Upgrade to ecs 1.8 (#23961)

elastic · Feb 11, 2021 · b050cd0 · b050cd0
1 parent 35b196b
commit b050cd0
Show file tree

Hide file tree

Showing 7 changed files with 759 additions and 144 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -844,6 +844,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Upgrade juniper/srx to ecs 1.8.0. {issue}23118[23118] {pull}23936[23936]
 - Update mysqlenterprise module to ECS 1.8. {issue}23118[23118] {pull}23978[23978]
 - Upgrade sophos/xg fileset to ECS 1.8.0. {issue}23118[23118] {pull}23967[23967]
+- Upgrade system/auth to ECS 1.8 {issue}23118[23118] {pull}23961[23961]
 
 *Heartbeat*
 

diff --git a/filebeat/module/system/auth/config/auth.yml b/filebeat/module/system/auth/config/auth.yml
@@ -12,4 +12,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/filebeat/module/system/auth/ingest/pipeline.yml b/filebeat/module/system/auth/ingest/pipeline.yml
@@ -36,6 +36,44 @@ processors:
     field: system.auth.message
     target_field: message
     ignore_missing: true
+    if: ctx?.system?.auth?.message != null && ctx?.system?.auth?.message != ""
+- grok:
+    field: message
+    ignore_missing: true
+    ignore_failure: true
+    patterns:
+    - 'for user \"?%{DATA:_temp.foruser}\"? by \"?%{DATA:_temp.byuser}\"?(?:\(uid=%{NUMBER:_temp.byuid}\))?$'
+    - 'for user \"?%{DATA:_temp.foruser}\"?$'
+    - 'by user \"?%{DATA:_temp.byuser}\"?$'
+    if: ctx?.message != null && ctx?.message != ""
+- rename:
+    field: _temp.byuser
+    target_field: user.name
+    ignore_missing: true
+    ignore_failure: true
+- rename:
+    field: _temp.byuid
+    target_field: user.id
+    ignore_missing: true
+    ignore_failure: true
+- rename:
+    field: _temp.foruser
+    target_field: user.name
+    ignore_missing: true
+    ignore_failure: true
+    if: ctx?.user?.name == null || ctx?.user?.name == ""
+- rename:
+    field: _temp.foruser
+    target_field: user.effective.name
+    ignore_missing: true
+    ignore_failure: true
+    if: ctx?.user?.name != null
+- convert:
+    field: system.auth.sudo.user
+    target_field: user.effective.name
+    type: string
+    ignore_failure: true
+    if: ctx?.system?.auth?.sudo?.user != null
 - set:
     field: source.ip
     value: '{{system.auth.ssh.dropped_ip}}'
@@ -96,7 +134,7 @@ processors:
     source: >-
       if (ctx.system.auth.ssh.event == "Accepted") {
         ctx.event.type = ["authentication_success", "info"];
-        ctx.event.category = ["authentication"];
+        ctx.event.category = ["authentication","session"];
         ctx.event.action = "ssh_login";
         ctx.event.outcome = "success";
       } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") {
@@ -137,16 +175,23 @@ processors:
 - append:
     field: related.user
     value: "{{user.name}}"
-    if: "ctx?.user?.name != null"
+    allow_duplicates: false
+    if: "ctx?.user?.name != null && ctx.user?.name != ''"
+- append:
+    field: related.user
+    value: "{{user.effective.name}}"
+    allow_duplicates: false
+    if: "ctx?.user?.effective?.name != null && ctx.user?.effective?.name != ''"
 - append:
     field: related.ip
     value: "{{source.ip}}"
-    if: "ctx?.source?.ip != null"
+    allow_duplicates: false
+    if: "ctx?.source?.ip != null && ctx.source?.ip != ''"
 - append:
     field: related.hosts
     value: "{{host.hostname}}"
-    if: "ctx.host?.hostname != null && ctx.host?.hostname != ''"
     allow_duplicates: false
+    if: "ctx.host?.hostname != null && ctx.host?.hostname != ''"
 on_failure:
 - set:
     field: error.message