From 9f57ea8e3696f1a37f56a5524dbddb4bd062a528 Mon Sep 17 00:00:00 2001 From: Tiago Queiroz Date: Fri, 11 Oct 2024 13:04:59 -0400 Subject: [PATCH] move grok step to a separated pipeline --- filebeat/module/system/auth/ingest/files.yml | 13 ++----------- .../system/auth/ingest/grok-auth-messages.yml | 14 ++++++++++++++ .../module/system/auth/ingest/journald.yml | 19 ++++++++----------- filebeat/module/system/auth/manifest.yml | 1 + 4 files changed, 25 insertions(+), 22 deletions(-) create mode 100644 filebeat/module/system/auth/ingest/grok-auth-messages.yml diff --git a/filebeat/module/system/auth/ingest/files.yml b/filebeat/module/system/auth/ingest/files.yml index c89ef94b28a7..39611f484a82 100644 --- a/filebeat/module/system/auth/ingest/files.yml +++ b/filebeat/module/system/auth/ingest/files.yml @@ -18,18 +18,9 @@ processors: TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP}) patterns: - '^%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:%{SPACE}%{GREEDYMULTILINE:_temp.message}$' - - grok: + - pipeline: description: Grok specific auth messages. - tag: grok-specific-messages - field: _temp.message - ignore_missing: true - patterns: - - '^%{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user)?%{DATA:user.name} from %{IPORHOST:source.address} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?' - - '^%{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.address}' - - '^Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}' - - '^%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}' - - '^new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}' - - '^new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$' + name: '{< IngestPipeline "grok-auth-messages" >}' on_failure: - rename: description: Leave the unmatched content in message. diff --git a/filebeat/module/system/auth/ingest/grok-auth-messages.yml b/filebeat/module/system/auth/ingest/grok-auth-messages.yml new file mode 100644 index 000000000000..fc09abbff5e7 --- /dev/null +++ b/filebeat/module/system/auth/ingest/grok-auth-messages.yml @@ -0,0 +1,14 @@ +description: Journald Pipeline for system/auth Filebeat module +processors: + - grok: + description: Grok specific auth messages. + tag: grok-specific-messages + field: _temp.message + ignore_missing: true + patterns: + - '^%{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user)?%{DATA:user.name} from %{IPORHOST:source.address} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?' + - '^%{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.address}' + - '^Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}' + - '^%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}' + - '^new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}' + - '^new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$' diff --git a/filebeat/module/system/auth/ingest/journald.yml b/filebeat/module/system/auth/ingest/journald.yml index 2789436f6f58..10e7ae96054e 100644 --- a/filebeat/module/system/auth/ingest/journald.yml +++ b/filebeat/module/system/auth/ingest/journald.yml @@ -6,19 +6,16 @@ processors: - rename: field: "journald.process.name" target_field: process.name - - grok: - description: Grok specific auth messages. - tag: grok-specific-messages + - rename: field: message - ignore_missing: true - patterns: - - '^%{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user)?%{DATA:user.name} from %{IPORHOST:source.address} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?' - - '^%{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.address}' - - '^Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}' - - '^%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}' - - '^new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}' - - '^new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$' + target_field: _temp.message + - pipeline: + description: Grok specific auth messages. + name: '{< IngestPipeline "grok-auth-messages" >}' ignore_failure: true + - rename: + field: _temp.message + target_field: message - grok: description: Grok usernames from PAM messages. tag: grok-pam-users diff --git a/filebeat/module/system/auth/manifest.yml b/filebeat/module/system/auth/manifest.yml index 857ad65f89df..4b99d6407b76 100644 --- a/filebeat/module/system/auth/manifest.yml +++ b/filebeat/module/system/auth/manifest.yml @@ -21,4 +21,5 @@ ingest_pipeline: - ingest/entrypoint.yml - ingest/files.yml - ingest/journald.yml + - ingest/grok-auth-messages.yml input: config/auth.yml