Cherry-pick #10137 to 6.x: Teach elasticsearch/audit fileset to parse out some more fields

CHANGELOG.next.asciidoc

@@ -143,6 +143,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff]
 - Add support for MariaDB in the `slowlog` fileset of `mysql` module. {pull}9731[9731]
 - Add convert_timezone to nginx module. {issue}9839[9839] {pull}10148[10148]
 - Add support for Percona in the `slowlog` fileset of `mysql` module. {issue}6665[6665] {pull}10227[10227]
+- Teach elasticsearch/audit fileset to parse out some more fields. {issue}10134[10134] {pull}10137[10137]
 
 *Heartbeat*
 - Made monitors.d configuration part of the default config. {pull}9004[9004]

filebeat/docs/fields.asciidoc

@@ -1074,6 +1074,26 @@ The principal (username) that failed authentication
 
 --
 
+*`elasticsearch.audit.realm`*::
++
+--
+type: keyword
+
+The authentication realm
+
+--
+
+*`elasticsearch.audit.roles`*::
++
+--
+type: keyword
+
+example: ['kibana_user', 'beats_admin']
+
+Roles to which the principal belongs
+
+--
+
 *`elasticsearch.audit.action`*::
 +
 --
@@ -1096,6 +1116,17 @@ The REST endpoint URI
 
 --
 
+*`elasticsearch.audit.indices`*::
++
+--
+type: keyword
+
+example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06']
+
+Indices accessed by action
+
+--
+
 *`elasticsearch.audit.request`*::
 +
 --

filebeat/module/elasticsearch/audit/_meta/fields.yml

@@ -22,6 +22,14 @@
       description: "The principal (username) that failed authentication"
       example: "_anonymous"
       type: keyword
+    - name: realm
+      description: "The authentication realm"
+      example": "active_directory"
+      type: keyword
+    - name: roles
+      description: "Roles to which the principal belongs"
+      example: [ "kibana_user", "beats_admin" ]
+      type: keyword
     - name: action
       description: "The name of the action that was executed"
       example: "cluster:monitor/main"
@@ -30,6 +38,10 @@
       description: "The REST endpoint URI"
       example: /_xpack/security/_authenticate
       type: keyword
+    - name: indices
+      description: "Indices accessed by action"
+      example: [ "foo-2019.01.04", "foo-2019.01.03", "foo-2019.01.06" ]
+      type: keyword
     - name: request
       description: "The type of request that was executed"
       example: "ClearScrollRequest"

filebeat/module/elasticsearch/audit/ingest/pipeline.json

@@ -18,16 +18,45 @@
                     "ES_AUDIT_ORIGIN_TYPE": "(origin_type\\=\\[%{WORD:elasticsearch.audit.origin_type}\\])?",
                     "ES_AUDIT_ORIGIN_ADDRESS": "(origin_address\\=\\[%{IPORHOST:elasticsearch.audit.origin_address}\\])?",
                     "ES_AUDIT_PRINCIPAL": "(principal\\=\\[%{WORD:elasticsearch.audit.principal}\\])?",
-                    "ES_AUDIT_ACTION": "(action\\=\\[%{DATA:elasticsearch.audit.action}\\])?",
+                    "ES_AUDIT_REALM": "(realm\\=\\[%{WORD:elasticsearch.audit.realm}\\])?",
+                    "ES_AUDIT_ROLES": "(roles\\=\\[%{DATA:elasticsearch.audit.roles}\\])?",
+                    "ES_AUDIT_ACTION": "(action\\=\\[%{DATA:elasticsearch.audit.action}(\\[%{DATA:elasticsearch.audit.sub_action}\\])?\\])?",
                     "ES_AUDIT_URI": "(uri=\\[%{DATA:elasticsearch.audit.uri\\])?",
+                    "ES_AUDIT_INDICES": "(indices\\=\\[%{DATA:elasticsearch.audit.indices}\\])?",
                     "ES_AUDIT_REQUEST": "(request\\=\\[%{WORD:elasticsearch.audit.request}\\])?",
                     "ES_AUDIT_REQUEST_BODY": "(request_body\\=\\[%{DATA:elasticsearch.audit.request_body}\\])?"
                 },
                 "patterns": [
-                    "%{ES_TIMESTAMP}\\s*%{ES_NODE_NAME}\\s*%{ES_AUDIT_LAYER}\\s*%{ES_AUDIT_EVENT_TYPE}\\s*%{ES_AUDIT_ORIGIN_TYPE},?\\s*%{ES_AUDIT_ORIGIN_ADDRESS},?\\s*%{ES_AUDIT_PRINCIPAL},?\\s*%{ES_AUDIT_ACTION},?\\s*%{ES_AUDIT_URI},?\\s*%{ES_AUDIT_REQUEST},?\\s*%{ES_AUDIT_REQUEST_BODY},?"
+                    "%{ES_TIMESTAMP}\\s*%{ES_NODE_NAME}\\s*%{ES_AUDIT_LAYER}\\s*%{ES_AUDIT_EVENT_TYPE}\\s*%{ES_AUDIT_ORIGIN_TYPE},?\\s*%{ES_AUDIT_ORIGIN_ADDRESS},?\\s*%{ES_AUDIT_PRINCIPAL},?\\s*%{ES_AUDIT_REALM},?\\s*%{ES_AUDIT_ROLES},?\\s*%{ES_AUDIT_ACTION},?\\s*%{ES_AUDIT_INDICES},?\\s*%{ES_AUDIT_URI},?\\s*%{ES_AUDIT_REQUEST},?\\s*%{ES_AUDIT_REQUEST_BODY},?"
                 ]
             }
         },
+        {
+            "split": {
+                "field": "elasticsearch.audit.roles",
+                "separator": ",",
+                "ignore_missing": true
+            }
+        },
+        {
+            "split": {
+                "field": "elasticsearch.audit.indices",
+                "separator": ",",
+                "ignore_missing": true
+            }
+        },
+        {
+            "script": {
+                "lang": "painless",
+                "source": "if (ctx.elasticsearch.audit.sub_action != null) { ctx.elasticsearch.audit.action += '[' + ctx.elasticsearch.audit.sub_action + ']' }"
+            }
+        },
+        {
+            "remove": {
+                "field": "elasticsearch.audit.sub_action",
+                "ignore_missing": true
+            }
+        },
         {
             "date": {
                 "field": "elasticsearch.audit.timestamp",

filebeat/module/elasticsearch/audit/test/test.log-expected.json

@@ -114,10 +114,26 @@
     },
     {
         "@timestamp": "2019-01-08T14:15:02.011Z",
+        "elasticsearch.audit.action": "indices:data/read/search[free_context]",
+        "elasticsearch.audit.indices": [
+            "foo-2019.01.04",
+            "foo-2019.01.03",
+            "foo-2019.01.06",
+            "foo-2019.01.05",
+            "foo-2019.01.08",
+            "servicelog-2019.01.07"
+        ],
         "elasticsearch.audit.layer": "transport",
         "elasticsearch.audit.origin_address": "192.168.2.1",
         "elasticsearch.audit.origin_type": "transport",
         "elasticsearch.audit.principal": "username",
+        "elasticsearch.audit.realm": "active_directory",
+        "elasticsearch.audit.request": "SearchFreeContextRequest",
+        "elasticsearch.audit.roles": [
+            "kibana_user",
+            "my_custom_role_1",
+            "foo_reader"
+        ],
         "elasticsearch.node.name": "NodeName-0",
         "event.dataset": "elasticsearch.audit",
         "event.type": "access_granted",