Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Auditbeat] Include the error message with auditd module events #30009

Merged
merged 1 commit into from
Jan 27, 2022

Conversation

andrewkroh
Copy link
Member

What does this PR do?

Auditbeat adds event.original when there is a parse failure, but it wasn't
including the error message. Having the error helps you understand what
went wrong.

Example output:

{"@timestamp":"2022-01-26T00:15:20.241Z","@metadata":{"beat":"auditbeat","type":"_doc","version":"8.1.0"},"error":{"message":"missing syscall message in compound event"},"event":{"original":["type=UNKNOWN[1333] msg=audit(1643156118.179:545): op=freq old=36792303616000 new=-176298262528000","type=UNKNOWN[1333] msg=audit(1643156118.179:545): op=tick old=9977 new=10000"],"module":"auditd"},"service":{"type":"auditd"},"host":{"name":"ubuntu-impish"},"agent":{"version":"8.1.0","ephemeral_id":"a6dd5138-f1b2-437a-8b83-324ec09bbaa3","id":"c127e0a1-be4b-4f9f-a5e4-97496699f75e","name":"ubuntu-impish","type":"auditbeat"},"ecs":{"version":"8.0.0"}}

Why is it important?

So you don't lose error details and can correct processing issues.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Jan 26, 2022
@mergify
Copy link
Contributor

mergify bot commented Jan 26, 2022

This pull request does not have a backport label. Could you fix it @andrewkroh? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

@andrewkroh andrewkroh force-pushed the bugfix/ab/auditd-error-msg branch from d4eb069 to 2f86381 Compare January 26, 2022 01:09
@mergify mergify bot added the backport-skip Skip notification from the automated backport with mergify label Jan 26, 2022
Auditbeat adds event.original when there is a parse failure, but it wasn't
including the error message. Having the error helps you understand what
went wrong.

Example output:

{"@timestamp":"2022-01-26T00:15:20.241Z","@metadata":{"beat":"auditbeat","type":"_doc","version":"8.1.0"},"error":{"message":"missing syscall message in compound event"},"event":{"original":["type=UNKNOWN[1333] msg=audit(1643156118.179:545): op=freq old=36792303616000 new=-176298262528000","type=UNKNOWN[1333] msg=audit(1643156118.179:545): op=tick old=9977 new=10000"],"module":"auditd"},"service":{"type":"auditd"},"host":{"name":"ubuntu-impish"},"agent":{"version":"8.1.0","ephemeral_id":"a6dd5138-f1b2-437a-8b83-324ec09bbaa3","id":"c127e0a1-be4b-4f9f-a5e4-97496699f75e","name":"ubuntu-impish","type":"auditbeat"},"ecs":{"version":"8.0.0"}}
@andrewkroh andrewkroh force-pushed the bugfix/ab/auditd-error-msg branch from 2f86381 to 05001d8 Compare January 26, 2022 01:10
@elasticmachine
Copy link
Collaborator

elasticmachine commented Jan 26, 2022

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-01-27T01:48:46.513+0000

  • Duration: 21 min 41 sec

  • Commit: 05001d8

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@andrewkroh
Copy link
Member Author

/test

@andrewkroh
Copy link
Member Author

/test

@andrewkroh andrewkroh merged commit e691b6e into elastic:master Jan 27, 2022
v1v added a commit to v1v/beats that referenced this pull request Jan 31, 2022
…k-version-after-8-0-creation

* upstream/master: (69 commits)
  Update stale config following (elastic#30082)
  Make include_matches backwards compatible with 7.x config (elastic#30032)
  [Filebeat] Update handling of elasticsearch server logs (elastic#30018)
  Remove SSL3 support from libbeat and its documentation. (elastic#30071)
  Revert "Packaging: rename arm64 suffix to aarch64 in the tar.gz artifacts ONLY (elastic#28813)" (elastic#30083)
  [libbeat] Add script processor to all beats (elastic#29752)
  Add fonts to support more different types of characters for multiple languages (elastic#29861)
  libbeat/reader: Fix messge conversion to beat.Event (elastic#30057)
  probot[stale]: ignore issues with the tag flaky-test (elastic#30065)
  [DOCS] Add redirect for GSuite module (elastic#30034)
  [Automation] Update elastic stack version to 8.1.0-aa69d697 for testing (elastic#30012)
  Remove msitools install for windows build, using the latest docker image with msitools preinstalled (elastic#30040)
  filebeat/generator/fields: fix dropped error (elastic#29943)
  Include the error message with auditd module events (elastic#30009)
  [Metricbeat] gcp: add firestore metricset (elastic#29918)
  probot: update stale dates (elastic#29997)
  Metricbeat enterprise search module: add xpack.enabled support (elastic#29871)
  x-pack/packetbeat: install Npcap at start-up when required (elastic#29112)
  [Filebeat] Fix panic in decode_cef when recovering from invalid data (elastic#30038)
  Correctly fixe how selected packages are defined (elastic#30039)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Auditbeat backport-skip Skip notification from the automated backport with mergify v8.1.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants