Update to libbeat 6.2

Blerim Sheqa 2018-04-06 12:44:37 +02:00
parent d9d582d921
commit defa035fa8
1809 changed files with 86751 additions and 30697 deletions


@ -1,667 +0,0 @@
- key: icingabeat
title: icingabeat
description: Data received from the Icinga 2 API
fields:
- name: timestamp
type: date
description: >
Timestamp of event occurrence
- name: type
type: keyword
description: >
Type of the document
- name: host
type: keyword
description: >
Host that triggered the event
- name: service
type: keyword
description: >
Service that triggered the event
- name: state
type: integer
description: >
State of the check
- name: state_type
type: integer
description: >
State type of the check
- name: author
type: keyword
description: >
Author of a message
- name: notification_type
type: keyword
description: >
Type of notification
- name: text
type: text
description: >
Text of a message
- name: users
type: keyword
description: >
Affected users of a notification
- name: acknowledgement_type
type: integer
description: >
Type of an acknowledgement
- name: expiry
type: date
description: >
Expiry of an acknowledgement
- name: notify
type: keyword
description: >
If has been sent out
- name: check_result.active
type: boolean
description: >
If check was active or passive
- name: check_result.check_source
type: keyword
description: >
Icinga instance that scheduled the check
- name: check_result.command
type: text
description: >
Command that was executed
- name: check_result.execution_end
type: date
description: >
Time when execution of check ended
- name: check_result.execution_start
type: date
description: >
Time when execution of check started
- name: check_result.exit_status
type: integer
description: >
Exit status
- name: check_result.output
type: text
description: >
Output of check
- name: check_result.performance_data
type: text
description: >
Performance data in text format
- name: check_result.schedule_end
type: date
description: >
Time when scheduling of the check ended
- name: check_result.schedule_start
type: date
description: >
Time when check was scheduled
- name: check_result.state
type: integer
description: >
State of the check
- name: check_result.type
type: keyword
description: >
Type of this event
- name: check_result.vars_after.attempt
type: integer
description: >
Check attempt after check execution
- name: check_result.vars_after.reachable
type: boolean
description: >
Reachable state after check execution
- name: check_result.vars_after.state
type: integer
description: >
State of the check after execution
- name: check_result.vars_after.state_type
type: integer
description: >
State type after execution
- name: check_result.vars_before.attempt
type: integer
description: >
Check attempt before check execution
- name: check_result.vars_before.reachable
type: boolean
description: >
Reachable state before check execution
- name: check_result.vars_before.state
type: integer
description: >
Check state before check execution
- name: check_result.vars_before.state_type
type: integer
description: >
State type before check execution
- name: comment.__name
type: text
description: >
Unique identifier of a comment
- name: comment.author
type: keyword
description: >
Author of a comment
- name: comment.entry_time
type: date
description: >
Entry time of a comment
- name: comment.entry_type
type: integer
description: >
Entry type of a comment
- name: comment.expire_time
type: date
description: >
Expire time of a comment
- name: comment.host_name
type: keyword
description: >
Host name of a comment
- name: comment.legacy_id
type: integer
description: >
Legacy ID of a comment
- name: comment.name
type: keyword
description: >
Identifier of a comment
- name: comment.package
type: keyword
description: >
Config package of a comment
- name: comment.service_name
type: keyword
description: >
Service name of a comment
- name: comment.templates
type: text
description: >
Templates used by a comment
- name: comment.text
type: text
description: >
Text of a comment
- name: comment.type
type: keyword
description: >
Comment type
- name: comment.version
type: keyword
description: >
Config version of comment object
- name: comment.zone
type: keyword
description: >
Zone where comment was generated
- name: downtime.__name
type: text
description: >
Unique identifier of a downtime
- name: downtime.author
type: keyword
description: >
Author of a downtime
- name: downtime.comment
type: text
description: >
Text of a downtime
- name: downtime.config_owner
type: text
description: >
Config owner
- name: downtime.duration
type: integer
description: >
Duration of a downtime
- name: downtime.end_time
type: date
description: >
Timestamp of downtime end
- name: downtime.entry_time
type: date
description: >
Timestamp when downtime was created
- name: downtime.fixed
type: boolean
description: >
If downtime is fixed or flexible
- name: downtime.host_name
type: keyword
description: >
Hostname of a downtime
- name: downtime.legacy_id
type: integer
description: >
The integer ID of a downtime
- name: downtime.name
type: keyword
description: >
Downtime config identifier
- name: downtime.package
type: keyword
description: >
Configuration package of downtime
- name: downtime.scheduled_by
type: text
description: >
By whom downtime was scheduled
- name: downtime.service_name
type: keyword
description: >
Service name of a downtime
- name: downtime.start_time
type: date
description: >
Timestamp when downtime starts
- name: downtime.templates
type: text
description: >
Templates used by this downtime
- name: downtime.trigger_time
type: date
description: >
Timestamp when downtime was triggered
- name: downtime.triggered_by
type: text
description: >
By whom downtime was triggered
- name: downtime.triggers
type: text
description: >
Downtime triggers
- name: downtime.type
type: keyword
description: >
Downtime type
- name: downtime.version
type: keyword
description: >
Config version of downtime
- name: downtime.was_cancelled
type: boolean
description: >
If downtime was cancelled
- name: downtime.zone
type: keyword
description: >
Zone of downtime
- name: status.active_host_checks
type: integer
description: >
Active host checks
- name: status.active_host_checks_15min
type: integer
description: >
Active host checks in the last 15 minutes
- name: status.active_host_checks_1min
type: integer
description: >
Acitve host checks in the last minute
- name: status.active_host_checks_5min
type: integer
description: >
Active host checks in the last 5 minutes
- name: status.active_service_checks
type: integer
description: >
Active service checks
- name: status.active_service_checks_15min
type: integer
description: >
Active service checks in the last 15 minutes
- name: status.active_service_checks_1min
type: integer
description: >
Active service checks in the last minute
- name: status.active_service_checks_5min
type: integer
description: >
Active service checks in the last 5 minutes
- name: status.api.identity
type: keyword
description: >
API identity
- name: status.api.num_conn_endpoints
type: integer
description: >
Number of connected endpoints
- name: status.api.num_endpoints
type: integer
description: >
Total number of endpoints
- name: status.api.num_not_conn_endpoints
type: integer
description: >
Number of not connected endpoints
- name: status.avg_execution_time
type: integer
description: >
Average execution time of checks
- name: status.avg_latency
type: integer
description: >
Average latency time
- name: status.checkercomponent.checker.idle
type: integer
description: >
Idle checks
- name: status.checkercomponent.checker.pending
type: integer
description: >
Pending checks
- name: status.filelogger.main-log
type: integer
description: >
Mainlog enabled
- name: status.icingaapplication.app.enable_event_handlers
type: boolean
description: >
Event handlers enabled
- name: status.icingaapplication.app.enable_flapping
type: boolean
description: >
Flapping detection enabled
- name: status.icingaapplication.app.enable_host_checks
type: boolean
description: >
Host checks enabled
- name: status.icingaapplication.app.enable_notifications
type: boolean
description: >
Notifications enabled
- name: status.icingaapplication.app.enable_perfdata
type: boolean
description: >
Perfdata enabled
- name: status.icingaapplication.app.enable_service_checks
type: boolean
description: >
Service checks enabled
- name: status.icingaapplication.app.node_name
type: keyword
description: >
Node name
- name: status.icingaapplication.app.pid
type: integer
description: >
PID
- name: status.icingaapplication.app.program_start
type: integer
description: >
Time when Icinga started
- name: status.icingaapplication.app.version
type: keyword
description: >
Version
- name: status.idomysqlconnection.ido-mysql.connected
type: boolean
description: >
IDO connected
- name: status.idomysqlconnection.ido-mysql.instance_name
type: keyword
description: >
IDO Instance name
- name: status.idomysqlconnection.ido-mysql.query_queue_items
type: integer
description: >
IDO query items in the queue
- name: status.idomysqlconnection.ido-mysql.version
type: keyword
description: >
IDO schema version
- name: status.max_execution_time
type: integer
description: >
Max execution time
- name: status.max_latency
type: integer
description: >
Max latency
- name: status.min_execution_time
type: integer
description: >
Min execution time
- name: status.min_latency
type: integer
description: >
Min latency
- name: status.notificationcomponent.notification
type: integer
description: >
Notification
- name: status.num_hosts_acknowledged
type: integer
description: >
Amount of acknowledged hosts
- name: status.num_hosts_down
type: integer
description: >
Amount of down hosts
- name: status.num_hosts_flapping
type: integer
description: >
Amount of flapping hosts
- name: status.num_hosts_in_downtime
type: integer
description: >
Amount of hosts in downtime
- name: status.num_hosts_pending
type: integer
description: >
Amount of pending hosts
- name: status.num_hosts_unreachable
type: integer
description: >
Amount of unreachable hosts
- name: status.num_hosts_up
type: integer
description: >
Amount of hosts in up state
- name: status.num_services_acknowledged
type: integer
description: >
Amount of acknowledged services
- name: status.num_services_critical
type: integer
description: >
Amount of critical services
- name: status.num_services_flapping
type: integer
description: >
Amount of flapping services
- name: status.num_services_in_downtime
type: integer
description: >
Amount of services in downtime
- name: status.num_services_ok
type: integer
description: >
Amount of services in ok state
- name: status.num_services_pending
type: integer
description: >
Amount of pending services
- name: status.num_services_unknown
type: integer
description: >
Amount of unknown services
- name: status.num_services_unreachable
type: integer
description: >
Amount of unreachable services
- name: status.num_services_warning
type: integer
description: >
Amount of services in warning state
- name: status.passive_host_checks
type: integer
description: >
Amount of passive host checks
- name: status.passive_host_checks_15min
type: integer
description: >
Amount of passive host checks in the last 15 minutes
- name: status.passive_host_checks_1min
type: integer
description: >
Amount of passive host checks in the last minute
- name: status.passive_host_checks_5min
type: integer
description: >
Amount of passive host checks in the last 5 minutes
- name: status.passive_service_checks
type: integer
description: >
Amount of passive service checks
- name: status.passive_service_checks_15min
type: integer
description: >
Amount of passive service checks in the last 15 minutes
- name: status.passive_service_checks_1min
type: integer
description: >
Amount of passive service checks in the last minute
- name: status.passive_service_checks_5min
type: integer
description: >
Amount of passive service checks in the last 5 minutes
- name: status.uptime
type: integer
description: >
Uptime


@ -169,7 +169,6 @@ Region in which this host is running.
[[exported-fields-docker-processor]]
== Docker fields
beta[]
Docker stats collected from Docker.
@ -1272,7 +1271,6 @@ Uptime
[[exported-fields-kubernetes-processor]]
== Kubernetes fields
beta[]
Kubernetes metadata added by the kubernetes processor
@ -1294,6 +1292,14 @@ type: keyword
Kubernetes namespace
[float]
=== `kubernetes.node.name`
type: keyword
Kubernetes node name
[float]
=== `kubernetes.labels`


@ -1,835 +0,0 @@
- key: beat
title: Beat
description: >
Contains common beat fields available in all event types.
fields:
- name: beat.name
description: >
The name of the Beat sending the log messages. If the Beat name is
set in the configuration file, then that value is used. If it is not
set, the hostname is used. To set the Beat name, use the `name`
option in the configuration file.
- name: beat.hostname
description: >
The hostname as returned by the operating system on which the Beat is
running.
- name: beat.timezone
description: >
The timezone as returned by the operating system on which the Beat is
running.
- name: beat.version
description: >
The version of the beat that generated this event.
- name: "@timestamp"
type: date
required: true
format: date
example: August 26th 2016, 12:35:53.332
description: >
The timestamp when the event log record was generated.
- name: tags
description: >
Arbitrary tags that can be set per Beat and per transaction
type.
- name: fields
type: object
object_type: keyword
description: >
Contains user configurable fields.
- name: error
type: group
description: >
Error fields containing additional info in case of errors.
fields:
- name: message
type: text
description: >
Error message.
- name: code
type: long
description: >
Error code.
- name: type
type: keyword
description: >
Error type.
- key: cloud
title: Cloud provider metadata
description: >
Metadata from cloud providers added by the add_cloud_metadata processor.
fields:
- name: meta.cloud.provider
example: ec2
description: >
Name of the cloud provider. Possible values are ec2, gce, or digitalocean.
- name: meta.cloud.instance_id
description: >
Instance ID of the host machine.
- name: meta.cloud.instance_name
description: >
Instance name of the host machine.
- name: meta.cloud.machine_type
example: t2.medium
description: >
Machine type of the host machine.
- name: meta.cloud.availability_zone
example: us-east-1c
description: >
Availability zone in which this host is running.
- name: meta.cloud.project_id
example: project-x
description: >
Name of the project in Google Cloud.
- name: meta.cloud.region
description: >
Region in which this host is running.
- key: docker
title: Docker
description: >
beta[]
Docker stats collected from Docker.
short_config: false
anchor: docker-processor
fields:
- name: docker
type: group
fields:
- name: container.id
type: keyword
description: >
Unique container id.
- name: container.image
type: keyword
description: >
Name of the image the container was built on.
- name: container.name
type: keyword
description: >
Container name.
- name: container.labels
type: object
object_type: keyword
description: >
Image labels.
- key: kubernetes
title: Kubernetes
description: >
beta[]
Kubernetes metadata added by the kubernetes processor
short_config: false
anchor: kubernetes-processor
fields:
- name: kubernetes
type: group
fields:
- name: pod.name
type: keyword
description: >
Kubernetes pod name
- name: namespace
type: keyword
description: >
Kubernetes namespace
- name: labels
type: object
description: >
Kubernetes labels map
- name: annotations
type: object
description: >
Kubernetes annotations map
- name: container.name
type: keyword
description: >
Kubernetes container name
- name: container.image
type: keyword
description: >
Kubernetes container image
- key: icingabeat
title: icingabeat
description: Data received from the Icinga 2 API
fields:
- name: timestamp
type: date
description: >
Timestamp of event occurrence
- name: type
type: keyword
description: >
Type of the document
- name: host
type: keyword
description: >
Host that triggered the event
- name: service
type: keyword
description: >
Service that triggered the event
- name: state
type: integer
description: >
State of the check
- name: state_type
type: integer
description: >
State type of the check
- name: author
type: keyword
description: >
Author of a message
- name: notification_type
type: keyword
description: >
Type of notification
- name: text
type: text
description: >
Text of a message
- name: users
type: keyword
description: >
Affected users of a notification
- name: acknowledgement_type
type: integer
description: >
Type of an acknowledgement
- name: expiry
type: date
description: >
Expiry of an acknowledgement
- name: notify
type: keyword
description: >
If has been sent out
- name: check_result.active
type: boolean
description: >
If check was active or passive
- name: check_result.check_source
type: keyword
description: >
Icinga instance that scheduled the check
- name: check_result.command
type: text
description: >
Command that was executed
- name: check_result.execution_end
type: date
description: >
Time when execution of check ended
- name: check_result.execution_start
type: date
description: >
Time when execution of check started
- name: check_result.exit_status
type: integer
description: >
Exit status
- name: check_result.output
type: text
description: >
Output of check
- name: check_result.performance_data
type: text
description: >
Performance data in text format
- name: check_result.schedule_end
type: date
description: >
Time when scheduling of the check ended
- name: check_result.schedule_start
type: date
description: >
Time when check was scheduled
- name: check_result.state
type: integer
description: >
State of the check
- name: check_result.type
type: keyword
description: >
Type of this event
- name: check_result.vars_after.attempt
type: integer
description: >
Check attempt after check execution
- name: check_result.vars_after.reachable
type: boolean
description: >
Reachable state after check execution
- name: check_result.vars_after.state
type: integer
description: >
State of the check after execution
- name: check_result.vars_after.state_type
type: integer
description: >
State type after execution
- name: check_result.vars_before.attempt
type: integer
description: >
Check attempt before check execution
- name: check_result.vars_before.reachable
type: boolean
description: >
Reachable state before check execution
- name: check_result.vars_before.state
type: integer
description: >
Check state before check execution
- name: check_result.vars_before.state_type
type: integer
description: >
State type before check execution
- name: comment.__name
type: text
description: >
Unique identifier of a comment
- name: comment.author
type: keyword
description: >
Author of a comment
- name: comment.entry_time
type: date
description: >
Entry time of a comment
- name: comment.entry_type
type: integer
description: >
Entry type of a comment
- name: comment.expire_time
type: date
description: >
Expire time of a comment
- name: comment.host_name
type: keyword
description: >
Host name of a comment
- name: comment.legacy_id
type: integer
description: >
Legacy ID of a comment
- name: comment.name
type: keyword
description: >
Identifier of a comment
- name: comment.package
type: keyword
description: >
Config package of a comment
- name: comment.service_name
type: keyword
description: >
Service name of a comment
- name: comment.templates
type: text
description: >
Templates used by a comment
- name: comment.text
type: text
description: >
Text of a comment
- name: comment.type
type: keyword
description: >
Comment type
- name: comment.version
type: keyword
description: >
Config version of comment object
- name: comment.zone
type: keyword
description: >
Zone where comment was generated
- name: downtime.__name
type: text
description: >
Unique identifier of a downtime
- name: downtime.author
type: keyword
description: >
Author of a downtime
- name: downtime.comment
type: text
description: >
Text of a downtime
- name: downtime.config_owner
type: text
description: >
Config owner
- name: downtime.duration
type: integer
description: >
Duration of a downtime
- name: downtime.end_time
type: date
description: >
Timestamp of downtime end
- name: downtime.entry_time
type: date
description: >
Timestamp when downtime was created
- name: downtime.fixed
type: boolean
description: >
If downtime is fixed or flexible
- name: downtime.host_name
type: keyword
description: >
Hostname of a downtime
- name: downtime.legacy_id
type: integer
description: >
The integer ID of a downtime
- name: downtime.name
type: keyword
description: >
Downtime config identifier
- name: downtime.package
type: keyword
description: >
Configuration package of downtime
- name: downtime.scheduled_by
type: text
description: >
By whom downtime was scheduled
- name: downtime.service_name
type: keyword
description: >
Service name of a downtime
- name: downtime.start_time
type: date
description: >
Timestamp when downtime starts
- name: downtime.templates
type: text
description: >
Templates used by this downtime
- name: downtime.trigger_time
type: date
description: >
Timestamp when downtime was triggered
- name: downtime.triggered_by
type: text
description: >
By whom downtime was triggered
- name: downtime.triggers
type: text
description: >
Downtime triggers
- name: downtime.type
type: keyword
description: >
Downtime type
- name: downtime.version
type: keyword
description: >
Config version of downtime
- name: downtime.was_cancelled
type: boolean
description: >
If downtime was cancelled
- name: downtime.zone
type: keyword
description: >
Zone of downtime
- name: status.active_host_checks
type: integer
description: >
Active host checks
- name: status.active_host_checks_15min
type: integer
description: >
Active host checks in the last 15 minutes
- name: status.active_host_checks_1min
type: integer
description: >
Acitve host checks in the last minute
- name: status.active_host_checks_5min
type: integer
description: >
Active host checks in the last 5 minutes
- name: status.active_service_checks
type: integer
description: >
Active service checks
- name: status.active_service_checks_15min
type: integer
description: >
Active service checks in the last 15 minutes
- name: status.active_service_checks_1min
type: integer
description: >
Active service checks in the last minute
- name: status.active_service_checks_5min
type: integer
description: >
Active service checks in the last 5 minutes
- name: status.api.identity
type: keyword
description: >
API identity
- name: status.api.num_conn_endpoints
type: integer
description: >
Number of connected endpoints
- name: status.api.num_endpoints
type: integer
description: >
Total number of endpoints
- name: status.api.num_not_conn_endpoints
type: integer
description: >
Number of not connected endpoints
- name: status.avg_execution_time
type: integer
description: >
Average execution time of checks
- name: status.avg_latency
type: integer
description: >
Average latency time
- name: status.checkercomponent.checker.idle
type: integer
description: >
Idle checks
- name: status.checkercomponent.checker.pending
type: integer
description: >
Pending checks
- name: status.filelogger.main-log
type: integer
description: >
Mainlog enabled
- name: status.icingaapplication.app.enable_event_handlers
type: boolean
description: >
Event handlers enabled
- name: status.icingaapplication.app.enable_flapping
type: boolean
description: >
Flapping detection enabled
- name: status.icingaapplication.app.enable_host_checks
type: boolean
description: >
Host checks enabled
- name: status.icingaapplication.app.enable_notifications
type: boolean
description: >
Notifications enabled
- name: status.icingaapplication.app.enable_perfdata
type: boolean
description: >
Perfdata enabled
- name: status.icingaapplication.app.enable_service_checks
type: boolean
description: >
Service checks enabled
- name: status.icingaapplication.app.node_name
type: keyword
description: >
Node name
- name: status.icingaapplication.app.pid
type: integer
description: >
PID
- name: status.icingaapplication.app.program_start
type: integer
description: >
Time when Icinga started
- name: status.icingaapplication.app.version
type: keyword
description: >
Version
- name: status.idomysqlconnection.ido-mysql.connected
type: boolean
description: >
IDO connected
- name: status.idomysqlconnection.ido-mysql.instance_name
type: keyword
description: >
IDO Instance name
- name: status.idomysqlconnection.ido-mysql.query_queue_items
type: integer
description: >
IDO query items in the queue
- name: status.idomysqlconnection.ido-mysql.version
type: keyword
description: >
IDO schema version
- name: status.max_execution_time
type: integer
description: >
Max execution time
- name: status.max_latency
type: integer
description: >
Max latency
- name: status.min_execution_time
type: integer
description: >
Min execution time
- name: status.min_latency
type: integer
description: >
Min latency
- name: status.notificationcomponent.notification
type: integer
description: >
Notification
- name: status.num_hosts_acknowledged
type: integer
description: >
Amount of acknowledged hosts
- name: status.num_hosts_down
type: integer
description: >
Amount of down hosts
- name: status.num_hosts_flapping
type: integer
description: >
Amount of flapping hosts
- name: status.num_hosts_in_downtime
type: integer
description: >
Amount of hosts in downtime
- name: status.num_hosts_pending
type: integer
description: >
Amount of pending hosts
- name: status.num_hosts_unreachable
type: integer
description: >
Amount of unreachable hosts
- name: status.num_hosts_up
type: integer
description: >
Amount of hosts in up state
- name: status.num_services_acknowledged
type: integer
description: >
Amount of acknowledged services
- name: status.num_services_critical
type: integer
description: >
Amount of critical services
- name: status.num_services_flapping
type: integer
description: >
Amount of flapping services
- name: status.num_services_in_downtime
type: integer
description: >
Amount of services in downtime
- name: status.num_services_ok
type: integer
description: >
Amount of services in ok state
- name: status.num_services_pending
type: integer
description: >
Amount of pending services
- name: status.num_services_unknown
type: integer
description: >
Amount of unknown services
- name: status.num_services_unreachable
type: integer
description: >
Amount of unreachable services
- name: status.num_services_warning
type: integer
description: >
Amount of services in warning state
- name: status.passive_host_checks
type: integer
description: >
Amount of passive host checks
- name: status.passive_host_checks_15min
type: integer
description: >
Amount of passive host checks in the last 15 minutes
- name: status.passive_host_checks_1min
type: integer
description: >
Amount of passive host checks in the last minute
- name: status.passive_host_checks_5min
type: integer
description: >
Amount of passive host checks in the last 5 minutes
- name: status.passive_service_checks
type: integer
description: >
Amount of passive service checks
- name: status.passive_service_checks_15min
type: integer
description: >
Amount of passive service checks in the last 15 minutes
- name: status.passive_service_checks_1min
type: integer
description: >
Amount of passive service checks in the last minute
- name: status.passive_service_checks_5min
type: integer
description: >
Amount of passive service checks in the last 5 minutes
- name: status.uptime
type: integer
description: >
Uptime


@ -170,6 +170,10 @@ icingabeat:
#- add_docker_metadata:
# host: "unix:///var/run/docker.sock"
# match_fields: ["system.process.cgroup.id"]
# match_pids: ["process.pid", "process.ppid"]
# match_source: true
# match_source_index: 4
# cleanup_timeout: 60
# # To connect to Docker over TLS you must specify a client and CA certificate.
# #ssl:
# # certificate_authority: "/etc/pki/root/ca.pem"
@ -257,7 +261,7 @@ output.elasticsearch:
# Configure http request timeout before failing an request to Elasticsearch.
#timeout: 90
# Use SSL settings for HTTPS. Default is true.
# Use SSL settings for HTTPS.
#ssl.enabled: true
# Configure SSL verification mode. If `none` is configured, all server hosts
@ -320,7 +324,7 @@ output.elasticsearch:
# Number of batches to be sent asynchronously to logstash while processing
# new batches.
#pipelining: 5
#pipelining: 2
# If enabled only a subset of events in a batch of events is transferred per
# transaction. The number of events to be sent increases up to `bulk_max_size`
@ -800,12 +804,11 @@ setup.kibana:
#================================ Logging ======================================
# There are three options for the log output: syslog, file, stderr.
# Under Windows systems, the log files are per default sent to the file output,
# under all other system per default to syslog.
# There are four options for the log output: file, stderr, syslog, eventlog
# The file output is the default.
# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
# Available log levels are: error, warning, info, debug
#logging.level: info
# Enable debug output for selected components. To enable all selectors use ["*"]
@ -814,7 +817,10 @@ setup.kibana:
#logging.selectors: [ ]
# Send all logging output to syslog. The default is false.
#logging.to_syslog: true
#logging.to_syslog: false
# Send all logging output to Windows Event Logs. The default is false.
#logging.to_eventlog: false
# If enabled, icingabeat periodically logs its internal metrics that have changed
# in the last period. For each metric that changed, the delta from the value at
@ -849,3 +855,108 @@ logging.files:
# Set to true to log messages in json format.
#logging.json: false
#============================== Xpack Monitoring =====================================
# icingabeat can export internal metrics to a central Elasticsearch monitoring cluster.
# This requires xpack monitoring to be enabled in Elasticsearch.
# The reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line, and leave the rest commented out.
#xpack.monitoring.elasticsearch:
# Array of hosts to connect to.
# Scheme and port can be left out and will be set to the default (http and 9200)
# In case you specify and additional path, the scheme is required: http://localhost:9200/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
#hosts: ["localhost:9200"]
# Set gzip compression level.
#compression_level: 0
# Optional protocol and basic auth credentials.
#protocol: "https"
#username: "beats_system"
#password: "changeme"
# Dictionary of HTTP parameters to pass within the url with index operations.
#parameters:
#param1: value1
#param2: value2
# Custom HTTP headers to add to each request
#headers:
# X-My-Header: Contents of the header
# Proxy server url
#proxy_url: http://proxy:3128
# The number of times a particular Elasticsearch index operation is attempted. If
# the indexing operation doesn't succeed after this many retries, the events are
# dropped. The default is 3.
#max_retries: 3
# The maximum number of events to bulk in a single Elasticsearch bulk API index request.
# The default is 50.
#bulk_max_size: 50
# Configure http request timeout before failing an request to Elasticsearch.
#timeout: 90
# Use SSL settings for HTTPS.
#ssl.enabled: true
# Configure SSL verification mode. If `none` is configured, all server hosts
# and certificates will be accepted. In this mode, SSL based connections are
# susceptible to man-in-the-middle attacks. Use only for testing. Default is
# `full`.
#ssl.verification_mode: full
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to
# 1.2 are enabled.
#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
# SSL configuration. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
# Optional passphrase for decrypting the Certificate Key.
#ssl.key_passphrase: ''
# Configure cipher suites to be used for SSL connections
#ssl.cipher_suites: []
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []
# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never
#================================ HTTP Endpoint ======================================
# Each beat can expose internal metrics through a HTTP endpoint. For security
# reasons the endpoint is disabled by default. This feature is currently experimental.
# Stats can be access through http://localhost:5066/stats . For pretty JSON output
# append ?pretty to the URL.
# Defines if the HTTP endpoint is enabled.
#http.enabled: false
# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost.
#http.host: localhost
# Port on which the HTTP endpoint will bind. Default is 5066.
#http.port: 5066


@ -157,10 +157,25 @@ output.elasticsearch:
#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
# Available log levels are: error, warning, info, debug
#logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
#============================== Xpack Monitoring ===============================
# icingabeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#xpack.monitoring.elasticsearch:
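Review bot: The new `xpack.monitoring.elasticsearch` comment block says that any unset setting is inherited from the Elasticsearch output, but it does not say that this presumably includes `username`/`password` and the `ssl.*` settings, so a user who only uncomments that line ends up sending monitoring data with the output's credentials and trust configuration. The reference config earlier in this commit lists a separate `beats_system` user under the same block, which is the least-privilege option. I would extend the comment before `#xpack.monitoring.elasticsearch:` with `# Credentials and SSL settings are inherited too; prefer a dedicated monitoring user (see beats_system in the reference config).` so the two files agree on the intended setup.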


@ -16,6 +16,7 @@
coverage.out
.python-version
beat.db
*.keystore
# Editor swap files
*.swp


@ -49,6 +49,14 @@ jobs:
env: TARGETS="-C auditbeat testsuite"
go: $GO_VERSION
stage: test
- os: osx
env: TARGETS="-C auditbeat testsuite"
go: $GO_VERSION
stage: test
- os: linux
env: TARGETS="-C auditbeat crosscompile"
go: $GO_VERSION
stage: test
# Libbeat
- os: linux
@ -59,6 +67,10 @@ jobs:
env: TARGETS="-C libbeat crosscompile"
go: $GO_VERSION
stage: test
- os: linux
env: TARGETS="-C libbeat stress-tests"
go: $GO_VERSION
stage: test
# Metricbeat
- os: linux


@ -8,7 +8,7 @@
// Template, add newest changes here
=== Beats version HEAD
https://github.com/elastic/beats/compare/v6.1.1...6.1[Check the HEAD diff]
https://github.com/elastic/beats/compare/v6.2.2...6.2[Check the HEAD diff]
==== Breaking changes
@ -32,6 +32,8 @@ https://github.com/elastic/beats/compare/v6.1.1...6.1[Check the HEAD diff]
*Auditbeat*
- Add hex decoding for the name field in audit path records. {pull}6687[6687]
*Filebeat*
*Heartbeat*
@ -40,6 +42,8 @@ https://github.com/elastic/beats/compare/v6.1.1...6.1[Check the HEAD diff]
*Packetbeat*
- HTTP parses successfully on empty status phrase. {issue}6176[6176]
*Winlogbeat*
==== Added
@ -77,6 +81,175 @@ https://github.com/elastic/beats/compare/v6.1.1...6.1[Check the HEAD diff]
////////////////////////////////////////////////////////////
[[release-notes-6.2.3]]
=== Beats version 6.2.3
https://github.com/elastic/beats/compare/v6.2.2...v6.2.3[View commits]
==== Breaking changes
*Affecting all Beats*
- Fix conditions checking on autodiscover Docker labels. {pull}6412[6412]
==== Bugfixes
*Affecting all Beats*
- Avoid panic errors when processing nil Pod events in add_kubernetes_metadata. {issue}6372[6372]
- Fix infinite failure on Kubernetes watch {pull}6504[6504]
*Metricbeat*
- Fix Kubernetes overview dashboard views for non default time ranges. {issue}6395{6395}
[[release-notes-6.2.2]]
=== Beats version 6.2.2
https://github.com/elastic/beats/compare/v6.2.1...v6.2.2[View commits]
==== Bugfixes
*Affecting all Beats*
- Add logging when monitoring cannot connect to Elasticsearch. {pull}6365[6365]
- Fix infinite loop when event unmarshal fails in Kubernetes pod watcher. {pull}6353[6353]
*Filebeat*
- Fix a conversion issue for time related fields in the Logstash module for the slowlog
fileset. {issue}6317[6317]
[[release-notes-6.2.1]]
=== Beats version 6.2.1
https://github.com/elastic/beats/compare/v6.2.0...v6.2.1[View commits]
No changes in this release.
[[release-notes-6.2.0]]
=== Beats version 6.2.0
https://github.com/elastic/beats/compare/v6.1.3...v6.2.0[View commits]
==== Breaking changes
*Affecting all Beats*
- The log format may differ due to logging library changes. {pull}5901[5901]
- The default value for pipelining is reduced to 2 to avoid high memory in the Logstash beats input. {pull}6250[6250]
*Auditbeat*
- Split the audit.kernel and audit.file metricsets into their own modules
named auditd and file_integrity, respectively. This change requires
existing users to update their config. {issue}5422[5422]
- Renamed file_integrity module fields. {issue}5423[5423] {pull}5995[5995]
- Renamed auditd module fields. {issue}5423[5423] {pull}6080[6080]
*Metricbeat*
- Rename `golang.heap.system.optained` field to `golang.heap.system.obtained`. {issue}5703[5703]
- De dot keys in jolokia/jmx metricset to prevent collisions. {pull}5957[5957]
==== Bugfixes
*Auditbeat*
- Fixed an issue where the proctitle value was being truncated. {pull}6080[6080]
- Fixed an issue where values were incorrectly interpretted as hex data. {pull}6080[6080]
- Fixed parsing of the `key` value when multiple keys are present. {pull}6080[6080]
- Fix possible resource leak if file_integrity module is used with config
reloading on Windows or Linux. {pull}6198[6198]
*Filebeat*
- Fix variable name for `convert_timezone` in the system module. {pull}5936[5936]
*Metricbeat*
- Fix error `datastore '*' not found` in Vsphere module. {issue}4879[4879]
- Fix error `NotAuthenticated` in Vsphere module. {issue}4673[4673]
- Fix mongodb session consistency mode to allow command execution on secondary nodes. {issue}4689[4689]
- Fix kubernetes `state_pod` `status.phase` so that the active phase is returned instead of `unknown`. {pull}5980[5980]
- Fix error collecting network_names in Vsphere module. {pull}5962[5962]
- Fix process cgroup memory metrics for memsw, kmem, and kmem_tcp. {issue}6033[6033]
- Fix kafka OffsetFetch request missing topic and partition parameters. {pull}5880[5880]
*Packetbeat*
- Fix mysql SQL parser to trim `\r` from Windows Server `SELECT\r\n\t1`. {pull}5572[5572]
==== Added
*Affecting all Beats*
- Adding a local keystore to allow user to obfuscate password {pull}5687[5687]
- Add autodiscover for kubernetes. {pull}6055[6055]
- Add Beats metrics reporting to Xpack. {issue}3422[3422]
- Update the command line library cobra and add support for zsh completion {pull}5761[5761]
- Update to Golang 1.9.2
- Moved `ip_port` indexer for `add_kubernetes_metadata` to all beats. {pull}5707[5707]
- `ip_port` indexer now index both IP and IP:port pairs. {pull}5721[5721]
- Add the ability to write structured logs. {pull}5901[5901]
- Use structured logging for the metrics that are periodically logged via the
`logging.metrics` feature. {pull}5915[5915]
- Improve Elasticsearch output metrics to count number of dropped and duplicate (if event ID is given) events. {pull}5811[5811]
- Add the abilility for the add_docker_metadata process to enrich based on process ID. {pull}6100[6100]
- The `add_docker_metadata` and `add_kubernetes_metadata` processors are now GA, instead of Beta. {pull}6105[6105]
- Update go-ucfg library to support top level key reference and cyclic key reference for the
keystore {pull}6098[6098]
*Auditbeat*
- Auditbeat is marked as GA, no longer Beta. {issue}5432[5432]
- Add support for BLAKE2b hash algorithms to the file integrity module. {pull}5926[5926]
- Add support for recursive file watches. {pull}5575[5575] {pull}5833[5833]
*Filebeat*
- Add Osquery module. {pull}5971[5971]
- Add stream filtering when using `docker` prospector. {pull}6057[6057]
*Metricbeat*
- Add ceph osd_df to metricbeat {pull}5606[5606]
- Add field network_names of hosts and virtual machines. {issue}5646[5646]
- Add experimental system/raid metricset. {pull}5642[5642]
- Add a dashboard for the Nginx module. {pull}5991[5991]
- Add experimental mongodb/collstats metricset. {pull}5852[5852]
- Update the MySQL dashboard to use the Time Series Visual Builder. {pull}5996[5996]
- Add experimental uwsgi module. {pull}6006[6006]
- Docker and Kubernetes modules are now GA, instead of Beta. {pull}6105[6105]
- Support haproxy stats gathering using http (additionaly to tcp socket). {pull}5819[5819]
- Support to optionally 'de dot' keys in http/json metricset to prevent collisions. {pull}5957[5957]
*Packetbeat*
- Configure good defaults for `add_kubernetes_metadata`. {pull}5707[5707]
[[release-notes-6.1.3]]
=== Beats version 6.1.3
https://github.com/elastic/beats/compare/v6.1.2...v6.1.3[View commits]
No changes in this release.
[[release-notes-6.1.2]]
=== Beats version 6.1.2
https://github.com/elastic/beats/compare/v6.1.1...v6.1.2[View commits]
==== Bugfixes
*Auditbeat*
- Add an error check to the file integrity scanner to prevent a panic when
there is an error reading file info via lstat. {issue}6005[6005]
==== Added
*Filebeat*
- Switch to docker prospector in sample manifests for Kubernetes deployment {pull}5963[5963]
[[release-notes-6.1.1]]
=== Beats version 6.1.1
https://github.com/elastic/beats/compare/v6.1.0...v6.1.1[View commits]
@ -109,6 +282,7 @@ https://github.com/elastic/beats/compare/v6.0.1...v6.1.0[View commits]
- Fix console color output for Windows. {issue}5611[5611]
- Fix logstash output debug message. {pull}5799{5799]
- Fix isolation of modules when merging local and global field settings. {issue}5795[5795]
- Report ephemeral ID and uptime in monitoring events on all platforms {pull}6501[6501]
*Filebeat*
@ -124,16 +298,22 @@ https://github.com/elastic/beats/compare/v6.0.1...v6.1.0[View commits]
- Change `MySQL active connections` visualization title to `MySQL total connections`. {issue}4812[4812]
- Fix `ProcState` on Linux and FreeBSD when process names contain parentheses. {pull}5775[5775]
- Fix incorrect `Mem.Used` calculation under linux. {pull}5775[5775]
- Fix `open_file_descriptor_count` and `max_file_descriptor_count` lost in zookeeper module {pull}5902[5902]
- Fix system process metricset for kernel processes. {issue}5700[5700]
- Change kubernetes.node.cpu.allocatable.cores to float. {pull}6130[6130]
*Packetbeat*
- Fix http status phrase parsing not allow spaces. {pull}5312[5312]
- Fix http parse to allow to parse get request with space in the URI. {pull}5495[5495]
- Fix mysql SQL parser to trim `\r` from Windows Server `SELECT\r\n\t1`. {pull}5572[5572]
- Fix corruption when parsing repeated headers in an HTTP request or response. {pull}6325[6325]
*Winlogbeat*
- Fix the registry file. It was not correctly storing event log names, and
upon restart it would begin reading at the start of each event log. {issue}5813[5813]
- Fix config validation to allow `event_logs.processors`. [pull]6217[6217]
==== Added
@ -189,6 +369,8 @@ https://github.com/elastic/beats/compare/v6.0.1...v6.1.0[View commits]
*Packetbeat*
- Add support for decoding the TLS envelopes. {pull}5476[5476]
- HTTP parses successfully on empty status phrase. {issue}6176[6176]
- HTTP parser supports broken status line. {pull}6631[6631]
[[release-notes-6.0.1]]
=== Beats version 6.0.1
@ -212,6 +394,7 @@ https://github.com/elastic/beats/compare/v6.0.0...v6.0.1[View commits]
- Fix the include top N processes feature for cases where there are fewer
processes than N. {pull}5729[5729]
include::libbeat/docs/release-notes/6.0.0.asciidoc[]
[[release-notes-6.0.0-ga]]
@ -740,6 +923,63 @@ https://github.com/elastic/beats/compare/v5.4.0...v6.0.0-alpha1[View commits]
- Prospector reloading only works properly with new files. {pull}3546[3546]
[[release-notes-5.6.7]]
=== Beats version 5.6.7
https://github.com/elastic/beats/compare/v5.6.6...v5.6.7[View commits]
No changes in this release.
[[release-notes-5.6.6]]
=== Beats version 5.6.6
https://github.com/elastic/beats/compare/v5.6.5...v5.6.6[View commits]
No changes in this release.
[[release-notes-5.6.5]]
=== Beats version 5.6.5
https://github.com/elastic/beats/compare/v5.6.4...v5.6.5[View commits]
==== Bugfixes
*Affecting all Beats*
- Fix duplicate batches of events in retry queue. {pull}5520[5520]
*Metricbeat*
- Clarify meaning of percentages reported by system core metricset. {pull}5565[5565]
- Fix map overwrite in docker diskio module. {issue}5582[5582]
[[release-notes-5.6.4]]
=== Beats version 5.6.4
https://github.com/elastic/beats/compare/v5.6.3...v5.6.4[View commits]
==== Bugfixes
*Affecting all Beats*
- Fix race condition in internal logging rotator. {pull}4519[4519]
*Packetbeat*
- Fix missing length check in the PostgreSQL module. {pull}5457[5457]
==== Added
*Affecting all Beats*
- Add support for enabling TLS renegotiation. {issue}4386[4386]
- Add setting to enable/disable the slow start in logstash output. {pull}5400[5400]
[[release-notes-5.6.3]]
=== Beats version 5.6.3
https://github.com/elastic/beats/compare/v5.6.2...v5.6.3[View commits]
No changes in this release.
[[release-notes-5.6.2]]
=== Beats version 5.6.2
https://github.com/elastic/beats/compare/v5.6.1...v5.6.2[View commits]


@ -38,6 +38,11 @@ test:
unit:
@$(foreach var,$(PROJECTS),$(MAKE) -C $(var) unit || exit 1;)
# Crosscompile all beats.
.PHONY: crosscompile
crosscompile:
@$(foreach var,filebeat winlogbeat metricbeat heartbeat auditbeat,$(MAKE) -C $(var) crosscompile || exit 1;)
.PHONY: coverage-report
coverage-report:
@mkdir -p $(COVERAGE_DIR)


@ -1,5 +1,5 @@
Elastic Beats
Copyright 2014-2017 Elasticsearch BV
Copyright 2014-2018 Elasticsearch BV
This product includes software developed by The Apache Software
Foundation (http://www.apache.org/).
@ -342,8 +342,8 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------
Dependency: github.com/elastic/go-libaudit
Version: v0.0.6
Revision: df0d4981f3fce65ffd3d7411dfec3e03231b491c
Version: v0.1.0
Revision: 4a806edf821706e315ef7d4f3b5d0cac6d638b34
License type (autodetected): Apache-2.0
./vendor/github.com/elastic/go-libaudit/LICENSE:
--------------------------------------------------------------------
@ -361,7 +361,8 @@ Apache License 2.0
--------------------------------------------------------------------
Dependency: github.com/elastic/go-ucfg
Revision: ec8488a52542c0c51e42e8ea204dcaff400bc644
Version: v0.5.1
Revision: 0ba28e36add27704e6b49a7ed8557989a8f4a635
License type (autodetected): Apache-2.0
./vendor/github.com/elastic/go-ucfg/LICENSE:
--------------------------------------------------------------------
@ -370,8 +371,8 @@ Apache License 2.0
--------------------------------------------------------------------
Dependency: github.com/elastic/gosigar
Version: v0.6.0
Revision: 5cb8fed1ceb7f0fd69e4ad61c715a80601dddfd2
Version: v0.8.0
Revision: 16df19fe5efee4ea2938bde5f56c02d9929dc054
License type (autodetected): Apache-2.0
./vendor/github.com/elastic/gosigar/LICENSE:
--------------------------------------------------------------------
@ -443,7 +444,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------
Dependency: github.com/fsnotify/fsevents
Revision: 3ceee05210c3babaa38cdc9181dabdcc83076a44
Revision: 690cb784149d5facd7fe613c52757445c43afcde
License type (autodetected): BSD-3-Clause
./vendor/github.com/fsnotify/fsevents/LICENSE:
--------------------------------------------------------------------
@ -1134,7 +1135,7 @@ Apache License 2.0
--------------------------------------------------------------------
Dependency: github.com/google/uuid
Revision: 6a5e28554805e78ea6141142aba763936c4761c0
Revision: 281f560d28af7174109514e936f94c2ab2cb2823
License type (autodetected): BSD-3-Clause
./metricbeat/module/vsphere/vendor/github.com/google/uuid/LICENSE:
--------------------------------------------------------------------
@ -1573,204 +1574,6 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
--------------------------------------------------------------------
Dependency: github.com/juju/ratelimit
Revision: 5b9ff866471762aa2ab2dced63c9fb6f53921342
License type (autodetected): LGPL-3.0
./vendor/github.com/juju/ratelimit/LICENSE:
--------------------------------------------------------------------
All files in this repository are licensed as follows. If you contribute
to this repository, it is assumed that you license your contribution
under the same license unless you state otherwise.
All files Copyright (C) 2015 Canonical Ltd. unless otherwise specified in the file.
This software is licensed under the LGPLv3, included below.
As a special exception to the GNU Lesser General Public License version 3
("LGPL3"), the copyright holders of this Library give you permission to
convey to a third party a Combined Work that links statically or dynamically
to this Library without providing any Minimal Corresponding Source or
Minimal Application Code as set out in 4d or providing the installation
information set out in section 4e, provided that you comply with the other
provisions of LGPL3 and provided that you meet, for the Application the
terms and conditions of the license(s) which apply to the Application.
Except as stated in this special exception, the provisions of LGPL3 will
continue to comply in full to this Library. If you modify this Library, you
may apply this exception to your version of this Library, but you are not
obliged to do so. If you do not wish to do so, delete this exception
statement from your version. This exception does not (and cannot) modify any
license terms which apply to the Application, with which you must still
comply.
GNU LESSER GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
This version of the GNU Lesser General Public License incorporates
the terms and conditions of version 3 of the GNU General Public
License, supplemented by the additional permissions listed below.
0. Additional Definitions.
As used herein, "this License" refers to version 3 of the GNU Lesser
General Public License, and the "GNU GPL" refers to version 3 of the GNU
General Public License.
"The Library" refers to a covered work governed by this License,
other than an Application or a Combined Work as defined below.
An "Application" is any work that makes use of an interface provided
by the Library, but which is not otherwise based on the Library.
Defining a subclass of a class defined by the Library is deemed a mode
of using an interface provided by the Library.
A "Combined Work" is a work produced by combining or linking an
Application with the Library. The particular version of the Library
with which the Combined Work was made is also called the "Linked
Version".
The "Minimal Corresponding Source" for a Combined Work means the
Corresponding Source for the Combined Work, excluding any source code
for portions of the Combined Work that, considered in isolation, are
based on the Application, and not on the Linked Version.
The "Corresponding Application Code" for a Combined Work means the
object code and/or source code for the Application, including any data
and utility programs needed for reproducing the Combined Work from the
Application, but excluding the System Libraries of the Combined Work.
1. Exception to Section 3 of the GNU GPL.
You may convey a covered work under sections 3 and 4 of this License
without being bound by section 3 of the GNU GPL.
2. Conveying Modified Versions.
If you modify a copy of the Library, and, in your modifications, a
facility refers to a function or data to be supplied by an Application
that uses the facility (other than as an argument passed when the
facility is invoked), then you may convey a copy of the modified
version:
a) under this License, provided that you make a good faith effort to
ensure that, in the event an Application does not supply the
function or data, the facility still operates, and performs
whatever part of its purpose remains meaningful, or
b) under the GNU GPL, with none of the additional permissions of
this License applicable to that copy.
3. Object Code Incorporating Material from Library Header Files.
The object code form of an Application may incorporate material from
a header file that is part of the Library. You may convey such object
code under terms of your choice, provided that, if the incorporated
material is not limited to numerical parameters, data structure
layouts and accessors, or small macros, inline functions and templates
(ten or fewer lines in length), you do both of the following:
a) Give prominent notice with each copy of the object code that the
Library is used in it and that the Library and its use are
covered by this License.
b) Accompany the object code with a copy of the GNU GPL and this license
document.
4. Combined Works.
You may convey a Combined Work under terms of your choice that,
taken together, effectively do not restrict modification of the
portions of the Library contained in the Combined Work and reverse
engineering for debugging such modifications, if you also do each of
the following:
a) Give prominent notice with each copy of the Combined Work that
the Library is used in it and that the Library and its use are
covered by this License.
b) Accompany the Combined Work with a copy of the GNU GPL and this license
document.
c) For a Combined Work that displays copyright notices during
execution, include the copyright notice for the Library among
these notices, as well as a reference directing the user to the
copies of the GNU GPL and this license document.
d) Do one of the following:
0) Convey the Minimal Corresponding Source under the terms of this
License, and the Corresponding Application Code in a form
suitable for, and under terms that permit, the user to
recombine or relink the Application with a modified version of
the Linked Version to produce a modified Combined Work, in the
manner specified by section 6 of the GNU GPL for conveying
Corresponding Source.
1) Use a suitable shared library mechanism for linking with the
Library. A suitable mechanism is one that (a) uses at run time
a copy of the Library already present on the user's computer
system, and (b) will operate properly with a modified version
of the Library that is interface-compatible with the Linked
Version.
e) Provide Installation Information, but only if you would otherwise
be required to provide such information under section 6 of the
GNU GPL, and only to the extent that such information is
necessary to install and execute a modified version of the
Combined Work produced by recombining or relinking the
Application with a modified version of the Linked Version. (If
you use option 4d0, the Installation Information must accompany
the Minimal Corresponding Source and Corresponding Application
Code. If you use option 4d1, you must provide the Installation
Information in the manner specified by section 6 of the GNU GPL
for conveying Corresponding Source.)
5. Combined Libraries.
You may place library facilities that are a work based on the
Library side by side in a single library together with other library
facilities that are not Applications and are not covered by this
License, and convey such a combined library under terms of your
choice, if you do both of the following:
a) Accompany the combined library with a copy of the same work based
on the Library, uncombined with any other library facilities,
conveyed under the terms of this License.
b) Give prominent notice with the combined library that part of it
is a work based on the Library, and explaining where to find the
accompanying uncombined form of the same work.
6. Revised Versions of the GNU Lesser General Public License.
The Free Software Foundation may publish revised and/or new versions
of the GNU Lesser General Public License from time to time. Such new
versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the
Library as you received it specifies that a certain numbered version
of the GNU Lesser General Public License "or any later version"
applies to it, you have the option of following the terms and
conditions either of that published version or of any later version
published by the Free Software Foundation. If the Library as you
received it does not specify a version number of the GNU Lesser
General Public License, you may choose any version of the GNU Lesser
General Public License ever published by the Free Software Foundation.
If the Library as you received it specifies that a proxy can decide
whether future versions of the GNU Lesser General Public License shall
apply, that proxy's public statement of acceptance of any version is
permanent authorization for you to choose that version for the
Library.
--------------------------------------------------------------------
Dependency: github.com/klauspost/compress
Revision: 14c9a76e3c95e47f8ccce949bba2c1101a8b85e6
@ -3327,7 +3130,7 @@ THE SOFTWARE.
--------------------------------------------------------------------
Dependency: github.com/spf13/cobra
Revision: e606913c4ee45fec232e67e70105fb6c866b95d9
Revision: 1be1d2841c773c01bee8289f55f7463b6e2c2539
License type (autodetected): Apache-2.0
./vendor/github.com/spf13/cobra/LICENSE.txt:
--------------------------------------------------------------------
@ -3491,8 +3294,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------
Dependency: github.com/urso/go-structform
Version: v0.0.1
Revision: a59a4e97c96431f4ad25ed3bd027981f2e0ff5c2
Version: v0.0.2
Revision: 844d7d44009e9e8c0f08016fc4dab64e136ca040
License type (autodetected): Apache-2.0
./vendor/github.com/urso/go-structform/LICENSE:
--------------------------------------------------------------------
@ -3501,7 +3304,7 @@ Apache License 2.0
--------------------------------------------------------------------
Dependency: github.com/vmware/govmomi
Revision: 9bfdc5ce62c0585b48b154cc460f8664dcd124c3
Revision: 2cad15190b417804d82edb4981e7b3e62907c4ee
License type (autodetected): Apache-2.0
./metricbeat/module/vsphere/vendor/github.com/vmware/govmomi/LICENSE.txt:
--------------------------------------------------------------------
@ -3510,7 +3313,7 @@ Apache License 2.0
--------------------------------------------------------------------
Dependency: github.com/vmware/govmomi/vim25/xml
Revision: 5072cda664c79ada30834d171d2ed1f76317d3b2
Revision: 2cad15190b417804d82edb4981e7b3e62907c4ee
License type (autodetected): BSD-3-Clause
./metricbeat/module/vsphere/vendor/github.com/vmware/govmomi/vim25/xml/LICENSE:
--------------------------------------------------------------------
@ -3542,15 +3345,6 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------
Dependency: github.com/vmware/vic
Revision: a2b2afb419d70009cd4d0b58f37b1a095c58b526
License type (autodetected): Apache-2.0
./metricbeat/module/vsphere/vendor/github.com/vmware/vic/LICENSE:
--------------------------------------------------------------------
Apache License 2.0
--------------------------------------------------------------------
Dependency: github.com/yuin/gopher-lua
Revision: b402f3114ec730d8bddb074a6c137309f561aa78
@ -3579,9 +3373,88 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------
Dependency: go.uber.org/atomic
Revision: 8474b86a5a6f79c443ce4b2992817ff32cf208b8
License type (autodetected): MIT
./vendor/go.uber.org/atomic/LICENSE.txt:
--------------------------------------------------------------------
Copyright (c) 2016 Uber Technologies, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
--------------------------------------------------------------------
Dependency: go.uber.org/multierr
Revision: fb7d312c2c04c34f0ad621048bbb953b168f9ff6
License type (autodetected): MIT
./vendor/go.uber.org/multierr/LICENSE.txt:
--------------------------------------------------------------------
Copyright (c) 2017 Uber Technologies, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
--------------------------------------------------------------------
Dependency: go.uber.org/zap
Version: v1.7.1
Revision: 35aad584952c3e7020db7b839f6b102de6271f89
License type (autodetected): MIT
./vendor/go.uber.org/zap/LICENSE.txt:
--------------------------------------------------------------------
Copyright (c) 2016-2017 Uber Technologies, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
--------------------------------------------------------------------
Dependency: golang.org/x/crypto
Revision: 9419663f5a44be8b34ca85f08abc5fe1be11f8a3
Revision: d585fd2cc9195196078f516b69daff6744ef5e84
License type (autodetected): BSD-3-Clause
./vendor/golang.org/x/crypto/LICENSE:
--------------------------------------------------------------------
@ -3649,7 +3522,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------
Dependency: golang.org/x/sys
Revision: a55a76086885b80f79961eacb876ebd8caf3868d
Revision: b76f9891dc1d975623261def70f9b89661f5baab
License type (autodetected): BSD-3-Clause
./vendor/golang.org/x/sys/LICENSE:
--------------------------------------------------------------------
@ -3715,6 +3588,40 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------
Dependency: golang.org/x/time
Revision: 26559e0f760e39c24d730d3224364aef164ee23f
License type (autodetected): BSD-3-Clause
./vendor/golang.org/x/time/LICENSE:
--------------------------------------------------------------------
Copyright (c) 2009 The Go Authors. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the
distribution.
* Neither the name of Google Inc. nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------
Dependency: golang.org/x/tools
Revision: 9be3b7cbc7ccd19baaa3b7704c22f57db5ebbdf2
@ -3957,3 +3864,68 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------
Dependency: howett.net/plist
Revision: 233df3c4f07b0c562da0e8a6fb850681ac49bb90
License type (autodetected): BSD-2-Clause
./vendor/howett.net/plist/LICENSE:
--------------------------------------------------------------------
Copyright (c) 2013, Dustin L. Howett. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The views and conclusions contained in the software and documentation are those
of the authors and should not be interpreted as representing official policies,
either expressed or implied, of the FreeBSD Project.
--------------------------------------------------------------------------------
Parts of this package were made available under the license covering
the Go language and all attended core libraries. That license follows.
--------------------------------------------------------------------------------
Copyright (c) 2012 The Go Authors. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the
distribution.
* Neither the name of Google Inc. nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

@ -52,16 +52,19 @@ echo 'Creating github.com/elastic in the GOPATH'
mkdir -p ~/go/src/github.com/elastic
echo 'Symlinking /vagrant to ~/go/src/github.com/elastic'
cd ~/go/src/github.com/elastic
if [ -d "/vagrant" ]; then ln -s /vagrant beats; fi
if [ -d "/vagrant" ] && [ ! -e "beats" ]; then ln -s /vagrant beats; fi
SCRIPT
# Linux GVM
$linuxGvmProvision = <<SCRIPT
mkdir -p ~/bin
curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.0.1/gvm-linux-amd64
chmod +x ~/bin/gvm
echo 'export PATH=~/bin:$PATH' >> ~/.bash_profile
echo 'eval "$(gvm 1.9.2)"' >> ~/.bash_profile
if [ ! -e "~/bin/gvm" ]; then
curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.0.5/gvm-linux-amd64
chmod +x ~/bin/gvm
echo 'export GOPATH=$HOME/go' >> ~/.bash_profile
echo 'export PATH=$HOME/bin:$GOPATH/bin:$PATH' >> ~/.bash_profile
echo 'eval "$(gvm 1.9.2)"' >> ~/.bash_profile
fi
SCRIPT
Vagrant.configure(2) do |config|
@ -119,16 +122,25 @@ Vagrant.configure(2) do |config|
openbsd.vm.provision "shell", inline: $unixProvision, privileged: false
end
# CentOS 7
config.vm.define "centos7", primary: true do |centos7|
#centos7.vm.box = "http://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1706_02.VirtualBox.box"
centos7.vm.box = "ubuntu/precise64"
centos7.vm.network :forwarded_port, guest: 22, host: 2226, id: "ssh", auto_correct: true
config.vm.define "precise64", primary: true do |c|
c.vm.box = "ubuntu/precise64"
c.vm.network :forwarded_port, guest: 22, host: 2226, id: "ssh", auto_correct: true
centos7.vm.provision "shell", inline: $unixProvision, privileged: false
centos7.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
centos7.vm.synced_folder ".", "/vagrant", type: "virtualbox"
c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
end
config.vm.define "fedora26", primary: true do |c|
c.vm.box = "bento/fedora-26"
c.vm.network :forwarded_port, guest: 22, host: 2227, id: "ssh", auto_correct: true
c.vm.provision "shell", inline: $unixProvision, privileged: false
c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
c.vm.provision "shell", inline: "dnf install -y make gcc python-pip python-virtualenv git"
c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
end
end
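Review bot: The guard `if [ ! -e "~/bin/gvm" ]; then` in `$linuxGvmProvision` never behaves as intended, because a tilde inside double quotes is not expanded, so the test looks for a literal path named `~/bin/gvm`, re-downloads gvm and re-appends the three `export`/`eval` lines to `~/.bash_profile` on every provision; use `if [ ! -e "$HOME/bin/gvm" ]; then`. The download itself (`curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.0.5/gvm-linux-amd64` followed by `chmod +x`) fetches a binary over the network and executes it with no integrity check; pinning the release's published SHA-256 and verifying it with `sha256sum -c` before the `chmod +x` would close that gap. Separately, the box behind the renamed `precise64` definition is Ubuntu 12.04, which appears to be past its end of support, so a comment stating that this VM is only a cross-compile/test target would set expectations.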

@ -3,6 +3,8 @@ BEAT_TITLE=Auditbeat
BEAT_DESCRIPTION=Audit the activities of users and processes on your system.
SYSTEM_TESTS=false
TEST_ENVIRONMENT=false
GOX_OS?=linux windows ## @Building List of all OS to be supported by "make crosscompile".
DEV_OS?=linux
# Path to the libbeat Makefile
-include ../libbeat/scripts/Makefile
@ -16,7 +18,7 @@ before-build:
${ES_BEATS}/libbeat/_meta/config.yml > \
${PREFIX}/${BEAT_NAME}-win.yml
@cat ${ES_BEATS}/auditbeat/_meta/common.reference.yml \
<(go run scripts/generate_config.go -os windows -concat) \
<(go run scripts/generate_config.go -os windows -concat -ref) \
${ES_BEATS}/libbeat/_meta/config.reference.yml > \
${PREFIX}/${BEAT_NAME}-win.reference.yml
@ -26,7 +28,7 @@ before-build:
${ES_BEATS}/libbeat/_meta/config.yml > \
${PREFIX}/${BEAT_NAME}-darwin.yml
@cat ${ES_BEATS}/auditbeat/_meta/common.reference.yml \
<(go run scripts/generate_config.go -os darwin -concat) \
<(go run scripts/generate_config.go -os darwin -concat -ref) \
${ES_BEATS}/libbeat/_meta/config.reference.yml > \
${PREFIX}/${BEAT_NAME}-darwin.reference.yml
@ -36,7 +38,7 @@ before-build:
${ES_BEATS}/libbeat/_meta/config.yml > \
${PREFIX}/${BEAT_NAME}-linux.yml
@cat ${ES_BEATS}/auditbeat/_meta/common.reference.yml \
<(go run scripts/generate_config.go -os linux -concat) \
<(go run scripts/generate_config.go -os linux -concat -ref) \
${ES_BEATS}/libbeat/_meta/config.reference.yml > \
${PREFIX}/${BEAT_NAME}-linux.reference.yml
@ -48,17 +50,17 @@ collect: fields collect-docs configs kibana
.PHONY: fields
fields: python-env
@mkdir -p _meta
@cp ${ES_BEATS}/metricbeat/_meta/fields.common.yml _meta/fields.generated.yml
@cp _meta/fields.common.yml _meta/fields.generated.yml
@${PYTHON_ENV}/bin/python ${ES_BEATS}/metricbeat/scripts/fields_collector.py >> _meta/fields.generated.yml
# Collects all module configs
.PHONY: configs
configs: python-env
@cat ${ES_BEATS}/auditbeat/_meta/common.p1.yml \
<(go run scripts/generate_config.go -os linux -concat) \
<(go run scripts/generate_config.go -os ${DEV_OS} -concat) \
${ES_BEATS}/auditbeat/_meta/common.p2.yml > _meta/beat.yml
@cat ${ES_BEATS}/auditbeat/_meta/common.reference.yml \
<(go run scripts/generate_config.go -os linux -ref -concat) > _meta/beat.reference.yml
<(go run scripts/generate_config.go -os ${DEV_OS} -ref -concat) > _meta/beat.reference.yml
# Collects all module docs
.PHONY: collect-docs
@ -71,7 +73,7 @@ collect-docs: python-env
# Collects all module dashboards
.PHONY: kibana
kibana:
@-rm -rf _meta/kibana/dashboard _meta/kibana/search _meta/kibana/visualization # Skip index-pattern
@-rm -rf _meta/kibana
@mkdir -p _meta/kibana
@-cp -pr module/*/_meta/kibana _meta/
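Review bot: The rewritten `kibana` target now runs `@-rm -rf _meta/kibana` over the whole tree, whereas the line it replaces deliberately left `_meta/kibana/index-pattern` alone (its comment read "Skip index-pattern"); unless the index pattern is regenerated by another target in 6.2, a `make collect` will silently drop it, so either restore the narrower `rm` or add a comment stating where the index pattern now comes from. The leading `-` on `@-cp -pr module/*/_meta/kibana _meta/` also hides a failed copy, which can leave a half-populated `_meta/kibana` without failing the build; if every module is expected to ship a `_meta/kibana` directory, dropping that `-` would surface the problem.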

@ -3,34 +3,121 @@
description: >
Contains common fields available in all event types.
fields:
- name: event.module
description: >
The name of the module that generated the event.
- name: metricset.module
description: >
The name of the module that generated the event.
- name: event.action
type: keyword
example: logged-in
description: >
Action describes the change that triggered the event.
- name: metricset.name
description: >
The name of the metricset that generated the event.
For the file integrity module the possible values are:
attributes_modified, created, deleted, updated, moved, and config_change.
- name: metricset.host
description: >
Hostname of the machine from which the metricset was collected. This
field may not be present when the data was collected locally.
- name: file
type: group
description: File attributes.
fields:
- name: path
type: text
description: The path to the file.
multi_fields:
- name: raw
type: keyword
description: >
The path to the file. This is a non-analyzed field that is useful
for aggregations.
- name: metricset.rtt
type: long
required: true
description: >
Event round trip time in microseconds.
- name: metricset.namespace
- name: target_path
type: keyword
description: >
Namespace of dynamic metricsets.
description: The target path for symlinks.
- name: type
required: true
example: metricsets
description: >
The document type. Always set to "metricsets".
type: keyword
description: The file type (file, dir, or symlink).
- name: device
type: keyword
description: The device.
- name: inode
type: keyword
description: The inode representing the file in the filesystem.
- name: uid
type: keyword
description: >
The user ID (UID) or security identifier (SID) of the file owner.
- name: owner
type: keyword
description: The file owner's username.
- name: gid
type: keyword
description: The primary group ID (GID) of the file.
- name: group
type: keyword
description: The primary group name of the file.
- name: mode
type: keyword
example: 0640
description: The mode of the file in octal representation.
- name: setuid
type: boolean
example: true
description: Set if the file has the `setuid` bit set. Omitted otherwise.
- name: setgid
type: boolean
example: true
description: Set if the file has the `setgid` bit set. Omitted otherwise.
- name: size
type: long
description: The file size in bytes (field is only added when `type` is `file`).
- name: mtime
type: date
description: The last modified time of the file (time when content was modified).
- name: ctime
type: date
description: The last change time of the file (time when metadata was changed).
- name: origin
type: text
description: >
An array of strings describing a possible external origin for
this file. For example, the URL it was downloaded from. Only
supported in macOS, via the kMDItemWhereFroms attribute.
Omitted if origin information is not available.
multi_fields:
- name: raw
type: keyword
description: >
This is a non-analyzed field that is useful for aggregations on the
origin data.
- name: selinux
type: group
description: The SELinux identity of the file.
fields:
- name: user
type: keyword
description: The owner of the object.
- name: role
type: keyword
description: The object's SELinux role.
- name: domain
type: keyword
description: The object's SELinux domain or type.
- name: level
type: keyword
example: s0
description: The object's SELinux level.
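Review bot: `example: 0640` under `file.mode` is an unquoted YAML scalar, and a YAML 1.1 loader such as PyYAML reads a leading-zero number as octal, so the example is likely to surface as `416` in the generated docs rather than the string `0640` that the `keyword` type and the description ("octal representation") imply; quote it as `example: "0640"`. The `setuid`/`setgid` descriptions helpfully state "Omitted otherwise", but `origin` only says it is omitted when unavailable and `target_path`/`size` leave presence implicit; a consistent "omitted unless ..." phrasing on those fields would keep dashboard authors from treating a missing value as `false` or empty.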

@ -29,17 +29,16 @@ auditbeat.max_start_delay: 10s
#========================== Modules configuration =============================
auditbeat.modules:
# The kernel metricset collects events from the audit framework in the Linux
# The auditd module collects events from the audit framework in the Linux
# kernel. You need to specify audit rules for the events that you want to audit.
- module: audit
metricsets: [kernel]
kernel.resolve_ids: true
kernel.failure_mode: silent
kernel.backlog_limit: 8196
kernel.rate_limit: 0
kernel.include_raw_message: false
kernel.include_warnings: false
kernel.audit_rules: |
- module: auditd
resolve_ids: true
failure_mode: silent
backlog_limit: 8196
rate_limit: 0
include_raw_message: false
include_warnings: false
audit_rules: |
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
@ -53,8 +52,8 @@ auditbeat.modules:
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access.
#-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
## External access (warning: these can be expensive to audit).
#-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
@ -65,32 +64,44 @@ auditbeat.modules:
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
# The file integrity metricset sends events when files are changed (created,
# The file integrity module sends events when files are changed (created,
# updated, deleted). The events contain file metadata and hashes.
- module: audit
metricsets: [file]
file.paths:
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
# List of regular expressions to filter out notifications for unwanted files.
# Wrap in single quotes to workaround YAML escaping rules. By default no files
# are ignored.
exclude_files:
- '(?i)\.sw[nop]$'
- '~$'
- '/\.git($|/)'
# Scan over the configured file paths at startup and send events for new or
# modified files since the last time Auditbeat was running.
file.scan_at_start: true
scan_at_start: true
# Average scan rate. This throttles the amount of CPU and I/O that Auditbeat
# consumes at startup while scanning. Default is "50 MiB".
file.scan_rate_per_sec: 50 MiB
scan_rate_per_sec: 50 MiB
# Limit on the size of files that will be hashed. Default is "100 MiB".
file.max_file_size: 100 MiB
# Limit on the size of files that will be hashed. Default is "100 MiB".
max_file_size: 100 MiB
# Hash types to compute when the file changes. Supported types are md5, sha1,
# sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256,
# sha3_384 and sha3_512. Default is sha1.
file.hash_types: [sha1]
# Hash types to compute when the file changes. Supported types are
# blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384,
# sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384 and sha3_512.
# Default is sha1.
hash_types: [sha1]
# Detect changes to files included in subdirectories. Disabled by default.
recursive: false
#================================ General ======================================
@ -191,6 +202,10 @@ auditbeat.modules:
#- add_docker_metadata:
# host: "unix:///var/run/docker.sock"
# match_fields: ["system.process.cgroup.id"]
# match_pids: ["process.pid", "process.ppid"]
# match_source: true
# match_source_index: 4
# cleanup_timeout: 60
# # To connect to Docker over TLS you must specify a client and CA certificate.
# #ssl:
# # certificate_authority: "/etc/pki/root/ca.pem"
@ -278,7 +293,7 @@ output.elasticsearch:
# Configure http request timeout before failing an request to Elasticsearch.
#timeout: 90
# Use SSL settings for HTTPS. Default is true.
# Use SSL settings for HTTPS.
#ssl.enabled: true
# Configure SSL verification mode. If `none` is configured, all server hosts
@ -341,7 +356,7 @@ output.elasticsearch:
# Number of batches to be sent asynchronously to logstash while processing
# new batches.
#pipelining: 5
#pipelining: 2
# If enabled only a subset of events in a batch of events is transferred per
# transaction. The number of events to be sent increases up to `bulk_max_size`
@ -821,12 +836,11 @@ setup.kibana:
#================================ Logging ======================================
# There are three options for the log output: syslog, file, stderr.
# Under Windows systems, the log files are per default sent to the file output,
# under all other system per default to syslog.
# There are four options for the log output: file, stderr, syslog, eventlog
# The file output is the default.
# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
# Available log levels are: error, warning, info, debug
#logging.level: info
# Enable debug output for selected components. To enable all selectors use ["*"]
@ -835,7 +849,10 @@ setup.kibana:
#logging.selectors: [ ]
# Send all logging output to syslog. The default is false.
#logging.to_syslog: true
#logging.to_syslog: false
# Send all logging output to Windows Event Logs. The default is false.
#logging.to_eventlog: false
# If enabled, auditbeat periodically logs its internal metrics that have changed
# in the last period. For each metric that changed, the delta from the value at
@ -870,3 +887,108 @@ logging.files:
# Set to true to log messages in json format.
#logging.json: false
#============================== Xpack Monitoring =====================================
# auditbeat can export internal metrics to a central Elasticsearch monitoring cluster.
# This requires xpack monitoring to be enabled in Elasticsearch.
# The reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line, and leave the rest commented out.
#xpack.monitoring.elasticsearch:
# Array of hosts to connect to.
# Scheme and port can be left out and will be set to the default (http and 9200)
# In case you specify and additional path, the scheme is required: http://localhost:9200/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
#hosts: ["localhost:9200"]
# Set gzip compression level.
#compression_level: 0
# Optional protocol and basic auth credentials.
#protocol: "https"
#username: "beats_system"
#password: "changeme"
# Dictionary of HTTP parameters to pass within the url with index operations.
#parameters:
#param1: value1
#param2: value2
# Custom HTTP headers to add to each request
#headers:
# X-My-Header: Contents of the header
# Proxy server url
#proxy_url: http://proxy:3128
# The number of times a particular Elasticsearch index operation is attempted. If
# the indexing operation doesn't succeed after this many retries, the events are
# dropped. The default is 3.
#max_retries: 3
# The maximum number of events to bulk in a single Elasticsearch bulk API index request.
# The default is 50.
#bulk_max_size: 50
# Configure http request timeout before failing an request to Elasticsearch.
#timeout: 90
# Use SSL settings for HTTPS.
#ssl.enabled: true
# Configure SSL verification mode. If `none` is configured, all server hosts
# and certificates will be accepted. In this mode, SSL based connections are
# susceptible to man-in-the-middle attacks. Use only for testing. Default is
# `full`.
#ssl.verification_mode: full
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to
# 1.2 are enabled.
#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
# SSL configuration. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
# Optional passphrase for decrypting the Certificate Key.
#ssl.key_passphrase: ''
# Configure cipher suites to be used for SSL connections
#ssl.cipher_suites: []
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []
# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never
#================================ HTTP Endpoint ======================================
# Each beat can expose internal metrics through a HTTP endpoint. For security
# reasons the endpoint is disabled by default. This feature is currently experimental.
# Stats can be access through http://localhost:5066/stats . For pretty JSON output
# append ?pretty to the URL.
# Defines if the HTTP endpoint is enabled.
#http.enabled: false
# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost.
#http.host: localhost
# Port on which the HTTP endpoint will bind. Default is 5066.
#http.port: 5066
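Review bot: The `file_integrity` example keeps `hash_types: [sha1]` and the accompanying comment confirms "Default is sha1"; for a file-integrity monitor the hash is the evidence of tampering, and SHA-1 is no longer collision-resistant, so the shipped example should prefer one of the stronger options it already lists, e.g. `hash_types: [sha256]`, with a one-line comment on why. In the new X-Pack monitoring section the commented default `#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]` mirrors the Elasticsearch output and advertises TLS 1.0/1.1 as enabled; a caveat that deployments should narrow this to `[TLSv1.2]` where the cluster supports it would help. The `#password: "changeme"` placeholder for `beats_system` is fine as an example but deserves a reminder next to it that real credentials belong in the keystore or environment rather than this file.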

@ -10,9 +10,8 @@
#========================== Modules configuration =============================
auditbeat.modules:
- module: audit
metricsets: [kernel]
kernel.audit_rules: |
- module: auditd
audit_rules: |
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
@ -26,8 +25,8 @@ auditbeat.modules:
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access.
#-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
## External access (warning: these can be expensive to audit).
#-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
@ -38,15 +37,14 @@ auditbeat.modules:
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: audit
metricsets: [file]
file.paths:
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
#==================== Elasticsearch template setting ==========================
@ -140,10 +138,25 @@ output.elasticsearch:
#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
# Available log levels are: error, warning, info, debug
#logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
#============================== Xpack Monitoring ===============================
# auditbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#xpack.monitoring.elasticsearch:
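Review bot: The new `file_integrity` block lists only `paths`, so it silently inherits the module's SHA-1 default for hashing (the reference config in this same commit documents "Default is sha1"); since this starter file is what most deployments keep, adding `hash_types: [sha256]` under `paths` gives collision-resistant integrity hashes without relying on users to read the reference file. The example `auditd` rules are pre-existing text and use `arch=b64` only; a short comment noting that matching `arch=b32` rules are needed to cover 32-bit ABI syscalls would prevent a common blind spot in the audit coverage.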

@ -5,7 +5,9 @@ import (
"github.com/elastic/beats/metricbeat/beater"
"github.com/elastic/beats/auditbeat/core"
cmd "github.com/elastic/beats/libbeat/cmd"
"github.com/elastic/beats/metricbeat/mb/module"
)
// Name of the beat (auditbeat).
@ -15,6 +17,11 @@ const Name = "auditbeat"
var RootCmd *cmd.BeatsRootCmd
func init() {
create := beater.Creator(
beater.WithModuleOptions(
module.WithEventModifier(core.AddDatasetToEvent),
),
)
var runFlags = pflag.NewFlagSet(Name, pflag.ExitOnError)
RootCmd = cmd.GenRootCmdWithRunFlags(Name, "", beater.New, runFlags)
RootCmd = cmd.GenRootCmdWithRunFlags(Name, "", create, runFlags)
}
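Review bot: The `create := beater.Creator(beater.WithModuleOptions(module.WithEventModifier(core.AddDatasetToEvent)))` wiring inside `init()` carries no comment explaining why Auditbeat installs an event modifier here, yet `core.AddDatasetToEvent` is what sets `event.module` on every event, which the 6.2 breaking-changes table in this commit relies on (`metricset.module` → `event.module`); a line such as `// Stamp event.module on every event (replaces metricset.module in 6.2).` above `create` would make that dependency visible. The visible import lines are also not in `goimports` order (`auditbeat/core` sits between `metricbeat/beater` and `libbeat/cmd`); the full import block starts outside the hunk, so this may just be the rendered view, but it is worth a `goimports` pass.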

@ -0,0 +1,16 @@
package core
import (
"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/metricbeat/mb"
)
// AddDatasetToEvent adds dataset information to the event. In particular this
// adds the module name under dataset.module.
func AddDatasetToEvent(module, metricSet string, event *mb.Event) {
if event.RootFields == nil {
event.RootFields = common.MapStr{}
}
event.RootFields.Put("event.module", module)
}
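Review bot: The doc comment on `AddDatasetToEvent` says the module name is added "under dataset.module", but the body writes `event.RootFields.Put("event.module", module)`, so the comment documents a key that does not exist; change it to `// AddDatasetToEvent sets event.module on the event to the module name.` The `metricSet` parameter is accepted only to satisfy the `module.WithEventModifier` signature and is never used, which deserves a `_` rename or a comment saying so, and if `MapStr.Put` returns an error as it does in libbeat, the discarded result should at least be acknowledged with `_, _ = event.RootFields.Put(...)` or a comment stating why it cannot fail for a fresh key. A nil `event` would also panic on the `event.RootFields == nil` check; whether callers can pass nil is not visible from this file.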

@ -1,26 +1,24 @@
[id="configuration-{beatname_lc}"]
== Specify which modules to run
To enable specific modules and metricsets, you add entries to the
`auditbeat.modules` list in the +{beatname_lc}.yml+ config file. Each entry in
the list begins with a dash (-) and is followed by settings for that module.
To enable specific modules you add entries to the `auditbeat.modules` list in
the +{beatname_lc}.yml+ config file. Each entry in the list begins with a dash
(-) and is followed by settings for that module.
The following example shows a configuration that runs the `audit` module with
the `kernel` and `file` metricsets enabled:
The following example shows a configuration that runs the `auditd` and
`file_integrity` moduled.
[source,yaml]
----
auditbeat.modules:
- module: audit
metricsets: [kernel]
kernel.audit_rules: |
- module: auditd
audit_rules: |
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: audit
metricsets: [file]
file.paths:
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
@ -29,5 +27,5 @@ auditbeat.modules:
----
The configuration details vary by module. See the
<<{beatname_lc}-modules,module documentation>> for more detail about
configuring the available modules and metricsets.
<<{beatname_lc}-modules,module documentation>> for more detail about configuring
the available modules.

@ -0,0 +1,126 @@
[[auditbeat-breaking-changes]]
== Breaking changes in 6.2
As a general rule, we strive to keep backwards compatibility between minor
versions (e.g. 6.x to 6.y) so you can upgrade without any configuration file
changes, but there are breaking changes between the earlier beta releases and
the 6.2 GA release.
There are changes that affect both the configuration and the event schema.
[float]
=== Configuration Changes
The audit module has been renamed and is now two separate modules: the
<<auditbeat-module-auditd,auditd module>> and the
<<auditbeat-module-file_integrity,file_integrity module>>. You must update your
configuration to use these modules.
The `kernel` metricset has become the <<auditbeat-module-auditd,auditd module>>.
.Old Config
[source,yaml]
----
- module: audit
metricsets: ["kernel"]
kernel.resolve_ids: true
kernel.failure_mode: silent
kernel.backlog_limit: 8196
kernel.rate_limit: 0
kernel.include_raw_message: false
kernel.include_warnings: false
kernel.audit_rules: |
# Rules
----
.New Config
[source,yaml]
----
- module: auditd
resolve_ids: true
failure_mode: silent
backlog_limit: 8196
rate_limit: 0
include_raw_message: false
include_warnings: false
audit_rules: |
# Rules
----
The `file` metricset has become the
<<auditbeat-module-file_integrity,file_integrity module>>.
.Old Config
[source,yaml]
----
- module: audit
metricsets: [file]
file.paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
file.scan_at_start: true
file.scan_rate_per_sec: 50 MiB
file.max_file_size: 100 MiB
file.hash_types: [sha1]
----
.New Config
[source,yaml]
----
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
scan_at_start: true
scan_rate_per_sec: 50 MiB
max_file_size: 100 MiB
hash_types: [sha1]
recursive: false <1>
----
<1> `recursive` is a new option in 6.2 and is disabled by default. Set the value
to true to watch for changes in all sub-directories.
[float]
=== Event Schema Changes
Most field names were changed in 6.2. We wanted to rename the modules and use
common field names for similar data types across all the modules. The table
below provides a summary of the field changes.
In Kibana you need to <<load-kibana-dashboards,import>> the latest dashboards
that work with the new event format. The new dashboards will not work with data
produced by older versions of Auditbeat.
.Renamed Fields
[frame="topbot",options="header"]
|======================
|Old Field|New Field
|`metricset.module` |`event.module`
|`metricset.name` |_Removed_
|`audit.kernel.action` |`event.action`
|`audit.kernel.category` |`event.category`
|`audit.kernel.record_type`|`event.type`
|`audit.kernel.key` |`tags`
|`audit.kernel.actor.attrs`|`user`
|`audit.kernel.actor` |`auditd.summary.actor`
|`audit.kernel.thing` |`auditd.summary.object`
|`audit.kernel.how` |`auditd.summary.how`
|`audit.kernel.socket` |`auditd.data.socket`, `source`, `destination`
footnote:[Based on the syscall type either the `source` or `destination` may
also be populated.]
|`audit.kernel.data.*` |`process.*` footnote:[Fields related to a process
will be moved under the `process` namespace.]
|`audit.kernel.data.*` |`file.*` footnote:[Fields related to a file will be
moved under the `file` namespace.]
|`audit.kernel.data` |`auditd.data`
|`audit.file.action` |`event.action`
|`audit.file.hash` |`hash`
|`audit.file` |`file`
|======================

@ -34,6 +34,7 @@ The following topics describe how to configure {beatname_uc}:
* <<configuration-logging>>
* <<using-environ-vars>>
* <<yaml-tips>>
* <<regexp-support>>
* <<{beatname_lc}-reference-yml>>
After changing configuration settings, you need to restart {beatname_uc} to
@ -73,5 +74,7 @@ include::../../libbeat/docs/shared-env-vars.asciidoc[]
:allplatforms:
include::../../libbeat/docs/yaml.asciidoc[]
include::../../libbeat/docs/regexp.asciidoc[]
include::../../libbeat/docs/reference-yml.asciidoc[]
@ -158,16 +158,15 @@ To configure {beatname_uc}:
modules to collect the audit information. For each module, specify the
metricsets that you want to collect.
+
The following example shows the `file` metricset configured to generate
The following example shows the `file_integrity` module configured to generate
events whenever a file in one of the specified paths changes on disk:
+
["source","sh",subs="attributes"]
-------------------------------------
auditbeat.modules:
- module: audit
metricsets: [file]
file.paths:
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
@ -2,22 +2,14 @@
include::../../libbeat/docs/version.asciidoc[]
include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
include::{asciidoc-dir}/../../shared/attributes62.asciidoc[]
:libbeat: http://www.elastic.co/guide/en/beats/libbeat/{doc-branch}
:kibana-ref: https://www.elastic.co/guide/en/kibana/{doc-branch}
:beatsdevguide: http://www.elastic.co/guide/en/beats/devguide/{doc-branch}
:filebeat: http://www.elastic.co/guide/en/beats/filebeat/{doc-branch}
:logstashdoc: https://www.elastic.co/guide/en/logstash/{doc-branch}
:elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/{doc-branch}
:securitydoc: https://www.elastic.co/guide/en/x-pack/{doc-branch}
:monitoringdoc: https://www.elastic.co/guide/en/x-pack/{doc-branch}
:version: {stack-version}
:beatname_lc: auditbeat
:beatname_uc: Auditbeat
:beatname_pkg: {beatname_lc}
:security: X-Pack Security
:dockerimage: docker.elastic.co/beats/{beatname_lc}:{version}
include::../../libbeat/docs/shared-beats-attributes.asciidoc[]
include::./overview.asciidoc[]
@ -27,6 +19,8 @@ include::./getting-started.asciidoc[]
include::../../libbeat/docs/repositories.asciidoc[]
include::./breaking.asciidoc[]
include::./setting-up-running.asciidoc[]
include::./configuring-howto.asciidoc[]
@ -35,8 +29,12 @@ include::./modules.asciidoc[]
include::./fields.asciidoc[]
include::../../libbeat/docs/monitoring/monitoring-beats.asciidoc[]
include::./securing-auditbeat.asciidoc[]
include::../../libbeat/docs/security/securing-beats.asciidoc[]
include::./troubleshooting.asciidoc[]
include::./faq.asciidoc[]
@ -4,8 +4,8 @@
[partintro]
--
This section contains detailed information about the metric collecting modules
contained in {beatname_uc}. Each module contains one or multiple metricsets. More details
about each module can be found under the links below.
contained in {beatname_uc}. More details about each module can be found under
the links below.
//pass macro block used here to remove Edit links from modules documentation because it is generated
pass::[<?edit_url?>]
@ -1,75 +0,0 @@
////
This file is generated! See scripts/docs_collector.py
////
[id="{beatname_lc}-module-audit"]
== Audit Module
The `audit` module reports security-relevant information based on data captured
from the operating system (OS) or services running on the OS. Although this
feature doesnt provide additional security to your system, it does make it
easier for you to discover and track security policy violations.
[float]
=== Example configuration
The Audit module supports the common configuration options that are
described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
is an example configuration:
[source,yaml]
----
auditbeat.modules:
- module: audit
metricsets: [kernel]
kernel.audit_rules: |
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access.
#-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: audit
metricsets: [file]
file.paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
----
[float]
=== Metricsets
The following metricsets are available:
* <<{beatname_lc}-metricset-audit-file,file>>
* <<{beatname_lc}-metricset-audit-kernel,kernel>>
include::audit/file.asciidoc[]
include::audit/kernel.asciidoc[]
@ -1,19 +0,0 @@
////
This file is generated! See scripts/docs_collector.py
////
[id="{beatname_lc}-metricset-audit-file"]
include::../../../module/audit/file/_meta/docs.asciidoc[]
==== Fields
For a description of each field in the metricset, see the
<<exported-fields-audit,exported fields>> section.
Here is an example document generated by this metricset:
[source,json]
----
include::../../../module/audit/file/_meta/data.json[]
----
@ -1,19 +0,0 @@
////
This file is generated! See scripts/docs_collector.py
////
[id="{beatname_lc}-metricset-audit-kernel"]
include::../../../module/audit/kernel/_meta/docs.asciidoc[]
==== Fields
For a description of each field in the metricset, see the
<<exported-fields-audit,exported fields>> section.
Here is an example document generated by this metricset:
[source,json]
----
include::../../../module/audit/kernel/_meta/data.json[]
----
@ -0,0 +1,222 @@
////
This file is generated! See scripts/docs_collector.py
////
[id="{beatname_lc}-module-auditd"]
== Auditd Module
The `auditd` module receives audit events from the Linux Audit Framework that
is a part of the Linux kernel.
This module is available only for Linux.
[float]
=== How it works
This module establishes a subscription to the kernel to receive the events
as they occur. So unlike most other modules, the `period` configuration
option is unused because it is not implemented using polling.
The Linux Audit Framework can send multiple messages for a single auditable
event. For example, a `rename` syscall causes the kernel to send eight separate
messages. Each message describes a different aspect of the activity that is
occurring (the syscall itself, file paths, current working directory, process
title). This module will combine all of the data from each of the messages
into a single event.
Messages for one event can be interleaved with messages from another event. This
module will buffer the messages in order to combine related messages into a
single event even if they arrive interleaved or out of order.
[float]
=== Useful commands
When running {beatname_uc} with the `auditd` module enabled, you might find
that other monitoring tools interfere with {beatname_uc}.
For example, you might encounter errors if another process, such as `auditd`, is
registered to receive data from the Linux Audit Framework. You can use these
commands to see if the `auditd` service is running and stop it:
* See if `auditd` is running:
+
[source,shell]
-----
service auditd status
-----
* Stop the `auditd` service:
+
[source,shell]
-----
service auditd stop
-----
* Disable `auditd` from starting on boot:
+
[source,shell]
-----
chkconfig auditd off
-----
To save CPU usage and disk space, you can use this command to stop `journald`
from listening to audit messages:
[source,shell]
-----
systemctl mask systemd-journald-audit.socket
-----
[float]
=== Configuration options
This module has some configuration options for tuning its behavior. The
following example shows all configuration options with their default values.
[source,yaml]
----
- module: auditd
resolve_ids: true
failure_mode: silent
backlog_limit: 8196
rate_limit: 0
include_raw_message: false
include_warnings: false
----
*`socket_type`*:: This optional setting controls the type of
socket that {beatname_uc} uses to receive events from the kernel. The two
options are `unicast` and `multicast`.
+
`unicast` should be used when {beatname_uc} is the primary userspace daemon for
receiving audit events and managing the rules. Only a single process can receive
audit events through the "unicast" connection so any other daemons should be
stopped (e.g. stop `auditd`).
+
`multicast` can be used in kernel versions 3.16 and newer. By using `multicast`
{beatname_uc} will receive an audit event broadcast that is not exclusive to a
a single process. This is ideal for situations where `auditd` is running and
managing the rules. If `multicast` is specified, but the kernel version is less
than 3.16 {beatname_uc} will automatically revert to `unicast`.
+
By default {beatname_uc} will use `multicast` if the kernel version is 3.16 or
newer and no rules have been defined. Otherwise `unicast` will be used.
*`resolve_ids`*:: This boolean setting enables the resolution of UIDs and
GIDs to their associated names. The default value is true.
*`failure_mode`*:: This determines the kernel's behavior on critical
failures such as errors sending events to {beatname_uc}, the backlog limit was
exceeded, the kernel ran out of memory, or the rate limit was exceeded. The
options are `silent`, `log`, or `panic`. `silent` basically makes the kernel
ignore the errors, `log` makes the kernel write the audit messages using
`printk` so they show up in system's syslog, and `panic` causes the kernel to
panic to prevent use of the machine. {beatname_uc}'s default is `silent`.
*`backlog_limit`*:: This controls the maximum number of audit messages
that will be buffered by the kernel.
*`rate_limit`*:: This sets a rate limit on the number of messages/sec
delivered by the kernel. The default is 0, which disables rate limiting.
Changing this value to anything other than zero can cause messages to be lost.
The preferred approach to reduce the messaging rate is be more selective in the
audit ruleset.
*`include_raw_message`*:: This boolean setting causes {beatname_uc} to
include each of the raw messages that contributed to the event in the document
as a field called `messages`. The default value is false. This setting is
primarily used for development and debugging purposes.
*`include_warnings`*:: This boolean setting causes {beatname_uc} to
include as warnings any issues that were encountered while parsing the raw
messages. The default value is false. When this setting is enabled the raw
messages will be included in the event regardless of the
`include_raw_message` config setting. This setting is primarily used for
development and debugging purposes.
*`audit_rules`*:: A string containing the audit rules that should be
installed to the kernel. There should be one rule per line. Comments can be
embedded in the string using `#` as a prefix. The format for rules is the same
used by the Linux `auditctl` utility. {beatname_uc} supports adding file watches
(`-w`) and syscall rules (`-a` or `-A`).
[float]
=== Audit rules
The audit rules are where you configure the activities that are audited. These
rules are configured as either syscalls or files that should be monitored. For
example you can track all `connect` syscalls or file system writes to
`/etc/passwd`.
Auditing a large number of syscalls can place a heavy load on the system so
consider carefully the rules you define and try to apply filters in the rules
themselves to be as selective as possible.
The kernel evaluates the rules in the order in which they were defined so place
the most active rules first in order to speed up evaluation.
You can assign keys to each rule for better identification of the rule that
triggered an event and easier filtering later in Elasticsearch.
Defining any audit rules in the config causes {beatname_uc} to purge all
existing audit rules prior to adding the rules specified in the config.
Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule.
["source","sh",subs="attributes"]
----
{beatname_lc}.modules:
- module: auditd
audit_rules: |
# Things that affect identity.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
# Unauthorized access attempts to files (unsuccessful).
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
----
[float]
=== Example configuration
The Auditd module supports the common configuration options that are
described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
is an example configuration:
[source,yaml]
----
auditbeat.modules:
- module: auditd
audit_rules: |
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access (warning: these can be expensive to audit).
#-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
----
@ -0,0 +1,132 @@
////
This file is generated! See scripts/docs_collector.py
////
[id="{beatname_lc}-module-file_integrity"]
== File Integrity Module
The `file_integrity` module sends events when a file is changed (created,
updated, or deleted) on disk. The events contain file metadata and hashes.
The module is implemented for Linux, macOS (Darwin), and Windows.
[float]
=== How it works
This module uses features of the operating system to monitor file changes in
realtime. When the module starts it creates a subscription with the OS to
receive notifications of changes to the specified files or directories. Upon
receiving notification of a change the module will read the file's metadata
and the compute a hash of the file's contents.
At startup this module will perform an initial scan of the configured files
and directories to generate baseline data for the monitored paths and detect
changes since the last time it was run. It uses locally persisted data in order
to only send events for new or modified files.
The operating system features that power this feature are as follows.
* Linux - `inotify` is used, and therefore the kernel must have inotify support.
Inotify was initially merged into the 2.6.13 Linux kernel.
* macOS (Darwin) - Uses the `FSEvents` API, present since macOS 10.5. This API
coalesces multiple changes to a file into a single event. {beatname_uc} translates
this coalesced changes into a meaningful sequence of actions. However,
in rare situations the reported events may have a different ordering than what
actually happened.
* Windows - `ReadDirectoryChangesW` is used.
The file integrity module should not be used to monitor paths on network file
systems.
[float]
=== Configuration options
This module has some configuration options for tuning its behavior. The
following example shows all configuration options with their default values for
Linux.
[source,yaml]
----
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
exclude_files:
- '(?i)\.sw[nop]$'
- '~$'
- '/\.git($|/)'
scan_at_start: true
scan_rate_per_sec: 50 MiB
max_file_size: 100 MiB
hash_types: [sha1]
recursive: false
----
*`paths`*:: A list of paths (directories or files) to watch. Globs are
not supported. The specified paths should exist when the metricset is started.
*`exclude_files`*:: A list of regular expressions used to filter out events
for unwanted files. The expressions are matched against the full path of every
file and directory. By default, no files are excluded. See <<regexp-support>>
for a list of supported regexp patterns. It is recommended to wrap regular
expressions in single quotation marks to avoid issues with YAML escaping
rules.
*`scan_at_start`*:: A boolean value that controls if {beatname_uc} scans
over the configured file paths at startup and send events for the files
that have been modified since the last time {beatname_uc} was running. The
default value is true.
+
This feature depends on data stored locally in `path.data` in order to determine
if a file has changed. The first time {beatname_uc} runs it will send an event
for each file it encounters.
*`scan_rate_per_sec`*:: When `scan_at_start` is enabled this sets an
average read rate defined in bytes per second for the initial scan. This
throttles the amount of CPU and I/O that {beatname_uc} consumes at startup.
The default value is "50 MiB". Setting the value to "0" disables throttling.
For convenience units can be specified as a suffix to the value. The supported
units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`, `gb`, `tib`, `tb`,
`pib`, `pb`, `eib`, and `eb`.
*`max_file_size`*:: The maximum size of a file in bytes for which
{beatname_uc} will compute hashes. Files larger than this size will not be
hashed. The default value is 100 MiB. For convenience units can be specified as
a suffix to the value. The supported units are `b` (default), `kib`, `kb`, `mib`,
`mb`, `gib`, `gb`, `tib`, `tb`, `pib`, `pb`, `eib`, and `eb`.
*`hash_types`*:: A list of hash types to compute when the file changes.
The supported hash types are `blake2b_256`, `blake2b_384`, `blake2b_512`, `md5`,
`sha1`, `sha224`, `sha256`, `sha384`, `sha512`, `sha512_224`, `sha512_256`,
`sha3_224`, `sha3_256`, `sha3_384`, and `sha3_512`. The default value is `sha1`.
*`recursive`*:: By default, the watches set to the paths specified in
`paths` are not recursive. This means that only changes to the contents
of this directories are watched. If `recursive` is set to `true`, the
`file_integrity` module will watch for changes on this directories and all
their subdirectories.
[float]
=== Example configuration
The File Integrity module supports the common configuration options that are
described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
is an example configuration:
[source,yaml]
----
auditbeat.modules:
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
----
@ -2,9 +2,11 @@
This file is generated! See scripts/docs_collector.py
////
* <<{beatname_lc}-module-audit,Audit>>
* <<{beatname_lc}-module-auditd,Auditd>>
* <<{beatname_lc}-module-file_integrity,File Integrity>>
--
include::modules/audit.asciidoc[]
include::modules/auditd.asciidoc[]
include::modules/file_integrity.asciidoc[]
@ -1,4 +0,0 @@
This functionality is experimental and may be changed or removed completely in a
future release. Elastic will take a best effort approach to fix any issues, but
experimental features are not subject to the support SLA of official GA
features.
@ -5,8 +5,8 @@ beta[]
You can configure {beatname_uc} to dynamically reload configuration files when
there are changes. To do this, you specify a path
(https://golang.org/pkg/path/filepath/#Glob[Glob]) to watch for module
configuration changes. When the files found by the Glob change, new modules are
(https://golang.org/pkg/path/filepath/#Glob[glob]) to watch for module
configuration changes. When the files found by the glob change, new modules are
started/stopped according to changes in the configuration files.
To enable dynamic config reloading, you specify the `path` and `reload` options
@ -20,7 +20,7 @@ auditbeat.config.modules:
reload.period: 10s
------------------------------------------------------------------------------
*`path`*:: A Glob that defines the files to check for changes.
*`path`*:: A glob that defines the files to check for changes.
*`reload.enabled`*:: When set to `true`, enables dynamic config reload.
@ -29,21 +29,17 @@ set the `period` to less than 1s because the modification time of files is often
stored in seconds. Setting the `period` to less than 1s will result in
unnecessary overhead.
Each file found by the Glob must contain a list of one or more module
Each file found by the glob must contain a list of one or more module
definitions. For example:
[source,yaml]
------------------------------------------------------------------------------
auditbeat.modules:
- module: audit
metricsets: [file]
file.paths:
wordpress:
- /www/wordpress
- /www/wordpress/wp-admin
- /www/wordpress/wp-content
- /www/wordpress/wp-includes
- module: file_integrity
paths:
- /www/wordpress
- /www/wordpress/wp-admin
- /www/wordpress/wp-content
- /www/wordpress/wp-includes
------------------------------------------------------------------------------
NOTE: On systems with POSIX file permissions, all Beats configuration files are
@ -25,6 +25,8 @@ This section includes additional information on how to set up and run
include::../../libbeat/docs/shared-directory-layout.asciidoc[]
include::../../libbeat/docs/keystore.asciidoc[]
include::../../libbeat/docs/command-reference.asciidoc[]
include::./running-on-docker.asciidoc[]
@ -5,9 +5,9 @@ import (
"github.com/elastic/beats/auditbeat/cmd"
_ "github.com/elastic/beats/auditbeat/module/audit"
_ "github.com/elastic/beats/auditbeat/module/audit/file"
_ "github.com/elastic/beats/auditbeat/module/audit/kernel"
// Register modules.
_ "github.com/elastic/beats/auditbeat/module/auditd"
_ "github.com/elastic/beats/auditbeat/module/file_integrity"
)
func main() {
@ -1,88 +0,0 @@
{{ if eq .goos "linux" -}}
{{ if .reference -}}
# The kernel metricset collects events from the audit framework in the Linux
# kernel. You need to specify audit rules for the events that you want to audit.
{{ end -}}
- module: audit
metricsets: [kernel]
{{ if .reference -}}
kernel.resolve_ids: true
kernel.failure_mode: silent
kernel.backlog_limit: 8196
kernel.rate_limit: 0
kernel.include_raw_message: false
kernel.include_warnings: false
{{ end -}}
kernel.audit_rules: |
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access.
#-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
{{ end -}}
{{ if .reference -}}
# The file integrity metricset sends events when files are changed (created,
# updated, deleted). The events contain file metadata and hashes.
{{ end -}}
- module: audit
metricsets: [file]
{{ if eq .goos "darwin" -}}
file.paths:
- /bin
- /usr/bin
- /usr/local/bin
- /sbin
- /usr/sbin
- /usr/local/sbin
{{ else if eq .goos "windows" -}}
file.paths:
- C:/windows
- C:/windows/system32
- C:/Program Files
- C:/Program Files (x86)
{{ else -}}
file.paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
{{ end -}}
{{ if .reference }}
# Scan over the configured file paths at startup and send events for new or
# modified files since the last time Auditbeat was running.
file.scan_at_start: true
# Average scan rate. This throttles the amount of CPU and I/O that Auditbeat
# consumes at startup while scanning. Default is "50 MiB".
file.scan_rate_per_sec: 50 MiB
# Limit on the size of files that will be hashed. Default is "100 MiB".
file.max_file_size: 100 MiB
# Hash types to compute when the file changes. Supported types are md5, sha1,
# sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256,
# sha3_384 and sha3_512. Default is sha1.
file.hash_types: [sha1]
{{- end }}
@ -1,6 +0,0 @@
== Audit Module
The `audit` module reports security-relevant information based on data captured
from the operating system (OS) or services running on the OS. Although this
feature doesnt provide additional security to your system, it does make it
easier for you to discover and track security policy violations.
@ -1,11 +0,0 @@
- key: audit
title: Audit
short_config: true
description: >
The `audit` module reports security-relevant information based on data
captured from the operating system (OS) or services running on the OS.
fields:
- name: audit
type: group
description: >
fields:
@ -1,13 +0,0 @@
{
"hits": 0,
"timeRestore": false,
"description": "",
"title": "Auditbeat - File Integrity",
"uiStateJSON": "{\"P-1\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-6\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-7\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-8\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-9\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}",
"panelsJSON": "[{\"col\":1,\"id\":\"AV0tVcg6g1PYniApZa-v\",\"panelIndex\":1,\"row\":1,\"size_x\":2,\"size_y\":6,\"type\":\"visualization\"},{\"col\":3,\"id\":\"AV0tV05vg1PYniApZbA2\",\"panelIndex\":2,\"row\":1,\"size_x\":7,\"size_y\":6,\"type\":\"visualization\"},{\"col\":10,\"id\":\"AV0tWL-Yg1PYniApZbCs\",\"panelIndex\":3,\"row\":1,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"AV0tWSdXg1PYniApZbDU\",\"panelIndex\":4,\"row\":4,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"AV0tW0djg1PYniApZbGL\",\"panelIndex\":5,\"row\":9,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"AV0tY6jwg1PYniApZbRY\",\"panelIndex\":6,\"row\":7,\"size_x\":4,\"size_y\":2,\"type\":\"visualization\"},{\"col\":5,\"id\":\"AV0tav8Ag1PYniApZbbK\",\"panelIndex\":7,\"row\":7,\"size_x\":4,\"size_y\":2,\"type\":\"visualization\"},{\"col\":9,\"id\":\"AV0tbcUdg1PYniApZbe1\",\"panelIndex\":8,\"row\":7,\"size_x\":4,\"size_y\":2,\"type\":\"visualization\"},{\"size_x\":12,\"size_y\":5,\"panelIndex\":9,\"type\":\"visualization\",\"id\":\"AV0tc_xZg1PYniApZbnL\",\"col\":1,\"row\":12},{\"size_x\":4,\"size_y\":3,\"panelIndex\":10,\"type\":\"visualization\",\"id\":\"AV0tes4Eg1PYniApZbwV\",\"col\":9,\"row\":9},{\"size_x\":4,\"size_y\":3,\"panelIndex\":11,\"type\":\"visualization\",\"id\":\"AV0te0TCg1PYniApZbw9\",\"col\":1,\"row\":9}]",
"optionsJSON": "{\"darkTheme\":false}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}],\"highlightAll\":true,\"version\":true}"
}
}
@ -1,10 +0,0 @@
{
"visState": "{\"title\":\"Auditbeat - File - Events over time\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 5 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"audit.file.action\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}}],\"listeners\":{}}",
"description": "",
"title": "Auditbeat - File - Events over time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
}
}
@ -1,10 +0,0 @@
{
"visState": "{\"title\":\"Auditbeat - File - Action Metrics\",\"type\":\"metric\",\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"24\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":true,\"extendRange\":false},\"type\":\"gauge\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Actions\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"audit.file.action\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
"description": "",
"title": "Auditbeat - File - Action Metrics",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
}
}
@ -1,10 +0,0 @@
{
"visState": "{\"title\":\"Auditbeat - File - Top updated\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.file.path\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Path\"}}],\"listeners\":{}}",
"description": "",
"title": "Auditbeat - File - Top updated",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query_string\":{\"query\":\"audit.file.action:updated OR audit.file.action:attributes_modified\",\"analyze_wildcard\":true}},\"filter\":[]}"
}
}


@ -1,10 +0,0 @@
{
"visState": "{\n \"title\": \"Auditbeat - File - Top owners\",\n \"type\": \"pie\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": true\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"audit.file.owner\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Owner\"\n }\n }\n ],\n \"listeners\": {}\n}",
"description": "",
"title": "Auditbeat - File - Top owners",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true\n }\n },\n \"filter\": []\n}"
}
}


@ -1,10 +0,0 @@
{
"visState": "{\n \"title\": \"Auditbeat - File - Top groups\",\n \"type\": \"pie\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": true\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"audit.file.group\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Group\"\n }\n }\n ],\n \"listeners\": {}\n}",
"description": "",
"title": "Auditbeat - File - Top groups",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true\n }\n },\n \"filter\": []\n}"
}
}


@ -1,10 +0,0 @@
{
"visState": "{\"title\":\"Auditbeat - File - Top agent by count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"23\",\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Top agent by count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"beat.hostname\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
"description": "",
"title": "Auditbeat - File - Top agent by count",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query_string\":{\"query\":\"_exists_:audit.file\",\"analyze_wildcard\":true}},\"filter\":[]}"
}
}


@ -1,10 +0,0 @@
{
"visState": "{\"title\":\"Auditbeat - File - Most changed file by count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"20\",\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Most changed file by count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"audit.file.path\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
"description": "",
"title": "Auditbeat - File - Most changed file by count",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query_string\":{\"query\":\"audit.file.type:file\",\"analyze_wildcard\":true}},\"filter\":[]}"
}
}


@ -1,10 +0,0 @@
{
"visState": "{\"title\":\"Auditbeat - File - Most common mode by count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"20\",\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Most common mode by count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"audit.file.mode\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
"description": "",
"title": "Auditbeat - File - Most common mode by count",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
}
}


@ -1,10 +0,0 @@
{
"visState": "{\"title\":\"Auditbeat - File - Event summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"beat.hostname\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.file.path\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Path\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.file.action\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}}],\"listeners\":{}}",
"description": "",
"title": "Auditbeat - File - Event summary",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
}
}


@ -1,10 +0,0 @@
{
"visState": "{\"title\":\"Auditbeat - File - Top created\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.file.path\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Path\"}}],\"listeners\":{}}",
"description": "",
"title": "Auditbeat - File - Top created",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query_string\":{\"query\":\"audit.file.action:created\",\"analyze_wildcard\":true}},\"filter\":[]}"
}
}


@ -1,10 +0,0 @@
{
"visState": "{\"title\":\"Auditbeat - File - Top deleted\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.file.path\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Path\"}}],\"listeners\":{}}",
"description": "",
"title": "Auditbeat - File - Top deleted",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"audit.file.action:deleted\"}},\"filter\":[]}"
}
}


@ -1,210 +0,0 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Actions [Auditbeat File Integrity]",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"version": 1,
"visState": "{\"title\":\"Actions [Auditbeat File Integrity]\",\"type\":\"metric\",\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"24\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":true,\"extendRange\":false},\"type\":\"gauge\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"audit.file.action\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}}]}"
},
"id": "AV0tVcg6g1PYniApZa-v",
"type": "visualization",
"version": 3
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Events Over Time [Auditbeat File Integrity]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Events Over Time [Auditbeat File Integrity]\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 5 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"defaultYExtents\":true},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"left\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"audit.file.action\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}}]}"
},
"id": "AV0tV05vg1PYniApZbA2",
"type": "visualization",
"version": 4
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Top owners [Auditbeat File Integrity]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Top owners [Auditbeat File Integrity]\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.file.owner\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Owner\"}}]}"
},
"id": "AV0tWL-Yg1PYniApZbCs",
"type": "visualization",
"version": 2
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Top groups [Auditbeat File Integrity]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Top groups [Auditbeat File Integrity]\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.file.group\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Group\"}}]}"
},
"id": "AV0tWSdXg1PYniApZbDU",
"type": "visualization",
"version": 2
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query\":{\"query_string\":{\"query\":\"audit.file.action:updated OR audit.file.action:attributes_modified\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Top updated [Auditbeat File Integrity]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Top updated [Auditbeat File Integrity]\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"type\":\"pie\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.file.path.raw\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Path\"}}]}"
},
"id": "AV0tW0djg1PYniApZbGL",
"type": "visualization",
"version": 3
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query\":\"audit.file.mode:/0..[2367]/\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "World Writable File Count [Auditbeat File Integrity]",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"version": 1,
"visState": "{\"title\":\"World Writable File Count [Auditbeat File Integrity]\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"23\",\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"audit.file.inode\",\"customLabel\":\"World Writable Files\"}}]}"
},
"id": "AV0tY6jwg1PYniApZbRY",
"type": "visualization",
"version": 3
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query\":\"*\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"audit.file.type\",\"value\":\"file\",\"params\":{\"query\":\"file\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"audit.file.type\":{\"query\":\"file\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
},
"title": "Most changed file by count [Auditbeat File Integrity]",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"version": 1,
"visState": "{\"title\":\"Most changed file by count [Auditbeat File Integrity]\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"20\",\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Most changed file by count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"audit.file.path.raw\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File\"}}]}"
},
"id": "AV0tav8Ag1PYniApZbbK",
"type": "visualization",
"version": 5
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Most common mode by count [Auditbeat File Integrity]",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"version": 1,
"visState": "{\"title\":\"Most common mode by count [Auditbeat File Integrity]\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"20\",\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Most common mode by count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"audit.file.mode\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Mode\"}}]}"
},
"id": "AV0tbcUdg1PYniApZbe1",
"type": "visualization",
"version": 3
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "File Event Summary By Host [Auditbeat File Integrity]",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"visState": "{\"title\":\"File Event Summary By Host [Auditbeat File Integrity]\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total Events\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"beat.name\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Host\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"customLabel\":\"Last Report\"}}]}"
},
"id": "AV0tc_xZg1PYniApZbnL",
"type": "visualization",
"version": 4
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"audit.file.action:deleted\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Top deleted [Auditbeat File Integrity]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Top deleted [Auditbeat File Integrity]\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"type\":\"pie\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.file.path.raw\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Path\"}}]}"
},
"id": "AV0tes4Eg1PYniApZbwV",
"type": "visualization",
"version": 3
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query\":{\"query_string\":{\"query\":\"audit.file.action:created\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Top created [Auditbeat File Integrity]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Top created [Auditbeat File Integrity]\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"type\":\"pie\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.file.path.raw\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Path\"}}]}"
},
"id": "AV0te0TCg1PYniApZbw9",
"type": "visualization",
"version": 3
},
{
"attributes": {
"columns": [
"audit.file.path",
"audit.file.action"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "File Integrity Events [Auditbeat File Integrity]",
"version": 1
},
"id": "a380a060-cb44-11e7-9835-2f31fe08873b",
"type": "search",
"version": 1
},
{
"attributes": {
"description": "Monitor file integrity events.",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
},
"optionsJSON": "{\"darkTheme\":false}",
"panelsJSON": "[{\"col\":1,\"id\":\"AV0tVcg6g1PYniApZa-v\",\"panelIndex\":1,\"row\":1,\"size_x\":2,\"size_y\":6,\"type\":\"visualization\"},{\"col\":3,\"id\":\"AV0tV05vg1PYniApZbA2\",\"panelIndex\":2,\"row\":1,\"size_x\":7,\"size_y\":6,\"type\":\"visualization\"},{\"col\":10,\"id\":\"AV0tWL-Yg1PYniApZbCs\",\"panelIndex\":3,\"row\":1,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"AV0tWSdXg1PYniApZbDU\",\"panelIndex\":4,\"row\":4,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"AV0tW0djg1PYniApZbGL\",\"panelIndex\":5,\"row\":9,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"AV0tY6jwg1PYniApZbRY\",\"panelIndex\":6,\"row\":7,\"size_x\":4,\"size_y\":2,\"type\":\"visualization\"},{\"col\":5,\"id\":\"AV0tav8Ag1PYniApZbbK\",\"panelIndex\":7,\"row\":7,\"size_x\":4,\"size_y\":2,\"type\":\"visualization\"},{\"col\":9,\"id\":\"AV0tbcUdg1PYniApZbe1\",\"panelIndex\":8,\"row\":7,\"size_x\":4,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"AV0tc_xZg1PYniApZbnL\",\"panelIndex\":9,\"row\":12,\"size_x\":6,\"size_y\":5,\"type\":\"visualization\"},{\"col\":9,\"id\":\"AV0tes4Eg1PYniApZbwV\",\"panelIndex\":10,\"row\":9,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"AV0te0TCg1PYniApZbw9\",\"panelIndex\":11,\"row\":9,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"columns\":[\"audit.file.path\",\"audit.file.action\"],\"id\":\"a380a060-cb44-11e7-9835-2f31fe08873b\",\"panelIndex\":12,\"row\":12,\"size_x\":6,\"size_y\":5,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"}]",
"timeRestore": false,
"title": "[Auditbeat File Integrity] Overview",
"uiStateJSON": "{\"P-1\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-6\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-7\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-8\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-9\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}",
"version": 1
},
"id": "AV0tXkjYg1PYniApZbKP",
"type": "dashboard",
"version": 5
}
],
"version": "6.0.0"
}


@ -1,95 +0,0 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"title": "Error Codes [Auditbeat Kernel Executions]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Error Codes [Auditbeat Kernel Executions]\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.data.exit\",\"exclude\":\"0\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"
},
"id": "20a8e8d0-c1c8-11e7-8995-936807a28b16",
"type": "visualization",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"title": "Primary Username Tag Cloud [Auditbeat Kernel]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Primary Username Tag Cloud [Auditbeat Kernel]\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":45},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.actor.primary\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"
},
"id": "f81a6de0-c1c1-11e7-8995-936807a28b16",
"type": "visualization",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"title": "Exe Name Tag Cloud [Auditbeat Kernel]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Exe Name Tag Cloud [Auditbeat Kernel]\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":45},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.data.exe\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"
},
"id": "2efac370-c1ca-11e7-8995-936807a28b16",
"type": "visualization",
"version": 1
},
{
"attributes": {
"columns": [
"beat.hostname",
"audit.kernel.data.cmdline",
"audit.kernel.actor.primary",
"audit.kernel.actor.secondary",
"audit.kernel.data.exe"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"metricset.name\",\"negate\":false,\"params\":{\"query\":\"kernel\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"kernel\"},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"kernel\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"audit.kernel.action\",\"negate\":false,\"params\":{\"query\":\"executed\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"executed\"},\"query\":{\"match\":{\"audit.kernel.action\":{\"query\":\"executed\",\"type\":\"phrase\"}}}}]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Process Executions [Auditbeat Kernel]",
"version": 1
},
"id": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"type": "search",
"version": 1
},
{
"attributes": {
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
},
"optionsJSON": "{\"darkTheme\":false}",
"panelsJSON": "[{\"col\":5,\"id\":\"20a8e8d0-c1c8-11e7-8995-936807a28b16\",\"panelIndex\":1,\"row\":1,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":9,\"id\":\"f81a6de0-c1c1-11e7-8995-936807a28b16\",\"panelIndex\":3,\"row\":1,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"2efac370-c1ca-11e7-8995-936807a28b16\",\"panelIndex\":5,\"row\":1,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"size_x\":12,\"size_y\":5,\"panelIndex\":6,\"type\":\"search\",\"id\":\"d382f5b0-c1c6-11e7-8995-936807a28b16\",\"col\":1,\"row\":4,\"columns\":[\"beat.hostname\",\"audit.kernel.data.cmdline\",\"audit.kernel.actor.primary\",\"audit.kernel.actor.secondary\",\"audit.kernel.data.exe\"],\"sort\":[\"@timestamp\",\"desc\"]}]",
"timeRestore": false,
"title": "[Auditbeat Kernel] Executions",
"uiStateJSON": "{}",
"version": 1
},
"id": "7de391b0-c1ca-11e7-8995-936807a28b16",
"type": "dashboard",
"version": 1
}
],
"version": "6.0.0"
}


@ -1,82 +0,0 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"title": "Event Actions [Auditbeat Kernel Overview]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Event Actions [Auditbeat Kernel Overview]\",\"type\":\"metrics\",\"params\":{\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\",\"series\":[{\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"color\":\"#68BC00\",\"split_mode\":\"terms\",\"metrics\":[{\"id\":\"6b9fb2d0-c1bc-11e7-938f-ab0645b6c431\",\"type\":\"count\"}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"terms_field\":\"audit.kernel.action\",\"label\":\"Actions\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"auditbeat-*\",\"interval\":\"auto\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"show_legend\":1,\"show_grid\":1,\"filter\":\"metricset.name:kernel\",\"background_color_rules\":[{\"id\":\"58c95a20-c1bd-11e7-938f-ab0645b6c431\"}],\"bar_color_rules\":[{\"id\":\"5bfc71a0-c1bd-11e7-938f-ab0645b6c431\"}],\"gauge_color_rules\":[{\"id\":\"5d20a650-c1bd-11e7-938f-ab0645b6c431\"}],\"gauge_width\":10,\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"legend_position\":\"left\"},\"aggs\":[]}"
},
"id": "97680df0-c1c0-11e7-8995-936807a28b16",
"type": "visualization",
"version": 1
},
{
"attributes": {
"columns": [
"beat.hostname",
"audit.kernel.actor.primary",
"audit.kernel.actor.secondary",
"audit.kernel.action",
"audit.kernel.thing.what",
"audit.kernel.thing.primary",
"audit.kernel.thing.secondary",
"audit.kernel.how",
"audit.kernel.result"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"metricset.name\",\"value\":\"kernel\",\"params\":{\"query\":\"kernel\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"kernel\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Audit Event Table [Auditbeat Kernel]",
"version": 1
},
"id": "0f10c430-c1c3-11e7-8995-936807a28b16",
"type": "search",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"title": "Event Categories [Auditbeat Kernel]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Event Categories [Auditbeat Kernel]\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.category\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.action\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}}]}"
},
"id": "08679220-c25a-11e7-8692-232bd1143e8a",
"type": "visualization",
"version": 1
},
{
"attributes": {
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
},
"optionsJSON": "{\"darkTheme\":false}",
"panelsJSON": "[{\"col\":1,\"id\":\"97680df0-c1c0-11e7-8995-936807a28b16\",\"panelIndex\":1,\"row\":1,\"size_x\":7,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"beat.hostname\",\"audit.kernel.actor.primary\",\"audit.kernel.actor.secondary\",\"audit.kernel.action\",\"audit.kernel.thing.what\",\"audit.kernel.thing.primary\",\"audit.kernel.thing.secondary\",\"audit.kernel.how\",\"audit.kernel.result\"],\"id\":\"0f10c430-c1c3-11e7-8995-936807a28b16\",\"panelIndex\":3,\"row\":4,\"size_x\":12,\"size_y\":4,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"size_x\":5,\"size_y\":3,\"panelIndex\":4,\"type\":\"visualization\",\"id\":\"08679220-c25a-11e7-8692-232bd1143e8a\",\"col\":8,\"row\":1}]",
"timeRestore": false,
"title": "[Auditbeat Kernel] Overview",
"uiStateJSON": "{}",
"version": 1
},
"id": "c0ac2c00-c1c0-11e7-8995-936807a28b16",
"type": "dashboard",
"version": 1
}
],
"version": "6.0.0"
}


@ -1,180 +0,0 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":true,\"type\":\"phrase\",\"key\":\"audit.kernel.thing.secondary\",\"value\":\"0\",\"params\":{\"query\":\"0\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null,\"apply\":true},\"query\":{\"match\":{\"audit.kernel.thing.secondary\":{\"query\":\"0\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchId": "b4c93470-c240-11e7-8692-232bd1143e8a",
"title": "Bind (non-ephemeral) [Auditbeat Kernel]",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"visState": "{\"title\":\"Bind (non-ephemeral) [Auditbeat Kernel]\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.how\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Exe\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.thing.primary\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.thing.secondary\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Port\"}}]}"
},
"id": "faf882f0-c242-11e7-8692-232bd1143e8a",
"type": "visualization",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchId": "5438b030-c246-11e7-8692-232bd1143e8a",
"title": "Connect [Auditbeat Kernel]",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"visState": "{\"title\":\"Connect [Auditbeat Kernel]\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.data.exe\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Exe\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.thing.primary\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.thing.secondary\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}"
},
"id": "ea483730-c246-11e7-8692-232bd1143e8a",
"type": "visualization",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchId": "e8734160-c24c-11e7-8692-232bd1143e8a",
"title": "Accept / Recvfrom Unique Address Table [Auditbeat Kernel]",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}",
"version": 1,
"visState": "{\"title\":\"Accept / Recvfrom Unique Address Table [Auditbeat Kernel]\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"audit.kernel.thing.primary\",\"customLabel\":\"Unique Addresses\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.how\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Exe\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.data.syscall\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Syscall\"}}]}"
},
"id": "ceb91de0-c250-11e7-8692-232bd1143e8a",
"type": "visualization",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"title": "Socket Syscalls Time Series [Auditbeat Kernel]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Socket Syscalls Time Series [Auditbeat Kernel]\",\"type\":\"metrics\",\"params\":{\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\",\"series\":[{\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"color\":\"#68BC00\",\"split_mode\":\"terms\",\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"terms_field\":\"audit.kernel.data.syscall\",\"label\":\"syscall\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"show_legend\":1,\"show_grid\":1,\"filter\":\"audit.kernel.thing.what:socket\",\"legend_position\":\"left\",\"bar_color_rules\":[{\"id\":\"2cebb0c0-c252-11e7-8a68-93ffe9ec5950\"}],\"gauge_color_rules\":[{\"id\":\"6c891740-c252-11e7-8a68-93ffe9ec5950\"}],\"gauge_width\":10,\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"background_color_rules\":[{\"id\":\"95b603d0-c252-11e7-8a68-93ffe9ec5950\"}]},\"aggs\":[]}"
},
"id": "b21e0c70-c252-11e7-8692-232bd1143e8a",
"type": "visualization",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"title": "Socket Families [Auditbeat Kernel]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Socket Families [Auditbeat Kernel]\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"left\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.socket.family\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Socket Family\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.data.syscall\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Syscall\"}}]}"
},
"id": "a8e20450-c256-11e7-8692-232bd1143e8a",
"type": "visualization",
"version": 1
},
{
"attributes": {
"columns": [
"beat.hostname",
"audit.kernel.how",
"audit.kernel.thing.primary",
"audit.kernel.thing.secondary",
"audit.kernel.socket.family",
"audit.kernel.result"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"metricset.name\",\"negate\":false,\"params\":{\"query\":\"kernel\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"kernel\"},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"kernel\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"audit.kernel.action\",\"negate\":false,\"params\":{\"query\":\"bound-socket\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"bound-socket\"},\"query\":{\"match\":{\"audit.kernel.action\":{\"query\":\"bound-socket\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":true,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"audit.kernel.socket.family\",\"value\":\"netlink\",\"params\":{\"query\":\"netlink\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"audit.kernel.socket.family\":{\"query\":\"netlink\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Socket Binds [Auditbeat Kernel]",
"version": 1
},
"id": "b4c93470-c240-11e7-8692-232bd1143e8a",
"type": "search",
"version": 1
},
{
"attributes": {
"columns": [
"beat.hostname",
"audit.kernel.how",
"audit.kernel.thing.primary",
"audit.kernel.thing.secondary",
"audit.kernel.socket.family",
"audit.kernel.result",
"audit.kernel.data.exit"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"metricset.name\",\"negate\":false,\"params\":{\"query\":\"kernel\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"kernel\"},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"kernel\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"audit.kernel.action\",\"value\":\"connected-to\",\"params\":{\"query\":\"connected-to\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"audit.kernel.action\":{\"query\":\"connected-to\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"audit.kernel.thing.primary\",\"value\":\"exists\"},\"exists\":{\"field\":\"audit.kernel.thing.primary\"},\"$state\":{\"store\":\"appState\"}}]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Socket Connects [Auditbeat Kernel]",
"version": 1
},
"id": "5438b030-c246-11e7-8692-232bd1143e8a",
"type": "search",
"version": 1
},
{
"attributes": {
"columns": [
"beat.hostname",
"audit.kernel.how",
"audit.kernel.thing.primary",
"audit.kernel.thing.secondary",
"audit.kernel.socket.family",
"audit.kernel.action"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"metricset.name\",\"negate\":false,\"params\":{\"query\":\"kernel\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"kernel\"},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"kernel\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"audit.kernel.thing.what\",\"value\":\"socket\",\"params\":{\"query\":\"socket\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"audit.kernel.thing.what\":{\"query\":\"socket\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"audit.kernel.thing.primary\",\"value\":\"exists\"},\"exists\":{\"field\":\"audit.kernel.thing.primary\"},\"$state\":{\"store\":\"appState\"}},{\"query\":{\"terms\":{\"audit.kernel.action\":[\"received-from\",\"accepted-connection-from\"]}},\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"disabled\":false,\"alias\":\"action accepted or received from\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"terms\\\":{\\\"audit.kernel.action\\\":[\\\"received-from\\\",\\\"accepted-connection-from\\\"]}}\"},\"$state\":{\"store\":\"appState\"}}]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Socket Accept / Recvfrom [Auditbeat Kernel]",
"version": 1
},
"id": "e8734160-c24c-11e7-8692-232bd1143e8a",
"type": "search",
"version": 1
},
{
"attributes": {
"description": "Summary of socket related syscall events.",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
},
"optionsJSON": "{\"darkTheme\":false}",
"panelsJSON": "[{\"col\":7,\"id\":\"faf882f0-c242-11e7-8692-232bd1143e8a\",\"panelIndex\":1,\"row\":4,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"ea483730-c246-11e7-8692-232bd1143e8a\",\"panelIndex\":2,\"row\":8,\"size_x\":6,\"size_y\":5,\"type\":\"visualization\"},{\"col\":7,\"id\":\"ceb91de0-c250-11e7-8692-232bd1143e8a\",\"panelIndex\":3,\"row\":8,\"size_x\":6,\"size_y\":5,\"type\":\"visualization\"},{\"col\":1,\"id\":\"b21e0c70-c252-11e7-8692-232bd1143e8a\",\"panelIndex\":4,\"row\":1,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"a8e20450-c256-11e7-8692-232bd1143e8a\",\"panelIndex\":5,\"row\":4,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"}]",
"timeRestore": false,
"title": "[Auditbeat Kernel] Sockets",
"uiStateJSON": "{\"P-1\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}",
"version": 1
},
"id": "693a5f40-c243-11e7-8692-232bd1143e8a",
"type": "dashboard",
"version": 1
}
],
"version": "6.0.0"
}


@ -1,4 +0,0 @@
// Package audit is an Auditbeat module that reports security-relevant
// information based on data captured from the operating system (OS) or services
// running on the OS.
package audit


@ -1,34 +0,0 @@
{
"@timestamp": "2017-10-06T17:35:33.773Z",
"@metadata": {
"beat": "noindex",
"type": "doc",
"version": "1.2.3"
},
"audit": {
"file": {
"hashed": true,
"inode": "15329399",
"uid": 501,
"group": "staff",
"ctime": "2017-10-06T17:35:33.000Z",
"gid": 20,
"path": "/private/var/folders/8x/rnyk6yxn6w97lddn3bs02gf00000gn/T/audit-file387158249/file.data",
"mode": "0600",
"action": "created",
"mtime": "2017-10-06T17:35:33.000Z",
"size": 11,
"owner": "akroh",
"sha1": "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed"
}
},
"metricset": {
"module": "audit",
"name": "file",
"rtt": 5928
},
"beat": {
"name": "host.example.com",
"hostname": "host.example.com"
}
}


@ -1,87 +0,0 @@
=== Audit file metricset
The `file` metricset sends events when a file is changed (created, updated, or
deleted) on disk. The events contain file metadata and hashes.
The metricset is implemented for Linux, macOS (Darwin), and Windows.
[float]
=== How it works
This metricset uses features of the operating system to monitor file changes in
realtime. When the metricset starts it creates a subscription with the OS to
receive notifications of changes to the specified files or directories. Upon
receiving notification of a change the metricset will read the file's metadata
and the compute a hash of the file's contents.
At startup this metricset will perform an initial scan of the configured files
and directories to generate baseline data for the monitored paths and detect
changes since the last time it was run. It uses locally persisted data in order
to only send events for new or modified files.
The operating system features that power this feature are as follows.
* Linux - `inotify` is used, and therefore the kernel must have inotify support.
Inotify was initially merged into the 2.6.13 Linux kernel.
* macOS (Darwin) - `kqueue` is used. It requires one file descriptor for each
file so please check the `ulimit` values used with {beatname_uc}. The FSEvents
API was considered for the implementation, but FSEvents coalesces multiple
notifications into a single event which is inconsistent with the metricset's
behavior on other operating systems.
* Windows - `ReadDirectoryChangesW` is used.
The file metricset should not be used to monitor paths on network file systems.
[float]
=== Configuration options
This metricset has some configuration options for tuning its behavior. The
following example shows all configuration options with their default values for
Linux.
[source,yaml]
----
- module: audit
metricsets: [file]
file.paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
file.scan_at_start: true
file.scan_rate_per_sec: 50 MiB
file.max_file_size: 100 MiB
file.hash_types: [sha1]
----
*`file.paths`*:: A list of paths (directories or files) to watch. The watches
are non-recursive and globs are not supported. The specified paths should exist
when the metricset is started.
*`file.scan_at_start`*:: A boolean value that controls if {beatname_uc} scans
over the configured file paths at startup and send events for the files
that have been modified since the last time {beatname_uc} was running. The
default value is true.
+
This feature depends on data stored locally in `path.data` in order to determine
if a file has changed. The first time {beatname_uc} runs it will send an event
for each file it encounters.
*`file.scan_rate_per_sec`*:: When `file.scan_at_start` is enabled this sets an
average read rate defined in bytes per second for the initial scan. This
throttles the amount of CPU and I/O that {beatname_uc} consumes at startup.
The default value is "50 MiB". Setting the value to "0" disables throttling.
For convenience units can be specified as a suffix to the value. The supported
units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`, `gb`, `tib`, `tb`,
`pib`, `pb`, `eib`, and `eb`.
*`file.max_file_size`*:: The maximum size of a file in bytes for which
{beatname_uc} will compute hashes. Files larger than this size will not be
hashed. The default value is 100 MiB. For convenience units can be specified as
a suffix to the value. The supported units are `b` (default), `kib`, `kb`, `mib`,
`mb`, `gib`, `gb`, `tib`, `tb`, `pib`, `pb`, `eib`, and `eb`.
*`file.hash_types`*:: A list of hash types to compute when the file changes.
The supported hash types are md5, sha1, sha224, sha256, sha384, sha512,
sha512_224, sha512_256, sha3_224, sha3_256, sha3_384 and sha3_512. The default value is sha1.


@ -1,124 +0,0 @@
- name: file
type: group
description: >
The file metricset generates events when a file changes on disk.
fields:
- name: path
type: text
description: The path to the file.
multi_fields:
- name: raw
type: keyword
description: >
The path to the file. This is an non-analyzed field that is useful
for aggregations.
- name: target_path
type: keyword
description: The target path for symlinks.
- name: action
type: keyword
example: attributes_modified
description: >
Action describes the change that triggered the event. The possible
values are: attributes_modified, created, deleted, updated, moved, and
config_change.
- name: type
type: keyword
description: The file type (file, dir, or symlink).
- name: inode
type: keyword
description: The inode representing the file in the filesystem.
- name: uid
type: keyword
description: The user ID (UID) of the file owner.
- name: owner
type: keyword
description: The file owner's username.
- name: gid
type: keyword
description: The primary group ID (GID) of the file.
- name: group
type: keyword
description: The primary group name of the file.
- name: sid
type: keyword
description: The security identifier (SID) of the file owner (Windows only).
- name: mode
type: keyword
example: 0640
description: The mode of the file in octal representation.
- name: size
type: long
description: The file size in bytes (field is only added when `type` is `file`).
- name: mtime
type: date
description: The last modified time of the file (time when content was modified).
- name: ctime
type: date
description: The last change time of the file (time when metadata was changed).
- name: hashed
type: boolean
description: >
Boolean indicating if the event includes any file hashes.
- name: md5
type: keyword
description: MD5 hash of the file.
- name: sha1
type: keyword
description: SHA1 hash of the file.
- name: sha224
type: keyword
description: SHA224 hash of the file.
- name: sha256
type: keyword
description: SHA256 hash of the file.
- name: sha384
type: keyword
description: SHA384 hash of the file.
- name: sha3_224
type: keyword
description: SHA3_224 hash of the file.
- name: sha3_256
type: keyword
description: SHA3_256 hash of the file.
- name: sha3_384
type: keyword
description: SHA3_384 hash of the file.
- name: sha3_512
type: keyword
description: SHA3_512 hash of the file.
- name: sha512
type: keyword
description: SHA512 hash of the file.
- name: sha512_224
type: keyword
description: SHA512/224 hash of the file.
- name: sha512_256
type: keyword
description: SHA512/256 hash of the file.


@ -1,120 +0,0 @@
package file
import (
"path/filepath"
"sort"
"strings"
"github.com/dustin/go-humanize"
"github.com/joeshaw/multierror"
"github.com/pkg/errors"
)
// HashType identifies a cryptographic algorithm.
type HashType string
// Unpack unpacks a string to a HashType for config parsing.
func (t *HashType) Unpack(v string) error {
*t = HashType(v)
return nil
}
var validHashes = []HashType{MD5, SHA1, SHA224, SHA256, SHA384, SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHA512, SHA512_224, SHA512_256}
// Enum of hash types.
const (
MD5 HashType = "md5"
SHA1 HashType = "sha1"
SHA224 HashType = "sha224"
SHA256 HashType = "sha256"
SHA384 HashType = "sha384"
SHA3_224 HashType = "sha3_224"
SHA3_256 HashType = "sha3_256"
SHA3_384 HashType = "sha3_384"
SHA3_512 HashType = "sha3_512"
SHA512 HashType = "sha512"
SHA512_224 HashType = "sha512_224"
SHA512_256 HashType = "sha512_256"
)
// Config contains the configuration parameters for the file integrity
// metricset.
type Config struct {
Paths []string `config:"file.paths" validate:"required"`
HashTypes []HashType `config:"file.hash_types"`
MaxFileSize string `config:"file.max_file_size"`
MaxFileSizeBytes uint64 `config:",ignore"`
ScanAtStart bool `config:"file.scan_at_start"`
ScanRatePerSec string `config:"file.scan_rate_per_sec"`
ScanRateBytesPerSec uint64 `config:",ignore"`
// Recursive enables recursive monitoring of directories.
// XXX: This feature is only implemented in the scanner. It needs to be
// implemented in the fsnotify code. Don't use it yet.
Recursive bool `config:"file.recursive"`
}
// Validate validates the config data and return an error explaining all the
// problems with the config. This method modifies the given config.
func (c *Config) Validate() error {
// Resolve symlinks.
for i, p := range c.Paths {
if evalPath, err := filepath.EvalSymlinks(p); err == nil {
c.Paths[i] = evalPath
}
}
// Sort and deduplicate.
sort.Strings(c.Paths)
c.Paths = deduplicate(c.Paths)
var errs multierror.Errors
var err error
nextHash:
for _, ht := range c.HashTypes {
ht = HashType(strings.ToLower(string(ht)))
for _, validHash := range validHashes {
if ht == validHash {
continue nextHash
}
}
errs = append(errs, errors.Errorf("invalid file.hash_types value '%v'", ht))
}
c.MaxFileSizeBytes, err = humanize.ParseBytes(c.MaxFileSize)
if err != nil {
errs = append(errs, errors.Wrap(err, "invalid file.max_file_size value"))
} else if c.MaxFileSizeBytes <= 0 {
errs = append(errs, errors.Errorf("file.max_file_size value (%v) must be positive", c.MaxFileSize))
}
c.ScanRateBytesPerSec, err = humanize.ParseBytes(c.ScanRatePerSec)
if err != nil {
errs = append(errs, errors.Wrap(err, "invalid file.scan_rate_per_sec value"))
}
return errs.Err()
}
// deduplicate deduplicates the given sorted string slice. The returned slice
// reuses the same backing array as in (so don't use in after calling this).
func deduplicate(in []string) []string {
var lastValue string
out := in[:0]
for _, value := range in {
if value == lastValue {
continue
}
out = append(out, value)
lastValue = value
}
return out
}
var defaultConfig = Config{
HashTypes: []HashType{SHA1},
MaxFileSize: "100 MiB",
MaxFileSizeBytes: 100 * 1024 * 1024,
ScanAtStart: true,
ScanRatePerSec: "50 MiB",
}


@ -1,238 +0,0 @@
package file
import (
"encoding/hex"
"fmt"
"io/ioutil"
"os"
"testing"
"time"
"github.com/stretchr/testify/assert"
)
var testEventTime = time.Now().UTC()
func testEvent() *Event {
return &Event{
Timestamp: testEventTime,
Path: "/home/user",
Source: SourceScan,
Action: ConfigChange,
Info: &Metadata{
Type: FileType,
Inode: 123,
UID: 500,
GID: 500,
Mode: 0600,
CTime: testEventTime,
MTime: testEventTime,
},
Hashes: map[HashType][]byte{
SHA1: mustDecodeHex("abcd"),
SHA256: mustDecodeHex("1234"),
},
}
}
func TestDiffEvents(t *testing.T) {
t.Run("nil values", func(t *testing.T) {
_, changed := diffEvents(nil, nil)
assert.False(t, changed)
})
t.Run("no change", func(t *testing.T) {
e := testEvent()
_, changed := diffEvents(e, e)
assert.False(t, changed)
})
t.Run("new file", func(t *testing.T) {
action, changed := diffEvents(nil, testEvent())
assert.True(t, changed)
assert.EqualValues(t, Created, action)
})
t.Run("deleted", func(t *testing.T) {
action, changed := diffEvents(testEvent(), nil)
assert.True(t, changed)
assert.EqualValues(t, Deleted, action)
})
t.Run("moved", func(t *testing.T) {
e := testEvent()
e.Path += "_new"
action, changed := diffEvents(testEvent(), e)
assert.True(t, changed)
assert.EqualValues(t, Moved, action)
})
t.Run("updated metadata", func(t *testing.T) {
e := testEvent()
e.Info.Mode = 0644
action, changed := diffEvents(testEvent(), e)
assert.True(t, changed)
assert.EqualValues(t, AttributesModified, action, "action: %v", action)
})
t.Run("missing metadata", func(t *testing.T) {
e := testEvent()
e.Info = nil
action, changed := diffEvents(testEvent(), e)
assert.True(t, changed)
assert.EqualValues(t, AttributesModified, action)
})
t.Run("more hashes", func(t *testing.T) {
e := testEvent()
e.Hashes["md5"] = mustDecodeHex("5678")
action, changed := diffEvents(testEvent(), e)
assert.True(t, changed)
assert.EqualValues(t, ConfigChange, action)
})
t.Run("subset of hashes", func(t *testing.T) {
e := testEvent()
delete(e.Hashes, "sha256")
action, changed := diffEvents(testEvent(), e)
assert.False(t, changed)
assert.Zero(t, action)
})
t.Run("different hash values", func(t *testing.T) {
e := testEvent()
e.Hashes = map[HashType][]byte{
SHA1: mustDecodeHex("ef"),
SHA256: mustDecodeHex("1234"),
}
action, changed := diffEvents(testEvent(), e)
assert.True(t, changed)
assert.EqualValues(t, Updated, action)
})
t.Run("updated hashes and metadata", func(t *testing.T) {
e := testEvent()
e.Hashes = map[HashType][]byte{
SHA1: mustDecodeHex("ef"),
SHA256: mustDecodeHex("1234"),
}
e.Info.MTime = time.Now()
action, changed := diffEvents(testEvent(), e)
assert.True(t, changed)
assert.EqualValues(t, Updated, action)
})
}
func TestHashFile(t *testing.T) {
t.Run("valid hashes", func(t *testing.T) {
// Computed externally.
expectedHashes := map[HashType][]byte{
MD5: mustDecodeHex("c897d1410af8f2c74fba11b1db511e9e"),
SHA1: mustDecodeHex("f951b101989b2c3b7471710b4e78fc4dbdfa0ca6"),
SHA224: mustDecodeHex("d301812e62eec9b1e68c0b861e62f374e0d77e8365f5ddd6cccc8693"),
SHA256: mustDecodeHex("ecf701f727d9e2d77c4aa49ac6fbbcc997278aca010bddeeb961c10cf54d435a"),
SHA384: mustDecodeHex("ec8d147738b2e4bf6f5c5ac50a9a7593fb1ee2de01474d6f8a6c7fdb7ac945580772a5225a4c7251a7c0697acb7b8405"),
SHA512: mustDecodeHex("f5408390735bf3ef0bb8aaf66eff4f8ca716093d2fec50996b479b3527e5112e3ea3b403e9e62c72155ac1e08a49b476f43ab621e1a5fc2bbb0559d8258a614d"),
SHA512_224: mustDecodeHex("fde054253f43a95559f1b6eeb8e2edba4124957b43b85d7fcb4d20d5"),
SHA512_256: mustDecodeHex("3380f6a625aac19cbdddc598ab07aea195bae000f8d4c8cd6bb8870ac25df15d"),
SHA3_224: mustDecodeHex("62e3515dae95bbd0e105bee840b7dc3b47f6d6bc772c259dbc0da31a"),
SHA3_256: mustDecodeHex("3cb5385a2987ca45888d7877fbcf92b4854f7155ae19c96cecc7ea1300c6f5a4"),
SHA3_384: mustDecodeHex("f19539818b4f29fa0ee599db4113fd81b77cd1119682e6d799a052849d2e40ef0dad84bc947ba2dee742d9731f1b9e9b"),
SHA3_512: mustDecodeHex("f0a2c0f9090c1fd6dedf211192e36a6668d2b3c7f57a35419acb1c4fc7dfffc267bbcd90f5f38676caddcab652f6aacd1ed4e0ad0a8e1e4b98f890b62b6c7c5c"),
}
f, err := ioutil.TempFile("", "input.txt")
if err != nil {
t.Fatal(err)
}
defer os.Remove(f.Name())
f.WriteString("hello world!\n")
f.Sync()
f.Close()
hashes, err := hashFile(f.Name(), validHashes...)
if err != nil {
t.Fatal(err)
}
for _, hashType := range validHashes {
if hash, found := hashes[hashType]; !found {
t.Errorf("%v not found", hashType)
} else {
delete(hashes, hashType)
expected, ok := expectedHashes[hashType]
if !ok {
t.Fatalf("hash type not found in expected hashes: %v", hashType)
}
assert.Equal(t, expected, hash, "%v hash incorrect", hashType)
}
}
assert.Len(t, hashes, 0)
})
t.Run("no hashes", func(t *testing.T) {
hashes, err := hashFile("anyfile.txt")
assert.Nil(t, hashes)
assert.NoError(t, err)
})
t.Run("invalid hash", func(t *testing.T) {
hashes, err := hashFile("anyfile.txt", "md4")
assert.Nil(t, hashes)
assert.Error(t, err)
})
t.Run("invalid file", func(t *testing.T) {
hashes, err := hashFile("anyfile.txt", "md5")
assert.Nil(t, hashes)
assert.Error(t, err)
})
}
func BenchmarkHashFile(b *testing.B) {
f, err := ioutil.TempFile("", "hash")
if err != nil {
b.Fatal(err)
}
defer os.Remove(f.Name())
zeros := make([]byte, 100)
iterations := 1024 * 1024 // 100 MiB
for i := 0; i < iterations; i++ {
if _, err = f.Write(zeros); err != nil {
b.Fatal(err)
}
}
b.Logf("file size: %v bytes", len(zeros)*iterations)
f.Sync()
f.Close()
b.ResetTimer()
for _, hashType := range validHashes {
b.Run(string(hashType), func(b *testing.B) {
for i := 0; i < b.N; i++ {
_, err = hashFile(f.Name(), hashType)
if err != nil {
b.Fatal(err)
}
}
})
}
}
func mustDecodeHex(v string) []byte {
data, err := hex.DecodeString(v)
if err != nil {
panic(fmt.Errorf("invalid hex value: %v", err))
}
return data
}


@ -1,107 +0,0 @@
package file
import (
"io/ioutil"
"os"
"path/filepath"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/elastic/beats/auditbeat/datastore"
"github.com/elastic/beats/libbeat/paths"
mbtest "github.com/elastic/beats/metricbeat/mb/testing"
)
func TestData(t *testing.T) {
defer setup(t)()
dir, err := ioutil.TempDir("", "audit-file")
if err != nil {
t.Fatal(err)
}
defer os.RemoveAll(dir)
go func() {
time.Sleep(100 * time.Millisecond)
file := filepath.Join(dir, "file.data")
ioutil.WriteFile(file, []byte("hello world"), 0600)
}()
ms := mbtest.NewPushMetricSet(t, getConfig(dir))
events, errs := mbtest.RunPushMetricSet(time.Second, ms)
if len(errs) > 0 {
t.Fatalf("received errors: %+v", errs)
}
if len(events) == 0 {
t.Fatal("received no events")
}
fullEvent := mbtest.CreateFullEvent(ms, events[len(events)-1])
mbtest.WriteEventToDataJSON(t, fullEvent)
}
func getConfig(path string) map[string]interface{} {
return map[string]interface{}{
"module": "audit",
"metricsets": []string{"file"},
"file.paths": []string{path},
}
}
func TestDetectDeletedFiles(t *testing.T) {
defer setup(t)()
bucket, err := datastore.OpenBucket(bucketName)
if err != nil {
t.Fatal(err)
}
defer bucket.Close()
dir, err := ioutil.TempDir("", "audit-file")
if err != nil {
t.Fatal(err)
}
defer os.RemoveAll(dir)
dir, err = filepath.EvalSymlinks(dir)
if err != nil {
t.Fatal(err)
}
e := &Event{
Timestamp: time.Now().UTC(),
Path: filepath.Join(dir, "ghost.file"),
Action: Created,
}
if err = store(bucket, e); err != nil {
t.Fatal(err)
}
ms := mbtest.NewPushMetricSet(t, getConfig(dir))
events, errs := mbtest.RunPushMetricSet(time.Second, ms)
if len(errs) > 0 {
t.Fatalf("received errors: %+v", errs)
}
if !assert.Len(t, events, 2) {
return
}
event := events[0]
assert.Equal(t, dir, event["path"])
assert.Equal(t, "created", event["action"])
event = events[1]
assert.Equal(t, e.Path, event["path"])
assert.Equal(t, "deleted", event["action"])
}
func setup(t testing.TB) func() {
// path.data should be set so that the DB is written to a predictable location.
var err error
paths.Paths.Data, err = ioutil.TempDir("", "beat-data-dir")
if err != nil {
t.Fatal()
}
return func() { os.RemoveAll(paths.Paths.Data) }
}


@ -1,45 +0,0 @@
{
"@timestamp": "2017-04-22T21:25:01.818Z",
"audit": {
"kernel": {
"action": "logged-in",
"actor": {
"attrs": {
"auid": "unset",
"uid": "root"
},
"primary": "unset",
"secondary": "(invalid user)"
},
"category": "user-login",
"data": {
"acct": "(invalid user)",
"addr": "179.38.151.221",
"exe": "/usr/sbin/sshd",
"op": "login",
"pid": "12635",
"terminal": "sshd"
},
"how": "/usr/sbin/sshd",
"record_type": "user_login",
"result": "fail",
"sequence": 19955,
"session": "unset",
"thing": {
"primary": "sshd",
"secondary": "179.38.151.221",
"what": "user-session"
}
}
},
"beat": {
"hostname": "host.example.com",
"name": "host.example.com"
},
"metricset": {
"module": "audit",
"name": "kernel",
"rtt": 115
},
"type": "metricsets"
}


@ -1,452 +0,0 @@
package kernel
import (
"os"
"strconv"
"strings"
"syscall"
"time"
"github.com/pkg/errors"
"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/libbeat/common/cfgwarn"
"github.com/elastic/beats/libbeat/logp"
"github.com/elastic/beats/libbeat/monitoring"
"github.com/elastic/beats/metricbeat/mb"
"github.com/elastic/beats/metricbeat/mb/parse"
"github.com/elastic/go-libaudit"
"github.com/elastic/go-libaudit/aucoalesce"
"github.com/elastic/go-libaudit/auparse"
)
const (
metricsetName = "audit.kernel"
logPrefix = "[" + metricsetName + "]"
)
var (
debugf = logp.MakeDebug(metricsetName)
auditMetrics = monitoring.Default.NewRegistry(metricsetName)
lostMetric = monitoring.NewInt(auditMetrics, "lost")
)
func init() {
if err := mb.Registry.AddMetricSet("audit", "kernel", New, parse.EmptyHostParser); err != nil {
panic(err)
}
}
// MetricSet listens for audit messages from the Linux kernel using a netlink
// socket. It buffers the messages to ensure ordering and then streams the
// output. MetricSet implements the mb.PushMetricSet interface, and therefore
// does not rely on polling.
type MetricSet struct {
mb.BaseMetricSet
config Config
client *libaudit.AuditClient
}
// New constructs a new MetricSet.
func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
cfgwarn.Beta("The %v metricset is a beta feature", metricsetName)
config := defaultConfig
if err := base.Module().UnpackConfig(&config); err != nil {
return nil, errors.Wrap(err, "failed to unpack the audit.kernel config")
}
_, _, kernel, _ := kernelVersion()
debugf("the metricset is running as euid=%v on kernel=%v", os.Geteuid(), kernel)
client, err := newAuditClient(&config)
if err != nil {
return nil, errors.Wrap(err, "failed to create audit.kernel client")
}
lostMetric.Set(0)
return &MetricSet{
BaseMetricSet: base,
client: client,
config: config,
}, nil
}
func newAuditClient(c *Config) (*libaudit.AuditClient, error) {
hasMulticast := hasMulticastSupport()
switch c.SocketType {
// Attempt to determine the optimal socket_type.
case "":
// Use multicast only when no rules are present. Specifying rules
// implies you want control over the audit framework so you should be
// using unicast.
if rules, _ := c.rules(); len(rules) == 0 && hasMulticast {
c.SocketType = "multicast"
logp.Info("%v kernel.socket_type=multicast will be used.", logPrefix)
}
case "multicast":
if !hasMulticast {
logp.Warn("%v kernel.socket_type is set to multicast "+
"but based on the kernel version multicast audit subscriptions "+
"are not supported. unicast will be used instead.", logPrefix)
c.SocketType = "unicast"
}
}
switch c.SocketType {
case "multicast":
return libaudit.NewMulticastAuditClient(nil)
default:
c.SocketType = "unicast"
return libaudit.NewAuditClient(nil)
}
}
// Run initializes the audit client and receives audit messages from the
// kernel until the reporter's done channel is closed.
func (ms *MetricSet) Run(reporter mb.PushReporter) {
defer ms.client.Close()
if err := ms.addRules(reporter); err != nil {
reporter.Error(err)
logp.Err("%v %v", logPrefix, err)
return
}
out, err := ms.receiveEvents(reporter.Done())
if err != nil {
reporter.Error(err)
logp.Err("%v %v", logPrefix, err)
return
}
for {
select {
case <-reporter.Done():
return
case msgs := <-out:
event, err := buildMapStr(msgs, ms.config)
if err != nil {
reporter.ErrorWith(err, event)
} else {
reporter.Event(event)
}
}
}
}
func (ms *MetricSet) addRules(reporter mb.PushReporter) error {
rules, err := ms.config.rules()
if err != nil {
return errors.Wrap(err, "failed to add rules")
}
if len(rules) == 0 {
logp.Info("%v No audit kernel.rules were specified.", logPrefix)
return nil
}
client, err := libaudit.NewAuditClient(nil)
if err != nil {
return errors.Wrap(err, "failed to create audit client for adding rules")
}
defer client.Close()
// Delete existing rules.
n, err := client.DeleteRules()
if err != nil {
return errors.Wrap(err, "failed to delete existing rules")
}
logp.Info("%v Deleted %v pre-existing audit rules.", logPrefix, n)
// Add rules from config.
var failCount int
for _, rule := range rules {
if err = client.AddRule(rule.data); err != nil {
// Treat rule add errors as warnings and continue.
err = errors.Wrapf(err, "failed to add kernel rule '%v'", rule.flags)
reporter.Error(err)
logp.Warn("%v %v", logPrefix, err)
failCount++
}
}
logp.Info("%v Successfully added %d of %d kernel audit rules.",
logPrefix, len(rules)-failCount, len(rules))
return nil
}
func (ms *MetricSet) initClient() error {
if ms.config.SocketType == "multicast" {
// This request will fail with EPERM if this process does not have
// CAP_AUDIT_CONTROL, but we will ignore the response. The user will be
// required to ensure that auditing is enabled if the process is only
// given CAP_AUDIT_READ.
err := ms.client.SetEnabled(true, libaudit.NoWait)
return errors.Wrap(err, "failed to enable auditing in the kernel")
}
// Unicast client initialization (requires CAP_AUDIT_CONTROL and that the
// process be in initial PID namespace).
status, err := ms.client.GetStatus()
if err != nil {
return errors.Wrap(err, "failed to get audit status")
}
debugf("audit status from kernel at start: status=%+v", status)
if fm, _ := ms.config.failureMode(); status.Failure != fm {
if err = ms.client.SetFailure(libaudit.FailureMode(fm), libaudit.NoWait); err != nil {
return errors.Wrap(err, "failed to set audit failure mode in kernel")
}
}
if status.RateLimit != ms.config.RateLimit {
if err = ms.client.SetRateLimit(ms.config.RateLimit, libaudit.NoWait); err != nil {
return errors.Wrap(err, "failed to set audit rate limit in kernel")
}
}
if status.BacklogLimit != ms.config.BacklogLimit {
if err = ms.client.SetBacklogLimit(ms.config.BacklogLimit, libaudit.NoWait); err != nil {
return errors.Wrap(err, "failed to set audit backlog limit in kernel")
}
}
if status.Enabled == 0 {
if err = ms.client.SetEnabled(true, libaudit.NoWait); err != nil {
return errors.Wrap(err, "failed to enable auditing in the kernel")
}
}
if err := ms.client.SetPID(libaudit.NoWait); err != nil {
return errors.Wrap(err, "failed to set audit PID")
}
return nil
}
func (ms *MetricSet) receiveEvents(done <-chan struct{}) (<-chan []*auparse.AuditMessage, error) {
if err := ms.initClient(); err != nil {
return nil, err
}
out := make(chan []*auparse.AuditMessage, ms.config.StreamBufferQueueSize)
reassembler, err := libaudit.NewReassembler(int(ms.config.ReassemblerMaxInFlight), ms.config.ReassemblerTimeout, &stream{done, out})
if err != nil {
return nil, errors.Wrap(err, "failed to create Reassembler")
}
go maintain(done, reassembler)
go func() {
defer close(out)
defer reassembler.Close()
for {
raw, err := ms.client.Receive(false)
if err != nil {
continue
}
if filterRecordType(raw.Type) {
continue
}
if err := reassembler.Push(raw.Type, raw.Data); err != nil {
debugf("dropping message record_type=%v message='%v': ",
raw.Type, string(raw.Data), err)
continue
}
}
}()
return out, nil
}
// maintain periodically evicts timed-out events from the Reassembler. This
// function will block until the done channel is closed or the Reassembler is
// closed.
func maintain(done <-chan struct{}, reassembler *libaudit.Reassembler) {
tick := time.NewTicker(500 * time.Millisecond)
defer tick.Stop()
for {
select {
case <-done:
return
case <-tick.C:
if err := reassembler.Maintain(); err != nil {
return
}
}
}
}
func filterRecordType(typ auparse.AuditMessageType) bool {
// Messages from 1300-2999 are valid audit message types.
if typ < auparse.AUDIT_USER_AUTH || typ > auparse.AUDIT_LAST_USER_MSG2 {
return true
}
return false
}
func buildMapStr(msgs []*auparse.AuditMessage, config Config) (common.MapStr, error) {
event, err := aucoalesce.CoalesceMessages(msgs)
if err != nil {
// Add messages on error so that it's possible to debug the problem.
m := common.MapStr{}
addMessages(msgs, m)
return m, err
}
if config.ResolveIDs {
aucoalesce.ResolveIDs(event)
}
m := common.MapStr{
"@timestamp": event.Timestamp,
"sequence": event.Sequence,
"category": event.Category.String(),
"record_type": strings.ToLower(event.Type.String()),
"result": event.Result,
"session": event.Session,
"data": event.Data,
}
if event.Subject.Primary != "" {
m.Put("actor.primary", event.Subject.Primary)
}
if event.Subject.Secondary != "" {
m.Put("actor.secondary", event.Subject.Secondary)
}
if len(event.Subject.Attributes) > 0 {
m.Put("actor.attrs", event.Subject.Attributes)
}
if len(event.Subject.SELinux) > 0 {
m.Put("actor.selinux", event.Subject.SELinux)
}
if event.Object.Primary != "" {
m.Put("thing.primary", event.Object.Primary)
}
if event.Object.Secondary != "" {
m.Put("thing.secondary", event.Object.Secondary)
}
if event.Object.What != "" {
m.Put("thing.what", event.Object.What)
}
if len(event.Object.SELinux) > 0 {
m.Put("thing.selinux", event.Object.SELinux)
}
if event.Action != "" {
m.Put("action", event.Action)
}
if event.How != "" {
m.Put("how", event.How)
}
if event.Key != "" {
m.Put("key", event.Key)
}
if len(event.Paths) > 0 {
m.Put("paths", event.Paths)
}
if len(event.Socket) > 0 {
m.Put("socket", event.Socket)
}
if config.Warnings && len(event.Warnings) > 0 {
warnings := make([]string, 0, len(event.Warnings))
for _, err := range event.Warnings {
warnings = append(warnings, err.Error())
}
m.Put("warnings", warnings)
addMessages(msgs, m)
}
if config.RawMessage {
addMessages(msgs, m)
}
return m, nil
}
func addMessages(msgs []*auparse.AuditMessage, m common.MapStr) {
_, added := m["messages"]
if !added && len(msgs) > 0 {
rawMsgs := make([]string, 0, len(msgs))
for _, msg := range msgs {
rawMsgs = append(rawMsgs, "type="+msg.RecordType.String()+" msg="+msg.RawData)
}
m["messages"] = rawMsgs
}
}
// stream type
// stream receives callbacks from the libaudit.Reassmbler for completed events
// or lost events that are detected by gaps in sequence numbers.
type stream struct {
done <-chan struct{}
out chan<- []*auparse.AuditMessage
}
func (s *stream) ReassemblyComplete(msgs []*auparse.AuditMessage) {
select {
case <-s.done:
return
case s.out <- msgs:
}
}
func (s *stream) EventsLost(count int) {
lostMetric.Inc()
}
func hasMulticastSupport() bool {
// Check the kernel version because 3.16+ should have multicast
// support.
major, minor, _, err := kernelVersion()
if err != nil {
// Assume not supported.
return false
}
switch {
case major > 3,
major == 3 && minor >= 16:
return true
}
return false
}
func kernelVersion() (major, minor int, full string, err error) {
var uname syscall.Utsname
if err := syscall.Uname(&uname); err != nil {
return 0, 0, "", err
}
data := make([]byte, len(uname.Release))
for i, v := range uname.Release {
if v == 0 {
break
}
data[i] = byte(v)
}
release := string(data)
parts := strings.SplitN(release, ".", 3)
if len(parts) < 2 {
return 0, 0, release, errors.Errorf("failed to parse uname release '%v'", release)
}
major, err = strconv.Atoi(parts[0])
if err != nil {
return 0, 0, release, errors.Wrapf(err, "failed to parse major version from '%v'", release)
}
minor, err = strconv.Atoi(parts[1])
if err != nil {
return 0, 0, release, errors.Wrapf(err, "failed to parse minor version from '%v'", release)
}
return major, minor, release, nil
}


@ -1,126 +0,0 @@
package kernel
import (
"flag"
"fmt"
"os"
"os/exec"
"testing"
"time"
"github.com/stretchr/testify/assert"
mbtest "github.com/elastic/beats/metricbeat/mb/testing"
"github.com/elastic/go-libaudit"
)
// Specify the -audit flag when running these tests to interact with the real
// kernel instead of mocks. If running in Docker this requires being in the
// host PID namespace (--pid=host) and having CAP_AUDIT_CONTROL and
// CAP_AUDIT_WRITE (so use --privileged).
var audit = flag.Bool("audit", false, "interact with the real audit framework")
var userLoginMsg = `type=USER_LOGIN msg=audit(1492896301.818:19955): pid=12635 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=179.38.151.221 terminal=sshd res=failed'`
func TestData(t *testing.T) {
// Create a mock netlink client that provides the expected responses.
mock := NewMock().
// Get Status response for initClient
returnACK().returnStatus().
// Send a single audit message from the kernel.
returnMessage(userLoginMsg)
// Replace the default AuditClient with a mock.
ms := mbtest.NewPushMetricSet(t, getConfig())
auditMetricSet := ms.(*MetricSet)
auditMetricSet.client.Close()
auditMetricSet.client = &libaudit.AuditClient{Netlink: mock}
events, errs := mbtest.RunPushMetricSet(time.Second, ms)
if len(errs) > 0 {
t.Fatalf("received errors: %+v", errs)
}
if len(events) == 0 {
t.Fatal("received no events")
}
fullEvent := mbtest.CreateFullEvent(ms, events[0])
mbtest.WriteEventToDataJSON(t, fullEvent)
}
func getConfig() map[string]interface{} {
return map[string]interface{}{
"module": "audit",
"metricsets": []string{"kernel"},
"kernel.failure_mode": "log",
"kernel.socket_type": "unicast",
}
}
func TestMulticastClient(t *testing.T) {
if !*audit {
t.Skip("-audit was not specified")
}
if !hasMulticastSupport() {
t.Skip("no multicast support")
}
c := map[string]interface{}{
"module": "audit",
"metricsets": []string{"kernel"},
"kernel.socket_type": "multicast",
"kernel.audit_rules": fmt.Sprintf(`
-a always,exit -F arch=b64 -F ppid=%d -S execve -k exec
`, os.Getpid()),
}
// Any commands executed by this process will generate events due to the
// PPID filter we applied to the rule.
time.AfterFunc(time.Second, func() { exec.Command("cat", "/proc/self/status").Output() })
ms := mbtest.NewPushMetricSet(t, c)
events, errs := mbtest.RunPushMetricSet(5*time.Second, ms)
if len(errs) > 0 {
t.Fatalf("received errors: %+v", errs)
}
// The number of events is non-deterministic so there is no validation.
t.Logf("received %d messages via multicast", len(events))
}
func TestUnicastClient(t *testing.T) {
if !*audit {
t.Skip("-audit was not specified")
}
c := map[string]interface{}{
"module": "audit",
"metricsets": []string{"kernel"},
"kernel.socket_type": "unicast",
"kernel.audit_rules": fmt.Sprintf(`
-a always,exit -F arch=b64 -F ppid=%d -S execve -k exec
`, os.Getpid()),
}
// Any commands executed by this process will generate events due to the
// PPID filter we applied to the rule.
time.AfterFunc(time.Second, func() { exec.Command("cat", "/proc/self/status").Output() })
ms := mbtest.NewPushMetricSet(t, c)
events, errs := mbtest.RunPushMetricSet(5*time.Second, ms)
if len(errs) > 0 {
t.Fatalf("received errors: %+v", errs)
}
t.Log(events)
assert.Len(t, events, 1)
}
func TestKernelVersion(t *testing.T) {
major, minor, full, err := kernelVersion()
if err != nil {
t.Fatal(err)
}
t.Logf("major=%v, minor=%v, full=%v", major, minor, full)
}


@ -1,21 +0,0 @@
// +build !linux
package kernel
import (
"errors"
"github.com/elastic/beats/metricbeat/mb"
"github.com/elastic/beats/metricbeat/mb/parse"
)
func init() {
if err := mb.Registry.AddMetricSet("audit", "kernel", New, parse.EmptyHostParser); err != nil {
panic(err)
}
}
// New constructs a new MetricSet.
func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
return nil, errors.New("the audit.kernel metricset is only supported on linux")
}


@ -1,3 +0,0 @@
// Package kernel is a metricset that subscribes to the Linux Audit Framework
// to receive audit events from the the kernel.
package kernel


@ -1,12 +0,0 @@
dashboards:
- id: AV0tXkjYg1PYniApZbKP
file: auditbeat-file-integrity.json
- id: c0ac2c00-c1c0-11e7-8995-936807a28b16
file: auditbeat-kernel-overview.json
- id: 7de391b0-c1ca-11e7-8995-936807a28b16
file: auditbeat-kernel-executions.json
- id: 693a5f40-c243-11e7-8692-232bd1143e8a
file: auditbeat-kernel-sockets.json


@ -0,0 +1,78 @@
{
"auditd": {
"data": {
"a0": "3",
"a1": "7ffd0dc80040",
"a2": "7ffd0dc7ffd0",
"a3": "0",
"arch": "x86_64",
"exit": "5",
"socket": {
"addr": "72.83.230.100",
"family": "ipv4",
"port": "58140"
},
"syscall": "accept",
"tty": "(none)"
},
"result": "success",
"sequence": 8832,
"session": "unset",
"summary": {
"actor": {
"primary": "unset",
"secondary": "root"
},
"how": "/usr/sbin/sshd",
"object": {
"primary": "72.83.230.100",
"secondary": "58140",
"type": "socket"
}
}
},
"event": {
"action": "accepted-connection-from",
"category": "audit-rule",
"module": "auditd",
"type": "syscall"
},
"network": {
"direction": "incoming"
},
"process": {
"exe": "/usr/sbin/sshd",
"name": "sshd",
"pid": "1663",
"ppid": "1",
"title": "(sshd)"
},
"source": {
"ip": "72.83.230.100",
"port": "58140"
},
"tags": [
"net"
],
"user": {
"auid": "unset",
"egid": "0",
"euid": "0",
"fsgid": "0",
"fsuid": "0",
"gid": "0",
"name_map": {
"egid": "root",
"euid": "root",
"fsgid": "root",
"fsuid": "root",
"gid": "root",
"sgid": "root",
"suid": "root",
"uid": "root"
},
"sgid": "0",
"suid": "0",
"uid": "0"
}
}


@ -0,0 +1,40 @@
{{ if eq .goos "linux" -}}
{{ if .reference -}}
# The auditd module collects events from the audit framework in the Linux
# kernel. You need to specify audit rules for the events that you want to audit.
{{ end -}}
- module: auditd
{{ if .reference -}}
resolve_ids: true
failure_mode: silent
backlog_limit: 8196
rate_limit: 0
include_raw_message: false
include_warnings: false
{{ end -}}
audit_rules: |
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access (warning: these can be expensive to audit).
#-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
{{ end -}}
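Review bot: The "Identity changes" example block watches `/etc/group`, `/etc/passwd` and `/etc/gshadow` but leaves out `/etc/shadow`, the file that actually holds the password hashes and the one most identity rulesets watch together with those three; adding `#-w /etc/shadow -p wa -k identity` to the commented block gives users who uncomment it the usual set. The examples also mix two spellings of the key filter, `-F key=32bit-abi` / `-F key=external-access` on some lines and `-k exec` / `-k identity` on others; auditctl accepts both, but a template people copy from reads better with one form throughout. The reference default `backlog_limit: 8196` agrees with the docs change elsewhere in this commit, so I assume it is intentional, though it looks like it could be a typo for 8192 and is worth confirming.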


@ -0,0 +1,46 @@
{
"@timestamp": "2017-10-12T08:05:34.853Z",
"auditd": {
"data": {
"acct": "(invalid user)",
"op": "login",
"terminal": "sshd"
},
"result": "fail",
"sequence": 19955,
"session": "unset",
"summary": {
"actor": {
"primary": "unset",
"secondary": "(invalid user)"
},
"how": "/usr/sbin/sshd",
"object": {
"primary": "sshd",
"secondary": "179.38.151.221",
"type": "user-session"
}
}
},
"beat": {
"hostname": "host.example.com",
"name": "host.example.com"
},
"event": {
"action": "logged-in",
"category": "user-login",
"module": "auditd",
"type": "user_login"
},
"process": {
"exe": "/usr/sbin/sshd",
"pid": "12635"
},
"user": {
"auid": "unset",
"name_map": {
"uid": "root"
},
"uid": "0"
}
}


@ -1,33 +1,33 @@
=== Audit kernel metricset
== Auditd Module
The `kernel` metricset receives audit events from the Linux Audit Framework that
The `auditd` module receives audit events from the Linux Audit Framework that
is a part of the Linux kernel.
This metricset is available only for Linux.
This module is available only for Linux.
[float]
=== How it works
This metricset establishes a subscription to the kernel to receive the events
as they occur. So unlike most other metricsets, the `period` configuration
This module establishes a subscription to the kernel to receive the events
as they occur. So unlike most other modules, the `period` configuration
option is unused because it is not implemented using polling.
The Linux Audit Framework can send multiple messages for a single auditable
event. For example, a `rename` syscall causes the kernel to send eight separate
messages. Each message describes a different aspect of the activity that is
occurring (the syscall itself, file paths, current working directory, process
title). This metricset will combine all of the data from each of the messages
title). This module will combine all of the data from each of the messages
into a single event.
Messages for one event can be interleaved with messages from another event. This
metricset will buffer the messages in order to combine related messages into a
module will buffer the messages in order to combine related messages into a
single event even if they arrive interleaved or out of order.
[float]
=== Useful commands
When running {beatname_uc} with the `kernel` metricset enabled, you might find
that other monitoring systems interfere with {beatname_uc}.
When running {beatname_uc} with the `auditd` module enabled, you might find
that other monitoring tools interfere with {beatname_uc}.
For example, you might encounter errors if another process, such as `auditd`, is
registered to receive data from the Linux Audit Framework. You can use these
@ -66,22 +66,21 @@ systemctl mask systemd-journald-audit.socket
[float]
=== Configuration options
This metricset has some configuration options for tuning its behavior. The
This module has some configuration options for tuning its behavior. The
following example shows all configuration options with their default values.
[source,yaml]
----
- module: audit
metricsets: ["kernel"]
kernel.resolve_ids: true
kernel.failure_mode: silent
kernel.backlog_limit: 8196
kernel.rate_limit: 0
kernel.include_raw_message: false
kernel.include_warnings: false
- module: auditd
resolve_ids: true
failure_mode: silent
backlog_limit: 8196
rate_limit: 0
include_raw_message: false
include_warnings: false
----
*`kernel.socket_type`*:: This optional setting controls the type of
*`socket_type`*:: This optional setting controls the type of
socket that {beatname_uc} uses to receive events from the kernel. The two
options are `unicast` and `multicast`.
+
@ -99,10 +98,10 @@ than 3.16 {beatname_uc} will automatically revert to `unicast`.
By default {beatname_uc} will use `multicast` if the kernel version is 3.16 or
newer and no rules have been defined. Otherwise `unicast` will be used.
*`kernel.resolve_ids`*:: This boolean setting enables the resolution of UIDs and
*`resolve_ids`*:: This boolean setting enables the resolution of UIDs and
GIDs to their associated names. The default value is true.
*`kernel.failure_mode`*:: This determines the kernel's behavior on critical
*`failure_mode`*:: This determines the kernel's behavior on critical
failures such as errors sending events to {beatname_uc}, the backlog limit was
exceeded, the kernel ran out of memory, or the rate limit was exceeded. The
options are `silent`, `log`, or `panic`. `silent` basically makes the kernel
@ -110,28 +109,28 @@ ignore the errors, `log` makes the kernel write the audit messages using
`printk` so they show up in system's syslog, and `panic` causes the kernel to
panic to prevent use of the machine. {beatname_uc}'s default is `silent`.
*`kernel.backlog_limit`*:: This controls the maximum number of audit messages
*`backlog_limit`*:: This controls the maximum number of audit messages
that will be buffered by the kernel.
*`kernel.rate_limit`*:: This sets a rate limit on the number of messages/sec
*`rate_limit`*:: This sets a rate limit on the number of messages/sec
delivered by the kernel. The default is 0, which disables rate limiting.
Changing this value to anything other than zero can cause messages to be lost.
The preferred approach to reduce the messaging rate is be more selective in the
audit ruleset.
*`kernel.include_raw_message`*:: This boolean setting causes {beatname_uc} to
*`include_raw_message`*:: This boolean setting causes {beatname_uc} to
include each of the raw messages that contributed to the event in the document
as a field called `messages`. The default value is false. This setting is
primarily used for development and debugging purposes.
*`kernel.include_warnings`*:: This boolean setting causes {beatname_uc} to
*`include_warnings`*:: This boolean setting causes {beatname_uc} to
include as warnings any issues that were encountered while parsing the raw
messages. The default value is false. When this setting is enabled the raw
messages will be included in the event regardless of the
`kernel.include_raw_message` config setting. This setting is primarily used for
`include_raw_message` config setting. This setting is primarily used for
development and debugging purposes.
*`kernel.audit_rules`*:: A string containing the audit rules that should be
*`audit_rules`*:: A string containing the audit rules that should be
installed to the kernel. There should be one rule per line. Comments can be
embedded in the string using `#` as a prefix. The format for rules is the same
used by the Linux `auditctl` utility. {beatname_uc} supports adding file watches
@ -162,9 +161,8 @@ Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule.
["source","sh",subs="attributes"]
----
{beatname_lc}.modules:
- module: audit
metricsets: ["kernel"]
kernel.audit_rules: |
- module: auditd
audit_rules: |
# Things that affect identity.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity


@ -0,0 +1,95 @@
{
"auditd": {
"data": {
"a0": "10812c8",
"a1": "1070208",
"a2": "1152008",
"a3": "59a",
"arch": "x86_64",
"argc": "2",
"exit": "0",
"syscall": "execve",
"tty": "pts0"
},
"paths": [
{
"dev": "08:01",
"inode": "155",
"item": "0",
"mode": "0100755",
"name": "/bin/uname",
"nametype": "NORMAL",
"ogid": "0",
"ouid": "0",
"rdev": "00:00"
},
{
"dev": "08:01",
"inode": "1923",
"item": "1",
"mode": "0100755",
"name": "/lib64/ld-linux-x86-64.so.2",
"nametype": "NORMAL",
"ogid": "0",
"ouid": "0",
"rdev": "00:00"
}
],
"result": "success",
"sequence": 8972,
"session": "11",
"summary": {
"actor": {
"primary": "1001",
"secondary": "1001"
},
"how": "/bin/uname",
"object": {
"primary": "/bin/uname",
"type": "file"
}
}
},
"event": {
"action": "executed",
"category": "audit-rule",
"module": "auditd",
"type": "syscall"
},
"file": {
"device": "00:00",
"gid": "0",
"group": "root",
"inode": "155",
"mode": "0755",
"owner": "root",
"path": "/bin/uname",
"uid": "0"
},
"process": {
"args": [
"uname",
"-a"
],
"cwd": "/home/andrew_kroh",
"exe": "/bin/uname",
"name": "uname",
"pid": "10043",
"ppid": "10027",
"title": "uname -a"
},
"tags": [
"user_commands"
],
"user": {
"auid": "1001",
"egid": "1002",
"euid": "1001",
"fsgid": "1002",
"fsuid": "1001",
"gid": "1002",
"sgid": "1002",
"suid": "1001",
"uid": "1001"
}
}


@ -1,82 +1,171 @@
- name: kernel
- key: auditd
title: Auditd
description: These are the fields generated by the auditd module.
fields:
- name: event
type: group
description: >
The kernel metricset distributes audit events received from the Linux
Audit Framework that is a part of the Linux kernel.
fields:
- name: action
type: keyword
example: logged-in
description: A description of the action taken by the user.
- name: actor
type: group
description: The actor is the user that triggered the audit event.
fields:
- name: attrs
type: group
description: Attributes of the actor.
fields:
- name: auid
type: keyword
description: login user ID
- name: uid
type: keyword
description: user ID
- name: euid
type: keyword
description: effective user ID
- name: fsuid
type: keyword
description: file system user ID
- name: suid
type: keyword
description: sent user ID
- name: gid
type: keyword
description: group ID
- name: egid
type: keyword
description: effective group ID
- name: sgid
type: keyword
description: set group ID
- name: fsgid
type: keyword
description: file system group ID
- name: primary
type: keyword
description: >
The primary identity of the actor. This is the actor's original login
ID. It will not change even if the user changes to another account.
- name: secondary
type: keyword
description: The secondary identity of the actor. This is typically
the same as the primary, except for when the user has used `su`.
- name: selinux
type: group
description: The SELinux identity of the actor.
fields:
- name: user
type: keyword
description: account submitted for authentication
- name: role
type: keyword
description: user's SELinux role
- name: domain
type: keyword
description: The actor's SELinux domain or type.
- name: level
type: keyword
example: s0
description: The actor's SELinux level.
- name: category
type: keyword
description: The actor's SELinux category or compartments.
- name: category
type: keyword
example: audit-rule
description: >
The event's category is a value derived from the `record_type`.
- name: type
type: keyword
description: The audit record's type.
- name: user
type: group
fields:
- name: auid
type: keyword
description: login user ID
- name: uid
type: keyword
description: user ID
- name: euid
type: keyword
description: effective user ID
- name: fsuid
type: keyword
description: file system user ID
- name: suid
type: keyword
description: sent user ID
- name: gid
type: keyword
description: group ID
- name: egid
type: keyword
description: effective group ID
- name: sgid
type: keyword
description: set group ID
- name: fsgid
type: keyword
description: file system group ID
- name: name_map
type: group
description: >
If `resolve_ids` is set to true in the configuration then `name_map`
will contain a mapping of uid field names to the resolved name
(e.g. auid -> root).
fields:
- name: auid
type: keyword
description: login user name
- name: uid
type: keyword
description: user name
- name: euid
type: keyword
description: effective user name
- name: fsuid
type: keyword
description: file system user name
- name: suid
type: keyword
description: sent user name
- name: gid
type: keyword
description: group name
- name: egid
type: keyword
description: effective group name
- name: sgid
type: keyword
description: set group name
- name: fsgid
type: keyword
description: file system group name
- name: selinux
type: group
description: The SELinux identity of the actor.
fields:
- name: user
type: keyword
description: account submitted for authentication
- name: role
type: keyword
description: user's SELinux role
- name: domain
type: keyword
description: The actor's SELinux domain or type.
- name: level
type: keyword
example: s0
description: The actor's SELinux level.
- name: category
type: keyword
description: The actor's SELinux category or compartments.
- name: process
type: group
description: Process attributes.
fields:
- name: pid
type: keyword
description: Process ID.
- name: ppid
type: keyword
description: Parent process ID.
- name: name
type: keyword
description: Process name (comm).
- name: title
type: keyword
description: Process title or command line parameters (proctitle).
- name: exe
type: keyword
description: Absolute path of the executable.
- name: cwd
type: keyword
description: The current working directory.
- name: args
type: keyword
description: The process arguments as a list.
- name: source
type: group
description: Source that triggered the event.
fields:
- name: ip
type: ip
description: The remote address.
- name: port
type: keyword
description: The port number.
- name: hostname
type: keyword
description: Hostname of the source.
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: destination
type: group
description: Destination address that triggered the event.
fields:
- name: ip
type: ip
description: The remote address.
- name: port
type: keyword
description: The port number.
- name: hostname
type: keyword
description: Hostname of the source.
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: network.direction
type: keyword
description: Direction of the network traffic (`incoming` or `outgoing`).
- name: auditd
type: group
fields:
- name: sequence
type: long
description: >
@ -87,6 +176,49 @@
description: >
The session ID assigned to a login. All events related to a login
session will have the same value.
- name: result
type: keyword
example: success or fail
description: The result of the audited operation (success/fail).
- name: summary
type: group
fields:
- name: actor
type: group
description: The actor is the user that triggered the audit event.
fields:
- name: primary
type: keyword
description: >
The primary identity of the actor. This is the actor's original login
ID. It will not change even if the user changes to another account.
- name: secondary
type: keyword
description: The secondary identity of the actor. This is typically
the same as the primary, except for when the user has used `su`.
- name: object
type: group
description: >
This is the thing or object being acted upon in the event.
fields:
- name: type
type: keyword
description: >
A description of the what the "thing" is (e.g. file, socket,
user-session).
- name: primary
type: keyword
description: ""
- name: secondary
type: keyword
description: ""
- name: how
type: keyword
description: >
This describes how the action was performed. Usually this is the exe
or command that was being executed that triggered the event.
- name: paths
type: group
description: List of paths associated with the event.
@ -133,74 +265,7 @@
- name: name
type: keyword
description: file name in avcs
- name: record_type
type: keyword
description: The audit record's type.
- name: socket
type: group
description: Socket data from sockaddr messages.
fields:
- name: port
type: keyword
description: The port number.
- name: saddr
type: keyword
description: The raw socket address structure.
- name: addr
type: keyword
description: The remote address.
- name: family
type: keyword
example: unix
description: The socket family (unix, ipv4, ipv6, netlink).
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: thing
type: group
description: >
This is the thing or object being acted upon in the event.
fields:
- name: what
type: keyword
description: >
A description of the what the "thing" is (e.g. file, socket,
user-session).
- name: primary
type: keyword
description: ""
- name: secondary
type: keyword
description: ""
- name: selinux
type: group
description: The SELinux identity of the object.
fields:
- name: user
type: keyword
description: The owner of the object.
- name: role
type: keyword
description: The object's SELinux role.
- name: domain
type: keyword
description: The object's SELinux domain or type.
- name: level
type: keyword
example: s0
description: The object's SELinux level.
- name: how
type: keyword
description: >
This describes how the action was performed. Usually this is the exe
or command that was being executed that triggered the event.
- name: key
type: keyword
description: The key assigned to the audit rule that triggered the event.
- name: result
type: keyword
example: success or fail
description: The result of the audited operation (success/fail).
- name: data
type: group
description: The data from the audit messages.
@ -253,18 +318,9 @@
- name: terminal
type: keyword
description: terminal name the user is running programs on
- name: comm
type: keyword
description: command line program name
- name: exe
type: keyword
description: executable name
- name: grantors
type: keyword
description: pam modules approving the action
- name: pid
type: keyword
description: process ID
- name: direction
type: keyword
description: direction of crypto operation
@ -274,9 +330,6 @@
- name: tty
type: keyword
description: tty udevice the user is running programs on
- name: proctitle
type: keyword
description: process title and command line parameters
- name: syscall
type: keyword
description: syscall number in effect when the event occurred
@ -307,24 +360,15 @@
- name: a3
type: keyword
description: ""
- name: cwd
type: keyword
description: the current working directory
- name: hostname
type: keyword
description: the hostname that the user is connecting from
- name: lport
type: keyword
description: local network port
- name: ppid
type: keyword
description: parent process ID
- name: rport
type: keyword
description: remote port number
- name: cmdline
type: keyword
description: The full command line from the execve message.
- name: exit
type: keyword
description: syscall exit code
@ -481,9 +525,6 @@
- name: obj
type: keyword
description: lspp object context string
- name: a[[:digit:]+]\[.*\]
type: keyword
description: the arguments to the execve syscall
- name: ipid
type: keyword
description: IP datagram fragment identifier
@ -817,12 +858,31 @@
- name: removed
type: keyword
description: number of deleted files
- name: socket
type: group
fields:
- name: port
type: keyword
description: The port number.
- name: saddr
type: keyword
description: The raw socket address structure.
- name: addr
type: keyword
description: The remote address.
- name: family
type: keyword
example: unix
description: The socket family (unix, ipv4, ipv6, netlink).
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: messages
type: text
description: >
An ordered list of the raw messages received from the kernel that
were used to construct this document. This field is present if an error
occurred processing the data or if `kernel.include_raw_message` is set
occurred processing the data or if `include_raw_message` is set
in the config.
- name: warnings
type: keyword
@ -830,30 +890,30 @@
The warnings generated by the Beat during the construction of the event.
These are disabled by default and are used for development and debug
purposes only.
- name: geoip
type: group
description: >
Contains GeoIP information gathered based on the `os_events.audit.addr`
field. Only present if the GeoIP Elasticsearch plugin is available and
used.
fields:
- name: continent_name
type: keyword
description: >
The name of the continent.
- name: city_name
type: keyword
description: >
The name of the city.
- name: region_name
type: keyword
description: >
The name of the region.
- name: country_iso_code
type: keyword
description: >
Country ISO code.
- name: location
type: geo_point
description: >
The longitude and latitude.
- name: geoip
type: group
description: >
The geoip fields are defined as a convenience in case you decide to
enrich the data using a geoip filter in Logstash or Ingest Node.
fields:
- name: continent_name
type: keyword
description: >
The name of the continent.
- name: city_name
type: keyword
description: >
The name of the city.
- name: region_name
type: keyword
description: >
The name of the region.
- name: country_iso_code
type: keyword
description: >
Country ISO code.
- name: location
type: geo_point
description: >
The longitude and latitude.

@ -0,0 +1,13 @@
{
"hits": 0,
"timeRestore": false,
"description": "",
"title": "[Auditbeat Auditd] Executions",
"uiStateJSON": "{}",
"panelsJSON": "[{\"col\":1,\"id\":\"2efac370-c1ca-11e7-8995-936807a28b16\",\"panelIndex\":1,\"row\":1,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":5,\"id\":\"20a8e8d0-c1c8-11e7-8995-936807a28b16\",\"panelIndex\":2,\"row\":1,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"beat.hostname\",\"process.args\",\"auditd.summary.actor.primary\",\"auditd.summary.actor.secondary\",\"process.exe\"],\"id\":\"d382f5b0-c1c6-11e7-8995-936807a28b16\",\"panelIndex\":4,\"row\":5,\"size_x\":12,\"size_y\":5,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"size_x\":4,\"size_y\":4,\"panelIndex\":5,\"type\":\"visualization\",\"id\":\"AWECQyrvI1bE2ipp1pSa\",\"col\":9,\"row\":1}]",
"optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}"
}
}

@ -0,0 +1,13 @@
{
"hits": 0,
"timeRestore": false,
"description": "Summary of socket related syscall events.",
"title": "[Auditbeat Auditd] Sockets",
"uiStateJSON": "{\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-4\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}",
"panelsJSON": "[{\"col\":1,\"id\":\"b21e0c70-c252-11e7-8692-232bd1143e8a\",\"panelIndex\":1,\"row\":1,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"faf882f0-c242-11e7-8692-232bd1143e8a\",\"panelIndex\":3,\"row\":4,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"ea483730-c246-11e7-8692-232bd1143e8a\",\"panelIndex\":4,\"row\":7,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"ceb91de0-c250-11e7-8692-232bd1143e8a\",\"panelIndex\":5,\"row\":7,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"AWECSCC-I1bE2ipp1pZj\",\"panelIndex\":6,\"row\":4,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"}]",
"optionsJSON": "{\"darkTheme\":false}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}"
}
}

@ -0,0 +1,13 @@
{
"hits": 0,
"timeRestore": false,
"description": "Summary of Linux kernel audit events.",
"title": "[Auditbeat Auditd] Overview",
"uiStateJSON": "{}",
"panelsJSON": "[{\"col\":1,\"id\":\"97680df0-c1c0-11e7-8995-936807a28b16\",\"panelIndex\":1,\"row\":1,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"08679220-c25a-11e7-8692-232bd1143e8a\",\"panelIndex\":2,\"row\":1,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"beat.hostname\",\"auditd.summary.actor.primary\",\"auditd.summary.actor.secondary\",\"event.action\",\"auditd.summary.object.type\",\"auditd.summary.object.primary\",\"auditd.summary.object.secondary\",\"auditd.summary.how\",\"auditd.result\"],\"id\":\"0f10c430-c1c3-11e7-8995-936807a28b16\",\"panelIndex\":3,\"row\":5,\"size_x\":12,\"size_y\":6,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"}]",
"optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}"
}
}

@ -0,0 +1,24 @@
{
"sort": [
"@timestamp",
"desc"
],
"hits": 0,
"description": "",
"title": "Audit Event Table [Auditbeat Auditd]",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"highlightAll\": true,\n \"version\": true,\n \"filter\": [\n {\n \"meta\": {\n \"negate\": false,\n \"index\": \"auditbeat-*\",\n \"type\": \"phrase\",\n \"key\": \"event.module\",\n \"value\": \"auditd\",\n \"params\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n },\n \"disabled\": false,\n \"alias\": null\n },\n \"query\": {\n \"match\": {\n \"event.module\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n }\n ]\n}"
},
"columns": [
"beat.hostname",
"auditd.summary.actor.primary",
"auditd.summary.actor.secondary",
"event.action",
"auditd.summary.object.type",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.summary.how",
"auditd.result"
]
}

@ -0,0 +1,22 @@
{
"sort": [
"@timestamp",
"desc"
],
"hits": 0,
"description": "",
"title": "Socket Connects [Auditbeat Auditd]",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"highlightAll\": true,\n \"version\": true,\n \"filter\": [\n {\n \"$state\": {\n \"store\": \"appState\"\n },\n \"meta\": {\n \"alias\": null,\n \"disabled\": false,\n \"index\": \"auditbeat-*\",\n \"key\": \"event.module\",\n \"negate\": false,\n \"params\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n },\n \"type\": \"phrase\",\n \"value\": \"auditd\"\n },\n \"query\": {\n \"match\": {\n \"event.module\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n }\n }\n }\n },\n {\n \"meta\": {\n \"negate\": false,\n \"index\": \"auditbeat-*\",\n \"type\": \"phrase\",\n \"key\": \"event.action\",\n \"value\": \"connected-to\",\n \"params\": {\n \"query\": \"connected-to\",\n \"type\": \"phrase\"\n },\n \"disabled\": false,\n \"alias\": null\n },\n \"query\": {\n \"match\": {\n \"event.action\": {\n \"query\": \"connected-to\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n },\n {\n \"meta\": {\n \"index\": \"auditbeat-*\",\n \"negate\": false,\n \"disabled\": false,\n \"alias\": null,\n \"type\": \"exists\",\n \"key\": \"auditd.summary.object.primary\",\n \"value\": \"exists\"\n },\n \"exists\": {\n \"field\": \"auditd.summary.object.primary\"\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n }\n ]\n}"
},
"columns": [
"beat.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.data.socket.family",
"auditd.result",
"auditd.data.exit"
]
}

@ -0,0 +1,21 @@
{
"sort": [
"@timestamp",
"desc"
],
"hits": 0,
"description": "",
"title": "Socket Binds [Auditbeat Auditd]",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"highlightAll\": true,\n \"version\": true,\n \"filter\": [\n {\n \"$state\": {\n \"store\": \"appState\"\n },\n \"meta\": {\n \"alias\": null,\n \"disabled\": false,\n \"index\": \"auditbeat-*\",\n \"key\": \"event.module\",\n \"negate\": false,\n \"params\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n },\n \"type\": \"phrase\",\n \"value\": \"auditd\"\n },\n \"query\": {\n \"match\": {\n \"event.module\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n }\n }\n }\n },\n {\n \"meta\": {\n \"index\": \"auditbeat-*\",\n \"negate\": false,\n \"disabled\": false,\n \"alias\": null,\n \"type\": \"phrase\",\n \"key\": \"auditd.data.syscall\",\n \"value\": \"bind\",\n \"params\": {\n \"query\": \"bind\",\n \"type\": \"phrase\"\n }\n },\n \"query\": {\n \"match\": {\n \"auditd.data.syscall\": {\n \"query\": \"bind\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n },\n {\n \"meta\": {\n \"negate\": true,\n \"index\": \"auditbeat-*\",\n \"type\": \"phrase\",\n \"key\": \"auditd.data.socket.family\",\n \"value\": \"netlink\",\n \"params\": {\n \"query\": \"netlink\",\n \"type\": \"phrase\"\n },\n \"disabled\": false,\n \"alias\": null\n },\n \"query\": {\n \"match\": {\n \"auditd.data.socket.family\": {\n \"query\": \"netlink\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n }\n ]\n}"
},
"columns": [
"beat.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.data.socket.family",
"auditd.result"
]
}

@ -0,0 +1,20 @@
{
"sort": [
"@timestamp",
"desc"
],
"hits": 0,
"description": "",
"title": "Process Executions [Auditbeat Auditd]",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"highlightAll\": true,\n \"version\": true,\n \"filter\": [\n {\n \"$state\": {\n \"store\": \"appState\"\n },\n \"meta\": {\n \"alias\": null,\n \"disabled\": false,\n \"index\": \"auditbeat-*\",\n \"key\": \"event.module\",\n \"negate\": false,\n \"params\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n },\n \"type\": \"phrase\",\n \"value\": \"auditd\"\n },\n \"query\": {\n \"match\": {\n \"event.module\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n }\n }\n }\n },\n {\n \"$state\": {\n \"store\": \"appState\"\n },\n \"meta\": {\n \"alias\": null,\n \"disabled\": false,\n \"index\": \"auditbeat-*\",\n \"key\": \"event.action\",\n \"negate\": false,\n \"params\": {\n \"query\": \"executed\",\n \"type\": \"phrase\"\n },\n \"type\": \"phrase\",\n \"value\": \"executed\"\n },\n \"query\": {\n \"match\": {\n \"event.action\": {\n \"query\": \"executed\",\n \"type\": \"phrase\"\n }\n }\n }\n }\n ]\n}"
},
"columns": [
"beat.hostname",
"process.args",
"auditd.summary.actor.primary",
"auditd.summary.actor.secondary",
"process.exe"
]
}

@ -0,0 +1,21 @@
{
"sort": [
"@timestamp",
"desc"
],
"hits": 0,
"description": "",
"title": "Socket Accept / Recvfrom [Auditbeat Auditd]",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"highlightAll\": true,\n \"version\": true,\n \"filter\": [\n {\n \"$state\": {\n \"store\": \"appState\"\n },\n \"meta\": {\n \"alias\": null,\n \"disabled\": false,\n \"index\": \"auditbeat-*\",\n \"key\": \"event.module\",\n \"negate\": false,\n \"params\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n },\n \"type\": \"phrase\",\n \"value\": \"auditd\"\n },\n \"query\": {\n \"match\": {\n \"event.module\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n }\n }\n }\n },\n {\n \"meta\": {\n \"negate\": false,\n \"index\": \"auditbeat-*\",\n \"type\": \"phrase\",\n \"key\": \"auditd.summary.object.type\",\n \"value\": \"socket\",\n \"params\": {\n \"query\": \"socket\",\n \"type\": \"phrase\"\n },\n \"disabled\": false,\n \"alias\": null\n },\n \"query\": {\n \"match\": {\n \"auditd.summary.object.type\": {\n \"query\": \"socket\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n },\n {\n \"meta\": {\n \"index\": \"auditbeat-*\",\n \"negate\": false,\n \"disabled\": false,\n \"alias\": null,\n \"type\": \"exists\",\n \"key\": \"auditd.summary.object.primary\",\n \"value\": \"exists\"\n },\n \"exists\": {\n \"field\": \"auditd.summary.object.primary\"\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n },\n {\n \"query\": {\n \"terms\": {\n \"auditd.data.syscall\": [\n \"accept\",\n \"accept4\",\n \"recvfrom\",\n \"recvmsg\"\n ]\n }\n },\n \"meta\": {\n \"negate\": false,\n \"index\": \"auditbeat-*\",\n \"disabled\": false,\n \"alias\": null,\n \"type\": \"custom\",\n \"key\": \"query\",\n \"value\": \"{\\\"terms\\\":{\\\"auditd.data.syscall\\\":[\\\"accept\\\",\\\"accept4\\\",\\\"recvfrom\\\",\\\"recvmsg\\\"]}}\"\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n }\n ]\n}"
},
"columns": [
"beat.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.data.socket.family",
"event.action"
]
}

@ -0,0 +1,11 @@
{
"visState": "{\n \"title\": \"Event Categories [Auditbeat Auditd]\",\n \"type\": \"pie\",\n \"params\": {\n \"type\": \"pie\",\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": true\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"event.category\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Category\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"event.action\",\n \"size\": 20,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Action\"\n }\n }\n ]\n}",
"description": "",
"title": "Event Categories [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"savedSearchId": "0f10c430-c1c3-11e7-8995-936807a28b16",
"kibanaSavedObjectMeta": {
"searchSourceJSON": ""
}
}

@ -0,0 +1,11 @@
{
"visState": "{\n \"title\": \"Error Codes [Auditbeat Auditd Executions]\",\n \"type\": \"pie\",\n \"params\": {\n \"type\": \"pie\",\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": true\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"auditd.data.exit\",\n \"exclude\": \"0\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\"\n }\n }\n ]\n}",
"description": "",
"title": "Error Codes [Auditbeat Auditd Executions]",
"uiStateJSON": "{}",
"version": 1,
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"kibanaSavedObjectMeta": {
"searchSourceJSON": ""
}
}

@ -0,0 +1,11 @@
{
"visState": "{\n \"title\": \"Exe Name Tag Cloud [Auditbeat Auditd Executions]\",\n \"type\": \"tagcloud\",\n \"params\": {\n \"scale\": \"linear\",\n \"orientation\": \"single\",\n \"minFontSize\": 14,\n \"maxFontSize\": 45\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"process.exe\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\"\n }\n }\n ]\n}",
"description": "",
"title": "Exe Name Tag Cloud [Auditbeat Auditd Executions]",
"uiStateJSON": "{}",
"version": 1,
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"kibanaSavedObjectMeta": {
"searchSourceJSON": ""
}
}

@ -0,0 +1,10 @@
{
"visState": "{\n \"title\": \"Event Actions [Auditbeat Auditd Overview]\",\n \"type\": \"metrics\",\n \"params\": {\n \"id\": \"61ca57f0-469d-11e7-af02-69e470af7417\",\n \"type\": \"timeseries\",\n \"series\": [\n {\n \"id\": \"61ca57f1-469d-11e7-af02-69e470af7417\",\n \"color\": \"#68BC00\",\n \"split_mode\": \"terms\",\n \"metrics\": [\n {\n \"id\": \"6b9fb2d0-c1bc-11e7-938f-ab0645b6c431\",\n \"type\": \"count\"\n }\n ],\n \"seperate_axis\": 0,\n \"axis_position\": \"right\",\n \"formatter\": \"number\",\n \"chart_type\": \"line\",\n \"line_width\": 1,\n \"point_size\": 1,\n \"fill\": 0.5,\n \"stacked\": \"none\",\n \"terms_field\": \"event.action\",\n \"label\": \"Actions\"\n }\n ],\n \"time_field\": \"@timestamp\",\n \"index_pattern\": \"auditbeat-*\",\n \"interval\": \"auto\",\n \"axis_position\": \"left\",\n \"axis_formatter\": \"number\",\n \"show_legend\": 1,\n \"show_grid\": 1,\n \"filter\": \"event.module:auditd\",\n \"background_color_rules\": [\n {\n \"id\": \"58c95a20-c1bd-11e7-938f-ab0645b6c431\"\n }\n ],\n \"bar_color_rules\": [\n {\n \"id\": \"5bfc71a0-c1bd-11e7-938f-ab0645b6c431\"\n }\n ],\n \"gauge_color_rules\": [\n {\n \"id\": \"5d20a650-c1bd-11e7-938f-ab0645b6c431\"\n }\n ],\n \"gauge_width\": 10,\n \"gauge_inner_width\": 10,\n \"gauge_style\": \"half\",\n \"legend_position\": \"left\"\n },\n \"aggs\": []\n}",
"description": "",
"title": "Event Actions [Auditbeat Auditd Overview]",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
}
}

@ -0,0 +1,10 @@
{
"visState": "{\"title\":\"Primary Username Tag Cloud [Auditbeat Auditd]\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"type\":\"tagcloud\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"auditd.summary.actor.primary\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
"description": "",
"title": "Primary Username Tag Cloud [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"match_all\":{}},\"filter\":[]}"
}
}

@ -0,0 +1,10 @@
{
"visState": "{\"title\":\"Socket Families [Auditbeat Auditd]\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"left\",\"isDonut\":true,\"type\":\"pie\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"auditd.data.socket.family\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Family\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"auditd.data.syscall\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Syscall\"}}],\"listeners\":{}}",
"description": "",
"title": "Socket Families [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"match_all\":{}},\"filter\":[]}"
}
}

@ -0,0 +1,10 @@
{
"visState": "{\n \"title\": \"Socket Syscalls Time Series [Auditbeat Auditd]\",\n \"type\": \"metrics\",\n \"params\": {\n \"id\": \"61ca57f0-469d-11e7-af02-69e470af7417\",\n \"type\": \"timeseries\",\n \"series\": [\n {\n \"id\": \"61ca57f1-469d-11e7-af02-69e470af7417\",\n \"color\": \"#68BC00\",\n \"split_mode\": \"terms\",\n \"metrics\": [\n {\n \"id\": \"61ca57f2-469d-11e7-af02-69e470af7417\",\n \"type\": \"count\"\n }\n ],\n \"seperate_axis\": 0,\n \"axis_position\": \"right\",\n \"formatter\": \"number\",\n \"chart_type\": \"line\",\n \"line_width\": 1,\n \"point_size\": 1,\n \"fill\": 0.5,\n \"stacked\": \"none\",\n \"terms_field\": \"auditd.data.syscall\",\n \"label\": \"syscall\"\n }\n ],\n \"time_field\": \"@timestamp\",\n \"index_pattern\": \"auditbeat-*\",\n \"interval\": \"auto\",\n \"axis_position\": \"left\",\n \"axis_formatter\": \"number\",\n \"show_legend\": 1,\n \"show_grid\": 1,\n \"filter\": \"auditd.summary.object.type:socket\",\n \"legend_position\": \"left\",\n \"bar_color_rules\": [\n {\n \"id\": \"2cebb0c0-c252-11e7-8a68-93ffe9ec5950\"\n }\n ],\n \"gauge_color_rules\": [\n {\n \"id\": \"6c891740-c252-11e7-8a68-93ffe9ec5950\"\n }\n ],\n \"gauge_width\": 10,\n \"gauge_inner_width\": 10,\n \"gauge_style\": \"half\",\n \"background_color_rules\": [\n {\n \"id\": \"95b603d0-c252-11e7-8a68-93ffe9ec5950\"\n }\n ]\n },\n \"aggs\": []\n}",
"description": "",
"title": "Socket Syscalls Time Series [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
}
}

@ -0,0 +1,11 @@
{
"visState": "{\n \"title\": \"Accept / Recvfrom Unique Address Table [Auditbeat Auditd]\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"showMeticsAtAllLevels\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"auditd.summary.object.primary\",\n \"customLabel\": \"Unique Addresses\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"process.exe\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Exe\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.data.syscall\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Syscall\"\n }\n }\n ]\n}",
"description": "",
"title": "Accept / Recvfrom Unique Address Table [Auditbeat Auditd]",
"uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n },\n \"spy\": {\n \"mode\": {\n \"name\": null,\n \"fill\": false\n }\n }\n}",
"version": 1,
"savedSearchId": "e8734160-c24c-11e7-8692-232bd1143e8a",
"kibanaSavedObjectMeta": {
"searchSourceJSON": ""
}
}


@ -0,0 +1,11 @@
{
"visState": "{\n \"title\": \"Connect [Auditbeat Auditd]\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"showMeticsAtAllLevels\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"process.exe\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Exe\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.summary.object.primary\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Address\"\n }\n },\n {\n \"id\": \"4\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.summary.object.secondary\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Port\"\n }\n }\n ]\n}",
"description": "",
"title": "Connect [Auditbeat Auditd]",
"uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}",
"version": 1,
"savedSearchId": "5438b030-c246-11e7-8692-232bd1143e8a",
"kibanaSavedObjectMeta": {
"searchSourceJSON": ""
}
}


@ -0,0 +1,11 @@
{
"visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Exe\",\"field\":\"auditd.summary.how\",\"order\":\"desc\",\"orderBy\":\"_term\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Address\",\"field\":\"auditd.summary.object.primary\",\"order\":\"desc\",\"orderBy\":\"_term\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Port\",\"field\":\"auditd.summary.object.secondary\",\"order\":\"desc\",\"orderBy\":\"_term\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"title\":\"Bind (non-ephemeral) [Auditbeat Auditd]\",\"type\":\"table\"}",
"description": "",
"title": "Bind (non-ephemeral) [Auditbeat Auditd]",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"savedSearchId": "b4c93470-c240-11e7-8692-232bd1143e8a",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
}
}


@ -0,0 +1,99 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"filter\": [],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}"
},
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"title": "Error Codes [Auditbeat Auditd Executions]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\n \"title\": \"Error Codes [Auditbeat Auditd Executions]\",\n \"type\": \"pie\",\n \"params\": {\n \"type\": \"pie\",\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": true\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"auditd.data.exit\",\n \"exclude\": \"0\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\"\n }\n }\n ]\n}"
},
"id": "20a8e8d0-c1c8-11e7-8995-936807a28b16",
"type": "visualization",
"updated_at": "2018-01-16T22:10:23.921Z",
"version": 4
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"filter\": [],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}"
},
"title": "Primary Username Tag Cloud [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\n \"title\": \"Primary Username Tag Cloud [Auditbeat Auditd]\",\n \"type\": \"tagcloud\",\n \"params\": {\n \"scale\": \"linear\",\n \"orientation\": \"single\",\n \"minFontSize\": 18,\n \"maxFontSize\": 45\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"auditd.summary.actor.primary\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\"\n }\n }\n ]\n}"
},
"id": "f81a6de0-c1c1-11e7-8995-936807a28b16",
"type": "visualization",
"updated_at": "2018-01-16T22:12:18.730Z",
"version": 3
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"title": "Exe Name Tag Cloud [Auditbeat Auditd Executions]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Exe Name Tag Cloud [Auditbeat Auditd Executions]\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":45},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"process.exe\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"
},
"id": "2efac370-c1ca-11e7-8995-936807a28b16",
"type": "visualization",
"updated_at": "2018-01-16T22:57:41.411Z",
"version": 4
},
{
"attributes": {
"columns": [
"beat.hostname",
"process.args",
"auditd.summary.actor.primary",
"auditd.summary.actor.secondary",
"process.exe"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"event.module\",\"negate\":false,\"params\":{\"query\":\"auditd\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"auditd\"},\"query\":{\"match\":{\"event.module\":{\"query\":\"auditd\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"executed\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"executed\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"executed\",\"type\":\"phrase\"}}}}]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Process Executions [Auditbeat Auditd]",
"version": 1
},
"id": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"type": "search",
"updated_at": "2018-01-16T22:26:35.050Z",
"version": 5
},
{
"attributes": {
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
},
"optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}",
"panelsJSON": "[{\"gridData\":{\"h\":3,\"i\":\"1\",\"w\":4,\"x\":4,\"y\":0},\"id\":\"20a8e8d0-c1c8-11e7-8995-936807a28b16\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"gridData\":{\"h\":3,\"i\":\"3\",\"w\":4,\"x\":8,\"y\":0},\"id\":\"f81a6de0-c1c1-11e7-8995-936807a28b16\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"gridData\":{\"h\":3,\"i\":\"5\",\"w\":4,\"x\":0,\"y\":0},\"id\":\"2efac370-c1ca-11e7-8995-936807a28b16\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"gridData\":{\"h\":5,\"i\":\"6\",\"w\":12,\"x\":0,\"y\":3},\"id\":\"d382f5b0-c1c6-11e7-8995-936807a28b16\",\"panelIndex\":\"6\",\"type\":\"search\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"}]",
"timeRestore": false,
"title": "[Auditbeat Auditd] Executions",
"version": 1
},
"id": "7de391b0-c1ca-11e7-8995-936807a28b16",
"type": "dashboard",
"updated_at": "2018-01-16T22:58:11.243Z",
"version": 5
}
],
"version": "7.0.0-alpha1-SNAPSHOT"
}


@ -0,0 +1,86 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"title": "Event Actions [Auditbeat Auditd Overview]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\n \"title\": \"Event Actions [Auditbeat Auditd Overview]\",\n \"type\": \"metrics\",\n \"params\": {\n \"id\": \"61ca57f0-469d-11e7-af02-69e470af7417\",\n \"type\": \"timeseries\",\n \"series\": [\n {\n \"id\": \"61ca57f1-469d-11e7-af02-69e470af7417\",\n \"color\": \"#68BC00\",\n \"split_mode\": \"terms\",\n \"metrics\": [\n {\n \"id\": \"6b9fb2d0-c1bc-11e7-938f-ab0645b6c431\",\n \"type\": \"count\"\n }\n ],\n \"seperate_axis\": 0,\n \"axis_position\": \"right\",\n \"formatter\": \"number\",\n \"chart_type\": \"line\",\n \"line_width\": 1,\n \"point_size\": 1,\n \"fill\": 0.5,\n \"stacked\": \"none\",\n \"terms_field\": \"event.action\",\n \"label\": \"Actions\"\n }\n ],\n \"time_field\": \"@timestamp\",\n \"index_pattern\": \"auditbeat-*\",\n \"interval\": \"auto\",\n \"axis_position\": \"left\",\n \"axis_formatter\": \"number\",\n \"show_legend\": 1,\n \"show_grid\": 1,\n \"filter\": \"event.module:auditd\",\n \"background_color_rules\": [\n {\n \"id\": \"58c95a20-c1bd-11e7-938f-ab0645b6c431\"\n }\n ],\n \"bar_color_rules\": [\n {\n \"id\": \"5bfc71a0-c1bd-11e7-938f-ab0645b6c431\"\n }\n ],\n \"gauge_color_rules\": [\n {\n \"id\": \"5d20a650-c1bd-11e7-938f-ab0645b6c431\"\n }\n ],\n \"gauge_width\": 10,\n \"gauge_inner_width\": 10,\n \"gauge_style\": \"half\",\n \"legend_position\": \"left\"\n },\n \"aggs\": []\n}"
},
"id": "97680df0-c1c0-11e7-8995-936807a28b16",
"type": "visualization",
"updated_at": "2018-01-16T22:11:01.438Z",
"version": 3
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"filter\": [],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}"
},
"savedSearchId": "0f10c430-c1c3-11e7-8995-936807a28b16",
"title": "Event Categories [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\n \"title\": \"Event Categories [Auditbeat Auditd]\",\n \"type\": \"pie\",\n \"params\": {\n \"type\": \"pie\",\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": true\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"event.category\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Category\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"event.action\",\n \"size\": 20,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Action\"\n }\n }\n ]\n}"
},
"id": "08679220-c25a-11e7-8692-232bd1143e8a",
"type": "visualization",
"updated_at": "2018-01-16T22:54:10.330Z",
"version": 4
},
{
"attributes": {
"columns": [
"beat.hostname",
"auditd.summary.actor.primary",
"auditd.summary.actor.secondary",
"event.action",
"auditd.summary.object.type",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.summary.how",
"auditd.result"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"event.module\",\"value\":\"auditd\",\"params\":{\"query\":\"auditd\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"event.module\":{\"query\":\"auditd\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Audit Event Table [Auditbeat Auditd]",
"version": 1
},
"id": "0f10c430-c1c3-11e7-8995-936807a28b16",
"type": "search",
"updated_at": "2018-01-16T22:51:24.572Z",
"version": 4
},
{
"attributes": {
"description": "Summary of Linux kernel audit events.",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
},
"optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}",
"panelsJSON": "[{\"gridData\":{\"h\":3,\"i\":\"1\",\"w\":7,\"x\":0,\"y\":0},\"id\":\"97680df0-c1c0-11e7-8995-936807a28b16\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"gridData\":{\"h\":3,\"i\":\"4\",\"w\":5,\"x\":7,\"y\":0},\"id\":\"08679220-c25a-11e7-8692-232bd1143e8a\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"gridData\":{\"h\":5,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":3},\"id\":\"0f10c430-c1c3-11e7-8995-936807a28b16\",\"panelIndex\":\"5\",\"type\":\"search\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"}]",
"timeRestore": false,
"title": "[Auditbeat Auditd] Overview",
"version": 1
},
"id": "c0ac2c00-c1c0-11e7-8995-936807a28b16",
"type": "dashboard",
"updated_at": "2018-01-16T22:55:17.775Z",
"version": 5
}
],
"version": "7.0.0-alpha1-SNAPSHOT"
}


@ -0,0 +1,188 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"filter\": [\n {\n \"meta\": {\n \"index\": \"auditbeat-*\",\n \"negate\": true,\n \"type\": \"phrase\",\n \"key\": \"auditd.summary.object.secondary\",\n \"value\": \"0\",\n \"params\": {\n \"query\": \"0\",\n \"type\": \"phrase\"\n },\n \"disabled\": false,\n \"alias\": null,\n \"apply\": true\n },\n \"query\": {\n \"match\": {\n \"auditd.summary.object.secondary\": {\n \"query\": \"0\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n }\n ],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}"
},
"savedSearchId": "b4c93470-c240-11e7-8692-232bd1143e8a",
"title": "Bind (non-ephemeral) [Auditbeat Auditd]",
"uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}",
"version": 1,
"visState": "{\n \"title\": \"Bind (non-ephemeral) [Auditbeat Auditd]\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"showMeticsAtAllLevels\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.summary.how\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"_term\",\n \"customLabel\": \"Exe\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.summary.object.primary\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"_term\",\n \"customLabel\": \"Address\"\n }\n },\n {\n \"id\": \"4\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.summary.object.secondary\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"_term\",\n \"customLabel\": \"Port\"\n }\n }\n ]\n}"
},
"id": "faf882f0-c242-11e7-8692-232bd1143e8a",
"type": "visualization",
"updated_at": "2018-01-16T22:08:02.522Z",
"version": 3
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"filter\": [],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}"
},
"savedSearchId": "5438b030-c246-11e7-8692-232bd1143e8a",
"title": "Connect [Auditbeat Auditd]",
"uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}",
"version": 1,
"visState": "{\n \"title\": \"Connect [Auditbeat Auditd]\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"showMeticsAtAllLevels\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"process.exe\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Exe\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.summary.object.primary\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Address\"\n }\n },\n {\n \"id\": \"4\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.summary.object.secondary\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Port\"\n }\n }\n ]\n}"
},
"id": "ea483730-c246-11e7-8692-232bd1143e8a",
"type": "visualization",
"updated_at": "2018-01-16T23:24:16.851Z",
"version": 4
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"filter\": [],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}"
},
"savedSearchId": "e8734160-c24c-11e7-8692-232bd1143e8a",
"title": "Accept / Recvfrom Unique Address Table [Auditbeat Auditd]",
"uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n },\n \"spy\": {\n \"mode\": {\n \"name\": null,\n \"fill\": false\n }\n }\n}",
"version": 1,
"visState": "{\n \"title\": \"Accept / Recvfrom Unique Address Table [Auditbeat Auditd]\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"showMeticsAtAllLevels\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"auditd.summary.object.primary\",\n \"customLabel\": \"Unique Addresses\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"process.exe\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Exe\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.data.syscall\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Syscall\"\n }\n }\n ]\n}"
},
"id": "ceb91de0-c250-11e7-8692-232bd1143e8a",
"type": "visualization",
"updated_at": "2018-01-16T22:16:51.535Z",
"version": 5
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"title": "Socket Syscalls Time Series [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\n \"title\": \"Socket Syscalls Time Series [Auditbeat Auditd]\",\n \"type\": \"metrics\",\n \"params\": {\n \"id\": \"61ca57f0-469d-11e7-af02-69e470af7417\",\n \"type\": \"timeseries\",\n \"series\": [\n {\n \"id\": \"61ca57f1-469d-11e7-af02-69e470af7417\",\n \"color\": \"#68BC00\",\n \"split_mode\": \"terms\",\n \"metrics\": [\n {\n \"id\": \"61ca57f2-469d-11e7-af02-69e470af7417\",\n \"type\": \"count\"\n }\n ],\n \"seperate_axis\": 0,\n \"axis_position\": \"right\",\n \"formatter\": \"number\",\n \"chart_type\": \"line\",\n \"line_width\": 1,\n \"point_size\": 1,\n \"fill\": 0.5,\n \"stacked\": \"none\",\n \"terms_field\": \"auditd.data.syscall\",\n \"label\": \"syscall\"\n }\n ],\n \"time_field\": \"@timestamp\",\n \"index_pattern\": \"auditbeat-*\",\n \"interval\": \"auto\",\n \"axis_position\": \"left\",\n \"axis_formatter\": \"number\",\n \"show_legend\": 1,\n \"show_grid\": 1,\n \"filter\": \"auditd.summary.object.type:socket\",\n \"legend_position\": \"left\",\n \"bar_color_rules\": [\n {\n \"id\": \"2cebb0c0-c252-11e7-8a68-93ffe9ec5950\"\n }\n ],\n \"gauge_color_rules\": [\n {\n \"id\": \"6c891740-c252-11e7-8a68-93ffe9ec5950\"\n }\n ],\n \"gauge_width\": 10,\n \"gauge_inner_width\": 10,\n \"gauge_style\": \"half\",\n \"background_color_rules\": [\n {\n \"id\": \"95b603d0-c252-11e7-8a68-93ffe9ec5950\"\n }\n ]\n },\n \"aggs\": []\n}"
},
"id": "b21e0c70-c252-11e7-8692-232bd1143e8a",
"type": "visualization",
"updated_at": "2018-01-16T22:13:38.857Z",
"version": 3
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"filter\": [],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}"
},
"title": "Socket Families [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\n \"title\": \"Socket Families [Auditbeat Auditd]\",\n \"type\": \"pie\",\n \"params\": {\n \"type\": \"pie\",\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"left\",\n \"isDonut\": true\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"auditd.data.socket.family\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Socket Family\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"auditd.data.syscall\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Syscall\"\n }\n }\n ]\n}"
},
"id": "a8e20450-c256-11e7-8692-232bd1143e8a",
"type": "visualization",
"updated_at": "2018-01-16T22:12:51.655Z",
"version": 3
},
{
"attributes": {
"columns": [
"beat.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.data.socket.family",
"auditd.result"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"event.module\",\"negate\":false,\"params\":{\"query\":\"auditd\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"auditd\"},\"query\":{\"match\":{\"event.module\":{\"query\":\"auditd\",\"type\":\"phrase\"}}}},{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"auditd.data.syscall\",\"value\":\"bind\",\"params\":{\"query\":\"bind\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"auditd.data.syscall\":{\"query\":\"bind\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"negate\":true,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"auditd.data.socket.family\",\"value\":\"netlink\",\"params\":{\"query\":\"netlink\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"auditd.data.socket.family\":{\"query\":\"netlink\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Socket Binds [Auditbeat Auditd]",
"version": 1
},
"id": "b4c93470-c240-11e7-8692-232bd1143e8a",
"type": "search",
"updated_at": "2018-01-16T23:05:58.935Z",
"version": 5
},
{
"attributes": {
"columns": [
"beat.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.data.socket.family",
"auditd.result",
"auditd.data.exit"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"event.module\",\"negate\":false,\"params\":{\"query\":\"auditd\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"auditd\"},\"query\":{\"match\":{\"event.module\":{\"query\":\"auditd\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"connected-to\",\"params\":{\"query\":\"connected-to\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"event.action\":{\"query\":\"connected-to\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"auditd.summary.object.primary\",\"value\":\"exists\"},\"exists\":{\"field\":\"auditd.summary.object.primary\"},\"$state\":{\"store\":\"appState\"}}]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Socket Connects [Auditbeat Auditd]",
"version": 1
},
"id": "5438b030-c246-11e7-8692-232bd1143e8a",
"type": "search",
"updated_at": "2018-01-16T23:09:43.937Z",
"version": 5
},
{
"attributes": {
"columns": [
"beat.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.data.socket.family",
"event.action"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"event.module\",\"negate\":false,\"params\":{\"query\":\"auditd\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"auditd\"},\"query\":{\"match\":{\"event.module\":{\"query\":\"auditd\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"auditd.summary.object.type\",\"value\":\"socket\",\"params\":{\"query\":\"socket\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"auditd.summary.object.type\":{\"query\":\"socket\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"auditd.summary.object.primary\",\"value\":\"exists\"},\"exists\":{\"field\":\"auditd.summary.object.primary\"},\"$state\":{\"store\":\"appState\"}},{\"query\":{\"terms\":{\"auditd.data.syscall\":[\"accept\",\"accept4\",\"recvfrom\",\"recvmsg\"]}},\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"disabled\":false,\"alias\":null,\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"terms\\\":{\\\"auditd.data.syscall\\\":[\\\"accept\\\",\\\"accept4\\\",\\\"recvfrom\\\",\\\"recvmsg\\\"]}}\"},\"$state\":{\"store\":\"appState\"}}]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Socket Accept / Recvfrom [Auditbeat Auditd]",
"version": 1
},
"id": "e8734160-c24c-11e7-8692-232bd1143e8a",
"type": "search",
"updated_at": "2018-01-16T23:20:51.403Z",
"version": 4
},
{
"attributes": {
"description": "Summary of socket related syscall events.",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
},
"optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}",
"panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":6,\"x\":6,\"y\":3},\"id\":\"faf882f0-c242-11e7-8692-232bd1143e8a\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":5,\"i\":\"2\",\"w\":6,\"x\":0,\"y\":7},\"id\":\"ea483730-c246-11e7-8692-232bd1143e8a\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":5,\"i\":\"3\",\"w\":6,\"x\":6,\"y\":7},\"id\":\"ceb91de0-c250-11e7-8692-232bd1143e8a\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"gridData\":{\"h\":3,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"id\":\"b21e0c70-c252-11e7-8692-232bd1143e8a\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":6,\"x\":0,\"y\":3},\"id\":\"a8e20450-c256-11e7-8692-232bd1143e8a\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"}]",
"timeRestore": false,
"title": "[Auditbeat Auditd] Sockets",
"version": 1
},
"id": "693a5f40-c243-11e7-8692-232bd1143e8a",
"type": "dashboard",
"updated_at": "2018-01-16T23:24:37.521Z",
"version": 4
}
],
"version": "7.0.0-alpha1-SNAPSHOT"
}


@ -0,0 +1,665 @@
package auditd
import (
"fmt"
"os"
"strconv"
"strings"
"syscall"
"time"
"github.com/pkg/errors"
"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/libbeat/logp"
"github.com/elastic/beats/libbeat/monitoring"
"github.com/elastic/beats/metricbeat/mb"
"github.com/elastic/beats/metricbeat/mb/parse"
"github.com/elastic/go-libaudit"
"github.com/elastic/go-libaudit/aucoalesce"
"github.com/elastic/go-libaudit/auparse"
)
const (
namespace = "auditd"
auditLocked = 2
unicast = "unicast"
multicast = "multicast"
)
var (
auditdMetrics = monitoring.Default.NewRegistry(moduleName)
lostMetric = monitoring.NewInt(auditdMetrics, "lost")
)
func init() {
mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
mb.DefaultMetricSet(),
mb.WithHostParser(parse.EmptyHostParser),
mb.WithNamespace(namespace),
)
}
// MetricSet listens for audit messages from the Linux kernel using a netlink
// socket. It buffers the messages to ensure ordering and then streams the
// output. MetricSet implements the mb.PushMetricSet interface, and therefore
// does not rely on polling.
type MetricSet struct {
mb.BaseMetricSet
config Config
client *libaudit.AuditClient
log *logp.Logger
}
// New constructs a new MetricSet.
func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
config := defaultConfig
if err := base.Module().UnpackConfig(&config); err != nil {
return nil, errors.Wrap(err, "failed to unpack the auditd config")
}
log := logp.NewLogger(moduleName)
_, _, kernel, _ := kernelVersion()
log.Infof("auditd module is running as euid=%v on kernel=%v", os.Geteuid(), kernel)
client, err := newAuditClient(&config, log)
if err != nil {
return nil, errors.Wrap(err, "failed to create audit client")
}
lostMetric.Set(0)
return &MetricSet{
BaseMetricSet: base,
client: client,
config: config,
log: log,
}, nil
}
func newAuditClient(c *Config, log *logp.Logger) (*libaudit.AuditClient, error) {
var err error
c.SocketType, err = determineSocketType(c, log)
if err != nil {
return nil, err
}
log.Infof("socket_type=%s will be used.", c.SocketType)
if c.SocketType == multicast {
return libaudit.NewMulticastAuditClient(nil)
}
return libaudit.NewAuditClient(nil)
}
// Run initializes the audit client and receives audit messages from the
// kernel until the reporter's done channel is closed.
func (ms *MetricSet) Run(reporter mb.PushReporterV2) {
defer ms.client.Close()
if err := ms.addRules(reporter); err != nil {
reporter.Error(err)
ms.log.Errorw("Failure adding audit rules", "error", err)
return
}
out, err := ms.receiveEvents(reporter.Done())
if err != nil {
reporter.Error(err)
ms.log.Errorw("Failure receiving audit events", "error", err)
return
}
for {
select {
case <-reporter.Done():
return
case msgs := <-out:
reporter.Event(buildMetricbeatEvent(msgs, ms.config))
}
}
}
func (ms *MetricSet) addRules(reporter mb.PushReporterV2) error {
rules, err := ms.config.rules()
if err != nil {
return errors.Wrap(err, "failed to add rules")
}
if len(rules) == 0 {
ms.log.Info("No audit_rules were specified.")
return nil
}
client, err := libaudit.NewAuditClient(nil)
if err != nil {
return errors.Wrap(err, "failed to create audit client for adding rules")
}
defer client.Close()
// Don't attempt to change configuration if audit rules are locked (enabled == 2).
// Will result in EPERM.
status, err := client.GetStatus()
if err != nil {
err = errors.Wrap(err, "failed to get audit status before adding rules")
reporter.Error(err)
return err
}
if status.Enabled == auditLocked {
return errors.New("Skipping rule configuration: Audit rules are locked")
}
// Delete existing rules.
n, err := client.DeleteRules()
if err != nil {
return errors.Wrap(err, "failed to delete existing rules")
}
ms.log.Infof("Deleted %v pre-existing audit rules.", n)
// Add rules from config.
var failCount int
for _, rule := range rules {
if err = client.AddRule(rule.data); err != nil {
// Treat rule add errors as warnings and continue.
err = errors.Wrapf(err, "failed to add audit rule '%v'", rule.flags)
reporter.Error(err)
ms.log.Warnw("Failure adding audit rule", "error", err)
failCount++
}
}
ms.log.Infof("Successfully added %d of %d audit rules.",
len(rules)-failCount, len(rules))
return nil
}
func (ms *MetricSet) initClient() error {
if ms.config.SocketType == "multicast" {
// This request will fail with EPERM if this process does not have
// CAP_AUDIT_CONTROL, but we will ignore the response. The user will be
// required to ensure that auditing is enabled if the process is only
// given CAP_AUDIT_READ.
err := ms.client.SetEnabled(true, libaudit.NoWait)
return errors.Wrap(err, "failed to enable auditing in the kernel")
}
// Unicast client initialization (requires CAP_AUDIT_CONTROL and that the
// process be in initial PID namespace).
status, err := ms.client.GetStatus()
if err != nil {
return errors.Wrap(err, "failed to get audit status")
}
ms.log.Infow("audit status from kernel at start", "audit_status", status)
if status.Enabled == auditLocked {
return errors.New("failed to configure: The audit system is locked")
}
if fm, _ := ms.config.failureMode(); status.Failure != fm {
if err = ms.client.SetFailure(libaudit.FailureMode(fm), libaudit.NoWait); err != nil {
return errors.Wrap(err, "failed to set audit failure mode in kernel")
}
}
if status.RateLimit != ms.config.RateLimit {
if err = ms.client.SetRateLimit(ms.config.RateLimit, libaudit.NoWait); err != nil {
return errors.Wrap(err, "failed to set audit rate limit in kernel")
}
}
if status.BacklogLimit != ms.config.BacklogLimit {
if err = ms.client.SetBacklogLimit(ms.config.BacklogLimit, libaudit.NoWait); err != nil {
return errors.Wrap(err, "failed to set audit backlog limit in kernel")
}
}
if status.Enabled == 0 {
if err = ms.client.SetEnabled(true, libaudit.NoWait); err != nil {
return errors.Wrap(err, "failed to enable auditing in the kernel")
}
}
if err := ms.client.WaitForPendingACKs(); err != nil {
return errors.Wrap(err, "failed to wait for ACKs")
}
if err := ms.client.SetPID(libaudit.WaitForReply); err != nil {
if errno, ok := err.(syscall.Errno); ok && errno == syscall.EEXIST && status.PID != 0 {
return fmt.Errorf("failed to set audit PID. An audit process is already running (PID %d)", status.PID)
}
return errors.Wrapf(err, "failed to set audit PID (current audit PID %d)", status.PID)
}
return nil
}
func (ms *MetricSet) receiveEvents(done <-chan struct{}) (<-chan []*auparse.AuditMessage, error) {
if err := ms.initClient(); err != nil {
return nil, err
}
out := make(chan []*auparse.AuditMessage, ms.config.StreamBufferQueueSize)
reassembler, err := libaudit.NewReassembler(int(ms.config.ReassemblerMaxInFlight), ms.config.ReassemblerTimeout, &stream{done, out})
if err != nil {
return nil, errors.Wrap(err, "failed to create Reassembler")
}
go maintain(done, reassembler)
go func() {
defer close(out)
defer reassembler.Close()
for {
raw, err := ms.client.Receive(false)
if err != nil {
continue
}
if filterRecordType(raw.Type) {
continue
}
if err := reassembler.Push(raw.Type, raw.Data); err != nil {
ms.log.Debugw("Dropping audit message",
"record_type", raw.Type,
"message", string(raw.Data),
"error", err)
continue
}
}
}()
return out, nil
}
// maintain periodically evicts timed-out events from the Reassembler. This
// function will block until the done channel is closed or the Reassembler is
// closed.
func maintain(done <-chan struct{}, reassembler *libaudit.Reassembler) {
tick := time.NewTicker(500 * time.Millisecond)
defer tick.Stop()
for {
select {
case <-done:
return
case <-tick.C:
if err := reassembler.Maintain(); err != nil {
return
}
}
}
}
func filterRecordType(typ auparse.AuditMessageType) bool {
// Messages from 1300-2999 are valid audit message types.
if typ < auparse.AUDIT_USER_AUTH || typ > auparse.AUDIT_LAST_USER_MSG2 {
return true
}
return false
}
func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event {
auditEvent, err := aucoalesce.CoalesceMessages(msgs)
if err != nil {
// Add messages on error so that it's possible to debug the problem.
out := mb.Event{MetricSetFields: common.MapStr{}}
addMessages(msgs, out.MetricSetFields)
return out
}
if config.ResolveIDs {
aucoalesce.ResolveIDs(auditEvent)
}
out := mb.Event{
Timestamp: auditEvent.Timestamp,
RootFields: common.MapStr{
"event": common.MapStr{
"category": auditEvent.Category.String(),
"type": strings.ToLower(auditEvent.Type.String()),
"action": auditEvent.Summary.Action,
},
},
ModuleFields: common.MapStr{
"sequence": auditEvent.Sequence,
"result": auditEvent.Result,
"session": auditEvent.Session,
"data": createAuditdData(auditEvent.Data),
},
}
// Add root level fields.
addUser(auditEvent.User, out.RootFields)
addProcess(auditEvent.Process, out.RootFields)
addFile(auditEvent.File, out.RootFields)
addAddress(auditEvent.Source, "source", out.RootFields)
addAddress(auditEvent.Dest, "destination", out.RootFields)
addNetwork(auditEvent.Net, out.RootFields)
if len(auditEvent.Tags) > 0 {
out.RootFields.Put("tags", auditEvent.Tags)
}
// Add module fields.
m := out.ModuleFields
if auditEvent.Summary.Actor.Primary != "" {
m.Put("summary.actor.primary", auditEvent.Summary.Actor.Primary)
}
if auditEvent.Summary.Actor.Secondary != "" {
m.Put("summary.actor.secondary", auditEvent.Summary.Actor.Secondary)
}
if auditEvent.Summary.Object.Primary != "" {
m.Put("summary.object.primary", auditEvent.Summary.Object.Primary)
}
if auditEvent.Summary.Object.Secondary != "" {
m.Put("summary.object.secondary", auditEvent.Summary.Object.Secondary)
}
if auditEvent.Summary.Object.Type != "" {
m.Put("summary.object.type", auditEvent.Summary.Object.Type)
}
if auditEvent.Summary.How != "" {
m.Put("summary.how", auditEvent.Summary.How)
}
if len(auditEvent.Paths) > 0 {
m.Put("paths", auditEvent.Paths)
}
if config.Warnings && len(auditEvent.Warnings) > 0 {
warnings := make([]string, 0, len(auditEvent.Warnings))
for _, err := range auditEvent.Warnings {
warnings = append(warnings, err.Error())
}
m.Put("warnings", warnings)
addMessages(msgs, m)
}
if config.RawMessage {
addMessages(msgs, m)
}
return out
}
func addUser(u aucoalesce.User, m common.MapStr) {
user := make(common.MapStr, len(u.IDs))
m.Put("user", user)
for id, value := range u.IDs {
user[id] = value
if len(u.SELinux) > 0 {
user["selinux"] = u.SELinux
}
if len(u.Names) > 0 {
user["name_map"] = u.Names
}
}
}
func addProcess(p aucoalesce.Process, m common.MapStr) {
if p.IsEmpty() {
return
}
process := common.MapStr{}
m.Put("process", process)
if p.PID != "" {
process["pid"] = p.PID
}
if p.PPID != "" {
process["ppid"] = p.PPID
}
if p.Title != "" {
process["title"] = p.Title
}
if p.Name != "" {
process["name"] = p.Name
}
if p.Exe != "" {
process["exe"] = p.Exe
}
if p.CWD != "" {
process["cwd"] = p.CWD
}
if len(p.Args) > 0 {
process["args"] = p.Args
}
}
func addFile(f *aucoalesce.File, m common.MapStr) {
if f == nil {
return
}
file := common.MapStr{}
m.Put("file", file)
if f.Path != "" {
file["path"] = f.Path
}
if f.Device != "" {
file["device"] = f.Device
}
if f.Inode != "" {
file["inode"] = f.Inode
}
if f.Mode != "" {
file["mode"] = f.Mode
}
if f.UID != "" {
file["uid"] = f.UID
}
if f.GID != "" {
file["gid"] = f.GID
}
if f.Owner != "" {
file["owner"] = f.Owner
}
if f.Group != "" {
file["group"] = f.Group
}
if len(f.SELinux) > 0 {
file["selinux"] = f.SELinux
}
}
func addAddress(addr *aucoalesce.Address, key string, m common.MapStr) {
if addr == nil {
return
}
address := common.MapStr{}
m.Put(key, address)
if addr.Hostname != "" {
address["hostname"] = addr.Hostname
}
if addr.IP != "" {
address["ip"] = addr.IP
}
if addr.Port != "" {
address["port"] = addr.Port
}
if addr.Path != "" {
address["path"] = addr.Path
}
}
func addNetwork(net *aucoalesce.Network, m common.MapStr) {
if net == nil {
return
}
network := common.MapStr{
"direction": net.Direction,
}
m.Put("network", network)
}
func addMessages(msgs []*auparse.AuditMessage, m common.MapStr) {
_, added := m["messages"]
if !added && len(msgs) > 0 {
rawMsgs := make([]string, 0, len(msgs))
for _, msg := range msgs {
rawMsgs = append(rawMsgs, "type="+msg.RecordType.String()+" msg="+msg.RawData)
}
m["messages"] = rawMsgs
}
}
func createAuditdData(data map[string]string) common.MapStr {
out := make(common.MapStr, len(data))
for key, v := range data {
if strings.HasPrefix(key, "socket_") {
out.Put("socket."+key[7:], v)
continue
}
out.Put(key, v)
}
return out
}
// stream type
// stream receives callbacks from the libaudit.Reassembler for completed events
// or lost events that are detected by gaps in sequence numbers.
type stream struct {
done <-chan struct{}
out chan<- []*auparse.AuditMessage
}
func (s *stream) ReassemblyComplete(msgs []*auparse.AuditMessage) {
select {
case <-s.done:
return
case s.out <- msgs:
}
}
func (s *stream) EventsLost(count int) {
lostMetric.Inc()
}
func hasMulticastSupport() bool {
// Check the kernel version because 3.16+ should have multicast
// support.
major, minor, _, err := kernelVersion()
if err != nil {
// Assume not supported.
return false
}
switch {
case major > 3,
major == 3 && minor >= 16:
return true
}
return false
}
func kernelVersion() (major, minor int, full string, err error) {
var uname syscall.Utsname
if err := syscall.Uname(&uname); err != nil {
return 0, 0, "", err
}
length := len(uname.Release)
data := make([]byte, length)
for i, v := range uname.Release {
if v == 0 {
length = i
break
}
data[i] = byte(v)
}
release := string(data[:length])
parts := strings.SplitN(release, ".", 3)
if len(parts) < 2 {
return 0, 0, release, errors.Errorf("failed to parse uname release '%v'", release)
}
major, err = strconv.Atoi(parts[0])
if err != nil {
return 0, 0, release, errors.Wrapf(err, "failed to parse major version from '%v'", release)
}
minor, err = strconv.Atoi(parts[1])
if err != nil {
return 0, 0, release, errors.Wrapf(err, "failed to parse minor version from '%v'", release)
}
return major, minor, release, nil
}
func determineSocketType(c *Config, log *logp.Logger) (string, error) {
client, err := libaudit.NewAuditClient(nil)
if err != nil {
if c.SocketType == "" {
return "", errors.Wrap(err, "failed to create audit client")
}
// Ignore errors if a socket type has been specified. It will fail during
// further setup and its necessary for unit tests to pass
return c.SocketType, nil
}
defer client.Close()
status, err := client.GetStatus()
if err != nil {
if c.SocketType == "" {
return "", errors.Wrap(err, "failed to get audit status")
}
return c.SocketType, nil
}
rules, _ := c.rules()
isLocked := status.Enabled == auditLocked
hasMulticast := hasMulticastSupport()
hasRules := len(rules) > 0
const useAutodetect = "Remove the socket_type option to have auditbeat " +
"select the most suitable subscription method."
switch c.SocketType {
case unicast:
if isLocked {
log.Errorf("requested unicast socket_type is not available "+
"because audit configuration is locked in the kernel "+
"(enabled=2). %s", useAutodetect)
return "", errors.New("unicast socket_type not available")
}
return c.SocketType, nil
case multicast:
if hasMulticast {
if hasRules {
log.Warn("The audit rules specified in the configuration " +
"cannot be applied when using a multicast socket_type.")
}
return c.SocketType, nil
}
log.Errorf("socket_type is set to multicast but based on the "+
"kernel version, multicast audit subscriptions are not supported. %s",
useAutodetect)
return "", errors.New("multicast socket_type not available")
default:
// attempt to determine the optimal socket_type
if hasMulticast {
if hasRules {
if isLocked {
log.Warn("Audit rules specified in the configuration " +
"cannot be applied because the audit rules have been locked " +
"in the kernel (enabled=2). A multicast audit subscription " +
"will be used instead, which does not support setting rules")
return multicast, nil
}
return unicast, nil
}
return multicast, nil
}
if isLocked {
log.Errorf("Cannot continue: audit configuration is locked " +
"in the kernel (enabled=2) which prevents using unicast " +
"sockets. Multicast audit subscriptions are not available " +
"in this kernel. Disable locking the audit configuration " +
"to use auditbeat.")
return "", errors.New("no connection to audit available")
}
return unicast, nil
}
}
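Review bot: The receive goroutine in receiveEvents (the `for` loop around `raw, err := ms.client.Receive(false)` / `if err != nil { continue }`) has no exit condition and discards every receive error silently: once Run's deferred `ms.client.Close()` runs, each Receive presumably fails immediately and the goroutine spins at full CPU without ever terminating, and while the socket is healthy a receive failure that drops audit records leaves no log line or metric for an operator to notice. Checking `done` on the error path and logging the error, as below, bounds the goroutine's lifetime and makes receive failures observable. A smaller issue in the same file: in addUser the `selinux` and `name_map` assignments sit inside the `for id, value := range u.IDs` loop, so they are re-done per ID and skipped entirely when u.IDs is empty; they belong after the loop. initClient also compares `ms.config.SocketType == "multicast"` against a literal although the `multicast` constant is declared at the top of this file.
```go
	for {
		raw, err := ms.client.Receive(false)
		if err != nil {
			// Stop once the consumer is gone; after Run closes the client
			// every Receive would otherwise fail in a tight loop.
			select {
			case <-done:
				return
			default:
			}
			ms.log.Debugw("Failure receiving audit message", "error", err)
			continue
		}
		// … unchanged: filterRecordType check and reassembler.Push …
	}
```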


@ -0,0 +1,225 @@
package auditd
import (
"encoding/json"
"flag"
"fmt"
"io/ioutil"
"os"
"os/exec"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/elastic/beats/auditbeat/core"
"github.com/elastic/beats/libbeat/logp"
mbtest "github.com/elastic/beats/metricbeat/mb/testing"
"github.com/elastic/go-libaudit"
"github.com/elastic/go-libaudit/auparse"
"github.com/elastic/procfs"
)
// Specify the -audit flag when running these tests to interact with the real
// kernel instead of mocks. If running in Docker this requires being in the
// host PID namespace (--pid=host) and having CAP_AUDIT_CONTROL and
// CAP_AUDIT_WRITE (so use --privileged).
var audit = flag.Bool("audit", false, "interact with the real audit framework")
var (
userLoginMsg = `type=USER_LOGIN msg=audit(1492896301.818:19955): pid=12635 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=179.38.151.221 terminal=sshd res=failed'`
execveMsgs = []string{
`type=SYSCALL msg=audit(1492752522.985:8972): arch=c000003e syscall=59 success=yes exit=0 a0=10812c8 a1=1070208 a2=1152008 a3=59a items=2 ppid=10027 pid=10043 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts0 ses=11 comm="uname" exe="/bin/uname" key="key=user_commands"`,
`type=EXECVE msg=audit(1492752522.985:8972): argc=2 a0="uname" a1="-a"`,
`type=CWD msg=audit(1492752522.985:8972): cwd="/home/andrew_kroh"`,
`type=PATH msg=audit(1492752522.985:8972): item=0 name="/bin/uname" inode=155 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL`,
`type=PATH msg=audit(1492752522.985:8972): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1923 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL`,
`type=PROCTITLE msg=audit(1492752522.985:8972): proctitle=756E616D65002D61`,
`type=EOE msg=audit(1492752522.985:8972):`,
}
acceptMsgs = []string{
`type=SYSCALL msg=audit(1492752520.441:8832): arch=c000003e syscall=43 success=yes exit=5 a0=3 a1=7ffd0dc80040 a2=7ffd0dc7ffd0 a3=0 items=0 ppid=1 pid=1663 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="key=net"`,
`type=SOCKADDR msg=audit(1492752520.441:8832): saddr=0200E31C4853E6640000000000000000`,
`type=PROCTITLE msg=audit(1492752520.441:8832): proctitle="(sshd)"`,
`type=EOE msg=audit(1492752520.441:8832):`,
}
)
func TestData(t *testing.T) {
logp.TestingSetup()
// Create a mock netlink client that provides the expected responses.
mock := NewMock().
// Get Status response for initClient
returnACK().returnStatus().
// Send expected ACKs for initialization
returnACK().returnACK().returnACK().returnACK().
// Send a single audit message from the kernel.
returnMessage(userLoginMsg)
// Replace the default AuditClient with a mock.
ms := mbtest.NewPushMetricSetV2(t, getConfig())
auditMetricSet := ms.(*MetricSet)
auditMetricSet.client.Close()
auditMetricSet.client = &libaudit.AuditClient{Netlink: mock}
events := mbtest.RunPushMetricSetV2(10*time.Second, 1, ms)
for _, e := range events {
if e.Error != nil {
t.Fatalf("received error: %+v", e.Error)
}
}
if len(events) == 0 {
t.Fatal("received no events")
}
beatEvent := mbtest.StandardizeEvent(ms, events[0], core.AddDatasetToEvent)
mbtest.WriteEventToDataJSON(t, beatEvent)
}
func getConfig() map[string]interface{} {
return map[string]interface{}{
"module": "auditd",
"failure_mode": "log",
"socket_type": "unicast",
}
}
func TestUnicastClient(t *testing.T) {
if !*audit {
t.Skip("-audit was not specified")
}
logp.TestingSetup()
FailIfAuditdIsRunning(t)
c := map[string]interface{}{
"module": "auditd",
"socket_type": "unicast",
"audit_rules": fmt.Sprintf(`
-a always,exit -F arch=b64 -F ppid=%d -S execve -k exec
`, os.Getpid()),
}
// Any commands executed by this process will generate events due to the
// PPID filter we applied to the rule.
time.AfterFunc(time.Second, func() { exec.Command("cat", "/proc/self/status").Output() })
ms := mbtest.NewPushMetricSetV2(t, c)
events := mbtest.RunPushMetricSetV2(5*time.Second, 0, ms)
for _, e := range events {
t.Log(e)
if e.Error != nil {
t.Errorf("received error: %+v", e.Error)
}
}
for _, e := range events {
v, err := e.MetricSetFields.GetValue("thing.primary")
if err == nil {
if exe, ok := v.(string); ok && exe == "/bin/cat" {
return
}
}
}
assert.Fail(t, "expected an execve event for /bin/cat")
}
func TestMulticastClient(t *testing.T) {
if !*audit {
t.Skip("-audit was not specified")
}
if !hasMulticastSupport() {
t.Skip("no multicast support")
}
logp.TestingSetup()
FailIfAuditdIsRunning(t)
c := map[string]interface{}{
"module": "auditd",
"socket_type": "multicast",
"audit_rules": fmt.Sprintf(`
-a always,exit -F arch=b64 -F ppid=%d -S execve -k exec
`, os.Getpid()),
}
// Any commands executed by this process will generate events due to the
// PPID filter we applied to the rule.
time.AfterFunc(time.Second, func() { exec.Command("cat", "/proc/self/status").Output() })
ms := mbtest.NewPushMetricSetV2(t, c)
events := mbtest.RunPushMetricSetV2(5*time.Second, 0, ms)
for _, e := range events {
if e.Error != nil {
t.Fatalf("received error: %+v", e.Error)
}
}
// The number of events is non-deterministic so there is no validation.
t.Logf("received %d messages via multicast", len(events))
}
func TestKernelVersion(t *testing.T) {
major, minor, full, err := kernelVersion()
if err != nil {
t.Fatal(err)
}
t.Logf("major=%v, minor=%v, full=%v", major, minor, full)
}
func FailIfAuditdIsRunning(t testing.TB) {
t.Helper()
procs, err := procfs.AllProcs()
if err != nil {
t.Fatal(err)
}
for _, proc := range procs {
comm, err := proc.Comm()
if err != nil {
t.Error(err)
continue
}
if comm == "auditd" {
t.Fatalf("auditd is running (pid=%d). This test cannot run while "+
"auditd is running.", proc.PID)
}
}
}
func TestBuildMetricbeatEvent(t *testing.T) {
if f := flag.Lookup("data"); f != nil && f.Value.String() == "false" {
t.Skip("skip data generation tests")
}
buildSampleEvent(t, acceptMsgs, "_meta/accept.json")
buildSampleEvent(t, execveMsgs, "_meta/execve.json")
}
func buildSampleEvent(t testing.TB, lines []string, filename string) {
var msgs []*auparse.AuditMessage
for _, txt := range lines {
m, err := auparse.ParseLogLine(txt)
if err != nil {
t.Fatal(err)
}
msgs = append(msgs, m)
}
e := buildMetricbeatEvent(msgs, defaultConfig)
beatEvent := e.BeatEvent(moduleName, metricsetName, core.AddDatasetToEvent)
output, err := json.MarshalIndent(&beatEvent.Fields, "", " ")
if err != nil {
t.Fatal(err)
}
if err := ioutil.WriteFile(filename, output, 0644); err != nil {
t.Fatal(err)
}
}
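Review bot: TestUnicastClient's success check reads `thing.primary` from `e.MetricSetFields`, but buildMetricbeatEvent in this commit never writes a `thing` key: the summary goes under `summary.actor.*` / `summary.object.*` in the module fields and the executable path under root-level `process.exe`, so unless the push reporter rewrites the event the loop can never `return` and the test always ends at `assert.Fail` when it is actually run with -audit. Because the test is skipped without the flag, CI would not catch this. Change the lookup to the field the execve event really carries — likely `v, err := e.RootFields.GetValue("process.exe")`, or `summary.object.primary` if that is where the coalescer places the exe; the _meta/execve.json written by TestBuildMetricbeatEvent shows which. The two `exec.Command("cat", "/proc/self/status").Output()` calls in these tests also discard their error, so a missing binary would surface only as the 5-second timeout.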


@ -0,0 +1,22 @@
// +build !linux
package auditd
import (
"github.com/pkg/errors"
"github.com/elastic/beats/metricbeat/mb"
"github.com/elastic/beats/metricbeat/mb/parse"
)
func init() {
mb.Registry.MustAddMetricSet(metricsetName, metricsetName, New,
mb.DefaultMetricSet(),
mb.WithHostParser(parse.EmptyHostParser),
)
}
// New constructs a new MetricSet.
func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
return nil, errors.Errorf("the %v module is only supported on Linux", metricsetName)
}
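Review bot: The non-Linux `init` registers the metricset with `MustAddMetricSet(metricsetName, metricsetName, New, …)`, while the Linux file in this commit uses `(moduleName, metricsetName, New, …)` plus `mb.WithNamespace(namespace)`; both constants are "auditd" today so it works, but passing metricsetName as the module name will silently diverge if either constant is ever changed. Use `mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,` here as well so the two registrations stay in step.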


@ -1,4 +1,4 @@
package kernel
package auditd
import (
"bufio"
@ -13,21 +13,26 @@ import (
"github.com/elastic/go-libaudit/rule/flags"
)
const (
moduleName = "auditd"
metricsetName = "auditd"
)
// Config defines the kernel metricset's possible configuration options.
type Config struct {
ResolveIDs bool `config:"kernel.resolve_ids"` // Resolve UID/GIDs to names.
FailureMode string `config:"kernel.failure_mode"` // Failure mode for the kernel (silent, log, panic).
BacklogLimit uint32 `config:"kernel.backlog_limit"` // Max number of message to buffer in the kernel.
RateLimit uint32 `config:"kernel.rate_limit"` // Rate limit in messages/sec of messages from kernel.
RawMessage bool `config:"kernel.include_raw_message"` // Include the list of raw audit messages in the event.
Warnings bool `config:"kernel.include_warnings"` // Include warnings in the event (for dev/debug purposes only).
RulesBlob string `config:"kernel.audit_rules"` // Audit rules. One rule per line.
SocketType string `config:"kernel.socket_type"` // Socket type to use with the kernel (unicast or multicast).
ResolveIDs bool `config:"resolve_ids"` // Resolve UID/GIDs to names.
FailureMode string `config:"failure_mode"` // Failure mode for the kernel (silent, log, panic).
BacklogLimit uint32 `config:"backlog_limit"` // Max number of message to buffer in the auditd.
RateLimit uint32 `config:"rate_limit"` // Rate limit in messages/sec of messages from auditd.
RawMessage bool `config:"include_raw_message"` // Include the list of raw audit messages in the event.
Warnings bool `config:"include_warnings"` // Include warnings in the event (for dev/debug purposes only).
RulesBlob string `config:"audit_rules"` // Audit rules. One rule per line.
SocketType string `config:"socket_type"` // Socket type to use with the kernel (unicast or multicast).
// Tuning options (advanced, use with care)
ReassemblerMaxInFlight uint32 `config:"kernel.reassembler.max_in_flight"`
ReassemblerTimeout time.Duration `config:"kernel.reassembler.timeout"`
StreamBufferQueueSize uint32 `config:"kernel.reassembler.queue_size"`
ReassemblerMaxInFlight uint32 `config:"reassembler.max_in_flight"`
ReassemblerTimeout time.Duration `config:"reassembler.timeout"`
StreamBufferQueueSize uint32 `config:"reassembler.queue_size"`
}
type auditRule struct {
@ -51,7 +56,7 @@ func (c *Config) Validate() error {
switch c.SocketType {
case "", "unicast", "multicast":
default:
errs = append(errs, errors.Errorf("invalid kernel.socket_type "+
errs = append(errs, errors.Errorf("invalid socket_type "+
"'%v' (use unicast, multicast, or don't set a value)", c.SocketType))
}
@ -97,7 +102,7 @@ func (c Config) rules() ([]auditRule, error) {
}
if len(errs) > 0 {
return nil, errors.Wrap(errs.Err(), "invalid kernel.audit_rules")
return nil, errors.Wrap(errs.Err(), "invalid audit_rules")
}
return auditRules, nil
}
@ -111,7 +116,7 @@ func (c Config) failureMode() (uint32, error) {
case "panic":
return 2, nil
default:
return 0, errors.Errorf("invalid kernel.failure_mode '%v' (use silent, log, or panic)", c.FailureMode)
return 0, errors.Errorf("invalid failure_mode '%v' (use silent, log, or panic)", c.FailureMode)
}
}
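Review bot: The doc comment on Config in the second hunk still reads `// Config defines the kernel metricset's possible configuration options.` although the commit renames the package and every config key away from `kernel.*`; it should read `// Config defines the auditd metricset's possible configuration options.` The Validate hunk also keeps the literals `case "", "unicast", "multicast":` while the Linux implementation added in this same package declares `unicast` and `multicast` constants, so `case "", unicast, multicast:` would keep the accepted values and the runtime comparisons from drifting apart. The bodies of Validate, rules and failureMode start outside the shown hunks.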


@ -1,4 +1,4 @@
package kernel
package auditd
import (
"testing"
@ -10,7 +10,7 @@ import (
func TestConfigValidate(t *testing.T) {
data := `
kernel.audit_rules: |
audit_rules: |
# Comments and empty lines are ignored.
-w /etc/passwd -p wa -k auth
@ -32,7 +32,7 @@ kernel.audit_rules: |
func TestConfigValidateWithError(t *testing.T) {
data := `
kernel.audit_rules: |
audit_rules: |
-x bad -F flag
-a always,exit -w /etc/passwd
-a always,exit -F arch=b64 -S fake -k exec`
@ -46,7 +46,7 @@ kernel.audit_rules: |
func TestConfigValidateWithDuplicates(t *testing.T) {
data := `
kernel.audit_rules: |
audit_rules: |
-w /etc/passwd -p rwxa -k auth
-w /etc/passwd -k auth`


@ -0,0 +1,3 @@
// Package auditd is a metricset that subscribes to the Linux Audit Framework
// to receive audit events from the the kernel.
package auditd
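Review bot: The package comment has a doubled word, `from the the kernel`; since this is the godoc summary for the package it should read `// to receive audit events from the kernel.`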
