[Filebeat] Add module for Kibana audit logs #22696
Is this something we should log from Kibana instead?
If we want to update to a later version of ECS that should be controlled by Kibana, not the Filebeat module.
Good question; I think this would make sense for Kibana to log instead of Filebeat. I copied this over from the ES config, but it probably doesn't make sense for us to follow suit here.
Cool, I'll create a PR to log that in Kibana: elastic/kibana#85390
I came across this when testing. It appears that Filebeat is expecting that it'll set an explicit version itself: `beats/filebeat/tests/system/test_modules.py`, line 104 in 4dd8061
I worked around this, but I don't know if that's "ok" or not 😕
I'm a bit worried about picking fields within `kibana` manually since it's supposed to be possible for plugin developers to add whatever fields they need, and I would expect that to be ingested using the Filebeat module. https:/elastic/kibana/blob/master/x-pack/plugins/security/server/audit/audit_events.ts#L50-L53
I'm torn on this too. On one hand, it would be great if this module "just worked" whenever a new field was added. On the other hand, unknown fields will be dynamically mapped, which might not be what we want. @P1llus are there recommendations on how filesets should handle dynamic fields? Should we accept them so they are mapped dynamically, or should we attempt to keep the mapping in sync with changes in Kibana going forward?
The general way we approach it is ensuring that all fields coming from Filebeat modules are appended under `modulename.filesetname.*`. I usually copy the whole event under the correct field root first (in this case `kibana.audit`), then rename the ones that are moved to ECS while keeping the rest under `kibana.audit`.

In terms of dynamic mapping, I would recommend mapping as many fields as possible; however, if you know that there are certain fields with complex or ever-changing field names, you can apply the `flattened` type to the top field for that use case. Please don't set the root field `kibana.audit` as flattened, though; you could also have a specific field if you want, in which you put all custom data. Hope that makes sense @legrego @thomheymann
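The fileset layout described in the comment above (decode the whole audit event under `kibana.audit`, then rename only the ECS fields out of it, and flatten a single sub-field rather than the root), as an added example that is not this PR's pipeline or fields.yml. The audit event shape (`event.action`, `event.outcome`, `user.name`, `trace.id`, `kibana.space_id`) and the `kibana.audit.custom` sub-field are assumptions for illustration.

```yaml
# Added illustration, not files from this PR. Assumed: every log line is one
# JSON audit event with ECS-style fields plus a Kibana-specific kibana.space_id.
---
# ingest/pipeline.yml
description: Example pipeline for Kibana audit logs
processors:
  # Step 1: decode the raw line under the fileset root so no field is dropped.
  - json:
      field: message
      target_field: kibana.audit
  # Step 2: move fields that are already ECS out of kibana.audit. Leaf-level
  # renames avoid clobbering event.dataset/event.module that Filebeat sets.
  - rename:
      field: kibana.audit.event.action
      target_field: event.action
      ignore_missing: true
  - rename:
      field: kibana.audit.event.outcome
      target_field: event.outcome
      ignore_missing: true
  - rename:
      field: kibana.audit.user.name
      target_field: user.name
      ignore_missing: true
  - rename:
      field: kibana.audit.trace.id
      target_field: trace.id
      ignore_missing: true
  # Kibana-specific fields are lifted to kibana.* (assumed source path).
  - rename:
      field: kibana.audit.kibana.space_id
      target_field: kibana.space_id
      ignore_missing: true
  # The decoded copy is now authoritative; drop the raw line.
  - remove:
      field: message
      ignore_missing: true
---
# _meta/fields.yml fragment for the fileset: known fields are mapped
# explicitly; only the assumed free-form sub-field is flattened, never the
# kibana.audit root itself.
- name: audit
  type: group
  fields:
    - name: custom
      type: flattened
      description: Assumed sub-field holding plugin-supplied custom data.
```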
I am not a fan of changing the JSON structure from what's logged since it is already in the format that we want and it would be super confusing for users otherwise.
I'm starting to think that it then might be better to restrict the ECS schema in Kibana so that only known fields are allowed to be logged which we can map manually in the Filebeat pipeline.
Is there a way of defining this pipeline using an npm module in the Kibana repository or can we publish a Go module from within Kibana? I'm a bit worried about these things being dislocated and going out of sync. (Developers adding fields without updating Filebeat pipeline)
++ I think this is the safest approach for now too, until we get to the point where we actually require dynamic fields that can't be known ahead of time.
I wonder if there's something we could do within Kibana to enforce this. If we had the audit logger run alongside the functional test suites, we could inspect it to ensure that it's not capturing anything unexpected.
If it wouldn't be so expensive to do, we could do a runtime enforcement, but I don't think that's worth the overhead at this point.
I've typed the `kibana` namespace in elastic/kibana#85451