diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 26f20739aad..25e145dc8bb 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -356,6 +356,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS categorization field mappings for nginx module. {issue}16174[16174] {pull}17844[17844]
 - Improve ECS categorization field mappings for zeek module. {issue}16029[16029] {pull}17738[17738]
 - Improve ECS categorization field mappings for netflow module. {issue}16135[16135] {pull}18108[18108]
+- Improve ECS categorization field mappings in system module. {issue}16031[16031] {pull}18065[18065]
 
 *Heartbeat*
 
diff --git a/filebeat/module/system/auth/ingest/pipeline.json b/filebeat/module/system/auth/ingest/pipeline.json
deleted file mode 100644
index 8df0a77e582..00000000000
--- a/filebeat/module/system/auth/ingest/pipeline.json
+++ /dev/null
@@ -1,121 +0,0 @@
-{
- "description": "Pipeline for parsing system authorisation/secure logs",
- "processors": [
- {
- "grok": {
- "field": "message",
- "ignore_missing": true,
- "pattern_definitions" : {
- "GREEDYMULTILINE" : "(.|\n)*",
- "TIMESTAMP": "(?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})"
- },
- "patterns": [
- "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
- "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}",
- "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}",
- "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: \\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
- "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}",
- "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$",
- "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.auth.message}"
- ]
- }
- },
- {
- "remove": {
- "field": "message"
- }
- },
- {
- "rename": {
- "field": "system.auth.message",
- "target_field": "message",
- "ignore_missing": true
- }
- },
- {
- "set": {
- "field": "source.ip",
- "value": "{{system.auth.ssh.dropped_ip}}",
- "if": "ctx.containsKey('system') && ctx.system.containsKey('auth') && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')"
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone == null",
- "field": "system.auth.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "ISO8601"
- ],
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone != null",
- "field": "system.auth.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "ISO8601"
- ],
- "timezone": "{{ event.timezone }}",
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "remove": {
- "field": "system.auth.timestamp"
- }
- },
- {
- "geoip": {
- "field": "source.ip",
- "target_field": "source.geo",
- "ignore_failure": true
- }
- },
- {
- "geoip": {
- "database_file": "GeoLite2-ASN.mmdb",
- "field": "source.ip",
- "target_field": "source.as",
- "properties": [
- "asn",
- "organization_name"
- ],
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "source.as.asn",
- "target_field": "source.as.number",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "source.as.organization_name",
- "target_field": "source.as.organization.name",
- "ignore_missing": true
- }
- },
- {
- "script": {
- "lang": "painless",
- "ignore_failure": true,
- "source": "if (ctx.system.auth.ssh.event == \"Accepted\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } ctx.event.type = \"authentication_success\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"success\"; } else if (ctx.system.auth.ssh.event == \"Invalid\" || ctx.system.auth.ssh.event == \"Failed\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } ctx.event.type = \"authentication_failure\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"failure\"; }"
- }
- }
- ],
- "on_failure" : [{
- "set" : {
- "field" : "error.message",
- "value" : "{{ _ingest.on_failure_message }}"
- }
- }]
-}
diff --git a/filebeat/module/system/auth/ingest/pipeline.yml b/filebeat/module/system/auth/ingest/pipeline.yml
new file mode 100644
index 00000000000..2cdd507f8cc
--- /dev/null
+++ b/filebeat/module/system/auth/ingest/pipeline.yml
@@ -0,0 +1,145 @@
+description: Pipeline for parsing system authorisation/secure logs
+processors:
+- grok:
+ field: message
+ ignore_missing: true
+ pattern_definitions:
+ GREEDYMULTILINE: |-
+ (.|
+ )*
+ TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})
+ patterns:
+ - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
+ %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user
+ )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long}
+ ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?'
+ - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
+ %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}'
+ - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
+ Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}'
+ - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
+ \s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty}
+ ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}'
+ - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
+ new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}'
+ - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
+ new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id},
+ home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$'
+ - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
+ %{GREEDYMULTILINE:system.auth.message}'
+- remove:
+ field: message
+- rename:
+ field: system.auth.message
+ target_field: message
+ ignore_missing: true
+- set:
+ field: source.ip
+ value: '{{system.auth.ssh.dropped_ip}}'
+ if: "ctx?.system?.auth?.ssh?.dropped_ip != null"
+- date:
+ if: ctx.event.timezone == null
+ field: system.auth.timestamp
+ target_field: '@timestamp'
+ formats:
+ - MMM d HH:mm:ss
+ - MMM dd HH:mm:ss
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+- date:
+ if: ctx.event.timezone != null
+ field: system.auth.timestamp
+ target_field: '@timestamp'
+ formats:
+ - MMM d HH:mm:ss
+ - MMM dd HH:mm:ss
+ - ISO8601
+ timezone: '{{ event.timezone }}'
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+- remove:
+ field: system.auth.timestamp
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_failure: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- set:
+ field: event.kind
+ value: event
+- script:
+ lang: painless
+ ignore_failure: true
+ source: >-
+ if (ctx.system.auth.ssh.event == "Accepted") {
+ ctx.event.type = ["authentication_success", "info"];
+ ctx.event.category = ["authentication"];
+ ctx.event.action = "ssh_login";
+ ctx.event.outcome = "success";
+ } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") {
+ ctx.event.type = ["authentication_failure", "info"];
+ ctx.event.category = ["authentication"];
+ ctx.event.action = "ssh_login";
+ ctx.event.outcome = "failure";
+ }
+
+- append:
+ field: event.category
+ value: iam
+ if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)"
+- append:
+ field: event.type
+ value: user
+ if: "ctx?.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)"
+- append:
+ field: event.type
+ value: group
+ if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)"
+- append:
+ field: event.type
+ value: creation
+ if: "ctx?.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)"
+- append:
+ field: event.type
+ value: deletion
+ if: "ctx?.process?.name != null && ['userdel', 'groupdel'].contains(ctx.process.name)"
+- append:
+ field: event.type
+ value: change
+ if: "ctx?.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)"
+- append:
+ field: related.user
+ value: "{{user.name}}"
+ if: "ctx?.user?.name != null"
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/filebeat/module/system/auth/manifest.yml b/filebeat/module/system/auth/manifest.yml
index ade9e03a69a..dd16ddafd65 100644
--- a/filebeat/module/system/auth/manifest.yml
+++ b/filebeat/module/system/auth/manifest.yml
@@ -11,5 +11,5 @@ var:
 - /var/log/secure.log*
 os.windows: []
 
-ingest_pipeline: ingest/pipeline.json
+ingest_pipeline: ingest/pipeline.yml
 input: config/auth.yml
diff --git a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json
index a7a3cee04e6..74654cb6dc1 100644
--- a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json
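Review bot: The `event.outcome: success` set in the useradd/userdel/usermod/groupadd/groupdel/groupmod block near the end of the hunk is keyed only on `process.name`, so any line those tools log — including a failure or refusal message, which only the catch-all GREEDYMULTILINE pattern would match — is recorded as a successful IAM change, and the same process-name-only test drives the `iam` category and the creation/deletion/change types. One option for the outcome is to require a field the dedicated patterns actually extract, e.g. `if: "ctx?.user?.id != null || ctx?.group?.id != null"`, and leave outcome unset for lines nothing parsed; since userdel/usermod/groupdel/groupmod have no dedicated pattern here that would also drop their outcome, so if the process-name inference is the intended trade-off a comment above the block such as `# outcome/category/type below are inferred from process.name only; no pattern confirms the operation succeeded` would make that visible to whoever builds detections on it. Separately, `related.user` is appended only from `user.name`, so the sudo target user captured in `system.auth.sudo.user` never reaches `related.user`; an extra `append` on `related.user` guarded by `ctx?.system?.auth?.sudo?.user != null` would cover it. The two `date` processors also test `ctx.event.timezone` without the null-safe `?.` used everywhere else in this file, so a document arriving without an `event` object fails the pipeline instead of taking the no-timezone branch — presumably the input always carries it, but `ctx?.event?.timezone == null` would match the file's own style.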
+++ b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json @@ -1,6 +1,7 @@ [ { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -14,6 +15,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -21,6 +23,9 @@ "input.type": "log", "log.offset": 81, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-lhspyyxxlfzpytwsebjoegenjxyjombo; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -30,6 +35,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -42,6 +48,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -54,6 +61,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -67,6 +75,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -74,6 +83,9 @@ "input.type": "log", "log.offset": 736, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-xspkubktopzqiwiofvdhqaglconkrgwp; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675181.24-158548606882799/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675181.24-158548606882799/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -83,6 +95,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -95,6 +108,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -107,6 +121,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -120,6 +135,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -127,6 +143,9 @@ "input.type": "log", "log.offset": 1393, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-vxcrqvczsrjrrsjcokculalhrgfsxqzl; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675202.4-199750250589919/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675202.4-199750250589919/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -136,6 +155,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -148,6 +168,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -160,6 +181,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -173,6 +195,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -180,6 +203,9 @@ "input.type": "log", "log.offset": 2048, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-gruorqbeefuuhfprfoqzsftalatgwwvf; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675203.3-59927285912173/file; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675203.3-59927285912173/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -189,6 +215,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -201,6 +228,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -213,6 +241,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -226,6 +255,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -233,6 +263,9 @@ "input.type": "log", "log.offset": 2698, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-fnthqelgspkbnpnxlsknzcbyxbqqxpmt; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675204.07-135388534337396/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675204.07-135388534337396/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", 
@@ -242,6 +275,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -254,6 +288,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -266,6 +301,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -279,6 +315,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -291,6 +328,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -298,6 +336,9 @@ "input.type": "log", "log.offset": 3414, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-wagdvfiuqxtryvmyrqlfcwoxeqqrxejt; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/async_wrapper 321853834469 45 /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/command /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/arguments; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -307,6 +348,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -319,6 +361,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -331,6 +374,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -344,6 +388,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -351,6 +396,9 @@ "input.type": "log", "log.offset": 4249, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-lkgydmrwiywdfvxfoxmgntufiumtzpmq; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675212.66-81790186240643/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675212.66-81790186240643/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -360,6 +408,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -372,6 +421,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -384,6 +434,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -397,6 +448,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -404,6 +456,9 @@ "input.type": "log", "log.offset": 4904, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-mjsapklbglujaoktlsyytirwygexdily; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675218.96-234174787135180/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675218.96-234174787135180/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -413,6 +468,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -425,6 +481,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -437,6 +494,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -450,6 +508,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -457,6 +516,9 @@ "input.type": "log", "log.offset": 5561, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-kvmafqtdnnvnyfyqlnoovickcavkqwdy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675219.83-99205535237718/setup; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675219.83-99205535237718/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -466,6 +528,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -478,6 +541,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -490,6 +554,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -503,6 +568,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -510,6 +576,9 @@ "input.type": "log", "log.offset": 6214, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-nhrnwbdpypmsmvcstuihfqfbcvpxrmys; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675224.58-12467498973476/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675224.58-12467498973476/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -519,6 +588,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -531,6 +601,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -543,6 +614,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -556,6 +628,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -563,6 +636,9 @@ "input.type": "log", "log.offset": 6869, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-buzartmsbrirxgcoibjpsqjkldihhexh; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675228.25-195852789001210/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675228.25-195852789001210/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -572,6 +648,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -584,6 +661,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -596,6 +674,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -609,6 +688,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -616,6 +696,9 @@ "input.type": "log", "log.offset": 7526, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-swwkpvmnxhcuduxerfbgclhsmgbhwzie; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675247.78-128146395950020/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675247.78-128146395950020/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -625,6 +708,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -637,6 +721,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -649,6 +734,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -662,6 +748,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -669,6 +756,9 @@ "input.type": "log", "log.offset": 8183, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-raffykohamlcbnpxzipksbvfpjbfpagy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675250.82-190689706060358/apt; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675250.82-190689706060358/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", 
@@ -678,6 +768,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -690,6 +781,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -702,6 +794,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -715,6 +808,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -722,6 +816,9 @@ "input.type": "log", "log.offset": 8836, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-dfoxiractbmtavfiwfnhzfkftipjumph; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675251.6-137767038423665/apt; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675251.6-137767038423665/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -731,6 +828,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -743,6 +841,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -755,6 +854,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -768,6 +868,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -775,6 +876,9 @@ "input.type": "log", "log.offset": 9487, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-jveaoynmhsmeodakzfhhaodihyroxobu; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675261.29-208287411335817/file; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675261.29-208287411335817/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -784,6 +888,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -796,6 +901,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -808,6 +914,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -815,6 +922,9 @@ "input.type": "log", "log.offset": 10060, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-lwzhcvorajmjyxsrqydafzapoeescwaf; rc=flag; [ -r /etc/metricbeat/metricbeat.yml ] || rc=2; [ -f /etc/metricbeat/metricbeat.yml ] || rc=1; [ -d /etc/metricbeat/metricbeat.yml ] && rc=3; python -V 2>/dev/null || rc=4; [ x\"$rc\" != \"xflag\" ] && echo \"${rc} \"/etc/metricbeat/metricbeat.yml && exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (echo '0 ", "system.auth.sudo.pwd": "/home/vagrant", @@ -824,6 +934,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -836,6 +947,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -848,6 +960,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -860,6 +973,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -873,6 +987,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -886,6 +1001,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -893,6 +1009,9 @@ "input.type": "log", "log.offset": 11548, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-yesyhegdrhiolusidthffdemrxphqdfm; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675262.15-83340738940485/copy; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675262.15-83340738940485/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -902,6 +1021,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -914,6 +1034,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -926,6 +1047,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -939,6 +1061,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -946,6 +1069,9 @@ "input.type": "log", "log.offset": 12200, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-vqbyiylfjufyxlwvxcwusklrtmiekpia; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675263.16-15325827909434/service; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675263.16-15325827909434/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", @@ -955,6 +1081,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -967,6 +1094,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -979,6 +1107,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -992,6 +1121,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -999,6 +1129,9 @@
 "input.type": "log",
 "log.offset": 12855,
 "process.name": "sudo",
+ "related.user": [
+ "vagrant"
+ ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-osrbplljwskuafamtjuanhwfxqdxmfbj; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675264.47-179299683847940/wait_for; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675264.47-179299683847940/ >/dev/null 2>&1",
 "system.auth.sudo.pwd": "/home/vagrant",
@@ -1008,6 +1141,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1020,6 +1154,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1032,6 +1167,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1045,6 +1181,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1052,6 +1189,9 @@
 "input.type": "log",
 "log.offset": 13513,
 "process.name": "sudo",
+ "related.user": [
+ "vagrant"
+ ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-xqypdfdxashhaekghbfnpdlcgsmfarmy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675265.39-273766954542007/service; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675265.39-273766954542007/ >/dev/null 2>&1",
 "system.auth.sudo.pwd": "/home/vagrant",
@@ -1061,6 +1201,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1073,6 +1214,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1085,6 +1227,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1098,6 +1241,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1105,6 +1249,9 @@
 "input.type": "log",
 "log.offset": 14170,
 "process.name": "sudo",
+ "related.user": [
+ "vagrant"
+ ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-ktkmpxhjivossxngupfgrqfobhopruzp; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675266.58-47565152594552/apt; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675266.58-47565152594552/ >/dev/null 2>&1",
 "system.auth.sudo.pwd": "/home/vagrant",
@@ -1114,6 +1261,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1126,6 +1274,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1138,6 +1287,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1151,6 +1301,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1158,6 +1309,9 @@
 "input.type": "log",
 "log.offset": 14821,
 "process.name": "sudo",
+ "related.user": [
+ "vagrant"
+ ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-erpqyqrmifxazcclvbqytjwxgdplhtpy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675275.74-155140815824587/file; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675275.74-155140815824587/ >/dev/null 2>&1",
 "system.auth.sudo.pwd": "/home/vagrant",
@@ -1167,6 +1321,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1179,6 +1334,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1191,6 +1347,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1204,6 +1361,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1211,6 +1369,9 @@
 "input.type": "log",
 "log.offset": 15475,
 "process.name": "sudo",
+ "related.user": [
+ "vagrant"
+ ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-cfqjebskszjdqpksprlbjpbttastwzyp; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675276.62-248748589735433/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675276.62-248748589735433/ >/dev/null 2>&1",
 "system.auth.sudo.pwd": "/home/vagrant",
@@ -1220,6 +1381,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1232,6 +1394,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1244,6 +1407,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1257,6 +1421,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1264,6 +1429,9 @@
 "input.type": "log",
 "log.offset": 16132,
 "process.name": "sudo",
+ "related.user": [
+ "vagrant"
+ ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-oxbowrzvfhsebemuiblilqwvdxvnwztv; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675280.28-272460786101534/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675280.28-272460786101534/ >/dev/null 2>&1",
 "system.auth.sudo.pwd": "/home/vagrant",
@@ -1273,6 +1441,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1285,6 +1454,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1297,6 +1467,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1310,6 +1481,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1317,6 +1489,9 @@
 "input.type": "log",
 "log.offset": 16789,
 "process.name": "sudo",
+ "related.user": [
+ "vagrant"
+ ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-ohlhhhazvtawqawluadjlxglowwenmyc; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675302.51-201837201796085/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675302.51-201837201796085/ >/dev/null 2>&1",
 "system.auth.sudo.pwd": "/home/vagrant",
diff --git a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json
index 331294ad81d..5242ff398d9 100644
--- a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json
+++ b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json
@@ -1,18 +1,30 @@
 [
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 0,
 "process.name": "sshd",
 "process.pid": 2738,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -30,6 +42,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -43,18 +56,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 209,
 "process.name": "sshd",
 "process.pid": 2738,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -72,6 +97,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -85,18 +111,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 418,
 "process.name": "sshd",
 "process.pid": 2738,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -114,6 +152,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -127,6 +166,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -140,6 +180,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -153,6 +194,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -166,6 +208,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -179,18 +222,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 1105,
 "process.name": "sshd",
 "process.pid": 2742,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -208,6 +263,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -221,18 +277,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 1314,
 "process.name": "sshd",
 "process.pid": 2742,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -250,6 +318,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -263,18 +332,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 1523,
 "process.name": "sshd",
 "process.pid": 2742,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -292,6 +373,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -305,18 +387,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 1732,
 "process.name": "sshd",
 "process.pid": 2742,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -334,6 +428,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -347,18 +442,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 1941,
 "process.name": "sshd",
 "process.pid": 2742,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -376,6 +483,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -389,6 +497,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -402,6 +511,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -415,6 +525,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -428,6 +539,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -441,6 +553,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -454,6 +567,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -467,18 +581,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 2889,
 "process.name": "sshd",
 "process.pid": 2754,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -496,6 +622,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -509,18 +636,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 3098,
 "process.name": "sshd",
 "process.pid": 2758,
+ "related.ip": [
+ "116.31.116.27"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 134764,
 "source.as.organization.name": "CHINANET Guangdong province network",
@@ -538,6 +677,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -551,18 +691,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 3306,
 "process.name": "sshd",
 "process.pid": 2754,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -580,6 +732,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -593,18 +746,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 3515,
 "process.name": "sshd",
 "process.pid": 2758,
+ "related.ip": [
+ "116.31.116.27"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 134764,
 "source.as.organization.name": "CHINANET Guangdong province network",
@@ -622,6 +787,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -635,18 +801,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 3723,
 "process.name": "sshd",
 "process.pid": 2754,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -664,6 +842,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -677,18 +856,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 3932,
 "process.name": "sshd",
 "process.pid": 2758,
+ "related.ip": [
+ "116.31.116.27"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 134764,
 "source.as.organization.name": "CHINANET Guangdong province network",
@@ -706,6 +897,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -719,6 +911,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -732,18 +925,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 4259,
 "process.name": "sshd",
 "process.pid": 2754,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -761,6 +966,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -774,18 +980,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 4468,
 "process.name": "sshd",
 "process.pid": 2754,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -803,6 +1021,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -816,6 +1035,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -829,6 +1049,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -842,6 +1063,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -855,6 +1077,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -868,18 +1091,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 5155,
 "process.name": "sshd",
 "process.pid": 2762,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -897,6 +1132,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -910,18 +1146,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 5364,
 "process.name": "sshd",
 "process.pid": 2762,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -939,6 +1187,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -952,18 +1201,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 5573,
 "process.name": "sshd",
 "process.pid": 2762,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -981,6 +1242,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -994,18 +1256,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 5782,
 "process.name": "sshd",
 "process.pid": 2762,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -1023,6 +1297,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1036,18 +1311,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 5991,
 "process.name": "sshd",
 "process.pid": 2762,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -1065,6 +1352,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1078,6 +1366,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1091,6 +1380,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1104,6 +1394,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1117,6 +1408,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1130,18 +1422,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 6678,
 "process.name": "sshd",
 "process.pid": 2766,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -1159,6 +1463,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1172,18 +1477,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 6887,
 "process.name": "sshd",
 "process.pid": 2766,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -1201,6 +1518,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1214,18 +1532,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 7096,
 "process.name": "sshd",
 "process.pid": 2766,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -1243,6 +1573,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1256,18 +1587,30 @@
 },
 {
 "event.action": "ssh_login",
- "event.category": "authentication",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
- "event.type": "authentication_failure",
+ "event.type": [
+ "authentication_failure",
+ "info"
+ ],
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 7305,
 "process.name": "sshd",
 "process.pid": 2766,
+ "related.ip": [
+ "202.109.143.106"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "system",
 "source.as.number": 4134,
 "source.as.organization.name": "No.31,Jin-rong Street",
@@ -1285,6 +1628,7 @@
 },
 {
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
@@ -1298,18 +1642,30 @@ }, { "event.action": "ssh_login", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.outcome": "failure", "event.timezone": "-02:00", - "event.type": "authentication_failure", + "event.type": [ + "authentication_failure", + "info" + ], "fileset.name": "auth", "host.hostname": "slave22", "input.type": "log", "log.offset": 7514, "process.name": "sshd", "process.pid": 2766, + "related.ip": [ + "202.109.143.106" + ], + "related.user": [ + "root" + ], "service.type": "system", "source.as.number": 4134, "source.as.organization.name": "No.31,Jin-rong Street", @@ -1327,6 +1683,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -1340,6 +1697,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -1353,6 +1711,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -1366,6 +1725,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -1379,6 +1739,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -1392,18 +1753,30 @@ }, { "event.action": "ssh_login", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.outcome": "failure", "event.timezone": "-02:00", - "event.type": "authentication_failure", + "event.type": [ + "authentication_failure", + "info" + ], "fileset.name": "auth", "host.hostname": "slave22", "input.type": "log", "log.offset": 8199, "process.name": "sshd", "process.pid": 2778, + "related.ip": [ + "116.31.116.27" + ], + "related.user": [ + "root" + ], "service.type": "system", "source.as.number": 134764, "source.as.organization.name": "CHINANET Guangdong province network", @@ -1421,6 +1794,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -1434,18 +1808,30 @@ }, { "event.action": "ssh_login", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.outcome": "failure", "event.timezone": "-02:00", - "event.type": "authentication_failure", + "event.type": [ + "authentication_failure", + "info" + ], "fileset.name": "auth", "host.hostname": "slave22", "input.type": "log", "log.offset": 8407, "process.name": "sshd", "process.pid": 2778, + "related.ip": [ + "116.31.116.27" + ], + "related.user": [ + "root" + ], "service.type": "system", "source.as.number": 134764, "source.as.organization.name": "CHINANET Guangdong province network", @@ -1463,6 +1849,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -1476,18 +1863,30 @@ }, { "event.action": "ssh_login", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.outcome": "failure", "event.timezone": "-02:00", - "event.type": "authentication_failure", + "event.type": [ + "authentication_failure", + "info" + ], "fileset.name": "auth", "host.hostname": "slave22", "input.type": "log", "log.offset": 8615, "process.name": "sshd", "process.pid": 2778, + "related.ip": [ + "116.31.116.27" + ], + "related.user": [ + "root" + ], "service.type": "system", "source.as.number": 134764, "source.as.organization.name": "CHINANET Guangdong province network", @@ -1505,6 +1904,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -1518,6 +1918,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -1531,6 +1932,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -1544,6 +1946,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -1557,18 +1960,30 @@ }, { "event.action": "ssh_login", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.outcome": "failure", "event.timezone": "-02:00", - "event.type": "authentication_failure", + "event.type": [ + "authentication_failure", + "info" + ], "fileset.name": "auth", "host.hostname": "slave22", "input.type": "log", "log.offset": 9205, "process.name": "sshd", "process.pid": 2785, + "related.ip": [ + "202.109.143.106" + ], + "related.user": [ + "root" + ], "service.type": "system", "source.as.number": 4134, "source.as.organization.name": "No.31,Jin-rong Street", @@ -1586,6 +2001,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -1599,18 +2015,30 @@ }, { "event.action": "ssh_login", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.outcome": "failure", "event.timezone": "-02:00", - "event.type": "authentication_failure", + "event.type": [ + "authentication_failure", + "info" + ], "fileset.name": "auth", "host.hostname": "slave22", "input.type": "log", "log.offset": 9414, "process.name": "sshd", "process.pid": 2785, + "related.ip": [ + "202.109.143.106" + ], + "related.user": [ + "root" + ], "service.type": "system", "source.as.number": 4134, "source.as.organization.name": "No.31,Jin-rong Street", @@ -1628,6 +2056,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -1641,18 +2070,30 @@ }, { "event.action": "ssh_login", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.outcome": "failure", "event.timezone": "-02:00", - "event.type": "authentication_failure", + "event.type": [ + "authentication_failure", + "info" + ], "fileset.name": "auth", "host.hostname": "slave22", "input.type": "log", "log.offset": 9623, "process.name": "sshd", "process.pid": 2785, + "related.ip": [ + "202.109.143.106" + ], + "related.user": [ + "root" + ], "service.type": "system", "source.as.number": 4134, "source.as.organization.name": "No.31,Jin-rong Street", @@ -1670,6 +2111,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -1683,18 +2125,30 @@ }, { "event.action": "ssh_login", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.outcome": "failure", "event.timezone": "-02:00", - "event.type": "authentication_failure", + "event.type": [ + "authentication_failure", + "info" + ], "fileset.name": "auth", "host.hostname": "slave22", "input.type": "log", "log.offset": 9832, "process.name": "sshd", "process.pid": 2785, + "related.ip": [ + "202.109.143.106" + ], + "related.user": [ + "root" + ], "service.type": "system", "source.as.number": 4134, "source.as.organization.name": "No.31,Jin-rong Street", @@ -1712,6 +2166,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -1725,18 +2180,30 @@ }, { "event.action": "ssh_login", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.outcome": "failure", "event.timezone": "-02:00", - "event.type": "authentication_failure", + "event.type": [ + "authentication_failure", + "info" + ], "fileset.name": "auth", "host.hostname": "slave22", "input.type": "log", "log.offset": 10041, "process.name": "sshd", "process.pid": 2785, + "related.ip": [ + "202.109.143.106" + ], + "related.user": [ + "root" + ], "service.type": "system", "source.as.number": 4134, "source.as.organization.name": "No.31,Jin-rong Street", @@ -1754,6 +2221,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -1767,6 +2235,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -1780,6 +2249,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -1793,6 +2263,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -1806,6 +2277,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -1819,18 +2291,30 @@ }, { "event.action": "ssh_login", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.outcome": "failure", "event.timezone": "-02:00", - "event.type": "authentication_failure", + "event.type": [ + "authentication_failure", + "info" + ], "fileset.name": "auth", "host.hostname": "slave22", "input.type": "log", "log.offset": 10728, "process.name": "sshd", "process.pid": 2797, + "related.ip": [ + "202.109.143.106" + ], + "related.user": [ + "root" + ], "service.type": "system", "source.as.number": 4134, "source.as.organization.name": "No.31,Jin-rong Street", @@ -1848,6 +2332,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json index 5a2cf8fa0a2..0203b1a1f3b 100644 --- a/filebeat/module/system/auth/test/test.log-expected.json +++ b/filebeat/module/system/auth/test/test.log-expected.json @@ -1,18 +1,30 @@ [ { "event.action": "ssh_login", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.outcome": "success", "event.timezone": "-02:00", - "event.type": "authentication_success", + "event.type": [ + "authentication_success", + "info" + ], "fileset.name": "auth", "host.hostname": "localhost", "input.type": "log", "log.offset": 0, "process.name": "sshd", "process.pid": 3402, + "related.ip": [ + "10.0.2.2" + ], + "related.user": [ + "vagrant" + ], "service.type": "system", "source.ip": "10.0.2.2", "source.port": 63673, 
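Review bot: `event.type` here becomes `["authentication_success", "info"]` (and `["authentication_failure", "info"]` in the failure hunks of this file and in every ssh_login hunk of the preceding expected-output file), but ECS defines event.type as a closed allowed-values set in which `info` is valid and `authentication_success`/`authentication_failure` are not; the success/failure distinction is already carried by `event.outcome` on the same records. Unless the legacy values are being kept deliberately for backward compatibility with existing saved searches, the array should be just `["info"]`, and the pipeline that produces it (not in this chunk) should carry a comment stating which of the two choices was made and why. Leaving non-ECS values in an ECS-constrained field means any downstream rule or visualization keyed on the allowed-values list quietly diverges from this dataset.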
@@ -23,18 +35,30 @@ }, { "event.action": "ssh_login", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.outcome": "success", "event.timezone": "-02:00", - "event.type": "authentication_success", + "event.type": [ + "authentication_success", + "info" + ], "fileset.name": "auth", "host.hostname": "localhost", "input.type": "log", "log.offset": 152, "process.name": "sshd", "process.pid": 7483, + "related.ip": [ + "192.168.33.1" + ], + "related.user": [ + "vagrant" + ], "service.type": "system", "source.ip": "192.168.33.1", "source.port": 58803, @@ -44,18 +68,30 @@ }, { "event.action": "ssh_login", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.outcome": "failure", "event.timezone": "-02:00", - "event.type": "authentication_failure", + "event.type": [ + "authentication_failure", + "info" + ], "fileset.name": "auth", "host.hostname": "localhost", "input.type": "log", "log.offset": 254, "process.name": "sshd", "process.pid": 3430, + "related.ip": [ + "10.0.2.2" + ], + "related.user": [ + "test" + ], "service.type": "system", "source.ip": "10.0.2.2", "system.auth.ssh.event": "Invalid", 
@@ -63,18 +99,30 @@ }, { "event.action": "ssh_login", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.outcome": "failure", "event.timezone": "-02:00", - "event.type": "authentication_failure", + "event.type": [ + "authentication_failure", + "info" + ], "fileset.name": "auth", "host.hostname": "slave22", "input.type": "log", "log.offset": 324, "process.name": "sshd", "process.pid": 5774, + "related.ip": [ + "116.31.116.24" + ], + "related.user": [ + "root" + ], "service.type": "system", "source.as.number": 134764, "source.as.organization.name": "CHINANET Guangdong province network", @@ -92,6 +140,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -99,6 +148,9 @@ "input.type": "log", "log.offset": 420, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/ls", "system.auth.sudo.pwd": "/home/vagrant", @@ -108,6 +160,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -116,6 +169,9 @@ "log.offset": 522, "process.name": "sshd", "process.pid": 18406, + "related.ip": [ + "123.57.245.163" + ], "service.type": "system", "source.as.number": 37963, "source.as.organization.name": "Hangzhou Alibaba Advertising Co.,Ltd.", @@ -131,6 +187,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -138,6 +195,9 @@ "input.type": "log", "log.offset": 617, "process.name": "sudo", + "related.user": [ + "vagrant" + ], "service.type": "system", "system.auth.sudo.command": "/bin/cat /var/log/secure", "system.auth.sudo.pwd": "/home/vagrant", 
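Review bot: For the sudo record in the last hunk, `related.user` is populated with only the invoking account (`vagrant`), while a sudo event also involves the account the command ran as; if the pipeline parses that target user into its own field (it is not visible in this chunk), it should be appended to `related.user` too, so that a single pivot on `related.user` surfaces both sides of a privilege change during an investigation. The useradd record in the following hunk of this file has the same one-sided population (`apache` only), though there the acting user may simply not be parsed at all. The pipeline change that produces these values is outside this chunk.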
@@ -147,6 +207,7 @@ }, { "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", @@ -154,6 +215,9 @@ "input.type": "log", "log.offset": 736, "process.name": "sudo", + "related.user": [ + "tsg" + ], "service.type": "system", "system.auth.sudo.command": "/bin/ls", "system.auth.sudo.error": "user NOT in sudoers", @@ -163,9 +227,18 @@ "user.name": "tsg" }, { + "event.category": [ + "iam" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", + "event.outcome": "success", "event.timezone": "-02:00", + "event.type": [ + "group", + "creation" + ], "fileset.name": "auth", "group.id": "48", "group.name": "apache", @@ -177,9 +250,18 @@ "service.type": "system" }, { + "event.category": [ + "iam" + ], "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", + "event.outcome": "success", "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], "fileset.name": "auth", "group.id": "48", "host.hostname": "localhost", @@ -187,6 +269,9 @@ "log.offset": 934, "process.name": "useradd", "process.pid": 6995, + "related.user": [ + "apache" + ], "service.type": "system", "system.auth.useradd.home": "/usr/share/httpd", "system.auth.useradd.shell": "/sbin/nologin", diff --git a/filebeat/module/system/auth/test/timestamp.log-expected.json b/filebeat/module/system/auth/test/timestamp.log-expected.json index 80c07d4e9a8..8903b63e89e 100644 --- a/filebeat/module/system/auth/test/timestamp.log-expected.json +++ b/filebeat/module/system/auth/test/timestamp.log-expected.json @@ -2,6 +2,7 @@ { "@timestamp": "2019-06-14T10:40:20.912-02:00", "event.dataset": "system.auth", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", 
@@ -16,6 +17,7 @@
 {
 "@timestamp": "2019-06-14T09:31:15.412-02:00",
 "event.dataset": "system.auth",
+ "event.kind": "event",
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "auth",
diff --git a/filebeat/module/system/syslog/ingest/pipeline.json b/filebeat/module/system/syslog/ingest/pipeline.json
deleted file mode 100644
index 0c614b8a957..00000000000
--- a/filebeat/module/system/syslog/ingest/pipeline.json
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- "description": "Pipeline for parsing Syslog messages.",
- "processors": [
- {
- "grok": {
- "field": "message",
- "patterns": [
- "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}",
- "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}",
- "%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}"
- ],
- "pattern_definitions" : {
- "GREEDYMULTILINE" : "(.|\n)*"
- },
- "ignore_missing": true
- }
- },
- {
- "remove": {
- "field": "message"
- }
- },
- {
- "rename": {
- "field": "system.syslog.message",
- "target_field": "message",
- "ignore_missing": true
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone == null",
- "field": "system.syslog.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "MMM d HH:mm:ss",
- "ISO8601"
- ],
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone != null",
- "field": "system.syslog.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "MMM d HH:mm:ss",
- "ISO8601"
- ],
- "timezone": "{{ event.timezone }}",
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "remove": {
- "field": "system.syslog.timestamp"
- }
- }
- ],
- "on_failure" : [{
- "set" : {
- "field" : "error.message",
- "value" : "{{ _ingest.on_failure_message }}"
- }
- }]
-}
diff --git a/filebeat/module/system/syslog/ingest/pipeline.yml b/filebeat/module/system/syslog/ingest/pipeline.yml
new file mode 100644
index 00000000000..e0c80b9aad6
--- /dev/null
+++ b/filebeat/module/system/syslog/ingest/pipeline.yml
@@ -0,0 +1,57 @@
+description: Pipeline for parsing Syslog messages.
+processors:
+- grok:
+ field: message
+ patterns:
+ - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
+ %{GREEDYMULTILINE:system.syslog.message}'
+ - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}'
+ - '%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
+ %{GREEDYMULTILINE:system.syslog.message}'
+ pattern_definitions:
+ GREEDYMULTILINE: |-
+ (.|
+ )*
+ ignore_missing: true
+- remove:
+ field: message
+- rename:
+ field: system.syslog.message
+ target_field: message
+ ignore_missing: true
+- date:
+ if: ctx.event.timezone == null
+ field: system.syslog.timestamp
+ target_field: '@timestamp'
+ formats:
+ - MMM d HH:mm:ss
+ - MMM dd HH:mm:ss
+ - MMM d HH:mm:ss
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+- date:
+ if: ctx.event.timezone != null
+ field: system.syslog.timestamp
+ target_field: '@timestamp'
+ formats:
+ - MMM d HH:mm:ss
+ - MMM dd HH:mm:ss
+ - MMM d HH:mm:ss
+ - ISO8601
+ timezone: '{{ event.timezone }}'
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+- remove:
+ field: system.syslog.timestamp
+- set:
+ field: event.type
+ value: event
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/filebeat/module/system/syslog/manifest.yml b/filebeat/module/system/syslog/manifest.yml
index fa0ec049135..39a34e56ca3 100644
--- a/filebeat/module/system/syslog/manifest.yml
+++ b/filebeat/module/system/syslog/manifest.yml
@@ -9,5 +9,5 @@ var:
 - /var/log/system.log*
 os.windows: []
-ingest_pipeline: ingest/pipeline.json
+ingest_pipeline: ingest/pipeline.yml
 input: config/syslog.yml
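Review bot: The `set` processor near the end of the new pipeline.yml writes the value `event` into `event.type`, which is the wrong ECS field for it: every auth fixture in this same change (test.log-expected.json, timestamp.log-expected.json) carries `"event.kind": "event"` and uses `event.type` for an array of categorization values, whereas the syslog fixtures that follow now expect a scalar `"event.type": "event"`, so the two filesets of one module disagree on both the field and its shape. The processor should read `- set:` / `field: event.kind` / `value: event`, and the syslog expected-output files (darwin-syslog-sample, darwin-syslog and the later ones) regenerated accordingly. Misfiling the value also means syslog records never match the standard `event.kind: event` filter that detection rules and dashboards built on ECS rely on, so they would be silently excluded from that content.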
diff --git a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json index 5b1165078bc..5a164aef94f 100644 --- a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json +++ b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json @@ -3,6 +3,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -19,6 +20,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -32,6 +34,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "input.type": "log", "log.offset": 1176, diff --git a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json index fc057403a39..45d44816cd1 100644 --- a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json +++ b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json @@ -3,6 +3,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -16,6 +17,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -32,6 +34,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -45,6 +48,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -58,6 +62,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -74,6 +79,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -87,6 +93,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -100,6 +107,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -116,6 +124,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -129,6 +138,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -142,6 +152,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -155,6 +166,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -168,6 +180,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -181,6 +194,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -194,6 +208,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -207,6 +222,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -220,6 +236,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -233,6 +250,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -246,6 +264,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -259,6 +278,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -272,6 +292,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -285,6 +306,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -298,6 +320,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -314,6 +337,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -327,6 +351,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -343,6 +368,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -356,6 +382,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -369,6 +396,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -382,6 +410,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -395,6 +424,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -408,6 +438,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -421,6 +452,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -434,6 +466,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -450,6 +483,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -463,6 +497,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -479,6 +514,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -492,6 +528,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -505,6 +542,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -518,6 +556,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -531,6 +570,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -543,6 +583,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -556,6 +597,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -569,6 +611,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -582,6 +625,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -594,6 +638,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -606,6 +651,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -619,6 +665,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -631,6 +678,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -644,6 +692,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -657,6 +706,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -669,6 +719,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -682,6 +733,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -695,6 +747,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -708,6 +761,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -720,6 +774,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -733,6 +788,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -745,6 +801,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -758,6 +815,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -770,6 +828,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -783,6 +842,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -796,6 +856,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -809,6 +870,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -821,6 +883,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -834,6 +897,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -846,6 +910,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -859,6 +924,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -872,6 +938,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -885,6 +952,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -897,6 +965,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -910,6 +979,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -923,6 +993,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -935,6 +1006,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -948,6 +1020,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -961,6 +1034,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -973,6 +1047,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -986,6 +1061,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -999,6 +1075,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1011,6 +1088,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1024,6 +1102,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1036,6 +1115,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1049,6 +1129,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1061,6 +1142,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1074,6 +1156,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1087,6 +1170,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -1100,6 +1184,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1113,6 +1198,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1125,6 +1211,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1138,6 +1225,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1151,6 +1239,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1163,6 +1252,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1176,6 +1266,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1189,6 +1280,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1201,6 +1293,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -1214,6 +1307,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1226,6 +1320,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1239,6 +1334,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1252,6 +1348,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1265,6 +1362,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1277,6 +1375,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1290,6 +1389,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", diff --git a/filebeat/module/system/syslog/test/suse-syslog.log-expected.json b/filebeat/module/system/syslog/test/suse-syslog.log-expected.json index 0230189feaf..f517557a26e 100644 --- a/filebeat/module/system/syslog/test/suse-syslog.log-expected.json +++ b/filebeat/module/system/syslog/test/suse-syslog.log-expected.json 
@@ -3,6 +3,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "linux-sqrz", "input.type": "log", @@ -16,6 +17,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "linux-sqrz", "input.type": "log", diff --git a/filebeat/module/system/syslog/test/tz-offset.log-expected.json b/filebeat/module/system/syslog/test/tz-offset.log-expected.json index 154e256b2ba..f2e167a1fd7 100644 --- a/filebeat/module/system/syslog/test/tz-offset.log-expected.json +++ b/filebeat/module/system/syslog/test/tz-offset.log-expected.json @@ -4,6 +4,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "rmbkmonitor04", "input.type": "log", @@ -19,6 +20,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "rmbkmonitor04", "input.type": "log", @@ -33,6 +35,7 @@ "event.dataset": "system.syslog", "event.module": "system", "event.timezone": "-02:00", + "event.type": "event", "fileset.name": "syslog", "host.hostname": "localhost", "input.type": "log",
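Review bot: Every added fixture line here pins `"event.type": "event"`, but in ECS `event` is an allowed value of `event.kind`, not of `event.type`, whose vocabulary is the finer-grained categorization (`info`, `error`, `start`, `end`, and so on) and which ECS defines as an array of keywords rather than a scalar string. If the syslog pipeline (outside this chunk) sets this value with a `set` processor, the field name should be `event.kind` and, where a type is wanted, `event.type` should carry an ECS-listed value such as `["info"]`; the expected files would then read `"event.kind": "event"` in place of the current line. The same line is added in every hunk of the mac, suse-syslog and tz-offset fixtures above, so the fixtures only need regenerating once the pipeline field is corrected. Detection content that filters on `event.kind`/`event.type` will otherwise silently miss these system syslog events.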