Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filebeat feature request for auditd event merging and enrichment #6484

Closed
gwsales opened this issue Feb 27, 2018 · 4 comments
Closed

Filebeat feature request for auditd event merging and enrichment #6484

gwsales opened this issue Feb 27, 2018 · 4 comments
Labels
enhancement Filebeat Filebeat Stalled

Comments

@gwsales
Copy link

gwsales commented Feb 27, 2018
edited by zube bot
Loading

Requesting a new prospector type in filebeat that uses go-libaudit to parse and enrich data, basically need to read auditd logs and build json output like auditbeats for environments that are stuck using auditd and not able to use the muticast socket type due to older kernal versions

#6477
@andrewkroh
Copy link
Member

andrewkroh commented Mar 8, 2018
edited
Loading

The auparse utility in go-libaudit is an example of how to implement this. Filebeat would do that same thing which basically is:

  • Read lines the auditd log
  • Parses the individual line with auparse.ParseLogLine
  • Writes the parsed line to a libaudit.Reassembler to combine the related messages in order. Message written by auditd can be interleaved and out of order.
  • Periodically call Flush on the Reassembler
  • Call aucoalesce.CoalesceMessages to create a single event from the related messages that come out of the Reassembler

This would replace the ingest pipeline (and painless scripting) in the current auditd Filebeat module.

This was referenced Mar 18, 2020
Closed
Merged
@botelastic
Copy link

botelastic bot commented Jul 9, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added Stalled needs_team Indicates that the issue/PR needs a Team:* label labels Jul 9, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed needs_team Indicates that the issue/PR needs a Team:* label Stalled labels Jul 13, 2020
@botelastic
Copy link

botelastic bot commented Jun 13, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the Stalled label Jun 13, 2021
@botelastic botelastic bot closed this as completed Jul 13, 2021
@andrewkroh andrewkroh mentioned this issue Jun 28, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement Filebeat Filebeat Stalled
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ruflin @andrewkroh @elasticmachine @gwsales