-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Filebeat][New Module] Adding support for Oracle Audit logs #21991
Conversation
Pinging @elastic/siem (Team:SIEM) |
Pinging @elastic/integrations-services (Team:Services) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good.
Do you think we can add ECS categorization fields?
...acle/database_audit/test/ORCLCDB_j002_28264_20201007122838056263426565.aud.log-expected.json
Outdated
Show resolved
Hide resolved
...acle/database_audit/test/ORCLCDB_j002_28264_20201007122838056263426565.aud.log-expected.json
Outdated
Show resolved
Hide resolved
…d fixing some null value fields not being removed
@leehinman For ECS Categorization I added event.type, event.cateogry, event.outcome and event.action. At this moment they really need to be static as there is no good way to differentiate the intent (is it a change, access, deletion etc). The rest of the comments should also have been resolved with minor tweaks of the pipeline :) |
💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes LGTM
might want to set event.kind = event
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd change all database_audit
mentions to audit_logs
for example or simply audit
. Maybe it's just me but the word database
there feels redundant Maybe I'm missing that there are more type of audit logs and we are specifying which ones are those? Like the database_audit
but you also have the server_audit
and the user_audit
? I don't know
Much appreciated feedback, thanks @sayden ! 👍 I think I agree with most of the field name changes, I was unsure if we wanted to keep the original names or not, because once we start renaming fields we have to ensure that any new fields that comes up at a later date does not conflict with the current ones. On the topic of database_audit, we unfortunately have to keep some sort of reference to database here, as there is sooo many Oracle products, and a large amount of their portfolio has audit functionality, so we need to differentiate somewhat between products here I would say? |
The convention on Beats is to prettify everything with some exceptions in some specific fields (none that comes to my memory right now). It's not that I agree a lot, I think I'd prefer to maintain original names but this "prettifycation" is what you'll find in most Beats modules, so it's good for Beats users to maintain that familiarity between modules. About the |
…syslog for now, as it won't be possible to use at this moment
Should hopefully be good now @sayden . Always open for more changes if needed 👍 |
Good work with the module! |
…22556) Oracle module, with a audit log fileset (cherry picked from commit 8af7145) Co-authored-by: Marius Iversen <[email protected]>
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
What does this PR do?
This PR is the initial release of a Oracle module, with a audit log fileset.
Why is it important?
Adding support for more OOTB integrations
Checklist
CHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.