditd
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"flag"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"os/exec"
|
||||
"os/user"
|
||||
"sort"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
|
||||
"github.com/prometheus/procfs"
|
||||
|
||||
"github.com/elastic/beats/auditbeat/core"
|
||||
"github.com/elastic/beats/libbeat/common"
|
||||
"github.com/elastic/beats/libbeat/logp"
|
||||
"github.com/elastic/beats/libbeat/mapping"
|
||||
"github.com/elastic/beats/metricbeat/mb"
|
||||
mbtest "github.com/elastic/beats/metricbeat/mb/testing"
|
||||
"github.com/elastic/go-libaudit"
|
||||
"github.com/elastic/go-libaudit/auparse"
|
||||
)
|
||||
|
||||
// Specify the -audit flag when running these tests to interact with the real
|
||||
// kernel instead of mocks. If running in Docker this requires being in the
|
||||
// host PID namespace (--pid=host) and having CAP_AUDIT_CONTROL and
|
||||
// CAP_AUDIT_WRITE (so use --privileged).
|
||||
var audit = flag.Bool("audit", false, "interact with the real audit framework")
|
||||
|
||||
var (
|
||||
userLoginFailMsg = `type=USER_LOGIN msg=audit(1492896301.818:19955): pid=12635 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=179.38.151.221 terminal=sshd res=failed'`
|
||||
userLoginSuccessMsg = `type=USER_LOGIN msg=audit(1492896303.915:19956): pid=12635 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=61647269616E exe="/usr/sbin/sshd" hostname=? addr=179.38.151.221 terminal=sshd res=success'`
|
||||
userAuthMsg = `type=USER_AUTH msg=audit(1552714590.571:21114): pid=11312 uid=0 auid=0 ses=62 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname="test" addr="127.0.0.1" terminal=/dev/pts/0 res=success'`
|
||||
|
||||
execveMsgs = []string{
|
||||
`type=SYSCALL msg=audit(1492752522.985:8972): arch=c000003e syscall=59 success=yes exit=0 a0=10812c8 a1=1070208 a2=1152008 a3=59a items=2 ppid=10027 pid=10043 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts0 ses=11 comm="uname" exe="/bin/uname" key="key=user_commands"`,
|
||||
`type=EXECVE msg=audit(1492752522.985:8972): argc=2 a0="uname" a1="-a"`,
|
||||
`type=CWD msg=audit(1492752522.985:8972): cwd="/home/andrew_kroh"`,
|
||||
`type=PATH msg=audit(1492752522.985:8972): item=0 name="/bin/uname" inode=155 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL`,
|
||||
`type=PATH msg=audit(1492752522.985:8972): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1923 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL`,
|
||||
`type=PROCTITLE msg=audit(1492752522.985:8972): proctitle=756E616D65002D61`,
|
||||
`type=EOE msg=audit(1492752522.985:8972):`,
|
||||
}
|
||||
|
||||
acceptMsgs = []string{
|
||||
`type=SYSCALL msg=audit(1492752520.441:8832): arch=c000003e syscall=43 success=yes exit=5 a0=3 a1=7ffd0dc80040 a2=7ffd0dc7ffd0 a3=0 items=0 ppid=1 pid=1663 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="key=net"`,
|
||||
`type=SOCKADDR msg=audit(1492752520.441:8832): saddr=0200E31C4853E6640000000000000000`,
|
||||
`type=PROCTITLE msg=audit(1492752520.441:8832): proctitle="(sshd)"`,
|
||||
`type=EOE msg=audit(1492752520.441:8832):`,
|
||||
}
|
||||
)
|
||||
|
||||
func TestData(t *testing.T) {
|
||||
logp.TestingSetup()
|
||||
|
||||
// Create a mock netlink client that provides the expected responses.
|
||||
mock := NewMock().
|
||||
// Get Status response for initClient
|
||||
returnACK().returnStatus().
|
||||
// Send expected ACKs for initialization
|
||||
returnACK().returnACK().returnACK().returnACK().returnACK().
|
||||
// Send three auditd messages.
|
||||
returnMessage(userLoginFailMsg).
|
||||
returnMessage(execveMsgs...).
|
||||
returnMessage(acceptMsgs...)
|
||||
|
||||
// Replace the default AuditClient with a mock.
|
||||
ms := mbtest.NewPushMetricSetV2(t, getConfig())
|
||||
auditMetricSet := ms.(*MetricSet)
|
||||
auditMetricSet.client.Close()
|
||||
auditMetricSet.client = &libaudit.AuditClient{Netlink: mock}
|
||||
|
||||
events := mbtest.RunPushMetricSetV2(10*time.Second, 3, ms)
|
||||
if len(events) != 3 {
|
||||
t.Fatalf("expected 3 events, but received %d", len(events))
|
||||
}
|
||||
assertNoErrors(t, events)
|
||||
|
||||
assertFieldsAreDocumented(t, events)
|
||||
|
||||
beatEvent := mbtest.StandardizeEvent(ms, events[0], core.AddDatasetToEvent)
|
||||
mbtest.WriteEventToDataJSON(t, beatEvent, "")
|
||||
}
|
||||
|
||||
func TestLoginType(t *testing.T) {
|
||||
logp.TestingSetup()
|
||||
|
||||
// Create a mock netlink client that provides the expected responses.
|
||||
mock := NewMock().
|
||||
// Get Status response for initClient
|
||||
returnACK().returnStatus().
|
||||
// Send expected ACKs for initialization
|
||||
returnACK().returnACK().returnACK().returnACK().returnACK().
|
||||
// Send an authentication failure and a success.
|
||||
returnMessage(userLoginFailMsg).
|
||||
returnMessage(userLoginSuccessMsg).
|
||||
returnMessage(userAuthMsg)
|
||||
|
||||
// Replace the default AuditClient with a mock.
|
||||
ms := mbtest.NewPushMetricSetV2(t, getConfig())
|
||||
auditMetricSet := ms.(*MetricSet)
|
||||
auditMetricSet.client.Close()
|
||||
auditMetricSet.client = &libaudit.AuditClient{Netlink: mock}
|
||||
|
||||
const expectedEvents = 3
|
||||
events := mbtest.RunPushMetricSetV2(10*time.Second, expectedEvents, ms)
|
||||
if len(events) != expectedEvents {
|
||||
t.Fatalf("expected %d events, but received %d", expectedEvents, len(events))
|
||||
}
|
||||
assertNoErrors(t, events)
|
||||
|
||||
assertFieldsAreDocumented(t, events)
|
||||
|
||||
sort.Slice(events,
|
||||
func(i, j int) bool {
|
||||
return events[i].ModuleFields["sequence"].(uint32) < events[j].ModuleFields["sequence"].(uint32)
|
||||
})
|
||||
|
||||
for idx, expected := range []common.MapStr{
|
||||
{
|
||||
"event.category": "authentication",
|
||||
"event.type": "authentication_failure",
|
||||
"event.outcome": "failure",
|
||||
"user.name": "(invalid user)",
|
||||
"user.id": nil,
|
||||
"session": nil,
|
||||
},
|
||||
{
|
||||
"event.category": "authentication",
|
||||
"event.type": "authentication_success",
|
||||
"event.outcome": "success",
|
||||
"user.name": "adrian",
|
||||
"user.audit.id": nil,
|
||||
"auditd.session": nil,
|
||||
},
|
||||
{
|
||||
"event.category": "user-login",
|
||||
"event.outcome": "success",
|
||||
"user.name": "root",
|
||||
"user.id": "0",
|
||||
"user.audit.id": "0",
|
||||
"auditd.session": "62",
|
||||
},
|
||||
} {
|
||||
beatEvent := mbtest.StandardizeEvent(ms, events[idx], core.AddDatasetToEvent)
|
||||
mbtest.WriteEventToDataJSON(t, beatEvent, "")
|
||||
for k, v := range expected {
|
||||
msg := fmt.Sprintf("%s[%d]", k, idx)
|
||||
cur, err := beatEvent.GetValue(k)
|
||||
if v != nil {
|
||||
assert.NoError(t, err, msg)
|
||||
assert.Equal(t, v, cur, msg)
|
||||
} else {
|
||||
_, err := beatEvent.GetValue(k)
|
||||
assert.Equal(t, common.ErrKeyNotFound, err, msg)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// assertFieldsAreDocumented mimics assert_fields_are_documented in Python system tests.
|
||||
func assertFieldsAreDocumented(t *testing.T, events []mb.Event) {
|
||||
fieldsYml, err := mapping.LoadFieldsYaml("../../fields.yml")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
documentedFields := fieldsYml.GetKeys()
|
||||
|
||||
for _, e := range events {
|
||||
beatEvent := e.BeatEvent(moduleName, metricsetName, core.AddDatasetToEvent)
|
||||
for eventFieldName := range beatEvent.Fields.Flatten() {
|
||||
found := false
|
||||
for _, documentedFieldName := range documentedFields {
|
||||
// Have to use HasPrefix and not "==" since fields in auditd.paths.* get flattened
|
||||
// to auditd.paths which does not exist in fields.yml.
|
||||
if strings.HasPrefix(documentedFieldName, eventFieldName) {
|
||||
found = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !found {
|
||||
assert.Fail(t, "Field not documented", "Key '%v' found in event is not documented.", eventFieldName)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func getConfig() map[string]interface{} {
|
||||
return map[string]interface{}{
|
||||
"module": "auditd",
|
||||
"failure_mode": "log",
|
||||
"socket_type": "unicast",
|
||||
"include_warnings": true,
|
||||
"include_raw_message": true,
|
||||
}
|
||||
}
|
||||
|
||||
func TestUnicastClient(t *testing.T) {
|
||||
if !*audit {
|
||||
t.Skip("-audit was not specified")
|
||||
}
|
||||
|
||||
logp.TestingSetup()
|
||||
FailIfAuditdIsRunning(t)
|
||||
|
||||
c := map[string]interface{}{
|
||||
"module": "auditd",
|
||||
"socket_type": "unicast",
|
||||
"audit_rules": fmt.Sprintf(`
|
||||
-a always,exit -F arch=b64 -F ppid=%d -S execve -k exec
|
||||
`, os.Getpid()),
|
||||
}
|
||||
|
||||
// Any commands executed by this process will generate events due to the
|
||||
// PPID filter we applied to the rule.
|
||||
time.AfterFunc(time.Second, func() { exec.Command("cat", "/proc/self/status").Output() })
|
||||
|
||||
ms := mbtest.NewPushMetricSetV2(t, c)
|
||||
events := mbtest.RunPushMetricSetV2(5*time.Second, 0, ms)
|
||||
assertNoErrors(t, events)
|
||||
assertHasBinCatExecve(t, events)
|
||||
}
|
||||
|
||||
func TestMulticastClient(t *testing.T) {
|
||||
if !*audit {
|
||||
t.Skip("-audit was not specified")
|
||||
}
|
||||
|
||||
if !hasMulticastSupport() {
|
||||
t.Skip("no multicast support")
|
||||
}
|
||||
|
||||
logp.TestingSetup()
|
||||
FailIfAuditdIsRunning(t)
|
||||
|
||||
c := map[string]interface{}{
|
||||
"module": "auditd",
|
||||
"socket_type": "multicast",
|
||||
"audit_rules": fmt.Sprintf(`
|
||||
-a always,exit -F arch=b64 -F ppid=%d -S execve -k exec
|
||||
`, os.Getpid()),
|
||||
}
|
||||
|
||||
// Any commands executed by this process will generate events due to the
|
||||
// PPID filter we applied to the rule.
|
||||
time.AfterFunc(time.Second, func() { exec.Command("cat", "/proc/self/status").Output() })
|
||||
|
||||
ms := mbtest.NewPushMetricSetV2(t, c)
|
||||
events := mbtest.RunPushMetricSetV2(5*time.Second, 0, ms)
|
||||
assertNoErrors(t, events)
|
||||
assertHasBinCatExecve(t, events)
|
||||
}
|
||||
|
||||
func TestKernelVersion(t *testing.T) {
|
||||
major, minor, full, err := kernelVersion()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
t.Logf("major=%v, minor=%v, full=%v", major, minor, full)
|
||||
}
|
||||
|
||||
func FailIfAuditdIsRunning(t testing.TB) {
|
||||
t.Helper()
|
||||
|
||||
procs, err := procfs.AllProcs()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
for _, proc := range procs {
|
||||
comm, err := proc.Comm()
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
continue
|
||||
}
|
||||
|
||||
if comm == "auditd" {
|
||||
t.Fatalf("auditd is running (pid=%d). This test cannot run while "+
|
||||
"auditd is running.", proc.PID)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestBuildMetricbeatEvent(t *testing.T) {
|
||||
if f := flag.Lookup("data"); f != nil && f.Value.String() == "false" {
|
||||
t.Skip("skip data generation tests")
|
||||
}
|
||||
buildSampleEvent(t, acceptMsgs, "_meta/accept.json")
|
||||
buildSampleEvent(t, execveMsgs, "_meta/execve.json")
|
||||
}
|
||||
|
||||
func buildSampleEvent(t testing.TB, lines []string, filename string) {
|
||||
var msgs []*auparse.AuditMessage
|
||||
for _, txt := range lines {
|
||||
m, err := auparse.ParseLogLine(txt)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
msgs = append(msgs, m)
|
||||
}
|
||||
|
||||
e := buildMetricbeatEvent(msgs, defaultConfig)
|
||||
beatEvent := e.BeatEvent(moduleName, metricsetName, core.AddDatasetToEvent)
|
||||
output, err := json.MarshalIndent(&beatEvent.Fields, "", " ")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
if err := ioutil.WriteFile(filename, output, 0644); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
func assertHasBinCatExecve(t *testing.T, events []mb.Event) {
|
||||
t.Helper()
|
||||
|
||||
for _, e := range events {
|
||||
v, err := e.RootFields.GetValue("process.executable")
|
||||
if err == nil {
|
||||
if exe, ok := v.(string); ok && exe == "/bin/cat" {
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
assert.Fail(t, "expected an execve event for /bin/cat")
|
||||
}
|
||||
|
||||
func assertNoErrors(t *testing.T, events []mb.Event) {
|
||||
t.Helper()
|
||||
|
||||
for _, e := range events {
|
||||
t.Log(e)
|
||||
|
||||
if e.Error != nil {
|
||||
t.Errorf("received error: %+v", e.Error)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func BenchmarkResolveUsernameOrID(b *testing.B) {
|
||||
for _, query := range []struct {
|
||||
input string
|
||||
name string
|
||||
id string
|
||||
err bool
|
||||
}{
|
||||
{input: "0", name: "root", id: "0"},
|
||||
{input: "root", name: "root", id: "0"},
|
||||
{input: "vagrant", name: "vagrant", id: "1000"},
|
||||
{input: "1000", name: "vagrant", id: "1000"},
|
||||
{input: "nonexisting", err: true},
|
||||
{input: "9987", err: true},
|
||||
} {
|
||||
b.Run(query.input, func(b *testing.B) {
|
||||
var usr *user.User
|
||||
var err error
|
||||
for i := 0; i < b.N; i++ {
|
||||
usr, err = resolveUsernameOrID(query.input)
|
||||
}
|
||||
if assert.Equal(b, query.err, err != nil, fmt.Sprintf("%v", err)) && !query.err {
|
||||
assert.Equal(b, query.name, usr.Username)
|
||||
assert.Equal(b, query.id, usr.Uid)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
|
@ -1,39 +0,0 @@
|
|||
// Licensed to Elasticsearch B.V. under one or more contributor
|
||||
// license agreements. See the NOTICE file distributed with
|
||||
// this work for additional information regarding copyright
|
||||
// ownership. Elasticsearch B.V. licenses this file to you under
|
||||
// the Apache License, Version 2.0 (the "License"); you may
|
||||
// not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing,
|
||||
// software distributed under the License is distributed on an
|
||||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
// KIND, either express or implied. See the License for the
|
||||
// specific language governing permissions and limitations
|
||||
// under the License.
|
||||
|
||||
// +build !linux
|
||||
|
||||
package auditd
|
||||
|
||||
import (
|
||||
"github.com/pkg/errors"
|
||||
|
||||
"github.com/elastic/beats/metricbeat/mb"
|
||||
"github.com/elastic/beats/metricbeat/mb/parse"
|
||||
)
|
||||
|
||||
func init() {
|
||||
mb.Registry.MustAddMetricSet(metricsetName, metricsetName, New,
|
||||
mb.DefaultMetricSet(),
|
||||
mb.WithHostParser(parse.EmptyHostParser),
|
||||
)
|
||||
}
|
||||
|
||||
// New constructs a new MetricSet.
|
||||
func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
|
||||
return nil, errors.Errorf("the %v module is only supported on Linux", metricsetName)
|
||||
}
|
|
@ -1,215 +0,0 @@
|
|||
// Licensed to Elasticsearch B.V. under one or more contributor
|
||||
// license agreements. See the NOTICE file distributed with
|
||||
// this work for additional information regarding copyright
|
||||
// ownership. Elasticsearch B.V. licenses this file to you under
|
||||
// the Apache License, Version 2.0 (the "License"); you may
|
||||
// not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing,
|
||||
// software distributed under the License is distributed on an
|
||||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
// KIND, either express or implied. See the License for the
|
||||
// specific language governing permissions and limitations
|
||||
// under the License.
|
||||
|
||||
package auditd
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"bytes"
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"sort"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/joeshaw/multierror"
|
||||
"github.com/pkg/errors"
|
||||
|
||||
"github.com/elastic/go-libaudit/rule"
|
||||
"github.com/elastic/go-libaudit/rule/flags"
|
||||
)
|
||||
|
||||
const (
|
||||
moduleName = "auditd"
|
||||
metricsetName = "auditd"
|
||||
recursiveGlobDepth = 8
|
||||
)
|
||||
|
||||
// Config defines the kernel metricset's possible configuration options.
|
||||
type Config struct {
|
||||
ResolveIDs bool `config:"resolve_ids"` // Resolve UID/GIDs to names.
|
||||
FailureMode string `config:"failure_mode"` // Failure mode for the kernel (silent, log, panic).
|
||||
BacklogLimit uint32 `config:"backlog_limit"` // Max number of message to buffer in the auditd.
|
||||
RateLimit uint32 `config:"rate_limit"` // Rate limit in messages/sec of messages from auditd.
|
||||
RawMessage bool `config:"include_raw_message"` // Include the list of raw audit messages in the event.
|
||||
Warnings bool `config:"include_warnings"` // Include warnings in the event (for dev/debug purposes only).
|
||||
RulesBlob string `config:"audit_rules"` // Audit rules. One rule per line.
|
||||
RuleFiles []string `config:"audit_rule_files"` // List of rule files.
|
||||
SocketType string `config:"socket_type"` // Socket type to use with the kernel (unicast or multicast).
|
||||
|
||||
// Tuning options (advanced, use with care)
|
||||
ReassemblerMaxInFlight uint32 `config:"reassembler.max_in_flight"`
|
||||
ReassemblerTimeout time.Duration `config:"reassembler.timeout"`
|
||||
StreamBufferQueueSize uint32 `config:"reassembler.queue_size"`
|
||||
// BackpressureStrategy defines the strategy used to mitigate backpressure
|
||||
// propagating to the kernel causing audited processes to block until
|
||||
// Auditbeat can keep-up.
|
||||
// One of "user-space", "kernel", "both", "none", "auto" (default)
|
||||
BackpressureStrategy string `config:"backpressure_strategy"`
|
||||
StreamBufferConsumers int `config:"stream_buffer_consumers"`
|
||||
|
||||
auditRules []auditRule
|
||||
}
|
||||
|
||||
type auditRule struct {
|
||||
flags string
|
||||
data []byte
|
||||
}
|
||||
|
||||
type ruleWithSource struct {
|
||||
rule auditRule
|
||||
source string
|
||||
}
|
||||
|
||||
type ruleSet map[string]ruleWithSource
|
||||
|
||||
var defaultConfig = Config{
|
||||
ResolveIDs: true,
|
||||
FailureMode: "silent",
|
||||
BacklogLimit: 8192,
|
||||
RateLimit: 0,
|
||||
RawMessage: false,
|
||||
Warnings: false,
|
||||
ReassemblerMaxInFlight: 50,
|
||||
ReassemblerTimeout: 2 * time.Second,
|
||||
StreamBufferQueueSize: 8192,
|
||||
StreamBufferConsumers: 0,
|
||||
}
|
||||
|
||||
// Validate validates the rules specified in the config.
|
||||
func (c *Config) Validate() error {
|
||||
var errs multierror.Errors
|
||||
err := c.loadRules()
|
||||
if err != nil {
|
||||
errs = append(errs, err)
|
||||
}
|
||||
_, err = c.failureMode()
|
||||
if err != nil {
|
||||
errs = append(errs, err)
|
||||
}
|
||||
|
||||
c.SocketType = strings.ToLower(c.SocketType)
|
||||
switch c.SocketType {
|
||||
case "", "unicast", "multicast":
|
||||
default:
|
||||
errs = append(errs, errors.Errorf("invalid socket_type "+
|
||||
"'%v' (use unicast, multicast, or don't set a value)", c.SocketType))
|
||||
}
|
||||
|
||||
return errs.Err()
|
||||
}
|
||||
|
||||
// Rules returns a list of rules specified in the config.
|
||||
func (c Config) rules() []auditRule {
|
||||
return c.auditRules
|
||||
}
|
||||
|
||||
func (c *Config) loadRules() error {
|
||||
var paths []string
|
||||
for _, pattern := range c.RuleFiles {
|
||||
absPattern, err := filepath.Abs(pattern)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to get the absolute path for %s: %v", pattern, err)
|
||||
}
|
||||
files, err := filepath.Glob(absPattern)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
sort.Strings(files)
|
||||
paths = append(paths, files...)
|
||||
}
|
||||
|
||||
knownRules := ruleSet{}
|
||||
|
||||
rules, err := readRules(bytes.NewBufferString(c.RulesBlob), "(audit_rules at auditbeat.yml)", knownRules)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
c.auditRules = append(c.auditRules, rules...)
|
||||
|
||||
for _, filename := range paths {
|
||||
fHandle, err := os.Open(filename)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to open rule file '%s': %v", filename, err)
|
||||
}
|
||||
rules, err = readRules(fHandle, filename, knownRules)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
c.auditRules = append(c.auditRules, rules...)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c Config) failureMode() (uint32, error) {
|
||||
switch strings.ToLower(c.FailureMode) {
|
||||
case "silent":
|
||||
return 0, nil
|
||||
case "log":
|
||||
return 1, nil
|
||||
case "panic":
|
||||
return 2, nil
|
||||
default:
|
||||
return 0, errors.Errorf("invalid failure_mode '%v' (use silent, log, or panic)", c.FailureMode)
|
||||
}
|
||||
}
|
||||
|
||||
func readRules(reader io.Reader, source string, knownRules ruleSet) (rules []auditRule, err error) {
|
||||
var errs multierror.Errors
|
||||
|
||||
s := bufio.NewScanner(reader)
|
||||
for lineNum := 1; s.Scan(); lineNum++ {
|
||||
location := fmt.Sprintf("%s:%d", source, lineNum)
|
||||
line := strings.TrimSpace(s.Text())
|
||||
if len(line) == 0 || line[0] == '#' {
|
||||
continue
|
||||
}
|
||||
|
||||
// Parse the CLI flags into an intermediate rule specification.
|
||||
r, err := flags.Parse(line)
|
||||
if err != nil {
|
||||
errs = append(errs, errors.Wrapf(err, "at %s: failed to parse rule '%v'", location, line))
|
||||
continue
|
||||
}
|
||||
|
||||
// Convert rule specification to a binary rule representation.
|
||||
data, err := rule.Build(r)
|
||||
if err != nil {
|
||||
errs = append(errs, errors.Wrapf(err, "at %s: failed to interpret rule '%v'", location, line))
|
||||
continue
|
||||
}
|
||||
|
||||
// Detect duplicates based on the normalized binary rule representation.
|
||||
existing, found := knownRules[string(data)]
|
||||
if found {
|
||||
errs = append(errs, errors.Errorf("at %s: rule '%v' is a duplicate of '%v' at %s", location, line, existing.rule.flags, existing.source))
|
||||
continue
|
||||
}
|
||||
rule := auditRule{flags: line, data: []byte(data)}
|
||||
knownRules[string(data)] = ruleWithSource{rule, location}
|
||||
|
||||
rules = append(rules, rule)
|
||||
}
|
||||
|
||||
if len(errs) > 0 {
|
||||
return nil, errors.Wrap(errs.Err(), "failed loading rules")
|
||||
}
|
||||
return rules, nil
|
||||
}
|