Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Auditbeat] Add script processor from libbeat #29269

Closed
a03nikki opened this issue Dec 3, 2021 · 1 comment · Fixed by #29752
Closed

[Auditbeat] Add script processor from libbeat #29269

a03nikki opened this issue Dec 3, 2021 · 1 comment · Fixed by #29752
Labels
Auditbeat :Processors

Comments

@a03nikki
Copy link

a03nikki commented Dec 3, 2021

Describe the enhancement:

The other Beats (Filebeat, Winlogbeat, Metriceat, etc.) have a script processor from libbeat, however Auditbeat does not. It would be useful if it was included with this Beat as well.

https://www.elastic.co/guide/en/beats/filebeat/current/processor-script.html

Script Processor

The script processor executes Javascript code to process an event. The processor uses a pure Go implementation of ECMAScript 5.1 and has no external dependencies. This can be useful in situations where one of the other processors doesn’t provide the functionality you need to filter events.

The error that happens when you try to use it is

$ sudo auditbeat
Exiting: error initializing processors: the processor action script does not exist. Valid actions: drop_event, truncate_fields, add_host_metadata, add_process_metadata, dns, add_labels, detect_mime_type, add_id, add_locale, extract_array, fingerprint, add_network_direction, drop_fields, include_fields, rename, add_observer_metadata, add_docker_metadata, add_nomad_metadata, decode_base64_field, convert, decode_xml, dissect, registered_domain, add_cloudfoundry_metadata, decompress_gzip_field, add_kubernetes_metadata, replace, copy_fields, decode_json_fields, community_id, rate_limit, urldecode, add_tags, add_cloud_metadata, decode_xml_wineventlog, add_fields

Describe a specific use case for the enhancement or feature:

This fills the gaps if the other processors do not have the options desired. Such as being able to compare the values of two different fields. For example, being able to set a field indicating if values match or not. For example process names not matching file names or source and destination IPs matching.

This came up in the discuss forums as well at https://discuss.elastic.co/t/extracting-some-fields-from-an-array-item-and-renaming-them-with-auditbeats-processors/265408/2.
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 3, 2021
This was referenced Dec 3, 2021
Closed
Closed
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 9, 2021
legoguy1000 added a commit to legoguy1000/beats that referenced this issue Jan 9, 2022
@legoguy1000
elastic#29269: Add script processor to all beats
71ae79a
@legoguy1000 legoguy1000 mentioned this issue Jan 9, 2022
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Auditbeat :Processors
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[libbeat] Add script processor to all beats legoguy1000/beats
3 participants
@jsoriano @a03nikki @elasticmachine