From 35add21533a8b4047bfbedf3fed99f885b67af63 Mon Sep 17 00:00:00 2001 From: "Lee E. Hinman" Date: Fri, 7 Feb 2020 15:45:57 -0600 Subject: [PATCH] Add ECS categorization fields to activemq module - event.kind (audit, log) - event.type (audit, log) - user.name (audit) Closes #16151 --- CHANGELOG.next.asciidoc | 1 + .../module/activemq/audit/ingest/pipeline.yml | 17 ++++++++++ .../audit/test/audit.log-expected.json | 20 +++++++++--- .../module/activemq/log/ingest/pipeline.yml | 13 ++++++++ .../log/test/activemq.log-expected.json | 32 +++++++++++++++++++ 5 files changed, 79 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b398ee329e7..5ed22f52672 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -120,6 +120,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add ingress nginx controller fileset {pull}16197[16197] - move create-[module,fileset,fields] to mage and enable in x-pack/filebeat {pull}15836[15836] - Add ECS tls and categorization fields to apache module. {issue}16032[16032] {pull}16121[16121] +- Add ECS categorization fields to activemq module. {issue}16151[16151] {pull}16201[16201] *Heartbeat* diff --git a/x-pack/filebeat/module/activemq/audit/ingest/pipeline.yml b/x-pack/filebeat/module/activemq/audit/ingest/pipeline.yml index 30be66e8bb9..5540cdf6d76 100644 --- a/x-pack/filebeat/module/activemq/audit/ingest/pipeline.yml +++ b/x-pack/filebeat/module/activemq/audit/ingest/pipeline.yml 
@@ -9,6 +9,23 @@ processors: patterns: - "%{LOGLEVEL:log.level}%{SPACE}\\|%{SPACE}%{WORD:activemq.user}%{SPACE}%{NOPIPEGREEDYDATA:message}%{SPACE}\\|%{SPACE}%{THREAD_NAME:activemq.thread}" ignore_missing: true + - set: + field: event.kind + value: event + - set: + if: "ctx?.activemq?.user != null" + field: user.name + value: "{{activemq.user}}" + - script: + if: "ctx?.log?.level != null" + lang: painless + source: >- + def err_levels = ["FATAL", "ERROR", "WARN"]; + if (err_levels.contains(ctx.log.level)) { + ctx.event.type = "error"; + } else { + ctx.event.type = "info"; + } on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/activemq/audit/test/audit.log-expected.json b/x-pack/filebeat/module/activemq/audit/test/audit.log-expected.json index d31c06c061e..918c5a40eee 100644 --- a/x-pack/filebeat/module/activemq/audit/test/audit.log-expected.json +++ b/x-pack/filebeat/module/activemq/audit/test/audit.log-expected.json 
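Review bot: The severity check in the added script compares `ctx.log.level` exactly against `["FATAL", "ERROR", "WARN"]`, but the grok line just above it captures the level with the stock `LOGLEVEL` pattern, which also admits lowercase and mixed-case spellings and the longer forms such as WARNING, SEVERE and CRITICAL; any of those would fall through to `info`. Normalizing first, e.g. `def lvl = ctx.log.level.toUpperCase();` followed by `if (lvl.startsWith("WARN") || lvl.startsWith("ERR") || lvl.startsWith("CRIT") || lvl == "FATAL" || lvl == "SEVERE" || lvl.startsWith("EMERG")) {`, keeps the mapping consistent with what the pattern can produce. The identical script copied into log/ingest/pipeline.yml later in this patch has the same gap, assuming its grok (outside that hunk) uses the same pattern. Note also that this maps severity rather than outcome, so the WARN audit record for a successful createDestination request in the fixture is categorized as `event.type: error`; if that is intended, a short comment in the pipeline stating that WARN is treated as an error-class event would help the next reader.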
@@ -3,48 +3,60 @@ "activemq.thread": "qtp443290224-47", "activemq.user": "anonymous", "event.dataset": "activemq.audit", + "event.kind": "event", "event.module": "activemq", + "event.type": "info", "fileset.name": "audit", "input.type": "log", "log.level": "INFO", "log.offset": 0, "message": "called org.apache.activemq.broker.jmx.QueueView.retryMessages[] at 27-11-2019 08:45:57,213", - "service.type": "activemq" + "service.type": "activemq", + "user.name": "anonymous" }, { "activemq.thread": "qtp443290224-45", "activemq.user": "admin", "event.dataset": "activemq.audit", + "event.kind": "event", "event.module": "activemq", + "event.type": "info", "fileset.name": "audit", "input.type": "log", "log.level": "INFO", "log.offset": 127, "message": "called org.apache.activemq.broker.jmx.QueueView.retryMessages[] at 27-11-2019 08:45:57,229", - "service.type": "activemq" + "service.type": "activemq", + "user.name": "admin" }, { "activemq.thread": "qtp12205619-39", "activemq.user": "admin", "event.dataset": "activemq.audit", + "event.kind": "event", "event.module": "activemq", + "event.type": "error", "fileset.name": "audit", "input.type": "log", "log.level": "WARN", "log.offset": 250, "message": "requested /admin/createDestination.action [JMSDestination='test' JMSDestinationType='queue' secret='4eb0bc3e-9d7a-4256-844c-24f40fda98f1' ] from 127.0.0.1", - "service.type": "activemq" + "service.type": "activemq", + "user.name": "admin" }, { "activemq.thread": "qtp12205619-36", "activemq.user": "guest", "event.dataset": "activemq.audit", + "event.kind": "event", "event.module": "activemq", + "event.type": "info", "fileset.name": "audit", "input.type": "log", "log.level": "INFO", "log.offset": 436, "message": "requested /admin/purgeDestination.action [JMSDestination='test' JMSDestinationType='queue' secret='eff6a932-1b58-45da-a64a-1b30b246cfc9' ] from 127.0.0.1", - "service.type": "activemq" + "service.type": "activemq", + "user.name": "guest" } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/activemq/log/ingest/pipeline.yml b/x-pack/filebeat/module/activemq/log/ingest/pipeline.yml index 9fe12c1aa76..3f94887b95b 100644 --- a/x-pack/filebeat/module/activemq/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/activemq/log/ingest/pipeline.yml @@ -24,6 +24,19 @@ processors: - remove: field: - timestamp + - set: + field: event.kind + value: event + - script: + if: "ctx?.log?.level != null" + lang: painless + source: >- + def err_levels = ["FATAL", "ERROR", "WARN"]; + if (err_levels.contains(ctx.log.level)) { + ctx.event.type = "error"; + } else { + ctx.event.type = "info"; + } on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/activemq/log/test/activemq.log-expected.json b/x-pack/filebeat/module/activemq/log/test/activemq.log-expected.json index 710b7e53089..3c861831ab3 100644 --- a/x-pack/filebeat/module/activemq/log/test/activemq.log-expected.json +++ b/x-pack/filebeat/module/activemq/log/test/activemq.log-expected.json @@ -5,8 +5,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO", @@ -20,8 +22,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO", @@ -35,8 +39,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "KahaDB Index Free Page Recovery", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO", 
@@ -50,8 +56,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO", 
@@ -65,8 +73,10 @@ "activemq.log.stack_trace": "at org.apache.activemq.util.IOExceptionSupport.create(IOExceptionSupport.java:28)[activemq-client-5.15.9.jar:5.15.9]\n\tat org.apache.activemq.broker.BrokerService.registerConnectorMBean(BrokerService.java:2264)[activemq-broker-5.15.9.jar:5.15.9]\n\tat org.apache.activemq.broker.BrokerService.startTransportConnector(BrokerService.java:2744)[activemq-broker-5.15.9.jar:5.15.9]\n\tat org.apache.activemq.broker.BrokerService.startAllConnectors(BrokerService.java:2640)[activemq-broker-5.15.9.jar:5.15.9]\n\tat org.apache.activemq.broker.BrokerService.doStartBroker(BrokerService.java:771)[activemq-broker-5.15.9.jar:5.15.9]\n\tat org.apache.activemq.broker.BrokerService.startBroker(BrokerService.java:733)[activemq-broker-5.15.9.jar:5.15.9]\n\tat org.apache.activemq.broker.BrokerService.start(BrokerService.java:636)[activemq-broker-5.15.9.jar:5.15.9]\n\tat org.apache.activemq.xbean.XBeanBrokerService.afterPropertiesSet(XBeanBrokerService.java:73)[activemq-spring-5.15.9.jar:5.15.9]\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)[:1.8.0_212]\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)[:1.8.0_212]\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.8.0_212]\n\tat java.lang.reflect.Method.invoke(Method.java:498)[:1.8.0_212]\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1763)[spring-beans-4.3.18.RELEASE.jar:4.3.18.RELEASE]\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1700)[spring-beans-4.3.18.RELEASE.jar:4.3.18.RELEASE]", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "error", "fileset.name": "log", "input.type": "log", "log.flags": 
[ @@ -83,8 +93,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO", @@ -98,8 +110,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO", @@ -113,8 +127,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO", @@ -128,8 +144,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO", @@ -143,8 +161,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO", @@ -158,8 +178,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO", @@ -173,8 +195,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO", 
@@ -188,8 +212,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO", @@ -203,8 +229,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO", @@ -218,8 +246,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO", @@ -233,8 +263,10 @@ "activemq.log.stack_trace": "", "activemq.thread": "main", "event.dataset": "activemq.log", + "event.kind": "event", "event.module": "activemq", "event.timezone": "-02:00", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.level": "INFO",