Make file integrity path field analyzed #5625

Merged
merged 2 commits into elastic:master from feature/ab/audit-file-path-multi-field
Nov 20, 2017

Conversation

andrewkroh
Member

@andrewkroh andrewkroh commented Nov 17, 2017

  • Use a multi-field for the audit.file.path field in order to make the path searchable and aggregatable.
  • Update the file integrity dashboard to use audit.file.path.raw for aggs.
  • Modify the file integrity dashboard
    • Replace most active agent viz with number of world-writable files.
    • Add a table summarizing the number of events from each host.
    • Add a saved search viz showing the raw events.
  • Fix an issue where audit.file.type was not being sent for file (it was only sent for dir and symlink).

[Screenshot: auditbeat-file-integrity-overview-dashboard]
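The reason the path needs a second, non-analyzed copy is easiest to see on concrete data. The following is an added example, not code from elastic/beats: it runs a toy version of Elasticsearch's standard analyzer over a few constructed Auditbeat-style events and compares the buckets a terms aggregation would produce on the analyzed `audit.file.path` with those from the keyword `audit.file.path.raw`, then computes the two numbers the reworked dashboard shows (world-writable files, events per host). Hostnames, paths and modes are made up, and `analyze` only approximates the standard analyzer. In a real cluster the aggregation on the text field would not even run, because fielddata is disabled on `text` fields by default; the toy shows what fragments it would return if it did.

```python
import re
import stat
from collections import Counter

# Constructed sample events in the shape Auditbeat's file_integrity
# metricset emits (field names from the PR; hosts, paths and modes are made up).
EVENTS = [
    {"beat": {"hostname": "web-1"},
     "audit": {"file": {"path": "/etc/passwd", "type": "file", "mode": 0o644}}},
    {"beat": {"hostname": "web-1"},
     "audit": {"file": {"path": "/etc/shadow", "type": "file", "mode": 0o640}}},
    {"beat": {"hostname": "web-2"},
     "audit": {"file": {"path": "/tmp/upload", "type": "dir", "mode": 0o1777}}},
    {"beat": {"hostname": "web-2"},
     "audit": {"file": {"path": "/etc/passwd", "type": "file", "mode": 0o666}}},
    {"beat": {"hostname": "db-1"},
     "audit": {"file": {"path": "/etc/crontab", "type": "file", "mode": 0o644}}},
]

_TOKEN = re.compile(r"[a-z0-9]+")


def analyze(text):
    """Toy stand-in for Elasticsearch's standard analyzer: lowercase and split
    on anything that is not a letter or digit, so '/etc/passwd' becomes
    ['etc', 'passwd']. Real tokenization differs in details, not in this effect."""
    return _TOKEN.findall(text.lower())


def terms_agg(events, analyzed):
    """Bucket counts a terms aggregation would return. On the analyzed field
    every token is its own bucket, so paths are split into fragments; on the
    keyword (.raw) field each whole path is one bucket."""
    counter = Counter()
    for ev in events:
        path = ev["audit"]["file"]["path"]
        if analyzed:
            counter.update(analyze(path))
        else:
            counter[path] += 1
    return dict(counter)


def world_writable(events):
    """Distinct paths whose mode has the other-write bit set: the number the
    reworked dashboard shows in place of the 'most active agent' viz."""
    return sorted({ev["audit"]["file"]["path"] for ev in events
                   if ev["audit"]["file"]["mode"] & stat.S_IWOTH})


def events_per_host(events):
    """Event count per host, as in the dashboard's host summary table."""
    return dict(Counter(ev["beat"]["hostname"] for ev in events))


if __name__ == "__main__":
    print("buckets on analyzed path:", terms_agg(EVENTS, analyzed=True))
    print("buckets on path.raw:     ", terms_agg(EVENTS, analyzed=False))
    print("world-writable files:    ", world_writable(EVENTS))
    print("events per host:         ", events_per_host(EVENTS))
```

On the analyzed field the sample collapses into buckets such as `etc` (4) and `passwd` (2), which is useless for a file integrity dashboard; on the keyword copy `/etc/passwd` stays a single bucket with a count of 2, which is the shape the dashboard's aggregations need.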

TypeFile = 0
TypeDir = 1
TypeSymlink = 2
TypeUnknown = 0


exported const TypeUnknown should have comment (or a comment on this block) or be unexported

Member Author


Dear houndci-bot, this is generated code. Take it up with the flatbuffer compiler.


The path to the file.

[float]
=== `audit.file.path.raw`
Member Author


Do we want these to show up in the docs? I added code here to do it, but I'm on the fence.

Contributor


I am OK to have it in the doc since it's useful for aggregation.
Even if we don't display it in our doc it will still be accessible in the UI :)

@andrewkroh
Member Author

There's a test failure that I'm investigating.

Contributor

@ph ph left a comment


The failing tests seem related to the change in flatbuffer. You might want to take a look @andrewkroh ?

Error:		Not equal: file.Metadata{Inode:0x7b, UID:0x1f4, GID:0x1f4, SID:"", Owner:"", Group:"", Size:0x0, MTime:time.Time{wall:0x28499d28, ext:63646489003, loc:(*time.Location)(nil)}, CTime:time.Time{wall:0x28499d28, ext:63646489003, loc:(*time.Location)(nil)}, Type:0x0, Mode:0x180} (expected)
		        != file.Metadata{Inode:0x7b, UID:0x1f4, GID:0x1f4, SID:"", Owner:"", Group:"", Size:0x0, MTime:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(nil)}, CTime:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(nil)}, Type:0x0, Mode:0x180} (actual)



if "multi_fields" in field:
    for subfield in field["multi_fields"]:
        document_field(output, subfield, path + "." + subfield["name"])

Contributor


good catch.

Contributor


@simitt Mentioning you here as apm-server uses multi fields as far as I remember. Not really a bug but just in case you are surprised why the docs are updated with the most recent beats version.
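To see what the multi-field changes in the index template and in the generated docs, here is an added example that is neither the beats docs generator nor its fields.yml: a constructed definition of `audit.file.path` with a `raw` keyword multi-field is turned into the Elasticsearch property the template would carry, flattened into documented field names by recursing into `multi_fields` as the snippet above does, and then looked up to check which of the two names a terms aggregation can use without enabling fielddata. The helper names (`to_mapping`, `index_mapping`, `document_fields`, `lookup`, `aggregatable`) are this example's own.

```python
import json

# Constructed definition in the shape of a beats fields.yml entry for the
# field this PR changes; only name/type/description/multi_fields are used.
AUDIT_FILE_PATH = {
    "name": "path",
    "type": "text",
    "description": "The path to the file.",
    "multi_fields": [
        {"name": "raw", "type": "keyword",
         "description": "The path to the file, not analyzed, for aggregations."},
    ],
}


def to_mapping(field):
    """Elasticsearch property for one field. multi_fields become the 'fields'
    sub-object, which indexes the same value a second time under a sub-name."""
    prop = {"type": field["type"]}
    if field.get("multi_fields"):
        prop["fields"] = {sub["name"]: to_mapping(sub) for sub in field["multi_fields"]}
    return prop


def index_mapping(field, parents):
    """Nest the property under its parent objects (audit -> file -> path) the
    way the index template's mappings section is laid out."""
    node = {"properties": {field["name"]: to_mapping(field)}}
    for name in reversed(parents):
        node = {"properties": {name: node}}
    return node


def document_fields(field, prefix):
    """Flatten a field and its multi_fields into (full name, type, description)
    rows, recursing into multi_fields as the docs generator snippet does."""
    path = prefix + "." + field["name"]
    rows = [(path, field["type"], field["description"])]
    for sub in field.get("multi_fields", []):
        rows.extend(document_fields(sub, path))
    return rows


def lookup(mapping, dotted):
    """Walk a dotted name through 'properties' (object nesting) and 'fields'
    (multi-field nesting) down to the leaf property."""
    node = mapping
    for part in dotted.split("."):
        if part in node.get("properties", {}):
            node = node["properties"][part]
        elif part in node.get("fields", {}):
            node = node["fields"][part]
        else:
            raise KeyError("no such field: " + dotted)
    return node


def aggregatable(mapping, dotted):
    """True when a terms aggregation can use the field without enabling
    fielddata: keyword yes, text no."""
    return lookup(mapping, dotted)["type"] == "keyword"


if __name__ == "__main__":
    mapping = index_mapping(AUDIT_FILE_PATH, ["audit", "file"])
    print(json.dumps(mapping, indent=2))
    for name, ftype, desc in document_fields(AUDIT_FILE_PATH, "audit.file"):
        print(f"{name} ({ftype}): {desc}")
    for name in ("audit.file.path", "audit.file.path.raw"):
        print(name, "aggregatable:", aggregatable(mapping, name))
```

Because `document_fields` descends into `multi_fields`, `audit.file.path.raw` appears in the docs output next to its parent, which is the behaviour the snippet above adds to the generator and the reason the question about whether to document it came up.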

@@ -18,6 +18,8 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di

*Auditbeat*

- Changed `audit.file.path` to be a multi-field so that path is searchable. {pull}nnnn[nnnn]
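Review bot: `{pull}nnnn[nnnn]` on the added Auditbeat changelog line is a placeholder; replace it with this PR's number, `{pull}5625[5625]`, before merge so the entry links to the pull request.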

Contributor


update with PR number

@andrewkroh
Member Author

@ph It should be fixed now. Attempts to debug after midnight are futile. It was much easier to debug after resting 🛌 .

Contributor

@ruflin ruflin left a comment


@ph Want to take another look?

Contributor

@ph ph left a comment


LGTM

@ph ph merged commit 4327e35 into elastic:master Nov 20, 2017
andrewkroh added a commit to andrewkroh/beats that referenced this pull request Dec 21, 2017
Somewhere in the Auditbeat module refactoring this multi-field got dropped.

This was originally added in elastic#5625.
ph pushed a commit that referenced this pull request Dec 22, 2017
Somewhere in the Auditbeat module refactoring this multi-field got dropped.

This was originally added in #5625.
@andrewkroh andrewkroh deleted the feature/ab/audit-file-path-multi-field branch January 17, 2018 16:45