Fix auditd logs using Filebeat

Filebeat auditd module only works by using Ingest which means that the dashboards are broken when using Logstash. This patch adds some basic information in order for the dashboard to become functional. Change-Id: I18283354ea49b26e1716dcab1f6452948e52845f
2018-09-27 18:03:33 -04:00 · 2018-09-27 18:03:33 -04:00 · e5b3b6e688
commit e5b3b6e688
parent 3b8961beca
1 changed files with 37 additions and 0 deletions
--- a/elk_metrics_6x/templates/logstash-pipelines.yml.j2
+++ b/elk_metrics_6x/templates/logstash-pipelines.yml.j2
@ -43,6 +43,43 @@
          add_tag => ["syslog"]
        }
      }
+
+      # NOTE(mnaser): Filebeat doesn't support shipping to different outputs
+      #               which means we need to parse `auditd` fileset here rather
+      #               than rely on ingest.
+      if [fileset][module] == "auditd" {
+        grok {
+          break_on_match => false
+          match => {
+            message => [
+              "type=%{WORD:[auditd][log][record_type]}",
+              "msg=audit\(%{NUMBER:timestamp}:%{NUMBER:[auditd][log][sequence]}\)",
+              "a0=\"%{DATA:[auditd][log][a0]}\"",
+              "acct=\"%{DATA:[auditd][log][acct]}\"",
+              "addr=%{IPORHOST:[auditd][log][addr]}"
+            ]
+          }
+        }
+
+        date {
+          match => [ "timestamp", "UNIX" ]
+          remove_field => "timestamp"
+        }
+
+        if [auditd][log][addr] {
+          geoip {
+            source => "[auditd][log][addr]"
+            target => "[auditd][geoip]"
+          }
+        }
+
+        # NOTE(mnaser): We don't match all fields so `grok` thinks that we
+        #               failed.
+        mutate {
+          remove_tag => ["_grokparsefailure"]
+        }
+      }
+
      if [@metadata][source_type] == "beats" or [@metadata][source_type] == "syslog" {
        if [systemd_slice] {
          mutate {