-
Notifications
You must be signed in to change notification settings - Fork 4.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
Audit messages may contain spaces when the value is quoted, so let the kv processor know how to deal with this case. (cherry picked from commit f5054f7) Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
- Loading branch information
1 parent
6c31bf8
commit 6400b56
Showing
4 changed files
with
36 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| type=ANOM_ABEND msg=audit(1605431420.026:123): auid=12345 uid=123 gid=123 ses=123456789 pid=1234 comm="extproc" reason="memory violation" sig=6 |
32 changes: 32 additions & 0 deletions
32
filebeat/module/auditd/log/test/audit-rhel7_2.log-expected.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| [ | ||
| { | ||
| "@timestamp": "2020-11-15T09:10:20.026Z", | ||
| "auditd.log.reason": "memory violation", | ||
| "auditd.log.record_type": "ANOM_ABEND", | ||
| "auditd.log.sequence": 123, | ||
| "auditd.log.ses": "123456789", | ||
| "auditd.log.sig": "6", | ||
| "event.action": [ | ||
| "crashed-program" | ||
| ], | ||
| "event.category": [ | ||
| "process" | ||
| ], | ||
| "event.dataset": "auditd.log", | ||
| "event.kind": "event", | ||
| "event.module": "auditd", | ||
| "event.original": "type=ANOM_ABEND msg=audit(1605431420.026:123): auid=12345 uid=123 gid=123 ses=123456789 pid=1234 comm=\"extproc\" reason=\"memory violation\" sig=6", | ||
| "event.type": [ | ||
| "end" | ||
| ], | ||
| "fileset.name": "log", | ||
| "input.type": "log", | ||
| "log.offset": 0, | ||
| "process.name": "extproc", | ||
| "process.pid": 1234, | ||
| "service.type": "auditd", | ||
| "user.audit.id": "12345", | ||
| "user.group.id": "123", | ||
| "user.id": "123" | ||
| } | ||
| ] |