x-pack/filebeat/module/oracle - Added authentication messages parsing #35127
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Hello @jamiehynds can you run /test ?
Why is this being added?
This pull request is now in conflict. Could you fix it? 🙏
Co-authored-by: Dan Kortschak <[email protected]>
@efd6 thanks for the help. It seems I've fixed all the problems.
Please delete this and replace it with the yml rendering of the pipeline.
What is wrong with json?
Nothing, just that for pipelines in integrations we render as YAML.
Done
This has brought in a lot of diff noise. Ideally only the code that you are changing here should be reflected in the diff.
I think this is the state that you wanted it in, but with only relevant changes. Please check and update.
```yaml
description: Pipeline for parsing Oracle Audit logs
processors:
  - set:
      field: event.ingested
      value: "{{_ingest.timestamp}}"
  - set:
      field: event.action
      value: database_audit
  - set:
      field: event.kind
      value: event
  - set:
      field: event.category
      value: database
  - set:
      field: event.type
      value: access
  - set:
      field: event.outcome
      value: success
  - grok:
      field: message
      patterns:
        - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH : '%{GREEDYDATA:LENGTH}'\\\n(?m)%{GREEDYDATA:audit}"
        - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH: \"%{GREEDYDATA:LENGTH}\"\\\n(?m)%{GREEDYDATA:auth}"
  - gsub:
      field: "auth"
      pattern: "\"\\s"
      replacement: "\"|"
      ignore_missing: true
      if: ctx.auth != null
  - kv:
      field: audit
      field_split: "\\\n(?=[a-zA-Z])"
      value_split: ":\\S\\d+\\S(?= ')"
      trim_value: " '"
      trim_key: " "
      prefix: oracle.database_audit.
      if: ctx.audit != null
  - grok:
      field: log.file.path
      patterns:
        - "%{BASE10NUM:process.pid}\\_%{BASE10NUM}\\.aud(\\.log)?$"
  # All field names are uppercase by default; convert them to lowercase.
  - script:
      source: "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(entry -> entry.getKey().toLowerCase(), Map.Entry::getValue));"
      lang: painless
      if: ctx.oracle?.database_audit != null
  # Replace spaces in field names with _.
  - script:
      lang: painless
      source: "ctx.oracle.database_audit = ctx.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace(' ', '_'), e -> e.getValue()));"
      if: ctx.oracle?.database_audit != null
  - gsub:
      field: "oracle.database_audit.action"
      pattern: "\\n"
      replacement: ""
      if: ctx.oracle?.database_audit != null
  - gsub:
      field: "oracle.database_audit.action"
      pattern: "\\s{2,}"
      replacement: " "
      if: ctx.oracle?.database_audit != null
  - trim:
      field: "oracle.database_audit.action_number"
      ignore_missing: true
      if: ctx.oracle?.database_audit != null
  # Removes all null values from ctx.*
  - script:
      lang: painless
      if: ctx?.oracle?.database_audit != null
      source: |
        void handleMap(Map map) {
          for (def x : map.values()) {
            if (x instanceof Map) {
              handleMap(x);
            } else if (x instanceof List) {
              handleList(x);
            }
          }
          map.values().removeIf(v -> v instanceof String && v.isEmpty() == true);
        }
        void handleList(List list) {
          for (def x : list) {
            if (x instanceof Map) {
              handleMap(x);
            } else if (x instanceof List) {
              handleList(x);
            }
          }
        }
        handleMap(ctx);
  - remove:
      field:
        - "@timestamp"
      ignore_missing: true
  - date:
      field: tmp_timestamp
      target_field: "@timestamp"
      formats:
        - EEE MMM [ d][dd] HH:mm:ss uuuu XXX
  - grok:
      field: tmp_timestamp
      patterns:
        - "%{ISO8601_TIMEZONE:event.timezone}$"
  - rename:
      field: oracle.database_audit.privilege
      target_field: user.roles
      ignore_missing: true
  - rename:
      field: LENGTH
      target_field: oracle.database_audit.length
      ignore_missing: true
  - rename:
      field: oracle.database_audit.client_user
      target_field: client.user.name
      ignore_missing: true
  - rename:
      field: oracle.database_audit.client_address
      target_field: client.address
      ignore_missing: true
  - rename:
      field: oracle.database_audit.userhost
      target_field: server.address
      ignore_missing: true
  - rename:
      field: oracle.database_audit.database_user
      target_field: server.user.name
      ignore_missing: true
  - convert:
      field: oracle.database_audit.length
      type: long
      ignore_missing: true
      if: ctx.oracle?.database_audit != null
  - grok:
      field: client.address
      patterns:
        - "(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})"
      ignore_failure: true
      ignore_missing: true
  - grok:
      field: server.address
      patterns:
        - "(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})"
      ignore_failure: true
      ignore_missing: true
  # Renaming certain fields for better data structure
  - rename:
      field: oracle.database_audit.sessionid
      target_field: oracle.database_audit.session_id
      ignore_missing: true
  - rename:
      field: oracle.database_audit.client_terminal
      target_field: oracle.database_audit.client.terminal
      ignore_missing: true
  - rename:
      field: oracle.database_audit.client_address
      target_field: oracle.database_audit.client.address
      ignore_missing: true
  - rename:
      field: oracle.database_audit.database_user
      target_field: oracle.database_audit.database.user
      ignore_missing: true
  - rename:
      field: oracle.database_audit.userhost
      target_field: oracle.database_audit.database.host
      ignore_missing: true
  - rename:
      field: oracle.database_audit.dbid
      target_field: oracle.database_audit.database.id
      ignore_missing: true
  - rename:
      field: oracle.database_audit.entry_id
      target_field: oracle.database_audit.entry.id
      ignore_missing: true
  - geoip:
      field: client.ip
      target_field: client.geo
      ignore_missing: true
  - geoip:
      target_field: client.as
      properties:
        - asn
        - organization_name
      ignore_missing: true
      database_file: GeoLite2-ASN.mmdb
      field: client.ip
  - rename:
      target_field: client.as.number
      ignore_missing: true
      field: client.as.asn
  - rename:
      field: client.as.organization_name
      target_field: client.as.organization.name
      ignore_missing: true
  - geoip:
      field: server.ip
      target_field: server.geo
      ignore_missing: true
  - geoip:
      target_field: server.as
      properties:
        - asn
        - organization_name
      ignore_missing: true
      database_file: GeoLite2-ASN.mmdb
      field: server.ip
  - rename:
      target_field: server.as.number
      ignore_missing: true
      field: server.as.asn
  - rename:
      field: server.as.organization_name
      target_field: server.as.organization.name
      ignore_missing: true
  - geoip:
      field: source.ip
      target_field: source.geo
      ignore_missing: true
  - geoip:
      target_field: source.as
      properties:
        - asn
        - organization_name
      ignore_missing: true
      database_file: GeoLite2-ASN.mmdb
      field: source.ip
  - rename:
      target_field: source.as.number
      ignore_missing: true
      field: source.as.asn
  - rename:
      field: source.as.organization_name
      target_field: source.as.organization.name
      ignore_missing: true
  - append:
      value: "{{source.ip}}"
      if: ctx.source?.ip != null
      allow_duplicates: false
      field: related.ip
  - append:
      value: "{{client.ip}}"
      if: ctx.client?.ip != null
      allow_duplicates: false
      field: related.ip
  - append:
      value: "{{server.ip}}"
      if: ctx.server?.ip != null
      allow_duplicates: false
      field: related.ip
  - append:
      field: related.user
      value: "{{client.user.name}}"
      allow_duplicates: false
      if: ctx.client?.user?.name != null && ctx.client.user.name != '/'
  - append:
      field: related.user
      value: "{{server.user.name}}"
      allow_duplicates: false
      if: ctx.server?.user?.name != null && ctx.server.user.name != '/'
  - append:
      value: "{{server.domain}}"
      if: ctx.server?.domain != null
      allow_duplicates: false
      field: related.hosts
  - append:
      value: "{{client.domain}}"
      if: ctx.client?.domain != null
      allow_duplicates: false
      field: related.hosts
  - remove:
      field:
        - tmp_timestamp
        - audit
        - message
        - auth
      ignore_missing: true
on_failure:
  - set:
      field: error.message
      value: "{{ _ingest.on_failure_message }}"
```
Done
```yaml
      replacement: "\"\\|"
      ignore_missing: true
  - kv:
      field: auth
      field_split: "\\|"
```
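Review bot: the `kv` on `auth` in these lines carries no `if` or `ignore_missing` guard in the visible snippet, while the `gsub` directly above it has `ignore_missing: true`; `auth` only exists when the second grok pattern matched, so for a plain audit record an unguarded `kv` fails the document into `on_failure`. Suggest `if: ctx.auth != null` on the `kv`, mirroring the `if: ctx.audit != null` on the audit `kv` earlier in the pipeline.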
Are we confident that there is never a `|` in fields in `auth`?
Yes we are
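As an added example (not code from the PR, from Beats or from Oracle), the Python below reproduces the `auth` branch of the pipeline posted earlier in the thread (grok header, gsub of closing quote plus whitespace to `"|`, kv split on `|`, lowercase keys, spaces to `_`, `oracle.database_audit.` prefix) and exercises the `|` question above with a constructed record whose COMMENT$TEXT value contains a pipe; it also goes beyond the page with a length-aware walker that uses the `[n]` count Oracle prints before each value. The record layout, the `KEY:[n] "value"` regexes and the field names in the sample are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an Oracle OS-audit authentication record (not the PR's
# test data); the COMMENT$TEXT value deliberately contains a '|'.
SAMPLE_AUTH = (
    'Thu Mar 30 15:11:55 2023 +00:00\n'
    'LENGTH: "180"\n'
    'SESSIONID:[8] "12345678" USERID:[3] "SYS" USERHOST:[9] "localhost" '
    'ACTION:[3] "100" RETURNCODE:[4] "1017" '
    'COMMENT$TEXT:[31] "Authenticated by: DATABASE; a|b" OS$USERID:[6] "oracle"'
)

# Second grok pattern of the pipeline: timestamp line, LENGTH line, rest is "auth".
HEADER = re.compile(r'^(?P<ts>[^\n]+)\nLENGTH: "(?P<length>\d+)"\n(?P<auth>.*)$', re.S)
# One KEY:[n] "value" token as the kv processor sees it after the '|' split.
PAIR = re.compile(r'^(?P<key>[^:]+):\[(?P<len>\d+)\] "(?P<val>.*)"$')
TOKEN_HEAD = re.compile(r'\s*([^:]+):\[(\d+)\] "')


def normalise_key(key: str) -> str:
    # Same steps as the pipeline's two painless scripts, plus the kv prefix.
    return 'oracle.database_audit.' + key.strip().lower().replace(' ', '_')


def parse_pipeline_style(record: str) -> Tuple[Dict[str, str], List[str]]:
    """gsub quote+whitespace -> quote+'|', then split on '|' (the kv field_split).
    Returns (fields, fragments that no longer look like KEY:[n] "value")."""
    m = HEADER.match(record)
    fields = {'tmp_timestamp': m['ts'], 'oracle.database_audit.length': m['length']}
    rejected: List[str] = []
    for token in re.sub(r'"\s', '"|', m['auth']).split('|'):
        p = PAIR.match(token)
        if p:
            fields[normalise_key(p['key'])] = p['val']
        else:
            rejected.append(token)  # a pipe inside a value lands here
    return fields, rejected


def parse_length_aware(record: str) -> Dict[str, str]:
    """Walk tokens using the [n] count before each value, so a '|' or '" '
    inside a value cannot break tokenisation."""
    m = HEADER.match(record)
    fields = {'tmp_timestamp': m['ts'], 'oracle.database_audit.length': m['length']}
    s, i = m['auth'], 0
    while (h := TOKEN_HEAD.match(s, i)):
        start, n = h.end(), int(h[2])
        fields[normalise_key(h[1])] = s[start:start + n]
        i = start + n + 1  # skip the value and its closing quote
    return fields
```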
/test
Thanks
What does this PR do?
Adds authentication messages parsing
Why is it important?
Authentication messages are important for SIEM.