Add generated youtubebeat files

Gabriel Augendre 2018-11-18 11:08:38 +01:00
commit 38fd446535
7857 changed files with 1826857 additions and 0 deletions

27
.editorconfig Normal file

@ -0,0 +1,27 @@
# See: http://editorconfig.org
root = true
[*]
charset = utf-8
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true
[*.json]
indent_size = 4
indent_style = space
[*.py]
indent_style = space
indent_size = 4
[*.yml]
indent_style = space
indent_size = 2
[Makefile]
indent_style = tab
[Vagrantfile]
indent_size = 2
indent_style = space

7
.gitignore vendored Normal file

@ -0,0 +1,7 @@
/.idea
/build
.DS_Store
/youtubebeat
/youtubebeat.test
*.pyc
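Review bot: The ignore list leaves out the artefacts the beat writes next to its binary when it is run locally, and `make setup` in the Makefile commits with `git add -A`, so a test run done before setup would put `data/`, `logs/` and a `youtubebeat.keystore` — which is where output credentials are stored — into the initial commit. The vendored elastic/beats `.gitignore` already carries `/*/data`, `/*/logs` and `*.keystore`; add the equivalent here: `/data`, `/logs`, `*.keystore`. Whether a locally edited `youtubebeat.yml` with real credentials should also be kept out depends on how the reference config is meant to be shipped, which the page does not show.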

44
.travis.yml Normal file

@ -0,0 +1,44 @@
sudo: required
dist: trusty
services:
- docker
language: go
go:
- 1.10.3
os:
- linux
- osx
env:
matrix:
- TARGETS="check"
- TARGETS="testsuite"
global:
# Cross-compile for amd64 only to speed up testing.
- GOX_FLAGS="-arch amd64"
addons:
apt:
packages:
- python-virtualenv
before_install:
- umask 022
# Redo the travis setup but with the elastic/libbeat path. This is needed so the package path is correct
- mkdir -p $HOME/gopath/src/github.com/Crocmagnon/youtubebeat/
- rsync -az ${TRAVIS_BUILD_DIR}/ $HOME/gopath/src/github.com/Crocmagnon/youtubebeat/
- export TRAVIS_BUILD_DIR=$HOME/gopath/src/github.com/Crocmagnon/youtubebeat/
- cd $HOME/gopath/src/github.com/Crocmagnon/youtubebeat/
install:
- true
script:
- make $TARGETS
after_success:
# Copy full.cov to coverage.txt because codecov.io requires this file
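Review bot: The `after_success:` key closes the file with only a comment beneath it, so as shown the coverage upload the comment announces never runs; either the step was lost when the page was rendered or it was never generated — add it or drop the empty key, and if it takes the usual `bash <(curl -s https://codecov.io/bash)` form, be aware that it pipes an unpinned remote script into the build shell with the repository's CI secrets in the environment. The pinned toolchain also disagrees with the README, which asks for Go 1.7 while CI builds with `go: 1.10.3`; the vendored beats tree's `.go-version` is the value both should follow. `sudo: required` and `dist: trusty` are legacy Travis settings that can go when the image is updated.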

0
CONTRIBUTING.md Normal file

13
LICENSE.txt Normal file

@ -0,0 +1,13 @@
Copyright (c) 2018 Gabriel Augendre
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

38
Makefile Normal file

@ -0,0 +1,38 @@
BEAT_NAME=youtubebeat
BEAT_PATH=github.com/Crocmagnon/youtubebeat
BEAT_GOPATH=$(firstword $(subst :, ,${GOPATH}))
SYSTEM_TESTS=false
TEST_ENVIRONMENT=false
ES_BEATS?=./vendor/github.com/elastic/beats
GOPACKAGES=$(shell govendor list -no-status +local)
GOBUILD_FLAGS=-i -ldflags "-X $(BEAT_PATH)/vendor/github.com/elastic/beats/libbeat/version.buildTime=$(NOW) -X $(BEAT_PATH)/vendor/github.com/elastic/beats/libbeat/version.commit=$(COMMIT_ID)"
MAGE_IMPORT_PATH=${BEAT_PATH}/vendor/github.com/magefile/mage
# Path to the libbeat Makefile
-include $(ES_BEATS)/libbeat/scripts/Makefile
# Initial beat setup
.PHONY: setup
setup: copy-vendor git-init update git-add
# Copy beats into vendor directory
.PHONY: copy-vendor
copy-vendor:
mkdir -p vendor/github.com/elastic
cp -R ${BEAT_GOPATH}/src/github.com/elastic/beats vendor/github.com/elastic/
rm -rf vendor/github.com/elastic/beats/.git vendor/github.com/elastic/beats/x-pack
mkdir -p vendor/github.com/magefile
cp -R ${BEAT_GOPATH}/src/github.com/elastic/beats/vendor/github.com/magefile/mage vendor/github.com/magefile
.PHONY: git-init
git-init:
git init
.PHONY: git-add
git-add:
git add -A
git commit -m "Add generated youtubebeat files"
# Collects all dependencies and then calls update
.PHONY: collect
collect:
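Review bot: `-include $(ES_BEATS)/libbeat/scripts/Makefile` fails silently when the vendor tree is missing, and the first rule parsed after it is `setup`, so a bare `make` in a checkout without `vendor/` would not build the binary at all — it would run `git init`, copy whatever elastic/beats revision happens to be in `$GOPATH`, and commit it with `git add -A`. Guard the include: `ifeq ($(wildcard $(ES_BEATS)/libbeat/scripts/Makefile),)` / `$(error libbeat not vendored under $(ES_BEATS); run 'make setup' first)` / `endif`, or at minimum set `.DEFAULT_GOAL := $(BEAT_NAME)`. `copy-vendor` also removes the copied tree's `.git` without recording which libbeat commit was copied, so the vendored dependency is unpinned and unreproducible; capture the revision (govendor's `vendor.json`, which `GOPACKAGES` already assumes is in use) before deleting it. `$(NOW)` and `$(COMMIT_ID)` in `GOBUILD_FLAGS` are presumably defined by the included libbeat Makefile and expand to nothing when it is absent.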

5
NOTICE.txt Normal file

@ -0,0 +1,5 @@
youtubebeat
Copyright 2018 Gabriel Augendre
This product includes software developed by The Apache Software
Foundation (http://www.apache.org/).

117
README.md Normal file

@ -0,0 +1,117 @@
# Youtubebeat
Welcome to Youtubebeat.
Ensure that this folder is at the following location:
`${GOPATH}/src/github.com/Crocmagnon/youtubebeat`
## Getting Started with Youtubebeat
### Requirements
* [Golang](https://golang.org/dl/) 1.7
### Init Project
To get running with Youtubebeat and also install the
dependencies, run the following command:
```
make setup
```
It will create a clean git history for each major step. Note that you can always rewrite the history if you wish before pushing your changes.
To push Youtubebeat in the git repository, run the following commands:
```
git remote set-url origin https://github.com/Crocmagnon/youtubebeat
git push origin master
```
For further development, check out the [beat developer guide](https://www.elastic.co/guide/en/beats/libbeat/current/new-beat.html).
### Build
To build the binary for Youtubebeat run the command below. This will generate a binary
in the same directory with the name youtubebeat.
```
make
```
### Run
To run Youtubebeat with debugging output enabled, run:
```
./youtubebeat -c youtubebeat.yml -e -d "*"
```
### Test
To test Youtubebeat, run the following command:
```
make testsuite
```
alternatively:
```
make unit-tests
make system-tests
make integration-tests
make coverage-report
```
The test coverage is reported in the folder `./build/coverage/`
### Update
Each beat has a template for the mapping in elasticsearch and a documentation for the fields
which is automatically generated based on `fields.yml` by running the following command.
```
make update
```
### Cleanup
To clean Youtubebeat source code, run the following commands:
```
make fmt
make simplify
```
To clean up the build directory and generated artifacts, run:
```
make clean
```
### Clone
To clone Youtubebeat from the git repository, run the following commands:
```
mkdir -p ${GOPATH}/src/github.com/Crocmagnon/youtubebeat
git clone https://github.com/Crocmagnon/youtubebeat ${GOPATH}/src/github.com/Crocmagnon/youtubebeat
```
For further development, check out the [beat developer guide](https://www.elastic.co/guide/en/beats/libbeat/current/new-beat.html).
## Packaging
The beat frameworks provides tools to crosscompile and package your beat for different platforms. This requires [docker](https://www.docker.com/) and vendoring as described above. To build packages of your beat, run the following command:
```
make release
```
This will fetch and create all images required for the build process. The whole process to finish can take several minutes.

7
_meta/beat.yml Normal file

@ -0,0 +1,7 @@
################### Youtubebeat Configuration Example #########################
############################# Youtubebeat ######################################
youtubebeat:
# Defines how often an event is sent to the output
period: 1s

9
_meta/fields.yml Normal file

@ -0,0 +1,9 @@
- key: youtubebeat
title: youtubebeat
description:
fields:
- name: counter
type: long
required: true
description: >
PLEASE UPDATE DOCUMENTATION
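Review bot: The `counter` field still carries the generator's placeholder `PLEASE UPDATE DOCUMENTATION` and the top-level `description:` is empty; both propagate verbatim into the generated `fields.yml`, `docs/fields.asciidoc` and the asset embedded by `include/fields.go` elsewhere in this commit, so they end up in the index template and the published docs. Fill them in before the next `make update`: `description: Fields emitted by youtubebeat.` for the key, and for `counter` a `description: >` followed by a sentence such as `Event counter, starting at 1 and incremented once per published event.`, which matches what `beater/youtubebeat.go` currently emits. `required: true` is a strong claim for a sample field; keep it only if every event will always carry it.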



71
beater/youtubebeat.go Normal file

@ -0,0 +1,71 @@
package beater
import (
"fmt"
"time"
"github.com/elastic/beats/libbeat/beat"
"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/libbeat/logp"
"github.com/Crocmagnon/youtubebeat/config"
)
// Youtubebeat configuration.
type Youtubebeat struct {
done chan struct{}
config config.Config
client beat.Client
}
// New creates an instance of youtubebeat.
func New(b *beat.Beat, cfg *common.Config) (beat.Beater, error) {
c := config.DefaultConfig
if err := cfg.Unpack(&c); err != nil {
return nil, fmt.Errorf("Error reading config file: %v", err)
}
bt := &Youtubebeat{
done: make(chan struct{}),
config: c,
}
return bt, nil
}
// Run starts youtubebeat.
func (bt *Youtubebeat) Run(b *beat.Beat) error {
logp.Info("youtubebeat is running! Hit CTRL-C to stop it.")
var err error
bt.client, err = b.Publisher.Connect()
if err != nil {
return err
}
ticker := time.NewTicker(bt.config.Period)
counter := 1
for {
select {
case <-bt.done:
return nil
case <-ticker.C:
}
event := beat.Event{
Timestamp: time.Now(),
Fields: common.MapStr{
"type": b.Info.Name,
"counter": counter,
},
}
bt.client.Publish(event)
logp.Info("Event sent")
counter++
}
}
// Stop stops youtubebeat.
func (bt *Youtubebeat) Stop() {
bt.client.Close()
close(bt.done)
}
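Review bot: `time.NewTicker(bt.config.Period)` panics when the duration is zero or negative, and nothing between `cfg.Unpack` in New and this call checks the value, so `period: 0` (or `-1s`) in youtubebeat.yml crashes the beat at startup instead of failing with a config error; reject it in New: `if c.Period <= 0 { return nil, fmt.Errorf("youtubebeat.period must be > 0, got %v", c.Period) }`. The ticker is also never stopped on the `<-bt.done` return — add `defer ticker.Stop()` right after creating it. Stop closes `bt.client` unconditionally; if libbeat can call Stop before Run has assigned the client, or after `Connect` failed, that is a method call on a nil interface, so `if bt.client != nil { bt.client.Close() }` is cheap insurance — whether the framework ever orders the calls that way I cannot tell from here.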

13
cmd/root.go Normal file

@ -0,0 +1,13 @@
package cmd
import (
"github.com/Crocmagnon/youtubebeat/beater"
cmd "github.com/elastic/beats/libbeat/cmd"
)
// Name of this beat
var Name = "youtubebeat"
// RootCmd to handle beats cli
var RootCmd = cmd.GenRootCmd(Name, "", beater.New)
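Review bot: The second argument to `cmd.GenRootCmd` is the beat's version and is passed as `""`, so `youtubebeat version` and the `beat.version` field on every event will carry whatever libbeat substitutes for an empty string — presumably its own default — rather than a youtubebeat version. Declare it so it can be bumped and overridden from the build's `-ldflags`: `var Version = "0.0.1"` and `cmd.GenRootCmd(Name, Version, beater.New)`. `Name` and `RootCmd` are exported, so their comments should start with the identifier: `// Name is the name of this beat.` and `// RootCmd handles the beats CLI.`.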

14
config/config.go Normal file

@ -0,0 +1,14 @@
// Config is put into a different package to prevent cyclic imports in case
// it is needed in several locations
package config
import "time"
type Config struct {
Period time.Duration `config:"period"`
}
var DefaultConfig = Config{
Period: 1 * time.Second,
}
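Review bot: `Config` and `DefaultConfig` are exported without doc comments, and `Period` accepts any duration including zero and negatives, which is not a value the beat can run with since it feeds a `time.Ticker` in the beater. Document them — `// Config holds the settings read from the youtubebeat: section of the config file.` and `// DefaultConfig supplies values for settings the config file omits.` — and give the struct a `Validate() error` method that rejects `Period <= 0`; if I remember libbeat's ucfg correctly, `Unpack` calls such a method automatically, so the check then applies wherever the config is unpacked. The `config_test.go` added alongside is empty apart from its build tag, so a table test over the default and an invalid period would be the natural first test here.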

3
config/config_test.go Normal file

@ -0,0 +1,3 @@
// +build !integration
package config

445
docs/fields.asciidoc Normal file

@ -0,0 +1,445 @@
////
This file is generated! See _meta/fields.yml and scripts/generate_field_docs.py
////
[[exported-fields]]
= Exported fields
[partintro]
--
This document describes the fields that are exported by youtubebeat. They are
grouped in the following categories:
* <<exported-fields-beat>>
* <<exported-fields-cloud>>
* <<exported-fields-docker-processor>>
* <<exported-fields-host-processor>>
* <<exported-fields-kubernetes-processor>>
* <<exported-fields-youtubebeat>>
--
[[exported-fields-beat]]
== Beat fields
Contains common beat fields available in all event types.
*`beat.name`*::
+
--
The name of the Beat sending the log messages. If the Beat name is set in the configuration file, then that value is used. If it is not set, the hostname is used. To set the Beat name, use the `name` option in the configuration file.
--
*`beat.hostname`*::
+
--
The hostname as returned by the operating system on which the Beat is running.
--
*`beat.timezone`*::
+
--
The timezone as returned by the operating system on which the Beat is running.
--
*`beat.version`*::
+
--
The version of the beat that generated this event.
--
*`@timestamp`*::
+
--
type: date
example: August 26th 2016, 12:35:53.332
format: date
required: True
The timestamp when the event log record was generated.
--
*`tags`*::
+
--
Arbitrary tags that can be set per Beat and per transaction type.
--
*`fields`*::
+
--
type: object
Contains user configurable fields.
--
[float]
== error fields
Error fields containing additional info in case of errors.
*`error.message`*::
+
--
type: text
Error message.
--
*`error.code`*::
+
--
type: long
Error code.
--
*`error.type`*::
+
--
type: keyword
Error type.
--
[[exported-fields-cloud]]
== Cloud provider metadata fields
Metadata from cloud providers added by the add_cloud_metadata processor.
*`meta.cloud.provider`*::
+
--
example: ec2
Name of the cloud provider. Possible values are ec2, gce, or digitalocean.
--
*`meta.cloud.instance_id`*::
+
--
Instance ID of the host machine.
--
*`meta.cloud.instance_name`*::
+
--
Instance name of the host machine.
--
*`meta.cloud.machine_type`*::
+
--
example: t2.medium
Machine type of the host machine.
--
*`meta.cloud.availability_zone`*::
+
--
example: us-east-1c
Availability zone in which this host is running.
--
*`meta.cloud.project_id`*::
+
--
example: project-x
Name of the project in Google Cloud.
--
*`meta.cloud.region`*::
+
--
Region in which this host is running.
--
[[exported-fields-docker-processor]]
== Docker fields
Docker stats collected from Docker.
*`docker.container.id`*::
+
--
type: keyword
Unique container id.
--
*`docker.container.image`*::
+
--
type: keyword
Name of the image the container was built on.
--
*`docker.container.name`*::
+
--
type: keyword
Container name.
--
*`docker.container.labels`*::
+
--
type: object
Image labels.
--
[[exported-fields-host-processor]]
== Host fields
Info collected for the host machine.
*`host.name`*::
+
--
type: keyword
Hostname.
--
*`host.id`*::
+
--
type: keyword
Unique host id.
--
*`host.architecture`*::
+
--
type: keyword
Host architecture (e.g. x86_64, arm, ppc, mips).
--
*`host.os.platform`*::
+
--
type: keyword
OS platform (e.g. centos, ubuntu, windows).
--
*`host.os.version`*::
+
--
type: keyword
OS version.
--
*`host.os.family`*::
+
--
type: keyword
OS family (e.g. redhat, debian, freebsd, windows).
--
*`host.ip`*::
+
--
type: ip
List of IP-addresses.
--
*`host.mac`*::
+
--
type: keyword
List of hardware-addresses, usually MAC-addresses.
--
[[exported-fields-kubernetes-processor]]
== Kubernetes fields
Kubernetes metadata added by the kubernetes processor
*`kubernetes.pod.name`*::
+
--
type: keyword
Kubernetes pod name
--
*`kubernetes.pod.uid`*::
+
--
type: keyword
Kubernetes Pod UID
--
*`kubernetes.namespace`*::
+
--
type: keyword
Kubernetes namespace
--
*`kubernetes.node.name`*::
+
--
type: keyword
Kubernetes node name
--
*`kubernetes.labels`*::
+
--
type: object
Kubernetes labels map
--
*`kubernetes.annotations`*::
+
--
type: object
Kubernetes annotations map
--
*`kubernetes.container.name`*::
+
--
type: keyword
Kubernetes container name
--
*`kubernetes.container.image`*::
+
--
type: keyword
Kubernetes container image
--
[[exported-fields-youtubebeat]]
== youtubebeat fields
None
*`counter`*::
+
--
type: long
required: True
PLEASE UPDATE DOCUMENTATION
--

5
docs/index.asciidoc Normal file

@ -0,0 +1,5 @@
= Youtubebeat Docs
Welcome to the Youtubebeat documentation.

225
fields.yml Normal file

@ -0,0 +1,225 @@
- key: youtubebeat
title: youtubebeat
description:
fields:
- name: counter
type: long
required: true
description: >
PLEASE UPDATE DOCUMENTATION
- key: beat
title: Beat
description: >
Contains common beat fields available in all event types.
fields:
- name: beat.name
description: >
The name of the Beat sending the log messages. If the Beat name is
set in the configuration file, then that value is used. If it is not
set, the hostname is used. To set the Beat name, use the `name`
option in the configuration file.
- name: beat.hostname
description: >
The hostname as returned by the operating system on which the Beat is
running.
- name: beat.timezone
description: >
The timezone as returned by the operating system on which the Beat is
running.
- name: beat.version
description: >
The version of the beat that generated this event.
- name: "@timestamp"
type: date
required: true
format: date
example: August 26th 2016, 12:35:53.332
description: >
The timestamp when the event log record was generated.
- name: tags
description: >
Arbitrary tags that can be set per Beat and per transaction
type.
- name: fields
type: object
object_type: keyword
description: >
Contains user configurable fields.
- name: error
type: group
description: >
Error fields containing additional info in case of errors.
fields:
- name: message
type: text
description: >
Error message.
- name: code
type: long
description: >
Error code.
- name: type
type: keyword
description: >
Error type.
- key: cloud
title: Cloud provider metadata
description: >
Metadata from cloud providers added by the add_cloud_metadata processor.
fields:
- name: meta.cloud.provider
example: ec2
description: >
Name of the cloud provider. Possible values are ec2, gce, or digitalocean.
- name: meta.cloud.instance_id
description: >
Instance ID of the host machine.
- name: meta.cloud.instance_name
description: >
Instance name of the host machine.
- name: meta.cloud.machine_type
example: t2.medium
description: >
Machine type of the host machine.
- name: meta.cloud.availability_zone
example: us-east-1c
description: >
Availability zone in which this host is running.
- name: meta.cloud.project_id
example: project-x
description: >
Name of the project in Google Cloud.
- name: meta.cloud.region
description: >
Region in which this host is running.
- key: docker
title: Docker
description: >
Docker stats collected from Docker.
short_config: false
anchor: docker-processor
fields:
- name: docker
type: group
fields:
- name: container.id
type: keyword
description: >
Unique container id.
- name: container.image
type: keyword
description: >
Name of the image the container was built on.
- name: container.name
type: keyword
description: >
Container name.
- name: container.labels
type: object
object_type: keyword
description: >
Image labels.
- key: host
title: Host
description: >
Info collected for the host machine.
anchor: host-processor
fields:
- name: host
type: group
fields:
- name: name
type: keyword
description: >
Hostname.
- name: id
type: keyword
description: >
Unique host id.
- name: architecture
type: keyword
description: >
Host architecture (e.g. x86_64, arm, ppc, mips).
- name: os.platform
type: keyword
description: >
OS platform (e.g. centos, ubuntu, windows).
- name: os.version
type: keyword
description: >
OS version.
- name: os.family
type: keyword
description: >
OS family (e.g. redhat, debian, freebsd, windows).
- name: ip
type: ip
description: >
List of IP-addresses.
- name: mac
type: keyword
description: >
List of hardware-addresses, usually MAC-addresses.
- key: kubernetes
title: Kubernetes
description: >
Kubernetes metadata added by the kubernetes processor
short_config: false
anchor: kubernetes-processor
fields:
- name: kubernetes
type: group
fields:
- name: pod.name
type: keyword
description: >
Kubernetes pod name
- name: pod.uid
type: keyword
description: >
Kubernetes Pod UID
- name: namespace
type: keyword
description: >
Kubernetes namespace
- name: node.name
type: keyword
description: >
Kubernetes node name
- name: labels
type: object
description: >
Kubernetes labels map
- name: annotations
type: object
description: >
Kubernetes annotations map
- name: container.name
type: keyword
description: >
Kubernetes container name
- name: container.image
type: keyword
description: >
Kubernetes container image

35
include/fields.go Normal file

@ -0,0 +1,35 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
package include
import (
"github.com/elastic/beats/libbeat/asset"
)
func init() {
if err := asset.SetFields("youtubebeat", "fields.yml", Asset); err != nil {
panic(err)
}
}
// Asset returns asset data
func Asset() string {
return "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"
}

111
magefile.go Normal file

@ -0,0 +1,111 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
// +build mage
package main
import (
"context"
"fmt"
"time"
"github.com/magefile/mage/mg"
"github.com/magefile/mage/sh"
"github.com/elastic/beats/dev-tools/mage"
)
func init() {
mage.SetBuildVariableSources(mage.DefaultBeatBuildVariableSources)
mage.BeatDescription = "One sentence description of the Beat."
}
// Build builds the Beat binary.
func Build() error {
return mage.Build(mage.DefaultBuildArgs())
}
// GolangCrossBuild build the Beat binary inside of the golang-builder.
// Do not use directly, use crossBuild instead.
func GolangCrossBuild() error {
return mage.GolangCrossBuild(mage.DefaultGolangCrossBuildArgs())
}
// BuildGoDaemon builds the go-daemon binary (use crossBuildGoDaemon).
func BuildGoDaemon() error {
return mage.BuildGoDaemon()
}
// CrossBuild cross-builds the beat for all target platforms.
func CrossBuild() error {
return mage.CrossBuild()
}
// CrossBuildGoDaemon cross-builds the go-daemon binary using Docker.
func CrossBuildGoDaemon() error {
return mage.CrossBuildGoDaemon()
}
// Clean cleans all generated files and build artifacts.
func Clean() error {
return mage.Clean()
}
// Package packages the Beat for distribution.
// Use SNAPSHOT=true to build snapshots.
// Use PLATFORMS to control the target platforms.
func Package() {
start := time.Now()
defer func() { fmt.Println("package ran for", time.Since(start)) }()
mage.UseCommunityBeatPackaging()
mg.Deps(Update)
mg.Deps(CrossBuild, CrossBuildGoDaemon)
mg.SerialDeps(mage.Package, TestPackages)
}
// TestPackages tests the generated packages (i.e. file modes, owners, groups).
func TestPackages() error {
return mage.TestPackages()
}
// Update updates the generated files (aka make update).
func Update() error {
return sh.Run("make", "update")
}
// Fields generates a fields.yml for the Beat.
func Fields() error {
return mage.GenerateFieldsYAML()
}
// GoTestUnit executes the Go unit tests.
// Use TEST_COVERAGE=true to enable code coverage profiling.
// Use RACE_DETECTOR=true to enable the race detector.
func GoTestUnit(ctx context.Context) error {
return mage.GoTest(ctx, mage.DefaultGoTestUnitArgs())
}
// GoTestIntegration executes the Go integration tests.
// Use TEST_COVERAGE=true to enable code coverage profiling.
// Use RACE_DETECTOR=true to enable the race detector.
func GoTestIntegration(ctx context.Context) error {
return mage.GoTest(ctx, mage.DefaultGoTestIntegrationArgs())
}
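Review bot: `mage.BeatDescription = "One sentence description of the Beat."` is the generator's placeholder, and `Package` hands it to `mage.Package` via `UseCommunityBeatPackaging`, so the deb/rpm/tar metadata produced by `mage package` will describe the beat with that literal sentence. Replace it with a real one-line description of what youtubebeat collects before the first release. `Update` shells out to plain `make update`, so it inherits the Makefile's dependence on the vendored libbeat Makefile being present; that is fine as long as `make setup` is documented as a prerequisite.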

15
main.go Normal file

@ -0,0 +1,15 @@
package main
import (
"os"
"github.com/Crocmagnon/youtubebeat/cmd"
_ "github.com/Crocmagnon/youtubebeat/include"
)
func main() {
if err := cmd.RootCmd.Execute(); err != nil {
os.Exit(1)
}
}

27
main_test.go Normal file

@ -0,0 +1,27 @@
package main
// This file is mandatory as otherwise the youtubebeat.test binary is not generated correctly.
import (
"flag"
"testing"
"github.com/Crocmagnon/youtubebeat/cmd"
)
var systemTest *bool
func init() {
systemTest = flag.Bool("systemTest", false, "Set to true when running system tests")
cmd.RootCmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("systemTest"))
cmd.RootCmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("test.coverprofile"))
}
// Test started when the test binary is started. Only calls main.
func TestSystem(t *testing.T) {
if *systemTest {
main()
}
}

11
make.bat Normal file

@ -0,0 +1,11 @@
@echo off
REM Windows wrapper for Mage (https://magefile.org/) that installs it
REM to %GOPATH%\bin from the Beats vendor directory.
REM
REM After running this once you may invoke mage.exe directly.
WHERE mage
IF %ERRORLEVEL% NEQ 0 go install github.com/Crocmagnon/youtubebeat/vendor/github.com/magefile/mage
mage %*


@ -0,0 +1,78 @@
################### Beat Configuration #########################
############################# Output ##########################################
# Configure what outputs to use when sending the data collected by the beat.
# You can enable one or multiple outputs by setting enabled option to true.
output:
### File as output
file:
# Enabling file output
enabled: true
# Path to the directory where to save the generated files. The option is mandatory.
path: {{ output_file_path|default(beat.working_dir + "/output") }}
# Name of the generated files. The default is `youtubebeat` and it generates
# files: `youtubebeat`, `youtubebeat.1`, `youtubebeat.2`, etc.
filename: {{ output_file_filename|default("youtubebeat") }}
# Maximum size in kilobytes of each file. When this size is reached, the files are
# rotated. The default value is 10 MB.
#rotate_every_kb: 10000
# Maximum number of files under path. When this number of files is reached, the
# oldest file is deleted and the rest are shifted from last to first. The default
# is 7 files.
#number_of_files: 7
############################# Beat #########################################
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
# If this options is not defined, the hostname is used.
#name:
# The tags of the shipper are included in their own field with each
# transaction published. Tags make it easy to group servers by different
# logical properties.
#tags: ["service-X", "web-tier"]
############################# Logging #########################################
#logging:
# Send all logging output to syslog. On Windows default is false, otherwise
# default is true.
#to_syslog: true
# Write all logging output to files. Beats automatically rotate files if configurable
# limit is reached.
#to_files: false
# Enable debug output for selected components.
#selectors: []
# Set log level
#level: error
#files:
# The directory where the log files will written to.
#path: /var/log/youtubebeat
# The name of the files where the logs are written to.
#name: youtubebeat
# Configure log file size limit. If limit is reached, log file will be
# automatically rotated
#rotateeverybytes: 10485760 # = 10MB
# Number of rotated log files to keep. Oldest files will be deleted first.
#keepfiles: 7


19
tests/system/test_base.py Normal file

@ -0,0 +1,19 @@
from youtubebeat import BaseTest
import os
class Test(BaseTest):
def test_base(self):
"""
Basic test with exiting Youtubebeat normally
"""
self.render_config_template(
path=os.path.abspath(self.working_dir) + "/log/*"
)
youtubebeat_proc = self.start_beat()
self.wait_until(lambda: self.log_contains("youtubebeat is running"))
exit_code = youtubebeat_proc.kill_and_wait()
assert exit_code == 0
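Review bot: `render_config_template(path=...)` passes a `path` variable that the youtubebeat config template never references — the template in this commit only consumes `output_file_path` and `output_file_filename` — so the argument is dead and the `/log/*` glob is a leftover from the filebeat test it was copied from; drop it and call `self.render_config_template()`, after which the `os` import is unused and should go too. The `kill_and_wait()` exit-code assertion is fine, but the test only proves the beat starts; a follow-up that waits for an event carrying `counter` in the file output would actually exercise `Run`.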


@ -0,0 +1,13 @@
import os
import sys
sys.path.append('../../vendor/github.com/elastic/beats/libbeat/tests/system')
from beat.beat import TestCase
class BaseTest(TestCase):
@classmethod
def setUpClass(self):
self.beat_name = "youtubebeat"
self.beat_path = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../"))
super(BaseTest, self).setUpClass()
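Review bot: `sys.path.append('../../vendor/github.com/elastic/beats/libbeat/tests/system')` is resolved against the current working directory, so `from beat.beat import TestCase` only succeeds when the tests are launched from `tests/system/`, whereas `beat_path` two lines later is correctly derived from `__file__`; make them consistent with `sys.path.append(os.path.join(os.path.dirname(__file__), '../../vendor/github.com/elastic/beats/libbeat/tests/system'))`. `setUpClass` is a classmethod, so its first parameter should be `cls` rather than `self`. This file's path is not shown on the page; it appears to be the `youtubebeat` module that `test_base.py` imports.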

31
vendor/github.com/elastic/beats/.editorconfig generated vendored Normal file

@ -0,0 +1,31 @@
# See: http://editorconfig.org
root = true
[*]
charset = utf-8
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true
[.go]
indent_size = 4
indent_style = tab
[*.json]
indent_size = 4
indent_style = space
[*.py]
indent_style = space
indent_size = 4
[*.yml]
indent_style = space
indent_size = 2
[Makefile]
indent_style = tab
[Vagrantfile]
indent_size = 2
indent_style = space

6
vendor/github.com/elastic/beats/.gitattributes generated vendored Normal file

@ -0,0 +1,6 @@
CHANGELOG.md merge=union
CHANGELOG.asciidoc merge=union
# Keep these file types as CRLF (Windows).
*.bat text eol=crlf
*.cmd text eol=crlf


@ -0,0 +1,12 @@
Please post all questions and issues on https://discuss.elastic.co/c/beats
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.
For security vulnerabilities please only send reports to security@elastic.co.
See https://www.elastic.co/community/security for more information.
For confirmed bugs, please report:
- Version:
- Operating System:
- Discuss Forum URL:
- Steps to Reproduce:

35
vendor/github.com/elastic/beats/.gitignore generated vendored Normal file

@ -0,0 +1,35 @@
# Directories
/.vagrant
/.idea
/.vscode
/build
/*/data
/*/logs
/*/fields.yml
/*/*.template*.json
**/html_docs
/*/_meta/kibana.generated
# Files
.DS_Store
/beats.iml
*.dev.yml
*.generated.yml
coverage.out
.python-version
beat.db
*.keystore
# Editor swap files
*.swp
*.swo
*.swn
# Compiled Object files, Static and Dynamic libs (Shared Objects)
*.o
*.a
*.so
*.exe
*.test
*.prof
*.pyc

1
vendor/github.com/elastic/beats/.go-version generated vendored Normal file

@ -0,0 +1 @@
1.10.3

13
vendor/github.com/elastic/beats/.pylintrc generated vendored Normal file

@ -0,0 +1,13 @@
[MESSAGES CONTROL]
disable=too-many-lines,too-many-public-methods,too-many-statements
[BASIC]
method-rgx=[a-z_][a-z0-9_]{2,50}$
[FORMAT]
max-line-length=120

205
vendor/github.com/elastic/beats/.travis.yml generated vendored Normal file

@ -0,0 +1,205 @@
sudo: required
dist: trusty
services:
- docker
language: go
# Make sure project can also be built on travis for clones of the repo
go_import_path: github.com/elastic/beats
env:
global:
# Cross-compile for amd64 only to speed up testing.
- GOX_FLAGS="-arch amd64"
- DOCKER_COMPOSE_VERSION=1.11.1
- GO_VERSION="$(cat .go-version)"
# Newer versions of minikube fail on travis, see: https://github.com/kubernetes/minikube/issues/2704
- TRAVIS_MINIKUBE_VERSION=v0.25.2
jobs:
include:
# General checks
- os: linux
env: TARGETS="check"
go: $GO_VERSION
stage: check
# Filebeat
- os: linux
env: TARGETS="-C filebeat testsuite"
go: $GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C filebeat testsuite"
go: $GO_VERSION
stage: test
# Heartbeat
- os: linux
env: TARGETS="-C heartbeat testsuite"
go: $GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C heartbeat testsuite"
go: $GO_VERSION
stage: test
# Auditbeat
- os: linux
env: TARGETS="-C auditbeat testsuite"
go: $GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C auditbeat testsuite"
go: $GO_VERSION
stage: test
- os: linux
env: TARGETS="-C auditbeat crosscompile"
go: $GO_VERSION
stage: test
# Libbeat
- os: linux
env: TARGETS="-C libbeat testsuite"
go: $GO_VERSION
stage: test
- os: linux
env: TARGETS="-C libbeat crosscompile"
go: $GO_VERSION
stage: test
- os: linux
env: STRESS_TEST_OPTIONS="-timeout=20m -race -v -parallel 1" TARGETS="-C libbeat stress-tests"
go: $GO_VERSION
stage: test
# Metricbeat
- os: linux
env: TARGETS="-C metricbeat testsuite"
go: $GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C metricbeat testsuite"
go: $GO_VERSION
stage: test
- os: linux
env: TARGETS="-C metricbeat crosscompile"
go: $GO_VERSION
stage: test
# Packetbeat
- os: linux
env: TARGETS="-C packetbeat testsuite"
go: $GO_VERSION
stage: test
# Winlogbeat
- os: linux
env: TARGETS="-C winlogbeat crosscompile"
go: $GO_VERSION
stage: test
# Journalbeat
- os: linux
env: TARGETS="-C journalbeat testsuite"
go: $GO_VERSION
stage: test
# Functionbeat
- os: linux
env: TARGETS="-C x-pack/functionbeat testsuite"
go: $GO_VERSION
stage: test
- os: osx
env: TARGETS="TEST_ENVIRONMENT=0 -C x-pack/functionbeat testsuite"
go: $GO_VERSION
stage: test
# Generators
- os: linux
env: TARGETS="-C generator/metricbeat test"
go: $GO_VERSION
stage: test
- os: linux
env: TARGETS="-C generator/beat test"
go: $GO_VERSION
stage: test
# Docs
- os: linux
env: TARGETS="docs"
go: $GO_VERSION
stage: test
# Kubernetes
- os: linux
install: deploy/kubernetes/.travis/setup.sh
env:
- TARGETS="-C deploy/kubernetes test"
- TRAVIS_K8S_VERSION=v1.8.0
stage: test
- os: linux
install: deploy/kubernetes/.travis/setup.sh
env:
- TARGETS="-C deploy/kubernetes test"
- TRAVIS_K8S_VERSION=v1.9.4
stage: test
- os: linux
install: deploy/kubernetes/.travis/setup.sh
env:
- TARGETS="-C deploy/kubernetes test"
- TRAVIS_K8S_VERSION=v1.10.0
stage: test
# TODO include 1.11 once minikube supports it
#- os: linux
# install: deploy/kubernetes/.travis/setup.sh
# env:
# - TARGETS="-C deploy/kubernetes test"
# - TRAVIS_K8S_VERSION=v1.11.0
# stage: test
addons:
apt:
update: true
packages:
- python-virtualenv
- libpcap-dev
- xsltproc
- libxml2-utils
- libsystemd-journal-dev
before_install:
- python --version
- umask 022
- chmod -R go-w $GOPATH/src/github.com/elastic/beats
# Docker-compose installation
- sudo rm /usr/local/bin/docker-compose || true
- curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` > docker-compose
- chmod +x docker-compose
- sudo mv docker-compose /usr/local/bin
- if [ $TRAVIS_OS_NAME = osx ]; then pip install virtualenv; fi
# Skips installations step
install: true
script:
- make $TARGETS
notifications:
slack:
on_success: change
on_failure: always
on_pull_requests: false
rooms:
secure: "e25J5puEA31dOooTI4T+K+zrTs8XeWIGq2cgmiPt9u/g7eqWeQj1UJnVsr8GOu1RPDyuJZJHXqfrvuOYJTdHzXbwjD0JTbwwVVZMkkZW2SWZHG46HCXPiucjWXEr3hXJKBJDDpIx6VxrN7r17dejv1biQ8QuEFZfiB1H8kbH/ho="
after_success:
# Copy full.cov to coverage.txt because codecov.io requires this file
- test -f auditbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f auditbeat/build/coverage/full.cov
- test -f filebeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f filebeat/build/coverage/full.cov
- test -f heartbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f heartbeat/build/coverage/full.cov
- test -f libbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f libbeat/build/coverage/full.cov
- test -f metricbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f metricbeat/build/coverage/full.cov
- test -f packetbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f packetbeat/build/coverage/full.cov


@ -0,0 +1,62 @@
// Use these for links to issue and pulls. Note issues and pulls redirect one to
// each other on Github, so don't worry too much on using the right prefix.
:issue: https://github.com/elastic/beats/issues/
:pull: https://github.com/elastic/beats/pull/
This changelog is intended for community Beat developers. It covers the major
breaking changes to the internal APIs in the official Beats and changes related
to developing a Beat like code generators or `fields.yml`. Only the major
changes will be covered in this changelog that are expected to affect community
developers. Each breaking change added here should have an explanation on how
other Beats should be migrated.
Note: This changelog was only started after the 6.3 release.
=== Beats version HEAD
https://github.com/elastic/beats/compare/v6.3.0..master[Check the HEAD diff]
The list below covers the major changes between 6.3.0 and master only.
==== Breaking changes
- The beat.Pipeline is now passed to cfgfile.RunnerFactory. Beats using libbeat for module reloading or autodiscovery need to be adapted. {pull}7018[7017]
- Moving of TLS helper functions and structs from `output/tls` to `tlscommon`. {pull}7054[7054]
- Port fields.yml collector to Golang {pull}6911[6911]
- Dashboards under _meta/kibana are expected to be decoded. See https://github.com/elastic/beats/pull/7224 for a conversion script. {pull}7265[7265]
- Constructor `(github.com/elastic/beats/libbeat/output/codec/json).New` expects a new `escapeHTML` parameter. {pull}7445[7445]
- Packaging has been refactored and updates are required. See the PR for migration details. {pull}7388[7388]
- `make fields` has been modified to use Mage (https://magefile.org/) in an effort to make
the building a Beat more cross-platform friendly (e.g. Windows). This requires that your Beat
has a magefile.go with a fields target. The `FIELDS_FILE_PATH` make variable is no longer
used because the value is specified in magefile.go. {pull}7670[7670]
- Renamed `-beat-name` CLI option used in `kibana_index_pattern.go` to `-beat` for consistency with other scripts in `dev-tools/cmd`. {pull}8615[8615]
==== Bugfixes
- Fix permissions of generated Filebeat filesets. {pull}7140[7140]
- Collect fields from _meta/fields.yml too. {pull}8397[8397]
- Fix issue on asset generation that could lead to different results in Windows. {pull}8464[8464]
==== Added
- Libbeat provides a global registry for beats developer that allow to register and retrieve plugin. {pull}7392[7392]
- Added more options to control required and optional fields in schema.Apply(), error returned is a plain nil if no error happened {pull}7335[7335]
- Packaging on MacOS now produces a .dmg file containing an installer (.pkg) and uninstaller for the Beat. {pull}7481[7481]
- Added mage targets `goTestUnit` and `goTestIntegration` for executing
'go test'. This captures the log to a file, summarizes the result, produces a
coverage profile (.cov), and produces an HTML coverage report. See
`mage -h goTestUnit`. {pull}7766[7766]
- Beats packaging now build non-oss binaries from code located in the x-pack folder. {issue}7783[7783]
- New function `AddTagsWithKey` is added, so `common.MapStr` can be enriched with tags with an arbitrary key. {pull}7991[7991]
- Libbeat provides a new function `cmd.GenRootCmdWithSettings` that should be preferred over deprecated functions
`cmd.GenRootCmd`, `cmd.GenRootCmdWithRunFlags`, and `cmd.GenRootCmdWithIndexPrefixWithRunFlags`. {pull}7850[7850]
- Set current year in generator templates. {pull}8396[8396]
- You can now override default settings of libbeat by using instance.Settings. {pull}8449[8449]
- Add `-space-id` option to `export_dashboards.go` script to support Kibana Spaces {pull}7942[7942]
- Add `-name` option to `asset.go` script to explicitly name the asset rather than using its filename. {pull}8693[8693]
- Add `-out` option to `kibana_index_pattern.go` to control the output dir to make it possible to write the generated output to `build/kibana` instead of `_meta/kibana.generated` (but the output dir remains unchanged at this point). {pull}8615[8615]
- Add `module_fields.go` for generated `fields.go` files for modules. {pull}8615[8615]
- Add `mage.GenerateModuleReferenceConfig` for generating reference config files that include configuration sections from the module directory. {pull}8615[8615]
- Add `mage.GenerateFieldsGo` for generating fields.go files. {pull}8615[8615]
- Add `mage.KibanaDashboards` for collecting Kibana dashboards and generating index patterns. {pull}8615[8615]
- Allow to disable config resolver using the `Settings.DisableConfigResolver` field when initializing libbeat. {pull}8769[8769]

3261
vendor/github.com/elastic/beats/CHANGELOG.asciidoc generated vendored Normal file


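--- a/vendor/github.com/elastic/beats/CONTRIBUTING.md
+++ b/vendor/github.com/elastic/beats/CONTRIBUTING.md
@@ -0,0 +1,17 @@
+Please post all questions and issues first on
+[https://discuss.elastic.co/c/beats](https://discuss.elastic.co/c/beats)
+before opening a Github Issue.
+# Contributing to Beats
+The Beats are open source and we love to receive contributions from our
+community — you!
+There are many ways to contribute, from writing tutorials or blog posts,
+improving the documentation, submitting bug reports and feature requests or
+writing code for implementing a whole new protocol.
+If you want to contribute to the Beats project, you can start by reading
+the [contributing guidelines](https://www.elastic.co/guide/en/beats/devguide/current/beats-contributing.html)
+in the _Beats Developer Guide_.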

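--- a/vendor/github.com/elastic/beats/LICENSE.txt
+++ b/vendor/github.com/elastic/beats/LICENSE.txt
@@ -0,0 +1,13 @@
+Source code in this repository is variously licensed under the Apache License
+Version 2.0, an Apache compatible license, or the Elastic License. Outside of
+the "x-pack" folder, source code in a given file is licensed under the Apache
+License Version 2.0, unless otherwise noted at the beginning of the file or a
+LICENSE file present in the directory subtree declares a separate license.
+Within the "x-pack" folder, source code in a given file is licensed under the
+Elastic License, unless otherwise noted at the beginning of the file or a
+LICENSE file present in the directory subtree declares a separate license.
+The build produces two sets of binaries - one set that falls under the Elastic
+License and another set that falls under Apache License Version 2.0. The
+binaries that contain `-oss` in the artifact name are licensed under the Apache
+License Version 2.0.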

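--- a/vendor/github.com/elastic/beats/Makefile
+++ b/vendor/github.com/elastic/beats/Makefile
@@ -0,0 +1,178 @@
+BUILD_DIR=$(CURDIR)/build
+COVERAGE_DIR=$(BUILD_DIR)/coverage
+BEATS?=auditbeat filebeat heartbeat journalbeat metricbeat packetbeat winlogbeat x-pack/functionbeat
+PROJECTS=libbeat $(BEATS)
+PROJECTS_ENV=libbeat filebeat metricbeat
+PYTHON_ENV?=$(BUILD_DIR)/python-env
+VIRTUALENV_PARAMS?=
+FIND=find . -type f -not -path "*/vendor/*" -not -path "*/build/*" -not -path "*/.git/*"
+GOLINT=golint
+GOLINT_REPO=github.com/golang/lint/golint
+REVIEWDOG=reviewdog
+REVIEWDOG_OPTIONS?=-diff "git diff master"
+REVIEWDOG_REPO=github.com/haya14busa/reviewdog/cmd/reviewdog
+XPACK_SUFFIX=x-pack/
+# Runs complete testsuites (unit, system, integration) for all beats with coverage and race detection.
+# Also it builds the docs and the generators
+.PHONY: testsuite
+testsuite:
+@$(foreach var,$(PROJECTS),$(MAKE) -C $(var) testsuite || exit 1;)
+.PHONY: setup-commit-hook
+setup-commit-hook:
+@cp script/pre_commit.sh .git/hooks/pre-commit
+@chmod 751 .git/hooks/pre-commit
+stop-environments:
+@$(foreach var,$(PROJECTS_ENV),$(MAKE) -C $(var) stop-environment || exit 0;)
+# Runs unit and system tests without coverage and race detection.
+.PHONY: test
+test:
+@$(foreach var,$(PROJECTS),$(MAKE) -C $(var) test || exit 1;)
+# Runs unit tests without coverage and race detection.
+.PHONY: unit
+unit:
+@$(foreach var,$(PROJECTS),$(MAKE) -C $(var) unit || exit 1;)
+# Crosscompile all beats.
+.PHONY: crosscompile
+crosscompile:
+@$(foreach var,filebeat winlogbeat metricbeat heartbeat auditbeat,$(MAKE) -C $(var) crosscompile || exit 1;)
+.PHONY: coverage-report
+coverage-report:
+@mkdir -p $(COVERAGE_DIR)
+@echo 'mode: atomic' > ./$(COVERAGE_DIR)/full.cov
+@# Collects all coverage files and skips top line with mode
+@$(foreach var,$(PROJECTS),tail -q -n +2 ./$(var)/$(COVERAGE_DIR)/*.cov >> ./$(COVERAGE_DIR)/full.cov || true;)
+@go tool cover -html=./$(COVERAGE_DIR)/full.cov -o $(COVERAGE_DIR)/full.html
+@echo "Generated coverage report $(COVERAGE_DIR)/full.html"
+.PHONY: update
+update: notice
+@$(foreach var,$(PROJECTS),$(MAKE) -C $(var) update || exit 1;)
+@$(MAKE) -C deploy/kubernetes all
+.PHONY: clean
+clean:
+@rm -rf build
+@$(foreach var,$(PROJECTS),$(MAKE) -C $(var) clean || exit 1;)
+@$(MAKE) -C generator clean
+@-mage -clean 2> /dev/null
+# Cleans up the vendor directory from unnecessary files
+# This should always be run after updating the dependencies
+.PHONY: clean-vendor
+clean-vendor:
+@sh script/clean_vendor.sh
+.PHONY: check
+check: python-env
+@$(foreach var,$(PROJECTS) dev-tools,$(MAKE) -C $(var) check || exit 1;)
+@# Checks also python files which are not part of the beats
+@$(FIND) -name *.py -exec $(PYTHON_ENV)/bin/autopep8 -d --max-line-length 120 {} \; | (! grep . -q) || (echo "Code differs from autopep8's style" && false)
+@# Validate that all updates were committed
+@$(MAKE) update
+@$(MAKE) check-headers
+@git diff | cat
+@git update-index --refresh
+@git diff-index --exit-code HEAD --
+.PHONY: check-headers
+check-headers:
+@go get github.com/elastic/go-licenser
+@go-licenser -d -exclude x-pack
+@go-licenser -d -license Elastic x-pack
+.PHONY: add-headers
+add-headers:
+@go get github.com/elastic/go-licenser
+@go-licenser -exclude x-pack
+@go-licenser -license Elastic x-pack
+# Corrects spelling errors
+.PHONY: misspell
+misspell:
+go get -u github.com/client9/misspell/cmd/misspell
+# Ignore Kibana files (.json)
+$(FIND) \
+-not -path "*.json" \
+-not -path "*.log" \
+-name '*' \
+-exec misspell -w {} \;
+.PHONY: fmt
+fmt: add-headers python-env
+@$(foreach var,$(PROJECTS) dev-tools,$(MAKE) -C $(var) fmt || exit 1;)
+@# Cleans also python files which are not part of the beats
+@$(FIND) -name "*.py" -exec $(PYTHON_ENV)/bin/autopep8 --in-place --max-line-length 120 {} \;
+.PHONY: lint
+lint:
+@go get $(GOLINT_REPO) $(REVIEWDOG_REPO)
+$(REVIEWDOG) $(REVIEWDOG_OPTIONS)
+# Builds the documents for each beat
+.PHONY: docs
+docs:
+@$(foreach var,$(PROJECTS),BUILD_DIR=${BUILD_DIR} $(MAKE) -C $(var) docs || exit 1;)
+sh ./script/build_docs.sh dev-guide github.com/elastic/beats/docs/devguide ${BUILD_DIR}
+.PHONY: notice
+notice: python-env
+@echo "Generating NOTICE"
+@$(PYTHON_ENV)/bin/python dev-tools/generate_notice.py .
+# Sets up the virtual python environment
+.PHONY: python-env
+python-env:
+@test -d $(PYTHON_ENV) || virtualenv $(VIRTUALENV_PARAMS) $(PYTHON_ENV)
+@$(PYTHON_ENV)/bin/pip install -q --upgrade pip autopep8==1.3.5 six
+@# Work around pip bug. See: https://github.com/pypa/pip/issues/4464
+@find $(PYTHON_ENV) -type d -name dist-packages -exec sh -c "echo dist-packages > {}.pth" ';'
+# Tests if apm works with the current code
+.PHONY: test-apm
+test-apm:
+sh ./script/test_apm.sh
+### Packaging targets ####
+# Builds a snapshot release.
+.PHONY: snapshot
+snapshot:
+@$(MAKE) SNAPSHOT=true release
+# Builds a release.
+.PHONY: release
+release: beats-dashboards
+@$(foreach var,$(BEATS),$(MAKE) -C $(var) release || exit 1;)
+@$(foreach var,$(BEATS), \
+test -d $(var)/build/distributions && test -n "$$(ls $(var)/build/distributions)" || exit 0; \
+mkdir -p build/distributions/$(subst $(XPACK_SUFFIX),'',$(var)) && mv -f $(var)/build/distributions/* build/distributions/$(subst $(XPACK_SUFFIX),'',$(var))/ || exit 1;)
+# Builds a snapshot release. The Go version defined in .go-version will be
+# installed and used for the build.
+.PHONY: release-manager-snapshot
+release-manager-snapshot:
+@$(MAKE) SNAPSHOT=true release-manager-release
+# Builds a snapshot release. The Go version defined in .go-version will be
+# installed and used for the build.
+.PHONY: release-manager-release
+release-manager-release:
+./dev-tools/run_with_go_ver $(MAKE) release
+# Installs the mage build tool from the vendor directory.
+.PHONY: mage
+mage:
+@go install github.com/elastic/beats/vendor/github.com/magefile/mage
+# Collects dashboards from all Beats and generates a zip file distribution.
+.PHONY: beats-dashboards
+beats-dashboards: mage update
+@mage packageBeatDashboards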

3335
vendor/github.com/elastic/beats/NOTICE.txt generated vendored Normal file


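--- a/vendor/github.com/elastic/beats/README.md
+++ b/vendor/github.com/elastic/beats/README.md
@@ -0,0 +1,79 @@
+[![Travis](https://travis-ci.org/elastic/beats.svg?branch=master)](https://travis-ci.org/elastic/beats)
+[![GoReportCard](http://goreportcard.com/badge/elastic/beats)](http://goreportcard.com/report/elastic/beats)
+[![codecov.io](https://codecov.io/github/elastic/beats/coverage.svg?branch=master)](https://codecov.io/github/elastic/beats?branch=master)
+# Beats - The Lightweight Shippers of the Elastic Stack
+The [Beats](https://www.elastic.co/products/beats) are lightweight data
+shippers, written in Go, that you install on your servers to capture all sorts
+of operational data (think of logs, metrics, or network packet data). The Beats
+send the operational data to Elasticsearch, either directly or via Logstash, so
+it can be visualized with Kibana.
+By "lightweight", we mean that Beats have a small installation footprint, use
+limited system resources, and have no runtime dependencies.
+This repository contains
+[libbeat](https://github.com/elastic/beats/tree/master/libbeat), our Go
+framework for creating Beats, and all the officially supported Beats:
+Beat | Description
+--- | ---
+[Auditbeat](https://github.com/elastic/beats/tree/master/auditbeat) | Collect your Linux audit framework data and monitor the integrity of your files.
+[Filebeat](https://github.com/elastic/beats/tree/master/filebeat) | Tails and ships log files
+[Heartbeat](https://github.com/elastic/beats/tree/master/heartbeat) | Ping remote services for availability
+[Metricbeat](https://github.com/elastic/beats/tree/master/metricbeat) | Fetches sets of metrics from the operating system and services
+[Packetbeat](https://github.com/elastic/beats/tree/master/packetbeat) | Monitors the network and applications by sniffing packets
+[Winlogbeat](https://github.com/elastic/beats/tree/master/winlogbeat) | Fetches and ships Windows Event logs
+In addition to the above Beats, which are officially supported by
+[Elastic](https://elastic.co), the community has created a set of other Beats
+that make use of libbeat but live outside of this Github repository. We maintain
+a list of community Beats
+[here](https://www.elastic.co/guide/en/beats/libbeat/master/community-beats.html).
+## Documentation and Getting Started
+You can find the documentation and getting started guides for each of the Beats
+on the [elastic.co site](https://www.elastic.co/guide/):
+* [Beats platform](https://www.elastic.co/guide/en/beats/libbeat/current/index.html)
+* [Auditbeat](https://www.elastic.co/guide/en/beats/auditbeat/current/index.html)
+* [Filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/index.html)
+* [Heartbeat](https://www.elastic.co/guide/en/beats/heartbeat/current/index.html)
+* [Metricbeat](https://www.elastic.co/guide/en/beats/metricbeat/current/index.html)
+* [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/index.html)
+* [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/index.html)
+## Getting Help
+If you need help or hit an issue, please start by opening a topic on our
+[discuss forums](https://discuss.elastic.co/c/beats). Please note that we
+reserve GitHub tickets for confirmed bugs and enhancement requests.
+## Downloads
+You can download pre-compiled Beats binaries, as well as packages for the
+supported platforms, from [this page](https://www.elastic.co/downloads/beats).
+## Contributing
+We'd love working with you! You can help make the Beats better in many ways:
+report issues, help us reproduce issues, fix bugs, add functionality, or even
+create your own Beat.
+Please start by reading our [CONTRIBUTING](CONTRIBUTING.md) file.
+If you are creating a new Beat, you don't need to submit the code to this
+repository. You can simply start working in a new repository and make use of the
+libbeat packages, by following our [developer
+guide](https://www.elastic.co/guide/en/beats/libbeat/current/new-beat.html).
+After you have a working prototype, open a pull request to add your Beat to the
+list of [community
+Beats](https://github.com/elastic/beats/blob/master/libbeat/docs/communitybeats.asciidoc).
+## Building Beats from the Source
+See our [CONTRIBUTING](CONTRIBUTING.md) file for information about setting up
+your dev environment to build Beats from the source.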

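--- a/vendor/github.com/elastic/beats/Vagrantfile
+++ b/vendor/github.com/elastic/beats/Vagrantfile
@@ -0,0 +1,216 @@
+### Documentation
+# This is a Vagrantfile for Beats development.
+#
+# Boxes
+# =====
+#
+# win2012
+# -------
+# This box is used as a Windows development and testing environment for Beats.
+#
+# Usage and Features:
+# - Two users exist: Administrator and Vagrant. Both have the password: vagrant
+# - Use 'vagrant ssh' to open a Windows command prompt.
+# - Use 'vagrant rdp' to open a Windows Remote Desktop session. Mac users must
+# install the Microsoft Remote Desktop Client from the App Store.
+# - There is a desktop shortcut labeled "Beats Shell" that opens a command prompt
+# to C:\Gopath\src\github.com\elastic\beats where the code is mounted.
+#
+# solaris
+# -------------------
+# - Use gmake instead of make.
+#
+# freebsd and openbsd
+# -------------------
+# - Use gmake instead of make.
+# - Folder syncing doesn't work well. Consider copying the files into the box or
+# cloning the project inside the box.
+GO_VERSION = File.read(File.join(File.dirname(__FILE__), ".go-version")).strip
+# Provisioning for Windows PowerShell
+$winPsProvision = <<SCRIPT
+echo 'Creating github.com\elastic in the GOPATH'
+New-Item -itemtype directory -path "C:\\Gopath\\src\\github.com\\elastic" -force
+echo "Symlinking C:\\Vagrant to C:\\Gopath\\src\\github.com\\elastic"
+cmd /c mklink /d C:\\Gopath\\src\\github.com\\elastic\\beats \\\\vboxsvr\\vagrant
+echo "Installing gvm to manage go version"
+[Net.ServicePointManager]::SecurityProtocol = "tls12"
+Invoke-WebRequest -URI https://github.com/andrewkroh/gvm/releases/download/v0.0.5/gvm-windows-amd64.exe -Outfile C:\Windows\System32\gvm.exe
+C:\Windows\System32\gvm.exe --format=powershell #{GO_VERSION} | Invoke-Expression
+go version
+echo "Configure environment variables"
+[System.Environment]::SetEnvironmentVariable("GOROOT", "C:\\Users\\vagrant\\.gvm\\versions\\go#{GO_VERSION}.windows.amd64", [System.EnvironmentVariableTarget]::Machine)
+[System.Environment]::SetEnvironmentVariable("PATH", "$env:GOROOT\\bin;$env:PATH", [System.EnvironmentVariableTarget]::Machine)
+echo "Creating Beats Shell desktop shortcut"
+$WshShell = New-Object -comObject WScript.Shell
+$Shortcut = $WshShell.CreateShortcut("$Home\\Desktop\\Beats Shell.lnk")
+$Shortcut.TargetPath = "cmd.exe"
+$Shortcut.Arguments = '/c "SET GOROOT=C:\\Users\\vagrant\\.gvm\\versions\\go#{GO_VERSION}.windows.amd64&PATH=C:\\Users\\vagrant\\.gvm\\versions\\go#{GO_VERSION}.windows.amd64\\bin;%PATH%" && START'
+$Shortcut.WorkingDirectory = "C:\\Gopath\\src\\github.com\\elastic\\beats"
+$Shortcut.Save()
+echo "Disable automatic updates"
+$AUSettings = (New-Object -com "Microsoft.Update.AutoUpdate").Settings
+$AUSettings.NotificationLevel = 1
+$AUSettings.Save()
+SCRIPT
+# Provisioning for Unix/Linux
+$unixProvision = <<SCRIPT
+echo 'Creating github.com/elastic in the GOPATH'
+mkdir -p ~/go/src/github.com/elastic
+echo 'Symlinking /vagrant to ~/go/src/github.com/elastic'
+cd ~/go/src/github.com/elastic
+if [ -d "/vagrant" ] && [ ! -e "beats" ]; then ln -s /vagrant beats; fi
+SCRIPT
+# Linux GVM
+$linuxGvmProvision = <<SCRIPT
+mkdir -p ~/bin
+if [ ! -e "~/bin/gvm" ]; then
+curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.0.5/gvm-linux-amd64
+chmod +x ~/bin/gvm
+echo 'export GOPATH=$HOME/go' >> ~/.bash_profile
+echo 'export PATH=$HOME/bin:$GOPATH/bin:$PATH' >> ~/.bash_profile
+echo 'eval "$(gvm #{GO_VERSION})"' >> ~/.bash_profile
+fi
+SCRIPT
+Vagrant.configure(2) do |config|
+# Windows Server 2012 R2
+config.vm.define "win2012", primary: true do |win2012|
+win2012.vm.box = "https://s3.amazonaws.com/beats-files/vagrant/beats-win2012-r2-virtualbox-2016-10-28_1224.box"
+win2012.vm.guest = :windows
+# Communicator for windows boxes
+win2012.vm.communicator = "winrm"
+# Port forward WinRM and RDP
+win2012.vm.network :forwarded_port, guest: 22, host: 2222, id: "ssh", auto_correct: true
+win2012.vm.network :forwarded_port, guest: 3389, host: 33389, id: "rdp", auto_correct: true
+win2012.vm.network :forwarded_port, guest: 5985, host: 55985, id: "winrm", auto_correct: true
+win2012.vm.provision "shell", inline: $winPsProvision
+end
+# Solaris 11.2
+config.vm.define "solaris", primary: true do |solaris|
+solaris.vm.box = "https://s3.amazonaws.com/beats-files/vagrant/beats-solaris-11.2-virtualbox-2016-11-02_1603.box"
+solaris.vm.network :forwarded_port, guest: 22, host: 2223, id: "ssh", auto_correct: true
+solaris.vm.provision "shell", inline: $unixProvision, privileged: false
+end
+# FreeBSD 11.0
+config.vm.define "freebsd", primary: true do |freebsd|
+freebsd.vm.box = "https://s3.amazonaws.com/beats-files/vagrant/beats-freebsd-11.0-virtualbox-2016-11-02_1638.box"
+freebsd.vm.network :forwarded_port, guest: 22, host: 2224, id: "ssh", auto_correct: true
+# Must use NFS to sync a folder on FreeBSD and this requires a host-only network.
+# To enable the /vagrant folder, set disabled to false and uncomment the private_network.
+config.vm.synced_folder ".", "/vagrant", id: "vagrant-root", :nfs => true, disabled: true
+#config.vm.network "private_network", ip: "192.168.135.18"
+freebsd.vm.hostname = "beats-tester"
+freebsd.vm.provision "shell", inline: $unixProvision, privileged: false
+end
+# OpenBSD 5.9-stable
+config.vm.define "openbsd", primary: true do |openbsd|
+openbsd.vm.box = "https://s3.amazonaws.com/beats-files/vagrant/beats-openbsd-5.9-current-virtualbox-2016-11-02_2007.box"
+openbsd.vm.network :forwarded_port, guest: 22, host: 2225, id: "ssh", auto_correct: true
+config.vm.synced_folder ".", "/vagrant", type: "rsync", disabled: true
+config.vm.provider :virtualbox do |vbox|
+vbox.check_guest_additions = false
+vbox.functional_vboxsf = false
+end
+openbsd.vm.provision "shell", inline: $unixProvision, privileged: false
+end
+config.vm.define "precise64", primary: true do |c|
+c.vm.box = "ubuntu/precise64"
+c.vm.network :forwarded_port, guest: 22, host: 2226, id: "ssh", auto_correct: true
+c.vm.provision "shell", inline: $unixProvision, privileged: false
+c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
+c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
+end
+config.vm.define "centos6", primary: true do |c|
+c.vm.box = "bento/centos-6.9"
+c.vm.network :forwarded_port, guest: 22, host: 2229, id: "ssh", auto_correct: true
+c.vm.provision "shell", inline: $unixProvision, privileged: false
+c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
+c.vm.provision "shell", inline: "yum install -y make gcc python-pip python-virtualenv git"
+c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
+end
+config.vm.define "fedora27", primary: true do |c|
+c.vm.box = "bento/fedora-27"
+c.vm.network :forwarded_port, guest: 22, host: 2227, id: "ssh", auto_correct: true
+c.vm.provision "shell", inline: $unixProvision, privileged: false
+c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
+c.vm.provision "shell", inline: "dnf install -y make gcc python-pip python-virtualenv git"
+c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
+end
+config.vm.define "archlinux", primary: true do |c|
+c.vm.box = "archlinux/archlinux"
+c.vm.network :forwarded_port, guest: 22, host: 2228, id: "ssh", auto_correct: true
+c.vm.provision "shell", inline: $unixProvision, privileged: false
+c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
+c.vm.provision "shell", inline: "pacman -Sy && pacman -S --noconfirm make gcc python-pip python-virtualenv git"
+c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
+end
+config.vm.define "ubuntu1804", primary: true do |c|
+c.vm.box = "ubuntu/bionic64"
+c.vm.network :forwarded_port, guest: 22, host: 2229, id: "ssh", auto_correct: true
+c.vm.provision "shell", inline: $unixProvision, privileged: false
+c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
+c.vm.provision "shell", inline: "apt-get update && apt-get install -y make gcc python-pip python-virtualenv git"
+c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
+end
+config.vm.define "sles12", primary: true do |c|
+c.vm.box = "elastic/sles-12-x86_64"
+c.vm.network :forwarded_port, guest: 22, host: 2230, id: "ssh", auto_correct: true
+c.vm.provision "shell", inline: $unixProvision, privileged: false
+c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
+c.vm.provision "shell", inline: "pip install virtualenv"
+c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
+end
+# Windows Server 2016
+config.vm.define "win2016", primary: true do |machine|
+machine.vm.box = "elastic/windows-2016-x86_64"
+machine.vm.provision "shell", inline: $winPsProvision
+machine.vm.provider "virtualbox" do |v|
+v.memory = 4096
+end
+end
+end
+# -*- mode: ruby -*-
+# vi: set ft=ruby :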

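--- a/vendor/github.com/elastic/beats/auditbeat/.gitignore
+++ b/vendor/github.com/elastic/beats/auditbeat/.gitignore
@@ -0,0 +1,9 @@
+build
+_meta/beat.yml
+_meta/beat.reference.yml
+module/*/_meta/config.yml
+/auditbeat
+/auditbeat.test
+/docs/html_docs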

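--- a/vendor/github.com/elastic/beats/auditbeat/Dockerfile
+++ b/vendor/github.com/elastic/beats/auditbeat/Dockerfile
@@ -0,0 +1,17 @@
+FROM golang:1.10.3
+MAINTAINER Nicolas Ruflin <ruflin@elastic.co>
+RUN set -x && \
+apt-get update && \
+apt-get install -y --no-install-recommends \
+netcat python-pip virtualenv && \
+apt-get clean
+RUN pip install --upgrade setuptools
+# Setup work environment
+ENV AUDITBEAT_PATH /go/src/github.com/elastic/beats/auditbeat
+RUN mkdir -p $AUDITBEAT_PATH/build/coverage
+WORKDIR $AUDITBEAT_PATH
+HEALTHCHECK CMD exit 0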

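--- a/vendor/github.com/elastic/beats/auditbeat/Makefile
+++ b/vendor/github.com/elastic/beats/auditbeat/Makefile
@@ -0,0 +1,38 @@
+BEAT_NAME=auditbeat
+BEAT_TITLE=Auditbeat
+SYSTEM_TESTS=true
+TEST_ENVIRONMENT?=true
+GOX_OS?=linux windows ## @Building List of all OS to be supported by "make crosscompile".
+DEV_OS?=linux
+ES_BEATS?=..
+# Path to the libbeat Makefile
+include ${ES_BEATS}/libbeat/scripts/Makefile
+# Collects all dependencies and then calls update
+.PHONY: collect
+collect: collect-docs configs kibana
+# Collects all module configs
+.PHONY: configs
+configs: python-env
+@cat ${ES_BEATS}/auditbeat/_meta/common.p1.yml \
+<(go run scripts/generate_config.go -os ${DEV_OS} -concat) \
+${ES_BEATS}/auditbeat/_meta/common.p2.yml > _meta/beat.yml
+@cat ${ES_BEATS}/auditbeat/_meta/common.reference.yml \
+<(go run scripts/generate_config.go -os ${DEV_OS} -ref -concat) > _meta/beat.reference.yml
+# Collects all module docs
+.PHONY: collect-docs
+collect-docs: python-env
+@rm -rf docs/modules
+@mkdir -p docs/modules
+@go run scripts/generate_config.go -os linux
+@${PYTHON_ENV}/bin/python ${ES_BEATS}/auditbeat/scripts/docs_collector.py --beat ${BEAT_NAME}
+# Collects all module dashboards
+.PHONY: kibana
+kibana:
+@-rm -rf _meta/kibana.generated
+@mkdir -p _meta/kibana.generated
+@-cp -pr module/*/_meta/kibana/* _meta/kibana.generated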


@ -0,0 +1,12 @@
###################### Auditbeat Configuration Example #########################
# This is an example configuration file highlighting only the most common
# options. The auditbeat.reference.yml file from the same directory contains all
# the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/auditbeat/index.html
#========================== Modules configuration =============================
auditbeat.modules:


@ -0,0 +1,6 @@
#==================== Elasticsearch template setting ==========================
setup.template.settings:
index.number_of_shards: 3
#index.codec: best_compression
#_source.enabled: false


@ -0,0 +1,31 @@
########################## Auditbeat Configuration #############################
# This is a reference configuration file documenting all non-deprecated options
# in comments. For a shorter configuration example that contains only the most
# common options, please see auditbeat.yml in the same directory.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/auditbeat/index.html
#============================ Config Reloading ================================
# Config reloading allows to dynamically load modules. Each file which is
# monitored must contain one or multiple modules as a list.
auditbeat.config.modules:
# Glob pattern for configuration reloading
path: ${path.config}/conf.d/*.yml
# Period on which files under path should be checked for changes
reload.period: 10s
# Set to true to enable config reloading
reload.enabled: false
# Maximum amount of time to randomly delay the start of a metricset. Use 0 to
# disable startup delay.
auditbeat.max_start_delay: 10s
#========================== Modules configuration =============================
auditbeat.modules:


@ -0,0 +1,123 @@
- key: common
title: Common
description: >
Contains common fields available in all event types.
fields:
- name: event.module
description: >
The name of the module that generated the event.
- name: event.action
type: keyword
example: logged-in
description: >
Action describes the change that triggered the event.
For the file integrity module the possible values are:
attributes_modified, created, deleted, updated, moved, and config_change.
- name: file
type: group
description: File attributes.
fields:
- name: path
type: text
description: The path to the file.
multi_fields:
- name: raw
type: keyword
description: >
The path to the file. This is a non-analyzed field that is useful
for aggregations.
- name: target_path
type: keyword
description: The target path for symlinks.
- name: type
type: keyword
description: The file type (file, dir, or symlink).
- name: device
type: keyword
description: The device.
- name: inode
type: keyword
description: The inode representing the file in the filesystem.
- name: uid
type: keyword
description: >
The user ID (UID) or security identifier (SID) of the file owner.
- name: owner
type: keyword
description: The file owner's username.
- name: gid
type: keyword
description: The primary group ID (GID) of the file.
- name: group
type: keyword
description: The primary group name of the file.
- name: mode
type: keyword
example: 0640
description: The mode of the file in octal representation.
- name: setuid
type: boolean
example: true
description: Set if the file has the `setuid` bit set. Omitted otherwise.
- name: setgid
type: boolean
example: true
description: Set if the file has the `setgid` bit set. Omitted otherwise.
- name: size
type: long
description: The file size in bytes (field is only added when `type` is `file`).
- name: mtime
type: date
description: The last modified time of the file (time when content was modified).
- name: ctime
type: date
description: The last change time of the file (time when metadata was changed).
- name: origin
type: text
description: >
An array of strings describing a possible external origin for
this file. For example, the URL it was downloaded from. Only
supported in macOS, via the kMDItemWhereFroms attribute.
Omitted if origin information is not available.
multi_fields:
- name: raw
type: keyword
description: >
This is a non-analyzed field that is useful for aggregations on the
origin data.
- name: selinux
type: group
description: The SELinux identity of the file.
fields:
- name: user
type: keyword
description: The owner of the object.
- name: role
type: keyword
description: The object's SELinux role.
- name: domain
type: keyword
description: The object's SELinux domain or type.
- name: level
type: keyword
example: s0
description: The object's SELinux level.


177
vendor/github.com/elastic/beats/auditbeat/auditbeat.yml generated vendored Normal file

@ -0,0 +1,177 @@
###################### Auditbeat Configuration Example #########################
# This is an example configuration file highlighting only the most common
# options. The auditbeat.reference.yml file from the same directory contains all
# the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/auditbeat/index.html
#========================== Modules configuration =============================
auditbeat.modules:
- module: auditd
# Load audit rules from separate files. Same format as audit.rules(7).
audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
audit_rules: |
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access (warning: these can be expensive to audit).
#-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
#==================== Elasticsearch template setting ==========================
setup.template.settings:
index.number_of_shards: 3
#index.codec: best_compression
#_source.enabled: false
#================================ General =====================================
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:
# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]
# Optional fields that you can specify to add additional information to the
# output.
#fields:
# env: staging
#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
#setup.dashboards.enabled: false
# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
#host: "localhost:5601"
# Kibana Space ID
# ID of the Kibana Space into which the dashboards should be loaded. By default,
# the Default Space will be used.
#space.id:
#============================= Elastic Cloud ==================================
# These settings simplify using auditbeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:
# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:
#================================ Outputs =====================================
# Configure what output to use when sending the data collected by the beat.
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]
# Optional protocol and basic auth credentials.
#protocol: "https"
#username: "elastic"
#password: "changeme"
#----------------------------- Logstash output --------------------------------
#output.logstash:
# The Logstash hosts
#hosts: ["localhost:5044"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
#================================ Procesors =====================================
# Configure processors to enhance or manipulate events generated by the beat.
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
#============================== Xpack Monitoring ===============================
# auditbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#xpack.monitoring.elasticsearch:

51
vendor/github.com/elastic/beats/auditbeat/cmd/root.go generated vendored Normal file

@ -0,0 +1,51 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package cmd
import (
"github.com/spf13/cobra"
"github.com/spf13/pflag"
"github.com/elastic/beats/auditbeat/core"
"github.com/elastic/beats/libbeat/cmd"
"github.com/elastic/beats/metricbeat/beater"
"github.com/elastic/beats/metricbeat/mb/module"
)
// Name of the beat (auditbeat).
const Name = "auditbeat"
// RootCmd for running auditbeat.
var RootCmd *cmd.BeatsRootCmd
// ShowCmd to display extra information.
var ShowCmd = &cobra.Command{
Use: "show",
Short: "Show modules information",
}
func init() {
create := beater.Creator(
beater.WithModuleOptions(
module.WithEventModifier(core.AddDatasetToEvent),
),
)
var runFlags = pflag.NewFlagSet(Name, pflag.ExitOnError)
RootCmd = cmd.GenRootCmdWithRunFlags(Name, "", create, runFlags)
RootCmd.AddCommand(ShowCmd)
}


@ -0,0 +1,33 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package core
import (
"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/metricbeat/mb"
)
// AddDatasetToEvent adds dataset information to the event. In particular this
// adds the module name under dataset.module.
func AddDatasetToEvent(module, metricSet string, event *mb.Event) {
if event.RootFields == nil {
event.RootFields = common.MapStr{}
}
event.RootFields.Put("event.module", module)
}


@ -0,0 +1,191 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package datastore
import (
"io"
"os"
"sync"
bolt "github.com/coreos/bbolt"
"github.com/elastic/beats/libbeat/paths"
)
var (
initDatastoreOnce sync.Once
ds *boltDatastore
)
// OpenBucket returns a new Bucket that stores data in {path.data}/beat.db.
// The returned Bucket must be closed when finished to ensure all resources
// are released.
func OpenBucket(name string) (Bucket, error) {
initDatastoreOnce.Do(func() {
ds = &boltDatastore{
path: paths.Resolve(paths.Data, "beat.db"),
mode: 0600,
}
})
return ds.OpenBucket(name)
}
// Datastore
type Datastore interface {
OpenBucket(name string) (Bucket, error)
}
type boltDatastore struct {
mutex sync.Mutex
useCount uint32
path string
mode os.FileMode
db *bolt.DB
}
func New(path string, mode os.FileMode) Datastore {
return &boltDatastore{path: path, mode: mode}
}
func (ds *boltDatastore) OpenBucket(bucket string) (Bucket, error) {
ds.mutex.Lock()
defer ds.mutex.Unlock()
// Initialize the Bolt DB.
if ds.db == nil {
var err error
ds.db, err = bolt.Open(ds.path, ds.mode, nil)
if err != nil {
return nil, err
}
}
// Ensure the name exists.
err := ds.db.Update(func(tx *bolt.Tx) error {
_, err := tx.CreateBucketIfNotExists([]byte(bucket))
return err
})
if err != nil {
return nil, err
}
return &boltBucket{ds, bucket}, nil
}
func (ds *boltDatastore) done() {
ds.mutex.Lock()
defer ds.mutex.Unlock()
if ds.useCount > 0 {
ds.useCount--
if ds.useCount == 0 {
ds.db.Close()
ds.db = nil
}
}
}
// Bucket
type Bucket interface {
io.Closer
Load(key string, f func(blob []byte) error) error
Store(key string, blob []byte) error
Delete(key string) error // Delete removes a key from the bucket. If the key does not exist then nothing is done and a nil error is returned.
DeleteBucket() error // Deletes and closes the bucket.
}
// BoltBucket is a Bucket that exposes some Bolt specific APIs.
type BoltBucket interface {
Bucket
View(func(tx *bolt.Bucket) error) error
Update(func(tx *bolt.Bucket) error) error
}
type boltBucket struct {
ds *boltDatastore
name string
}
func (b *boltBucket) Load(key string, f func(blob []byte) error) error {
return b.ds.db.View(func(tx *bolt.Tx) error {
b := tx.Bucket([]byte(b.name))
data := b.Get([]byte(key))
if data == nil {
return nil
}
return f(data)
})
}
func (b *boltBucket) Store(key string, blob []byte) error {
return b.ds.db.Update(func(tx *bolt.Tx) error {
b := tx.Bucket([]byte(b.name))
return b.Put([]byte(key), blob)
})
}
func (b *boltBucket) ForEach(f func(key string, blob []byte) error) error {
return b.ds.db.View(func(tx *bolt.Tx) error {
b := tx.Bucket([]byte(b.name))
return b.ForEach(func(k, v []byte) error {
return f(string(k), v)
})
})
}
func (b *boltBucket) Delete(key string) error {
return b.ds.db.Update(func(tx *bolt.Tx) error {
b := tx.Bucket([]byte(b.name))
return b.Delete([]byte(key))
})
}
func (b *boltBucket) DeleteBucket() error {
err := b.ds.db.Update(func(tx *bolt.Tx) error {
return tx.DeleteBucket([]byte(b.name))
})
b.Close()
return err
}
func (b *boltBucket) View(f func(*bolt.Bucket) error) error {
return b.ds.db.View(func(tx *bolt.Tx) error {
b := tx.Bucket([]byte(b.name))
return f(b)
})
}
func (b *boltBucket) Update(f func(*bolt.Bucket) error) error {
return b.ds.db.Update(func(tx *bolt.Tx) error {
b := tx.Bucket([]byte(b.name))
return f(b)
})
}
func (b *boltBucket) Close() error {
b.ds.done()
b.ds = nil
return nil
}


@ -0,0 +1,38 @@
version: '2.1'
services:
beat:
build: ${PWD}/.
depends_on:
- proxy_dep
env_file:
- ${PWD}/build/test.env
working_dir: /go/src/github.com/elastic/beats/auditbeat
environment:
- KIBANA_HOST=kibana
- KIBANA_PORT=5601
volumes:
- ${PWD}/..:/go/src/github.com/elastic/beats/
command: make
privileged: true
pid: host
cap_add:
- AUDIT_CONTROL
- AUDIT_READ
# This is a proxy used to block beats until all services are healthy.
# See: https://github.com/docker/compose/issues/4369
proxy_dep:
image: busybox
depends_on:
elasticsearch: { condition: service_healthy }
kibana: { condition: service_healthy }
elasticsearch:
extends:
file: ../testing/environments/${TESTING_ENVIRONMENT}.yml
service: elasticsearch
kibana:
extends:
file: ../testing/environments/${TESTING_ENVIRONMENT}.yml
service: kibana


@ -0,0 +1,6 @@
[[filtering-and-enhancing-data]]
== Filter and enhance the exported data
include::../../libbeat/docs/processors.asciidoc[]
include::../../libbeat/docs/processors-using.asciidoc[]


@ -0,0 +1,7 @@
[[configuration-general-options]]
== Specify general settings
You can specify settings in the +{beatname_lc}.yml+ config file to control the
general behavior of {beatname_uc}.
include::../../libbeat/docs/generalconfig.asciidoc[]


@ -0,0 +1,31 @@
[id="configuration-{beatname_lc}"]
== Specify which modules to run
To enable specific modules you add entries to the `auditbeat.modules` list in
the +{beatname_lc}.yml+ config file. Each entry in the list begins with a dash
(-) and is followed by settings for that module.
The following example shows a configuration that runs the `auditd` and
`file_integrity` moduled.
[source,yaml]
----
auditbeat.modules:
- module: auditd
audit_rules: |
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
----
The configuration details vary by module. See the
<<{beatname_lc}-modules,module documentation>> for more detail about configuring
the available modules.


@ -0,0 +1,126 @@
[[auditbeat-breaking-changes]]
== Breaking changes in 6.2
As a general rule, we strive to keep backwards compatibility between minor
versions (e.g. 6.x to 6.y) so you can upgrade without any configuration file
changes, but there are breaking changes between the earlier beta releases and
the 6.2 GA release.
There are changes that affect both the configuration and the event schema.
[float]
=== Configuration Changes
The audit module has been renamed and is now two separate modules: the
<<auditbeat-module-auditd,auditd module>> and the
<<auditbeat-module-file_integrity,file_integrity module>>. You must update your
configuration to use these modules.
The `kernel` metricset has become the <<auditbeat-module-auditd,auditd module>>.
.Old Config
[source,yaml]
----
- module: audit
metricsets: ["kernel"]
kernel.resolve_ids: true
kernel.failure_mode: silent
kernel.backlog_limit: 8196
kernel.rate_limit: 0
kernel.include_raw_message: false
kernel.include_warnings: false
kernel.audit_rules: |
# Rules
----
.New Config
[source,yaml]
----
- module: auditd
resolve_ids: true
failure_mode: silent
backlog_limit: 8196
rate_limit: 0
include_raw_message: false
include_warnings: false
audit_rules: |
# Rules
----
The `file` metricset has become the
<<auditbeat-module-file_integrity,file_integrity module>>.
.Old Config
[source,yaml]
----
- module: audit
metricsets: [file]
file.paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
file.scan_at_start: true
file.scan_rate_per_sec: 50 MiB
file.max_file_size: 100 MiB
file.hash_types: [sha1]
----
.New Config
[source,yaml]
----
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
scan_at_start: true
scan_rate_per_sec: 50 MiB
max_file_size: 100 MiB
hash_types: [sha1]
recursive: false <1>
----
<1> `recursive` is a new option in 6.2 and is disabled by default. Set the value
to true to watch for changes in all sub-directories.
[float]
=== Event Schema Changes
Most field names were changed in 6.2. We wanted to rename the modules and use
common field names for similar data types across all the modules. The table
below provides a summary of the field changes.
In Kibana you need to <<load-kibana-dashboards,import>> the latest dashboards
that work with the new event format. The new dashboards will not work with data
produced by older versions of Auditbeat.
.Renamed Fields
[frame="topbot",options="header"]
|======================
|Old Field|New Field
|`metricset.module` |`event.module`
|`metricset.name` |_Removed_
|`audit.kernel.action` |`event.action`
|`audit.kernel.category` |`event.category`
|`audit.kernel.record_type`|`event.type`
|`audit.kernel.key` |`tags`
|`audit.kernel.actor.attrs`|`user`
|`audit.kernel.actor` |`auditd.summary.actor`
|`audit.kernel.thing` |`auditd.summary.object`
|`audit.kernel.how` |`auditd.summary.how`
|`audit.kernel.socket` |`auditd.data.socket`, `source`, `destination`
footnote:[Based on the syscall type either the `source` or `destination` may
also be populated.]
|`audit.kernel.data.*` |`process.*` footnote:[Fields related to a process
will be moved under the `process` namespace.]
|`audit.kernel.data.*` |`file.*` footnote:[Fields related to a file will be
moved under the `file` namespace.]
|`audit.kernel.data` |`auditd.data`
|`audit.file.action` |`event.action`
|`audit.file.hash` |`hash`
|`audit.file` |`file`
|======================


@ -0,0 +1,82 @@
[id="configuring-howto-{beatname_lc}"]
= Configuring {beatname_uc}
[partintro]
--
Before modifying configuration settings, make sure you've completed the
<<{beatname_lc}-configuration,configuration steps>> in the Getting Started.
This section describes some common use cases for changing configuration options.
To configure {beatname_uc}, you edit the configuration file. For rpm and deb,
youll find the configuration file at +/etc/{beatname_lc}/{beatname_lc}.yml+.
There's also a full example configuration file at
+/etc/{beatname_lc}/{beatname_lc}.reference.yml+ that shows all non-deprecated
options. For mac and win, look in the archive that you extracted.
The {beatname_uc} configuration file uses http://yaml.org/[YAML] for its syntax.
See the {libbeat}/config-file-format.html[Config File Format] section of the
_Beats Platform Reference_ for more about the structure of the config file.
The following topics describe how to configure {beatname_uc}:
* <<configuration-{beatname_lc}>>
* <<configuration-general-options>>
* <<{beatname_lc}-configuration-reloading>>
* <<configuring-internal-queue>>
* <<configuring-output>>
* <<configuration-ssl>>
* <<filtering-and-enhancing-data>>
* <<configuring-ingest-node>>
* <<configuration-path>>
* <<setup-kibana-endpoint>>
* <<configuration-dashboards>>
* <<configuration-template>>
* <<configuration-logging>>
* <<using-environ-vars>>
* <<yaml-tips>>
* <<regexp-support>>
* <<http-endpoint>>
* <<{beatname_lc}-reference-yml>>
After changing configuration settings, you need to restart {beatname_uc} to
pick up the changes.
--
include::./auditbeat-modules-config.asciidoc[]
include::./auditbeat-general-options.asciidoc[]
include::./reload-configuration.asciidoc[]
:allplatforms:
include::../../libbeat/docs/queueconfig.asciidoc[]
include::../../libbeat/docs/outputconfig.asciidoc[]
include::../../libbeat/docs/shared-ssl-config.asciidoc[]
include::./auditbeat-filtering.asciidoc[]
include::../../libbeat/docs/shared-config-ingest.asciidoc[]
include::../../libbeat/docs/shared-path-config.asciidoc[]
include::../../libbeat/docs/shared-kibana-config.asciidoc[]
include::../../libbeat/docs/setup-config.asciidoc[]
include::../../libbeat/docs/loggingconfig.asciidoc[]
:standalone:
include::../../libbeat/docs/shared-env-vars.asciidoc[]
:standalone:
:allplatforms:
include::../../libbeat/docs/yaml.asciidoc[]
include::../../libbeat/docs/regexp.asciidoc[]
include::../../libbeat/docs/http-endpoint.asciidoc[]
include::../../libbeat/docs/reference-yml.asciidoc[]


@ -0,0 +1,29 @@
[float]
[[ulimit]]
=== {beatname_uc} fails to watch folders because too many files are open?
Because of the way file monitoring is implemented on macOS, you may see a
warning similar to the following:
[source,shell]
----
eventreader_fsnotify.go:42: WARN [audit.file] Failed to watch /usr/bin: too many
open files (check the max number of open files allowed with 'ulimit -a')
----
To resolve this issue, run {beatname_uc} with the `ulimit` set to a larger
value, for example:
["source","sh",subs="attributes"]
----
sudo sh -c 'ulimit -n 8192 && ./{beatname_uc} -e
----
Or:
["source","sh",subs="attributes"]
----
sudo su
ulimit -n 8192
./{beatname_lc} -e
----


@ -0,0 +1,12 @@
[[faq]]
== Frequently asked questions
This section contains frequently asked questions about {beatname_uc}. Also check
out the
https://discuss.elastic.co/c/beats/{beatname_lc}[{beatname_uc} discussion forum].
include::./faq-ulimit.asciidoc[]
include::../../libbeat/docs/faq-limit-bandwidth.asciidoc[]
include::../../libbeat/docs/shared-faq.asciidoc[]



@ -0,0 +1,272 @@
[id="{beatname_lc}-getting-started"]
== Getting started with {beatname_uc}
include::../../libbeat/docs/shared-getting-started-intro.asciidoc[]
* <<{beatname_lc}-installation>>
* <<{beatname_lc}-configuration>>
* <<{beatname_lc}-template>>
* <<load-kibana-dashboards>>
* <<{beatname_lc}-starting>>
* <<view-kibana-dashboards>>
* <<setup-repositories>>
[id="{beatname_lc}-installation"]
=== Step 1: Install {beatname_uc}
Install {beatname_uc} on all the servers you want to monitor.
include::../../libbeat/docs/shared-download-and-install.asciidoc[]
[[deb]]
*deb:*
ifeval::["{release-state}"=="unreleased"]
Version {stack-version} of {beatname_uc} has not yet been released.
endif::[]
ifeval::["{release-state}"!="unreleased"]
["source","sh",subs="attributes"]
------------------------------------------------
curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-amd64.deb
sudo dpkg -i {beatname_lc}-{version}-amd64.deb
------------------------------------------------
endif::[]
[[rpm]]
*rpm:*
ifeval::["{release-state}"=="unreleased"]
Version {stack-version} of {beatname_uc} has not yet been released.
endif::[]
ifeval::["{release-state}"!="unreleased"]
["source","sh",subs="attributes"]
------------------------------------------------
curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-x86_64.rpm
sudo rpm -vi {beatname_lc}-{version}-x86_64.rpm
------------------------------------------------
endif::[]
[[mac]]
*mac:*
ifeval::["{release-state}"=="unreleased"]
Version {stack-version} of {beatname_uc} has not yet been released.
endif::[]
ifeval::["{release-state}"!="unreleased"]
["source","sh",subs="attributes"]
------------------------------------------------
curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-darwin-x86_64.tar.gz
tar xzvf {beatname_lc}-{version}-darwin-x86_64.tar.gz
------------------------------------------------
endif::[]
[[docker]]
*docker:*
ifeval::["{release-state}"=="unreleased"]
Version {stack-version} of {beatname_uc} has not yet been released.
endif::[]
ifeval::["{release-state}"!="unreleased"]
["source", "shell", subs="attributes"]
------------------------------------------------
docker pull {dockerimage}
------------------------------------------------
endif::[]
[[win]]
*win:*
ifeval::["{release-state}"=="unreleased"]
Version {stack-version} of {beatname_uc} has not yet been released.
endif::[]
ifeval::["{release-state}"!="unreleased"]
. Download the {beatname_uc} Windows zip file from the
https://www.elastic.co/downloads/beats/{beatname_lc}[downloads page].
. Extract the contents of the zip file into `C:\Program Files`.
. Rename the +{beatname_lc}-<version>-windows+ directory to +{beatname_uc}+.
. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon
and select *Run As Administrator*).
. From the PowerShell prompt, run the following commands to install {beatname_uc}
as a Windows service:
+
["source","sh",subs="attributes"]
----------------------------------------------------------------------
PS > cd 'C:{backslash}Program Files{backslash}{beatname_uc}'
PS C:{backslash}Program Files{backslash}{beatname_uc}> .{backslash}install-service-{beatname_lc}.ps1
----------------------------------------------------------------------
NOTE: If script execution is disabled on your system, you need to set the
execution policy for the current session to allow the script to run. For
example: +PowerShell.exe -ExecutionPolicy UnRestricted -File
.\install-service-{beatname_lc}.ps1+.
endif::[]
Before starting {beatname_uc}, you should look at the configuration options in the
configuration file, for example +C:{backslash}Program Files{backslash}{beatname_uc}{backslash}{beatname_lc}.yml+.
For more information about these options, see
<<configuring-howto-{beatname_lc}>>.
[id="{beatname_lc}-configuration"]
=== Step 2: Configure {beatname_uc}
include::../../libbeat/docs/shared-configuring.asciidoc[]
To configure {beatname_uc}:
. Define the {beatname_uc} modules that you want to enable. {beatname_uc} uses
modules to collect the audit information. For each module, specify the
metricsets that you want to collect.
+
The following example shows the `file_integrity` module configured to generate
events whenever a file in one of the specified paths changes on disk:
+
["source","sh",subs="attributes"]
-------------------------------------
auditbeat.modules:
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
-------------------------------------
+
If you accept the default configuration without specifying additional modules,
{beatname_uc} uses a configuration that's tailored to the operating system where
{beatname_uc} is running.
+
See <<configuring-howto-{beatname_lc}>> for more details about configuring modules.
include::../../libbeat/docs/step-configure-output.asciidoc[]
include::../../libbeat/docs/step-configure-kibana-endpoint.asciidoc[]
include::../../libbeat/docs/step-configure-credentials.asciidoc[]
include::../../libbeat/docs/step-test-config.asciidoc[]
include::../../libbeat/docs/step-look-at-config.asciidoc[]
[id="{beatname_lc}-template"]
=== Step 3: Load the index template in {es}
:allplatforms:
include::../../libbeat/docs/shared-template-load.asciidoc[]
[[load-kibana-dashboards]]
=== Step 4: Set up the {kib} dashboards
:allplatforms:
include::../../libbeat/docs/dashboards.asciidoc[]
[id="{beatname_lc}-starting"]
=== Step 5: Start {beatname_uc}
Run {beatname_uc} by issuing the appropriate command for your platform. If you
are accessing a secured {es} cluster, make sure you've configured credentials as
described in <<{beatname_lc}-configuration>>.
NOTE: If you use an init.d script to start {beatname_uc} on deb or rpm, you can't
specify command line flags (see <<command-line-options>>). To specify flags,
start {beatname_uc} in the foreground.
*deb:*
["source","sh",subs="attributes"]
----------------------------------------------------------------------
sudo service {beatname_lc} start
----------------------------------------------------------------------
*rpm:*
["source","sh",subs="attributes"]
----------------------------------------------------------------------
sudo service {beatname_lc} start
----------------------------------------------------------------------
*mac:*
["source","sh",subs="attributes"]
----------------------------------------------------------------------
sudo chown root {beatname_lc}.yml <1>
sudo ./{beatname_lc} -e -c {beatname_lc}.yml -d "publish"
----------------------------------------------------------------------
<1> To monitor system files, you'll be running {beatname_uc} as root, so you
need to change ownership of the configuration file, or run {beatname_uc} with
`--strict.perms=false` specified. See
{libbeat}/config-file-permissions.html[Config File Ownership and Permissions]
in the _Beats Platform Reference_.
If you see a warning about too many open files, you need to increase the
`ulimit`. See the <<ulimit,FAQ>> for more details.
*win:*
["source","sh",subs="attributes"]
----------------------------------------------------------------------
PS C:{backslash}Program Files{backslash}{beatname_uc}> Start-Service {beatname_lc}
----------------------------------------------------------------------
By default the log files are stored in +C:{backslash}ProgramData{backslash}{beatname_lc}{backslash}Logs+.
==== Test the {beatname_uc} installation
To verify that your server's statistics are present in {es}, issue the following
command:
["source","sh",subs="attributes"]
----------------------------------------------------------------------
curl -XGET 'http://localhost:9200/{beatname_lc}-*/_search?pretty'
----------------------------------------------------------------------
Make sure that you replace `localhost:9200` with the address of your {es}
instance.
On Windows, if you don't have cURL installed, simply point your browser to the
URL.
[[view-kibana-dashboards]]
=== Step 6: View the sample {kib} dashboards
To make it easier for you to start auditing the activities of users and
processes on your system, we have created example {beatname_uc} dashboards.
You loaded the dashboards earlier when you ran the `setup` command.
include::../../libbeat/docs/opendashboards.asciidoc[]
The dashboards are provided as examples. We recommend that you
{kibana-ref}/dashboard.html[customize] them to meet your needs.
[role="screenshot"]
image:./images/auditbeat-file-integrity-dashboard.png[Auditbeat File Integrity Dashboard]

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.



@ -0,0 +1,43 @@
= Auditbeat Reference
include::../../libbeat/docs/version.asciidoc[]
include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
:version: {stack-version}
:beatname_lc: auditbeat
:beatname_uc: Auditbeat
:beatname_pkg: {beatname_lc}
:github_repo_name: beats
:discuss_forum: beats/{beatname_lc}
:beat_default_index_prefix: {beatname_lc}
:has_ml_jobs: yes
include::../../libbeat/docs/shared-beats-attributes.asciidoc[]
include::./overview.asciidoc[]
include::./getting-started.asciidoc[]
include::../../libbeat/docs/repositories.asciidoc[]
include::./breaking.asciidoc[]
include::./setting-up-running.asciidoc[]
include::./configuring-howto.asciidoc[]
include::./modules.asciidoc[]
include::./fields.asciidoc[]
include::../../libbeat/docs/monitoring/monitoring-beats.asciidoc[]
include::../../libbeat/docs/shared-securing-beat.asciidoc[]
include::./troubleshooting.asciidoc[]
include::./faq.asciidoc[]
include::../../libbeat/docs/contributing-to-beats.asciidoc[]

@ -0,0 +1,15 @@
[id="{beatname_lc}-modules"]
= Modules
[partintro]
--
This section contains detailed information about the metric collecting modules
contained in {beatname_uc}. More details about each module can be found under
the links below.
//pass macro block used here to remove Edit links from modules documentation because it is generated
pass::[<?edit_url?>]
include::modules_list.asciidoc[]

@ -0,0 +1,301 @@
////
This file is generated! See scripts/docs_collector.py
////
[id="{beatname_lc}-module-auditd"]
== Auditd Module
The `auditd` module receives audit events from the Linux Audit Framework that
is a part of the Linux kernel.
This module is available only for Linux.
[float]
=== How it works
This module establishes a subscription to the kernel to receive the events
as they occur. So unlike most other modules, the `period` configuration
option is unused because it is not implemented using polling.
The Linux Audit Framework can send multiple messages for a single auditable
event. For example, a `rename` syscall causes the kernel to send eight separate
messages. Each message describes a different aspect of the activity that is
occurring (the syscall itself, file paths, current working directory, process
title). This module will combine all of the data from each of the messages
into a single event.
Messages for one event can be interleaved with messages from another event. This
module will buffer the messages in order to combine related messages into a
single event even if they arrive interleaved or out of order.
[float]
=== Useful commands
When running {beatname_uc} with the `auditd` module enabled, you might find
that other monitoring tools interfere with {beatname_uc}.
For example, you might encounter errors if another process, such as `auditd`, is
registered to receive data from the Linux Audit Framework. You can use these
commands to see if the `auditd` service is running and stop it:
* See if `auditd` is running:
+
[source,shell]
-----
service auditd status
-----
* Stop the `auditd` service:
+
[source,shell]
-----
service auditd stop
-----
* Disable `auditd` from starting on boot:
+
[source,shell]
-----
chkconfig auditd off
-----
To save CPU usage and disk space, you can use this command to stop `journald`
from listening to audit messages:
[source,shell]
-----
systemctl mask systemd-journald-audit.socket
-----
[float]
=== Inspect the kernel audit system status
{beatname_uc} provides useful commands to query the state of the audit system
in the Linux kernel.
* See the list of installed audit rules:
+
[source,shell]
-----
auditbeat show auditd-rules
-----
+
Prints the list of loaded rules, similar to `auditctl -l`:
+
[source,shell]
-----
-a never,exit -S all -F pid=26253
-a always,exit -F arch=b32 -S all -F key=32bit-abi
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access
-----
* See the status of the audit system:
+
[source,shell]
-----
auditbeat show auditd-status
-----
+
Prints the status of the kernel audit system, similar to `auditctl -s`:
+
[source,shell]
-----
enabled 1
failure 0
pid 0
rate_limit 0
backlog_limit 8192
lost 14407
backlog 0
backlog_wait_time 0
features 0xf
-----
[float]
=== Configuration options
This module has some configuration options for tuning its behavior. The
following example shows all configuration options with their default values.
[source,yaml]
----
- module: auditd
resolve_ids: true
failure_mode: silent
backlog_limit: 8192
rate_limit: 0
include_raw_message: false
include_warnings: false
backpressure_strategy: auto
----
*`socket_type`*:: This optional setting controls the type of
socket that {beatname_uc} uses to receive events from the kernel. The two
options are `unicast` and `multicast`.
+
`unicast` should be used when {beatname_uc} is the primary userspace daemon for
receiving audit events and managing the rules. Only a single process can receive
audit events through the "unicast" connection so any other daemons should be
stopped (e.g. stop `auditd`).
+
`multicast` can be used in kernel versions 3.16 and newer. By using `multicast`
{beatname_uc} will receive an audit event broadcast that is not exclusive to a
a single process. This is ideal for situations where `auditd` is running and
managing the rules. If `multicast` is specified, but the kernel version is less
than 3.16 {beatname_uc} will automatically revert to `unicast`.
+
By default {beatname_uc} will use `multicast` if the kernel version is 3.16 or
newer and no rules have been defined. Otherwise `unicast` will be used.
*`resolve_ids`*:: This boolean setting enables the resolution of UIDs and
GIDs to their associated names. The default value is true.
*`failure_mode`*:: This determines the kernel's behavior on critical
failures such as errors sending events to {beatname_uc}, the backlog limit was
exceeded, the kernel ran out of memory, or the rate limit was exceeded. The
options are `silent`, `log`, or `panic`. `silent` basically makes the kernel
ignore the errors, `log` makes the kernel write the audit messages using
`printk` so they show up in system's syslog, and `panic` causes the kernel to
panic to prevent use of the machine. {beatname_uc}'s default is `silent`.
*`backlog_limit`*:: This controls the maximum number of audit messages
that will be buffered by the kernel.
*`rate_limit`*:: This sets a rate limit on the number of messages/sec
delivered by the kernel. The default is 0, which disables rate limiting.
Changing this value to anything other than zero can cause messages to be lost.
The preferred approach to reduce the messaging rate is be more selective in the
audit ruleset.
*`include_raw_message`*:: This boolean setting causes {beatname_uc} to
include each of the raw messages that contributed to the event in the document
as a field called `messages`. The default value is false. This setting is
primarily used for development and debugging purposes.
*`include_warnings`*:: This boolean setting causes {beatname_uc} to
include as warnings any issues that were encountered while parsing the raw
messages. The default value is false. When this setting is enabled the raw
messages will be included in the event regardless of the
`include_raw_message` config setting. This setting is primarily used for
development and debugging purposes.
*`audit_rules`*:: A string containing the audit rules that should be
installed to the kernel. There should be one rule per line. Comments can be
embedded in the string using `#` as a prefix. The format for rules is the same
used by the Linux `auditctl` utility. {beatname_uc} supports adding file watches
(`-w`) and syscall rules (`-a` or `-A`).
*`audit_rule_files`*:: A list of files to load audit rules from. This files are
loaded after the rules declared in `audit_rules` are loaded. Wildcards are
supported and will expand in lexicographical order. The format is the same as
that of the `audit_rules` field.
*`backpressure_strategy`*:: Specifies the strategy that {beatname_uc} uses to
prevent backpressure from propagating to the kernel and impacting audited
processes.
+
--
The possible values are:
- `auto` (default): {beatname_uc} uses the `kernel` strategy, if supported, or
falls back to the `userspace` strategy.
- `kernel`: {beatname_uc} sets the `backlog_wait_time` in the kernel's
audit framework to 0. This causes events to be discarded in the kernel if
the audit backlog queue fills to capacity. Requires a 3.14 kernel or
newer.
- `userspace`: {beatname_uc} drops events when there is backpressure
from the publishing pipeline. If no `rate_limit` is set, {beatname_uc} sets a rate
limit of 5000. Users should test their setup and adjust the `rate_limit`
option accordingly.
- `both`: {beatname_uc} uses the `kernel` and `userspace` strategies at the same
time.
- `none`: No backpressure mitigation measures are enabled.
--
[float]
=== Audit rules
The audit rules are where you configure the activities that are audited. These
rules are configured as either syscalls or files that should be monitored. For
example you can track all `connect` syscalls or file system writes to
`/etc/passwd`.
Auditing a large number of syscalls can place a heavy load on the system so
consider carefully the rules you define and try to apply filters in the rules
themselves to be as selective as possible.
The kernel evaluates the rules in the order in which they were defined so place
the most active rules first in order to speed up evaluation.
You can assign keys to each rule for better identification of the rule that
triggered an event and easier filtering later in Elasticsearch.
Defining any audit rules in the config causes {beatname_uc} to purge all
existing audit rules prior to adding the rules specified in the config.
Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule.
["source","sh",subs="attributes"]
----
{beatname_lc}.modules:
- module: auditd
audit_rules: |
# Things that affect identity.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
# Unauthorized access attempts to files (unsuccessful).
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
----
[float]
=== Example configuration
The Auditd module supports the common configuration options that are
described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
is an example configuration:
[source,yaml]
----
auditbeat.modules:
- module: auditd
# Load audit rules from separate files. Same format as audit.rules(7).
audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
audit_rules: |
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access (warning: these can be expensive to audit).
#-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
----

@ -0,0 +1,132 @@
////
This file is generated! See scripts/docs_collector.py
////
[id="{beatname_lc}-module-file_integrity"]
== File Integrity Module
The `file_integrity` module sends events when a file is changed (created,
updated, or deleted) on disk. The events contain file metadata and hashes.
The module is implemented for Linux, macOS (Darwin), and Windows.
[float]
=== How it works
This module uses features of the operating system to monitor file changes in
realtime. When the module starts it creates a subscription with the OS to
receive notifications of changes to the specified files or directories. Upon
receiving notification of a change the module will read the file's metadata
and the compute a hash of the file's contents.
At startup this module will perform an initial scan of the configured files
and directories to generate baseline data for the monitored paths and detect
changes since the last time it was run. It uses locally persisted data in order
to only send events for new or modified files.
The operating system features that power this feature are as follows.
* Linux - `inotify` is used, and therefore the kernel must have inotify support.
Inotify was initially merged into the 2.6.13 Linux kernel.
* macOS (Darwin) - Uses the `FSEvents` API, present since macOS 10.5. This API
coalesces multiple changes to a file into a single event. {beatname_uc} translates
this coalesced changes into a meaningful sequence of actions. However,
in rare situations the reported events may have a different ordering than what
actually happened.
* Windows - `ReadDirectoryChangesW` is used.
The file integrity module should not be used to monitor paths on network file
systems.
[float]
=== Configuration options
This module has some configuration options for tuning its behavior. The
following example shows all configuration options with their default values for
Linux.
[source,yaml]
----
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
exclude_files:
- '(?i)\.sw[nop]$'
- '~$'
- '/\.git($|/)'
scan_at_start: true
scan_rate_per_sec: 50 MiB
max_file_size: 100 MiB
hash_types: [sha1]
recursive: false
----
*`paths`*:: A list of paths (directories or files) to watch. Globs are
not supported. The specified paths should exist when the metricset is started.
*`exclude_files`*:: A list of regular expressions used to filter out events
for unwanted files. The expressions are matched against the full path of every
file and directory. By default, no files are excluded. See <<regexp-support>>
for a list of supported regexp patterns. It is recommended to wrap regular
expressions in single quotation marks to avoid issues with YAML escaping
rules.
*`scan_at_start`*:: A boolean value that controls if {beatname_uc} scans
over the configured file paths at startup and send events for the files
that have been modified since the last time {beatname_uc} was running. The
default value is true.
+
This feature depends on data stored locally in `path.data` in order to determine
if a file has changed. The first time {beatname_uc} runs it will send an event
for each file it encounters.
*`scan_rate_per_sec`*:: When `scan_at_start` is enabled this sets an
average read rate defined in bytes per second for the initial scan. This
throttles the amount of CPU and I/O that {beatname_uc} consumes at startup.
The default value is "50 MiB". Setting the value to "0" disables throttling.
For convenience units can be specified as a suffix to the value. The supported
units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`, `gb`, `tib`, `tb`,
`pib`, `pb`, `eib`, and `eb`.
*`max_file_size`*:: The maximum size of a file in bytes for which
{beatname_uc} will compute hashes. Files larger than this size will not be
hashed. The default value is 100 MiB. For convenience units can be specified as
a suffix to the value. The supported units are `b` (default), `kib`, `kb`, `mib`,
`mb`, `gib`, `gb`, `tib`, `tb`, `pib`, `pb`, `eib`, and `eb`.
*`hash_types`*:: A list of hash types to compute when the file changes.
The supported hash types are `blake2b_256`, `blake2b_384`, `blake2b_512`, `md5`,
`sha1`, `sha224`, `sha256`, `sha384`, `sha512`, `sha512_224`, `sha512_256`,
`sha3_224`, `sha3_256`, `sha3_384`, `sha3_512`, and `xxh64`. The default value is `sha1`.
*`recursive`*:: By default, the watches set to the paths specified in
`paths` are not recursive. This means that only changes to the contents
of this directories are watched. If `recursive` is set to `true`, the
`file_integrity` module will watch for changes on this directories and all
their subdirectories.
[float]
=== Example configuration
The File Integrity module supports the common configuration options that are
described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
is an example configuration:
[source,yaml]
----
auditbeat.modules:
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
----

@ -0,0 +1,12 @@
////
This file is generated! See scripts/docs_collector.py
////
* <<{beatname_lc}-module-auditd,Auditd>>
* <<{beatname_lc}-module-file_integrity,File Integrity>>
--
include::modules/auditd.asciidoc[]
include::modules/file_integrity.asciidoc[]

@ -0,0 +1,13 @@
[id="{beatname_lc}-overview"]
== {beatname_uc} overview
++++
<titleabbrev>Overview</titleabbrev>
++++
{beatname_uc} is a lightweight shipper that you can install on your servers to
audit the activities of users and processes on your systems. For example, you
can use {beatname_uc} to collect and centralize audit events from the Linux
Audit Framework. You can also use {beatname_uc} to detect changes to critical
files, like binaries and configuration files, and identify potential security
policy violations.

@ -0,0 +1,47 @@
[id="{beatname_lc}-configuration-reloading"]
== Reload the configuration dynamically
beta[]
You can configure {beatname_uc} to dynamically reload configuration files when
there are changes. To do this, you specify a path
(https://golang.org/pkg/path/filepath/#Glob[glob]) to watch for module
configuration changes. When the files found by the glob change, new modules are
started/stopped according to changes in the configuration files.
To enable dynamic config reloading, you specify the `path` and `reload` options
in the main +{beatname_lc}.yml+ config file. For example:
["source","sh"]
------------------------------------------------------------------------------
auditbeat.config.modules:
path: ${path.config}/conf.d/*.yml
reload.enabled: true
reload.period: 10s
------------------------------------------------------------------------------
*`path`*:: A glob that defines the files to check for changes.
*`reload.enabled`*:: When set to `true`, enables dynamic config reload.
*`reload.period`*:: Specifies how often the files are checked for changes. Do not
set the `period` to less than 1s because the modification time of files is often
stored in seconds. Setting the `period` to less than 1s will result in
unnecessary overhead.
Each file found by the glob must contain a list of one or more module
definitions. For example:
[source,yaml]
------------------------------------------------------------------------------
- module: file_integrity
paths:
- /www/wordpress
- /www/wordpress/wp-admin
- /www/wordpress/wp-content
- /www/wordpress/wp-includes
------------------------------------------------------------------------------
NOTE: On systems with POSIX file permissions, all Beats configuration files are
subject to ownership and file permission checks. If you encounter config loading
errors related to file ownership, see {libbeat}/config-file-permissions.html.

@ -0,0 +1,15 @@
include::../../libbeat/docs/shared-docker.asciidoc[]
[float]
==== Special requirements
Under Docker, {beatname_uc} runs as a non-root user, but requires some privileged
capabilities to operate correctly. Ensure that the +AUDIT_CONTROL+ and +AUDIT_READ+
capabilities are available to the container.
It is also essential to run {beatname_uc} in the host PID namespace.
["source","sh",subs="attributes"]
----
docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host {dockerimage}
----

@ -0,0 +1,34 @@
/////
// NOTE:
// Each beat has its own setup overview to allow for the addition of content
// that is unique to each beat.
/////
[[setting-up-and-running]]
== Setting up and running {beatname_uc}
Before reading this section, see the
<<{beatname_lc}-getting-started,getting started documentation>> for basic
installation instructions to get you started.
This section includes additional information on how to set up and run
{beatname_uc}, including:
* <<directory-layout>>
* <<command-line-options>>
* <<running-on-docker>>
//MAINTAINERS: If you add a new file to this section, make sure you update the bulleted list ^^ too.
include::../../libbeat/docs/shared-directory-layout.asciidoc[]
include::../../libbeat/docs/keystore.asciidoc[]
include::../../libbeat/docs/command-reference.asciidoc[]
include::./running-on-docker.asciidoc[]
include::../../libbeat/docs/shared-shutdown.asciidoc[]

@ -0,0 +1,30 @@
[[troubleshooting]]
= Troubleshooting
[partintro]
--
If you have issues installing or running {beatname_uc}, read the
following tips:
* <<getting-help>>
* <<enable-{beatname_lc}-debugging>>
* <<faq>>
//sets block macro for getting-help.asciidoc included in next section
--
[[getting-help]]
== Get Help
include::../../libbeat/docs/getting-help.asciidoc[]
//sets block macro for debugging.asciidoc included in next section
[id="enable-{beatname_lc}-debugging"]
== Debug
include::../../libbeat/docs/debugging.asciidoc[]

@ -0,0 +1,25 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package include
import (
// Include all Auditbeat modules so that they register their
// factories with the global registry.
_ "github.com/elastic/beats/auditbeat/module/auditd"
_ "github.com/elastic/beats/auditbeat/module/file_integrity"
)

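--- a/vendor/github.com/elastic/beats/auditbeat/magefile.go
+++ b/vendor/github.com/elastic/beats/auditbeat/magefile.go
@@ -0,0 +1,271 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+// +build mage
+package main
+import (
+"context"
+"fmt"
+"regexp"
+"time"
+"github.com/magefile/mage/mg"
+"github.com/magefile/mage/sh"
+"github.com/pkg/errors"
+"github.com/elastic/beats/dev-tools/mage"
+)
+func init() {
+mage.BeatDescription = "Audit the activities of users and processes on your system."
+}
+// Build builds the Beat binary.
+func Build() error {
+return mage.Build(mage.DefaultBuildArgs())
+}
+// GolangCrossBuild build the Beat binary inside of the golang-builder.
+// Do not use directly, use crossBuild instead.
+func GolangCrossBuild() error {
+return mage.GolangCrossBuild(mage.DefaultGolangCrossBuildArgs())
+}
+// BuildGoDaemon builds the go-daemon binary (use crossBuildGoDaemon).
+func BuildGoDaemon() error {
+return mage.BuildGoDaemon()
+}
+// CrossBuild cross-builds the beat for all target platforms.
+func CrossBuild() error {
+return mage.CrossBuild()
+}
+// CrossBuildXPack cross-builds the beat with XPack for all target platforms.
+func CrossBuildXPack() error {
+return mage.CrossBuildXPack()
+}
+// CrossBuildGoDaemon cross-builds the go-daemon binary using Docker.
+func CrossBuildGoDaemon() error {
+return mage.CrossBuildGoDaemon()
+}
+// Clean cleans all generated files and build artifacts.
+func Clean() error {
+return mage.Clean()
+}
+// Package packages the Beat for distribution.
+// Use SNAPSHOT=true to build snapshots.
+// Use PLATFORMS to control the target platforms.
+func Package() {
+start := time.Now()
+defer func() { fmt.Println("package ran for", time.Since(start)) }()
+mage.UseElasticBeatPackaging()
+customizePackaging()
+mg.Deps(Update)
+mg.Deps(makeConfigTemplates, CrossBuild, CrossBuildXPack, CrossBuildGoDaemon)
+mg.SerialDeps(mage.Package, TestPackages)
+}
+// TestPackages tests the generated packages (i.e. file modes, owners, groups).
+func TestPackages() error {
+return mage.TestPackages()
+}
+// Update updates the generated files (aka make update).
+func Update() error {
+return sh.Run("make", "update")
+}
+// Fields generates a fields.yml for the Beat.
+func Fields() error {
+return mage.GenerateFieldsYAML("module")
+}
+// GoTestUnit executes the Go unit tests.
+// Use TEST_COVERAGE=true to enable code coverage profiling.
+// Use RACE_DETECTOR=true to enable the race detector.
+func GoTestUnit(ctx context.Context) error {
+return mage.GoTest(ctx, mage.DefaultGoTestUnitArgs())
+}
+// GoTestIntegration executes the Go integration tests.
+// Use TEST_COVERAGE=true to enable code coverage profiling.
+// Use RACE_DETECTOR=true to enable the race detector.
+func GoTestIntegration(ctx context.Context) error {
+return mage.GoTest(ctx, mage.DefaultGoTestIntegrationArgs())
+}
+// -----------------------------------------------------------------------------
+// Customizations specific to Auditbeat.
+// - Config files are Go templates.
+const (
+configTemplateGlob = "module/*/_meta/config*.yml.tmpl"
+shortConfigTemplate = "build/auditbeat.yml.tmpl"
+referenceConfigTemplate = "build/auditbeat.reference.yml.tmpl"
+)
+func makeConfigTemplates() error {
+configFiles, err := mage.FindFiles(configTemplateGlob)
+if err != nil {
+return errors.Wrap(err, "failed to find config templates")
+}
+var shortIn []string
+shortIn = append(shortIn, "_meta/common.p1.yml")
+shortIn = append(shortIn, configFiles...)
+shortIn = append(shortIn, "_meta/common.p2.yml")
+shortIn = append(shortIn, "../libbeat/_meta/config.yml")
+if !mage.IsUpToDate(shortConfigTemplate, shortIn...) {
+fmt.Println(">> Building", shortConfigTemplate)
+mage.MustFileConcat(shortConfigTemplate, 0600, shortIn...)
+mage.MustFindReplace(shortConfigTemplate, regexp.MustCompile("beatname"), "{{.BeatName}}")
+mage.MustFindReplace(shortConfigTemplate, regexp.MustCompile("beat-index-prefix"), "{{.BeatIndexPrefix}}")
+}
+var referenceIn []string
+referenceIn = append(referenceIn, "_meta/common.reference.yml")
+referenceIn = append(referenceIn, configFiles...)
+referenceIn = append(referenceIn, "../libbeat/_meta/config.reference.yml")
+if !mage.IsUpToDate(referenceConfigTemplate, referenceIn...) {
+fmt.Println(">> Building", referenceConfigTemplate)
+mage.MustFileConcat(referenceConfigTemplate, 0644, referenceIn...)
+mage.MustFindReplace(referenceConfigTemplate, regexp.MustCompile("beatname"), "{{.BeatName}}")
+mage.MustFindReplace(referenceConfigTemplate, regexp.MustCompile("beat-index-prefix"), "{{.BeatIndexPrefix}}")
+}
+return nil
+}
+// customizePackaging modifies the package specs to use templated config files
+// instead of the defaults.
+//
+// Customizations specific to Auditbeat:
+// - Include audit.rules.d directory in packages.
+func customizePackaging() {
+var (
+shortConfig = mage.PackageFile{
+Mode: 0600,
+Source: "{{.PackageDir}}/auditbeat.yml",
+Dep: generateShortConfig,
+Config: true,
+}
+referenceConfig = mage.PackageFile{
+Mode: 0644,
+Source: "{{.PackageDir}}/auditbeat.reference.yml",
+Dep: generateReferenceConfig,
+}
+)
+archiveRulesDir := "audit.rules.d"
+linuxPkgRulesDir := "/etc/{{.BeatName}}/audit.rules.d"
+rulesSrcDir := "module/auditd/_meta/audit.rules.d"
+sampleRules := mage.PackageFile{
+Mode: 0644,
+Source: rulesSrcDir,
+Dep: func(spec mage.PackageSpec) error {
+if spec.OS == "linux" {
+params := map[string]interface{}{
+"ArchBits": archBits,
+}
+rulesFile := spec.MustExpand(rulesSrcDir+"/sample-rules-linux-{{call .ArchBits .GOARCH}}bit.conf", params)
+if err := mage.Copy(rulesFile, spec.MustExpand("{{.PackageDir}}/audit.rules.d/sample-rules.conf.disabled")); err != nil {
+return errors.Wrap(err, "failed to copy sample rules")
+}
+}
+return nil
+},
+}
+for _, args := range mage.Packages {
+pkgType := args.Types[0]
+switch pkgType {
+case mage.TarGz, mage.Zip:
+args.Spec.ReplaceFile("{{.BeatName}}.yml", shortConfig)
+args.Spec.ReplaceFile("{{.BeatName}}.reference.yml", referenceConfig)
+case mage.Deb, mage.RPM, mage.DMG:
+args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.yml", shortConfig)
+args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.reference.yml", referenceConfig)
+default:
+panic(errors.Errorf("unhandled package type: %v", pkgType))
+}
+if args.OS == "linux" {
+rulesDest := archiveRulesDir
+if pkgType != mage.TarGz {
+rulesDest = linuxPkgRulesDir
+}
+args.Spec.Files[rulesDest] = sampleRules
+}
+}
+}
+func generateReferenceConfig(spec mage.PackageSpec) error {
+params := map[string]interface{}{
+"Reference": true,
+"ArchBits": archBits,
+}
+return spec.ExpandFile(referenceConfigTemplate,
+"{{.PackageDir}}/auditbeat.reference.yml", params)
+}
+func generateShortConfig(spec mage.PackageSpec) error {
+params := map[string]interface{}{
+"Reference": false,
+"ArchBits": archBits,
+}
+return spec.ExpandFile(shortConfigTemplate,
+"{{.PackageDir}}/auditbeat.yml", params)
+}
+// archBits returns the number of bit width of the GOARCH architecture value.
+// This function is used by the auditd module configuration templates to
+// generate architecture specific audit rules.
+func archBits(goarch string) int {
+switch goarch {
+case "386", "arm":
+return 32
+default:
+return 64
+}
+}
+// Configs generates the auditbeat.yml and auditbeat.reference.yml config files.
+// Set DEV_OS and DEV_ARCH to change the target host for the generated configs.
+// Defaults to linux/amd64.
+func Configs() {
+mg.Deps(makeConfigTemplates)
+params := map[string]interface{}{
+"GOOS": mage.EnvOr("DEV_OS", "linux"),
+"GOARCH": mage.EnvOr("DEV_ARCH", "amd64"),
+"ArchBits": archBits,
+"Reference": false,
+}
+fmt.Printf(">> Building auditbeat.yml for %v/%v\n", params["GOOS"], params["GOARCH"])
+mage.MustExpandFile(shortConfigTemplate, "auditbeat.yml", params)
+params["Reference"] = true
+fmt.Printf(">> Building auditbeat.reference.yml for %v/%v\n", params["GOOS"], params["GOARCH"])
+mage.MustExpandFile(referenceConfigTemplate, "auditbeat.reference.yml", params)
+}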
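--- a/vendor/github.com/elastic/beats/auditbeat/main.go
+++ b/vendor/github.com/elastic/beats/auditbeat/main.go
@@ -0,0 +1,37 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package main
+import (
+"os"
+"github.com/elastic/beats/auditbeat/cmd"
+// Register modules.
+_ "github.com/elastic/beats/auditbeat/module/auditd"
+_ "github.com/elastic/beats/auditbeat/module/file_integrity"
+// Register includes.
+_ "github.com/elastic/beats/auditbeat/include"
+)
+func main() {
+if err := cmd.RootCmd.Execute(); err != nil {
+os.Exit(1)
+}
+}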
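--- a/vendor/github.com/elastic/beats/auditbeat/main_test.go
+++ b/vendor/github.com/elastic/beats/auditbeat/main_test.go
@@ -0,0 +1,43 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package main
+// This file is mandatory as otherwise the auditbeat.test binary is not generated correctly.
+import (
+"flag"
+"testing"
+"github.com/elastic/beats/auditbeat/cmd"
+)
+var systemTest *bool
+func init() {
+systemTest = flag.Bool("systemTest", false, "Set to true when running system tests")
+cmd.RootCmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("systemTest"))
+cmd.RootCmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("test.coverprofile"))
+}
+// Test started when the test binary is started. Only calls main.
+func TestSystem(t *testing.T) {
+if *systemTest {
+main()
+}
+}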
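--- a/vendor/github.com/elastic/beats/auditbeat/make.bat
+++ b/vendor/github.com/elastic/beats/auditbeat/make.bat
@@ -0,0 +1,11 @@
+@echo off
+REM Windows wrapper for Mage (https://magefile.org/) that installs it
+REM to %GOPATH%\bin from the Beats vendor directory.
+REM
+REM After running this once you may invoke mage.exe directly.
+WHERE mage
+IF %ERRORLEVEL% NEQ 0 go install github.com/elastic/beats/vendor/github.com/magefile/mage
+mage %*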

@ -0,0 +1,78 @@
{
"auditd": {
"data": {
"a0": "3",
"a1": "7ffd0dc80040",
"a2": "7ffd0dc7ffd0",
"a3": "0",
"arch": "x86_64",
"exit": "5",
"socket": {
"addr": "72.83.230.100",
"family": "ipv4",
"port": "58140"
},
"syscall": "accept",
"tty": "(none)"
},
"result": "success",
"sequence": 8832,
"session": "unset",
"summary": {
"actor": {
"primary": "unset",
"secondary": "root"
},
"how": "/usr/sbin/sshd",
"object": {
"primary": "72.83.230.100",
"secondary": "58140",
"type": "socket"
}
}
},
"event": {
"action": "accepted-connection-from",
"category": "audit-rule",
"module": "auditd",
"type": "syscall"
},
"network": {
"direction": "incoming"
},
"process": {
"exe": "/usr/sbin/sshd",
"name": "sshd",
"pid": "1663",
"ppid": "1",
"title": "(sshd)"
},
"source": {
"ip": "72.83.230.100",
"port": "58140"
},
"tags": [
"net"
],
"user": {
"auid": "unset",
"egid": "0",
"euid": "0",
"fsgid": "0",
"fsuid": "0",
"gid": "0",
"name_map": {
"egid": "root",
"euid": "root",
"fsgid": "root",
"fsuid": "root",
"gid": "root",
"sgid": "root",
"suid": "root",
"uid": "root"
},
"sgid": "0",
"suid": "0",
"uid": "0"
}
}


@ -0,0 +1,14 @@
## Executions.
-a always,exit -F arch=b32 -S execve,execveat -k exec
## External access (warning: these can be expensive to audit).
-a always,exit -F arch=b32 -S accept4,bind,connect -F key=external-access
## Identity changes.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access


@ -0,0 +1,20 @@
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access (warning: these can be expensive to audit).
-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
## Identity changes.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access


@ -0,0 +1,44 @@
{{ if eq .GOOS "linux" -}}
{{ if .Reference -}}
# The auditd module collects events from the audit framework in the Linux
# kernel. You need to specify audit rules for the events that you want to audit.
{{ end -}}
- module: auditd
{{ if .Reference -}}
resolve_ids: true
failure_mode: silent
backlog_limit: 8196
rate_limit: 0
include_raw_message: false
include_warnings: false
{{ end -}}
# Load audit rules from separate files. Same format as audit.rules(7).
audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
audit_rules: |
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
{{ if eq .GOARCH "amd64" -}}
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
{{ end -}}
## Executions.
#-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S execve,execveat -k exec
## External access (warning: these can be expensive to audit).
#-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S accept,bind,connect -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
#-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
{{ end -}}


@ -0,0 +1,52 @@
{
"@timestamp": "2017-10-12T08:05:34.853Z",
"auditd": {
"data": {
"acct": "(invalid user)",
"op": "login",
"terminal": "sshd"
},
"result": "fail",
"sequence": 19955,
"session": "unset",
"summary": {
"actor": {
"primary": "unset",
"secondary": "(invalid user)"
},
"how": "/usr/sbin/sshd",
"object": {
"primary": "sshd",
"secondary": "179.38.151.221",
"type": "user-session"
}
}
},
"beat": {
"hostname": "host.example.com",
"name": "host.example.com"
},
"event": {
"action": "logged-in",
"category": "user-login",
"module": "auditd",
"type": "user_login"
},
"network": {
"direction": "incoming"
},
"process": {
"exe": "/usr/sbin/sshd",
"pid": "12635"
},
"source": {
"ip": "179.38.151.221"
},
"user": {
"auid": "unset",
"name_map": {
"uid": "root"
},
"uid": "0"
}
}


@ -0,0 +1,254 @@
== Auditd Module
The `auditd` module receives audit events from the Linux Audit Framework that
is a part of the Linux kernel.
This module is available only for Linux.
[float]
=== How it works
This module establishes a subscription to the kernel to receive the events
as they occur. So unlike most other modules, the `period` configuration
option is unused because it is not implemented using polling.
The Linux Audit Framework can send multiple messages for a single auditable
event. For example, a `rename` syscall causes the kernel to send eight separate
messages. Each message describes a different aspect of the activity that is
occurring (the syscall itself, file paths, current working directory, process
title). This module will combine all of the data from each of the messages
into a single event.
Messages for one event can be interleaved with messages from another event. This
module will buffer the messages in order to combine related messages into a
single event even if they arrive interleaved or out of order.
[float]
=== Useful commands
When running {beatname_uc} with the `auditd` module enabled, you might find
that other monitoring tools interfere with {beatname_uc}.
For example, you might encounter errors if another process, such as `auditd`, is
registered to receive data from the Linux Audit Framework. You can use these
commands to see if the `auditd` service is running and stop it:
* See if `auditd` is running:
+
[source,shell]
-----
service auditd status
-----
* Stop the `auditd` service:
+
[source,shell]
-----
service auditd stop
-----
* Disable `auditd` from starting on boot:
+
[source,shell]
-----
chkconfig auditd off
-----
To save CPU usage and disk space, you can use this command to stop `journald`
from listening to audit messages:
[source,shell]
-----
systemctl mask systemd-journald-audit.socket
-----
[float]
=== Inspect the kernel audit system status
{beatname_uc} provides useful commands to query the state of the audit system
in the Linux kernel.
* See the list of installed audit rules:
+
[source,shell]
-----
auditbeat show auditd-rules
-----
+
Prints the list of loaded rules, similar to `auditctl -l`:
+
[source,shell]
-----
-a never,exit -S all -F pid=26253
-a always,exit -F arch=b32 -S all -F key=32bit-abi
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access
-----
* See the status of the audit system:
+
[source,shell]
-----
auditbeat show auditd-status
-----
+
Prints the status of the kernel audit system, similar to `auditctl -s`:
+
[source,shell]
-----
enabled 1
failure 0
pid 0
rate_limit 0
backlog_limit 8192
lost 14407
backlog 0
backlog_wait_time 0
features 0xf
-----
[float]
=== Configuration options
This module has some configuration options for tuning its behavior. The
following example shows all configuration options with their default values.
[source,yaml]
----
- module: auditd
resolve_ids: true
failure_mode: silent
backlog_limit: 8192
rate_limit: 0
include_raw_message: false
include_warnings: false
backpressure_strategy: auto
----
*`socket_type`*:: This optional setting controls the type of
socket that {beatname_uc} uses to receive events from the kernel. The two
options are `unicast` and `multicast`.
+
`unicast` should be used when {beatname_uc} is the primary userspace daemon for
receiving audit events and managing the rules. Only a single process can receive
audit events through the "unicast" connection so any other daemons should be
stopped (e.g. stop `auditd`).
+
`multicast` can be used in kernel versions 3.16 and newer. By using `multicast`
{beatname_uc} will receive an audit event broadcast that is not exclusive to a
a single process. This is ideal for situations where `auditd` is running and
managing the rules. If `multicast` is specified, but the kernel version is less
than 3.16 {beatname_uc} will automatically revert to `unicast`.
+
By default {beatname_uc} will use `multicast` if the kernel version is 3.16 or
newer and no rules have been defined. Otherwise `unicast` will be used.
*`resolve_ids`*:: This boolean setting enables the resolution of UIDs and
GIDs to their associated names. The default value is true.
*`failure_mode`*:: This determines the kernel's behavior on critical
failures such as errors sending events to {beatname_uc}, the backlog limit was
exceeded, the kernel ran out of memory, or the rate limit was exceeded. The
options are `silent`, `log`, or `panic`. `silent` basically makes the kernel
ignore the errors, `log` makes the kernel write the audit messages using
`printk` so they show up in system's syslog, and `panic` causes the kernel to
panic to prevent use of the machine. {beatname_uc}'s default is `silent`.
*`backlog_limit`*:: This controls the maximum number of audit messages
that will be buffered by the kernel.
*`rate_limit`*:: This sets a rate limit on the number of messages/sec
delivered by the kernel. The default is 0, which disables rate limiting.
Changing this value to anything other than zero can cause messages to be lost.
The preferred approach to reduce the messaging rate is be more selective in the
audit ruleset.
*`include_raw_message`*:: This boolean setting causes {beatname_uc} to
include each of the raw messages that contributed to the event in the document
as a field called `messages`. The default value is false. This setting is
primarily used for development and debugging purposes.
*`include_warnings`*:: This boolean setting causes {beatname_uc} to
include as warnings any issues that were encountered while parsing the raw
messages. The default value is false. When this setting is enabled the raw
messages will be included in the event regardless of the
`include_raw_message` config setting. This setting is primarily used for
development and debugging purposes.
*`audit_rules`*:: A string containing the audit rules that should be
installed to the kernel. There should be one rule per line. Comments can be
embedded in the string using `#` as a prefix. The format for rules is the same
used by the Linux `auditctl` utility. {beatname_uc} supports adding file watches
(`-w`) and syscall rules (`-a` or `-A`).
*`audit_rule_files`*:: A list of files to load audit rules from. This files are
loaded after the rules declared in `audit_rules` are loaded. Wildcards are
supported and will expand in lexicographical order. The format is the same as
that of the `audit_rules` field.
*`backpressure_strategy`*:: Specifies the strategy that {beatname_uc} uses to
prevent backpressure from propagating to the kernel and impacting audited
processes.
+
--
The possible values are:
- `auto` (default): {beatname_uc} uses the `kernel` strategy, if supported, or
falls back to the `userspace` strategy.
- `kernel`: {beatname_uc} sets the `backlog_wait_time` in the kernel's
audit framework to 0. This causes events to be discarded in the kernel if
the audit backlog queue fills to capacity. Requires a 3.14 kernel or
newer.
- `userspace`: {beatname_uc} drops events when there is backpressure
from the publishing pipeline. If no `rate_limit` is set, {beatname_uc} sets a rate
limit of 5000. Users should test their setup and adjust the `rate_limit`
option accordingly.
- `both`: {beatname_uc} uses the `kernel` and `userspace` strategies at the same
time.
- `none`: No backpressure mitigation measures are enabled.
--
[float]
=== Audit rules
The audit rules are where you configure the activities that are audited. These
rules are configured as either syscalls or files that should be monitored. For
example you can track all `connect` syscalls or file system writes to
`/etc/passwd`.
Auditing a large number of syscalls can place a heavy load on the system so
consider carefully the rules you define and try to apply filters in the rules
themselves to be as selective as possible.
The kernel evaluates the rules in the order in which they were defined so place
the most active rules first in order to speed up evaluation.
You can assign keys to each rule for better identification of the rule that
triggered an event and easier filtering later in Elasticsearch.
Defining any audit rules in the config causes {beatname_uc} to purge all
existing audit rules prior to adding the rules specified in the config.
Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule.
["source","sh",subs="attributes"]
----
{beatname_lc}.modules:
- module: auditd
audit_rules: |
# Things that affect identity.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
# Unauthorized access attempts to files (unsuccessful).
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
----


@ -0,0 +1,102 @@
{
"auditd": {
"data": {
"a0": "10812c8",
"a1": "1070208",
"a2": "1152008",
"a3": "59a",
"arch": "x86_64",
"argc": "2",
"exit": "0",
"syscall": "execve",
"tty": "pts0"
},
"paths": [
{
"dev": "08:01",
"inode": "155",
"item": "0",
"mode": "0100755",
"name": "/bin/uname",
"nametype": "NORMAL",
"ogid": "0",
"ouid": "0",
"rdev": "00:00"
},
{
"dev": "08:01",
"inode": "1923",
"item": "1",
"mode": "0100755",
"name": "/lib64/ld-linux-x86-64.so.2",
"nametype": "NORMAL",
"ogid": "0",
"ouid": "0",
"rdev": "00:00"
}
],
"result": "success",
"sequence": 8972,
"session": "11",
"summary": {
"actor": {
"primary": "ubuntu",
"secondary": "ubuntu"
},
"how": "/bin/uname",
"object": {
"primary": "/bin/uname",
"type": "file"
}
}
},
"event": {
"action": "executed",
"category": "audit-rule",
"module": "auditd",
"type": "syscall"
},
"file": {
"device": "00:00",
"gid": "0",
"group": "root",
"inode": "155",
"mode": "0755",
"owner": "root",
"path": "/bin/uname",
"uid": "0"
},
"process": {
"args": [
"uname",
"-a"
],
"cwd": "/home/andrew_kroh",
"exe": "/bin/uname",
"name": "uname",
"pid": "10043",
"ppid": "10027",
"title": "uname -a"
},
"tags": [
"user_commands"
],
"user": {
"auid": "1001",
"egid": "1002",
"euid": "1001",
"fsgid": "1002",
"fsuid": "1001",
"gid": "1002",
"name_map": {
"auid": "ubuntu",
"euid": "ubuntu",
"fsuid": "ubuntu",
"suid": "ubuntu",
"uid": "ubuntu"
},
"sgid": "1002",
"suid": "1001",
"uid": "1001"
}
}


@ -0,0 +1,919 @@
- key: auditd
title: Auditd
description: These are the fields generated by the auditd module.
fields:
- name: event
type: group
fields:
- name: category
type: keyword
example: audit-rule
description: >
The event's category is a value derived from the `record_type`.
- name: type
type: keyword
description: The audit record's type.
- name: user
type: group
fields:
- name: auid
type: keyword
description: login user ID
- name: uid
type: keyword
description: user ID
- name: euid
type: keyword
description: effective user ID
- name: fsuid
type: keyword
description: file system user ID
- name: suid
type: keyword
description: sent user ID
- name: gid
type: keyword
description: group ID
- name: egid
type: keyword
description: effective group ID
- name: sgid
type: keyword
description: set group ID
- name: fsgid
type: keyword
description: file system group ID
- name: name_map
type: group
description: >
If `resolve_ids` is set to true in the configuration then `name_map`
will contain a mapping of uid field names to the resolved name
(e.g. auid -> root).
fields:
- name: auid
type: keyword
description: login user name
- name: uid
type: keyword
description: user name
- name: euid
type: keyword
description: effective user name
- name: fsuid
type: keyword
description: file system user name
- name: suid
type: keyword
description: sent user name
- name: gid
type: keyword
description: group name
- name: egid
type: keyword
description: effective group name
- name: sgid
type: keyword
description: set group name
- name: fsgid
type: keyword
description: file system group name
- name: selinux
type: group
description: The SELinux identity of the actor.
fields:
- name: user
type: keyword
description: account submitted for authentication
- name: role
type: keyword
description: user's SELinux role
- name: domain
type: keyword
description: The actor's SELinux domain or type.
- name: level
type: keyword
example: s0
description: The actor's SELinux level.
- name: category
type: keyword
description: The actor's SELinux category or compartments.
- name: process
type: group
description: Process attributes.
fields:
- name: pid
type: keyword
description: Process ID.
- name: ppid
type: keyword
description: Parent process ID.
- name: name
type: keyword
description: Process name (comm).
- name: title
type: keyword
description: Process title or command line parameters (proctitle).
- name: exe
type: keyword
description: Absolute path of the executable.
- name: cwd
type: keyword
description: The current working directory.
- name: args
type: keyword
description: The process arguments as a list.
- name: source
type: group
description: Source that triggered the event.
fields:
- name: ip
type: ip
description: The remote address.
- name: port
type: keyword
description: The port number.
- name: hostname
type: keyword
description: Hostname of the source.
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: destination
type: group
description: Destination address that triggered the event.
fields:
- name: ip
type: ip
description: The remote address.
- name: port
type: keyword
description: The port number.
- name: hostname
type: keyword
description: Hostname of the source.
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: network.direction
type: keyword
description: Direction of the network traffic (`incoming` or `outgoing`).
- name: auditd
type: group
fields:
- name: sequence
type: long
description: >
The sequence number of the event as assigned by the kernel. Sequence
numbers are stored as a uint32 in the kernel and can rollover.
- name: session
type: keyword
description: >
The session ID assigned to a login. All events related to a login
session will have the same value.
- name: result
type: keyword
example: success or fail
description: The result of the audited operation (success/fail).
- name: summary
type: group
fields:
- name: actor
type: group
description: The actor is the user that triggered the audit event.
fields:
- name: primary
type: keyword
description: >
The primary identity of the actor. This is the actor's original login
ID. It will not change even if the user changes to another account.
- name: secondary
type: keyword
description: The secondary identity of the actor. This is typically
the same as the primary, except for when the user has used `su`.
- name: object
type: group
description: >
This is the thing or object being acted upon in the event.
fields:
- name: type
type: keyword
description: >
A description of the what the "thing" is (e.g. file, socket,
user-session).
- name: primary
type: keyword
description: ""
- name: secondary
type: keyword
description: ""
- name: how
type: keyword
description: >
This describes how the action was performed. Usually this is the exe
or command that was being executed that triggered the event.
- name: paths
type: group
description: List of paths associated with the event.
fields:
- name: inode
type: keyword
description: inode number
- name: dev
type: keyword
description: device name as found in /dev
- name: obj_user
type: keyword
description: ""
- name: obj_role
type: keyword
description: ""
- name: obj_domain
type: keyword
description: ""
- name: obj_level
type: keyword
description: ""
- name: objtype
type: keyword
description: ""
- name: ouid
type: keyword
description: file owner user ID
- name: rdev
type: keyword
description: the device identifier (special files only)
- name: nametype
type: keyword
description: kind of file operation being referenced
- name: ogid
type: keyword
description: file owner group ID
- name: item
type: keyword
description: which item is being recorded
- name: mode
type: keyword
description: mode flags on a file
- name: name
type: keyword
description: file name in avcs
- name: data
type: group
description: The data from the audit messages.
fields:
- name: action
type: keyword
description: netfilter packet disposition
- name: minor
type: keyword
description: device minor number
- name: acct
type: keyword
description: a user's account name
- name: addr
type: keyword
description: the remote address that the user is connecting from
- name: cipher
type: keyword
description: name of crypto cipher selected
- name: id
type: keyword
description: during account changes
- name: entries
type: keyword
description: number of entries in the netfilter table
- name: kind
type: keyword
description: server or client in crypto operation
- name: ksize
type: keyword
description: key size for crypto operation
- name: spid
type: keyword
description: sent process ID
- name: arch
type: keyword
description: the elf architecture flags
- name: argc
type: keyword
description: the number of arguments to an execve syscall
- name: major
type: keyword
description: device major number
- name: unit
type: keyword
description: systemd unit
- name: table
type: keyword
description: netfilter table name
- name: terminal
type: keyword
description: terminal name the user is running programs on
- name: grantors
type: keyword
description: pam modules approving the action
- name: direction
type: keyword
description: direction of crypto operation
- name: op
type: keyword
description: the operation being performed that is audited
- name: tty
type: keyword
description: tty udevice the user is running programs on
- name: syscall
type: keyword
description: syscall number in effect when the event occurred
- name: data
type: keyword
description: TTY text
- name: family
type: keyword
description: netfilter protocol
- name: mac
type: keyword
description: crypto MAC algorithm selected
- name: pfs
type: keyword
description: perfect forward secrecy method
- name: items
type: keyword
description: the number of path records in the event
- name: a0
type: keyword
description: ""
- name: a1
type: keyword
description: ""
- name: a2
type: keyword
description: ""
- name: a3
type: keyword
description: ""
- name: hostname
type: keyword
description: the hostname that the user is connecting from
- name: lport
type: keyword
description: local network port
- name: rport
type: keyword
description: remote port number
- name: exit
type: keyword
description: syscall exit code
- name: fp
type: keyword
description: crypto key finger print
- name: laddr
type: keyword
description: local network address
- name: sport
type: keyword
description: local port number
- name: capability
type: keyword
description: posix capabilities
- name: nargs
type: keyword
description: the number of arguments to a socket call
- name: new-enabled
type: keyword
description: new TTY audit enabled setting
- name: audit_backlog_limit
type: keyword
description: audit system's backlog queue size
- name: dir
type: keyword
description: directory name
- name: cap_pe
type: keyword
description: process effective capability map
- name: model
type: keyword
description: security model being used for virt
- name: new_pp
type: keyword
description: new process permitted capability map
- name: old-enabled
type: keyword
description: present TTY audit enabled setting
- name: oauid
type: keyword
description: object's login user ID
- name: old
type: keyword
description: old value
- name: banners
type: keyword
description: banners used on printed page
- name: feature
type: keyword
description: kernel feature being changed
- name: vm-ctx
type: keyword
description: the vm's context string
- name: opid
type: keyword
description: object's process ID
- name: seperms
type: keyword
description: SELinux permissions being used
- name: seresult
type: keyword
description: SELinux AVC decision granted/denied
- name: new-rng
type: keyword
description: device name of rng being added from a vm
- name: old-net
type: keyword
description: present MAC address assigned to vm
- name: sigev_signo
type: keyword
description: signal number
- name: ino
type: keyword
description: inode number
- name: old_enforcing
type: keyword
description: old MAC enforcement status
- name: old-vcpu
type: keyword
description: present number of CPU cores
- name: range
type: keyword
description: user's SE Linux range
- name: res
type: keyword
description: result of the audited operation(success/fail)
- name: added
type: keyword
description: number of new files detected
- name: fam
type: keyword
description: socket address family
- name: nlnk-pid
type: keyword
description: pid of netlink packet sender
- name: subj
type: keyword
description: lspp subject's context string
- name: a[0-3]
type: keyword
description: the arguments to a syscall
- name: cgroup
type: keyword
description: path to cgroup in sysfs
- name: kernel
type: keyword
description: kernel's version number
- name: ocomm
type: keyword
description: object's command line name
- name: new-net
type: keyword
description: MAC address being assigned to vm
- name: permissive
type: keyword
description: SELinux is in permissive mode
- name: class
type: keyword
description: resource class assigned to vm
- name: compat
type: keyword
description: is_compat_task result
- name: fi
type: keyword
description: file assigned inherited capability map
- name: changed
type: keyword
description: number of changed files
- name: msg
type: keyword
description: the payload of the audit record
- name: dport
type: keyword
description: remote port number
- name: new-seuser
type: keyword
description: new SELinux user
- name: invalid_context
type: keyword
description: SELinux context
- name: dmac
type: keyword
description: remote MAC address
- name: ipx-net
type: keyword
description: IPX network number
- name: iuid
type: keyword
description: ipc object's user ID
- name: macproto
type: keyword
description: ethernet packet type ID field
- name: obj
type: keyword
description: lspp object context string
- name: ipid
type: keyword
description: IP datagram fragment identifier
- name: new-fs
type: keyword
description: file system being added to vm
- name: vm-pid
type: keyword
description: vm's process ID
- name: cap_pi
type: keyword
description: process inherited capability map
- name: old-auid
type: keyword
description: previous auid value
- name: oses
type: keyword
description: object's session ID
- name: fd
type: keyword
description: file descriptor number
- name: igid
type: keyword
description: ipc object's group ID
- name: new-disk
type: keyword
description: disk being added to vm
- name: parent
type: keyword
description: the inode number of the parent file
- name: len
type: keyword
description: length
- name: oflag
type: keyword
description: open syscall flags
- name: uuid
type: keyword
description: a UUID
- name: code
type: keyword
description: seccomp action code
- name: nlnk-grp
type: keyword
description: netlink group number
- name: cap_fp
type: keyword
description: file permitted capability map
- name: new-mem
type: keyword
description: new amount of memory in KB
- name: seperm
type: keyword
description: SELinux permission being decided on
- name: enforcing
type: keyword
description: new MAC enforcement status
- name: new-chardev
type: keyword
description: new character device being assigned to vm
- name: old-rng
type: keyword
description: device name of rng being removed from a vm
- name: outif
type: keyword
description: out interface number
- name: cmd
type: keyword
description: command being executed
- name: hook
type: keyword
description: netfilter hook that packet came from
- name: new-level
type: keyword
description: new run level
- name: sauid
type: keyword
description: sent login user ID
- name: sig
type: keyword
description: signal number
- name: audit_backlog_wait_time
type: keyword
description: audit system's backlog wait time
- name: printer
type: keyword
description: printer name
- name: old-mem
type: keyword
description: present amount of memory in KB
- name: perm
type: keyword
description: the file permission being used
- name: old_pi
type: keyword
description: old process inherited capability map
- name: state
type: keyword
description: audit daemon configuration resulting state
- name: format
type: keyword
description: audit log's format
- name: new_gid
type: keyword
description: new group ID being assigned
- name: tcontext
type: keyword
description: the target's or object's context string
- name: maj
type: keyword
description: device major number
- name: watch
type: keyword
description: file name in a watch record
- name: device
type: keyword
description: device name
- name: grp
type: keyword
description: group name
- name: bool
type: keyword
description: name of SELinux boolean
- name: icmp_type
type: keyword
description: type of icmp message
- name: new_lock
type: keyword
description: new value of feature lock
- name: old_prom
type: keyword
description: network promiscuity flag
- name: acl
type: keyword
description: access mode of resource assigned to vm
- name: ip
type: keyword
description: network address of a printer
- name: new_pi
type: keyword
description: new process inherited capability map
- name: default-context
type: keyword
description: default MAC context
- name: inode_gid
type: keyword
description: group ID of the inode's owner
- name: new-log_passwd
type: keyword
description: new value for TTY password logging
- name: new_pe
type: keyword
description: new process effective capability map
- name: selected-context
type: keyword
description: new MAC context assigned to session
- name: cap_fver
type: keyword
description: file system capabilities version number
- name: file
type: keyword
description: file name
- name: net
type: keyword
description: network MAC address
- name: virt
type: keyword
description: kind of virtualization being referenced
- name: cap_pp
type: keyword
description: process permitted capability map
- name: old-range
type: keyword
description: present SELinux range
- name: resrc
type: keyword
description: resource being assigned
- name: new-range
type: keyword
description: new SELinux range
- name: obj_gid
type: keyword
description: group ID of object
- name: proto
type: keyword
description: network protocol
- name: old-disk
type: keyword
description: disk being removed from vm
- name: audit_failure
type: keyword
description: audit system's failure mode
- name: inif
type: keyword
description: in interface number
- name: vm
type: keyword
description: virtual machine name
- name: flags
type: keyword
description: mmap syscall flags
- name: nlnk-fam
type: keyword
description: netlink protocol number
- name: old-fs
type: keyword
description: file system being removed from vm
- name: old-ses
type: keyword
description: previous ses value
- name: seqno
type: keyword
description: sequence number
- name: fver
type: keyword
description: file system capabilities version number
- name: qbytes
type: keyword
description: ipc objects quantity of bytes
- name: seuser
type: keyword
description: user's SE Linux user acct
- name: cap_fe
type: keyword
description: file assigned effective capability map
- name: new-vcpu
type: keyword
description: new number of CPU cores
- name: old-level
type: keyword
description: old run level
- name: old_pp
type: keyword
description: old process permitted capability map
- name: daddr
type: keyword
description: remote IP address
- name: old-role
type: keyword
description: present SELinux role
- name: ioctlcmd
type: keyword
description: The request argument to the ioctl syscall
- name: smac
type: keyword
description: local MAC address
- name: apparmor
type: keyword
description: apparmor event information
- name: fe
type: keyword
description: file assigned effective capability map
- name: perm_mask
type: keyword
description: file permission mask that triggered a watch event
- name: ses
type: keyword
description: login session ID
- name: cap_fi
type: keyword
description: file inherited capability map
- name: obj_uid
type: keyword
description: user ID of object
- name: reason
type: keyword
description: text string denoting a reason for the action
- name: list
type: keyword
description: the audit system's filter list number
- name: old_lock
type: keyword
description: present value of feature lock
- name: bus
type: keyword
description: name of subsystem bus a vm resource belongs to
- name: old_pe
type: keyword
description: old process effective capability map
- name: new-role
type: keyword
description: new SELinux role
- name: prom
type: keyword
description: network promiscuity flag
- name: uri
type: keyword
description: URI pointing to a printer
- name: audit_enabled
type: keyword
description: audit systems's enable/disable status
- name: old-log_passwd
type: keyword
description: present value for TTY password logging
- name: old-seuser
type: keyword
description: present SELinux user
- name: per
type: keyword
description: linux personality
- name: scontext
type: keyword
description: the subject's context string
- name: tclass
type: keyword
description: target's object classification
- name: ver
type: keyword
description: audit daemon's version number
- name: new
type: keyword
description: value being set in feature
- name: val
type: keyword
description: generic value associated with the operation
- name: img-ctx
type: keyword
description: the vm's disk image context string
- name: old-chardev
type: keyword
description: present character device assigned to vm
- name: old_val
type: keyword
description: current value of SELinux boolean
- name: success
type: keyword
description: whether the syscall was successful or not
- name: inode_uid
type: keyword
description: user ID of the inode's owner
- name: removed
type: keyword
description: number of deleted files
- name: socket
type: group
fields:
- name: port
type: keyword
description: The port number.
- name: saddr
type: keyword
description: The raw socket address structure.
- name: addr
type: keyword
description: The remote address.
- name: family
type: keyword
example: unix
description: The socket family (unix, ipv4, ipv6, netlink).
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: messages
type: text
description: >
An ordered list of the raw messages received from the kernel that
were used to construct this document. This field is present if an error
occurred processing the data or if `include_raw_message` is set
in the config.
- name: warnings
type: keyword
description: >
The warnings generated by the Beat during the construction of the event.
These are disabled by default and are used for development and debug
purposes only.
- name: geoip
type: group
description: >
The geoip fields are defined as a convenience in case you decide to
enrich the data using a geoip filter in Logstash or Ingest Node.
fields:
- name: continent_name
type: keyword
description: >
The name of the continent.
- name: city_name
type: keyword
description: >
The name of the city.
- name: region_name
type: keyword
description: >
The name of the region.
- name: country_iso_code
type: keyword
description: >
Country ISO code.
- name: location
type: geo_point
description: >
The longitude and latitude.


@ -0,0 +1,13 @@
{
"hits": 0,
"timeRestore": false,
"description": "",
"title": "[Auditbeat Auditd] Executions",
"uiStateJSON": "{}",
"panelsJSON": "[{\"col\":1,\"id\":\"2efac370-c1ca-11e7-8995-936807a28b16\",\"panelIndex\":1,\"row\":1,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":5,\"id\":\"20a8e8d0-c1c8-11e7-8995-936807a28b16\",\"panelIndex\":2,\"row\":1,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"beat.hostname\",\"process.args\",\"auditd.summary.actor.primary\",\"auditd.summary.actor.secondary\",\"process.exe\"],\"id\":\"d382f5b0-c1c6-11e7-8995-936807a28b16\",\"panelIndex\":4,\"row\":5,\"size_x\":12,\"size_y\":5,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"size_x\":4,\"size_y\":4,\"panelIndex\":5,\"type\":\"visualization\",\"id\":\"AWECQyrvI1bE2ipp1pSa\",\"col\":9,\"row\":1}]",
"optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}"
}
}


@ -0,0 +1,13 @@
{
"hits": 0,
"timeRestore": false,
"description": "Summary of socket related syscall events.",
"title": "[Auditbeat Auditd] Sockets",
"uiStateJSON": "{\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-4\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}",
"panelsJSON": "[{\"col\":1,\"id\":\"b21e0c70-c252-11e7-8692-232bd1143e8a\",\"panelIndex\":1,\"row\":1,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"faf882f0-c242-11e7-8692-232bd1143e8a\",\"panelIndex\":3,\"row\":4,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"ea483730-c246-11e7-8692-232bd1143e8a\",\"panelIndex\":4,\"row\":7,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"ceb91de0-c250-11e7-8692-232bd1143e8a\",\"panelIndex\":5,\"row\":7,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"AWECSCC-I1bE2ipp1pZj\",\"panelIndex\":6,\"row\":4,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"}]",
"optionsJSON": "{\"darkTheme\":false}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}"
}
}


@ -0,0 +1,13 @@
{
"hits": 0,
"timeRestore": false,
"description": "Summary of Linux kernel audit events.",
"title": "[Auditbeat Auditd] Overview",
"uiStateJSON": "{}",
"panelsJSON": "[{\"col\":1,\"id\":\"97680df0-c1c0-11e7-8995-936807a28b16\",\"panelIndex\":1,\"row\":1,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"08679220-c25a-11e7-8692-232bd1143e8a\",\"panelIndex\":2,\"row\":1,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"beat.hostname\",\"auditd.summary.actor.primary\",\"auditd.summary.actor.secondary\",\"event.action\",\"auditd.summary.object.type\",\"auditd.summary.object.primary\",\"auditd.summary.object.secondary\",\"auditd.summary.how\",\"auditd.result\"],\"id\":\"0f10c430-c1c3-11e7-8995-936807a28b16\",\"panelIndex\":3,\"row\":5,\"size_x\":12,\"size_y\":6,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"}]",
"optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}"
}
}


@ -0,0 +1,24 @@
{
"sort": [
"@timestamp",
"desc"
],
"hits": 0,
"description": "",
"title": "Audit Event Table [Auditbeat Auditd]",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"highlightAll\": true,\n \"version\": true,\n \"filter\": [\n {\n \"meta\": {\n \"negate\": false,\n \"index\": \"auditbeat-*\",\n \"type\": \"phrase\",\n \"key\": \"event.module\",\n \"value\": \"auditd\",\n \"params\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n },\n \"disabled\": false,\n \"alias\": null\n },\n \"query\": {\n \"match\": {\n \"event.module\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n }\n ]\n}"
},
"columns": [
"beat.hostname",
"auditd.summary.actor.primary",
"auditd.summary.actor.secondary",
"event.action",
"auditd.summary.object.type",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.summary.how",
"auditd.result"
]
}


@ -0,0 +1,22 @@
{
"sort": [
"@timestamp",
"desc"
],
"hits": 0,
"description": "",
"title": "Socket Connects [Auditbeat Auditd]",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"highlightAll\": true,\n \"version\": true,\n \"filter\": [\n {\n \"$state\": {\n \"store\": \"appState\"\n },\n \"meta\": {\n \"alias\": null,\n \"disabled\": false,\n \"index\": \"auditbeat-*\",\n \"key\": \"event.module\",\n \"negate\": false,\n \"params\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n },\n \"type\": \"phrase\",\n \"value\": \"auditd\"\n },\n \"query\": {\n \"match\": {\n \"event.module\": {\n \"query\": \"auditd\",\n \"type\": \"phrase\"\n }\n }\n }\n },\n {\n \"meta\": {\n \"negate\": false,\n \"index\": \"auditbeat-*\",\n \"type\": \"phrase\",\n \"key\": \"event.action\",\n \"value\": \"connected-to\",\n \"params\": {\n \"query\": \"connected-to\",\n \"type\": \"phrase\"\n },\n \"disabled\": false,\n \"alias\": null\n },\n \"query\": {\n \"match\": {\n \"event.action\": {\n \"query\": \"connected-to\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n },\n {\n \"meta\": {\n \"index\": \"auditbeat-*\",\n \"negate\": false,\n \"disabled\": false,\n \"alias\": null,\n \"type\": \"exists\",\n \"key\": \"auditd.summary.object.primary\",\n \"value\": \"exists\"\n },\n \"exists\": {\n \"field\": \"auditd.summary.object.primary\"\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n }\n ]\n}"
},
"columns": [
"beat.hostname",
"auditd.summary.how",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.data.socket.family",
"auditd.result",
"auditd.data.exit"
]
}
