From 04dcba4143a7dbcf2359c9e802e92c300855e2a3 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Thu, 19 May 2022 16:38:28 +0930
Subject: [PATCH] x-pack/filebeat/module/rabbitmq: add handling of authentication data
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/rabbitmq/log/ingest/pipeline.yml | 48 +++++++++++++++++++
 .../module/rabbitmq/log/test/test.log | 1 +
 .../rabbitmq/log/test/test.log-expected.json | 45 ++++++++++++++++-
 4 files changed, 93 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index b29fb180c44..22168ec5ff7 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -117,6 +117,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Default value of `filebeat.registry.flush` increased from 0s to 1s. CPU and disk I/O usage are reduced because the registry is not written to disk for each ingested log line. {issue}30279[30279]
 - Cisco ASA/FTD: Add support for messages 434001 and 434003. {pull}31533[31533]
 - Change threatintel module from beta to GA. {pull}31693[31693]
+- Add authentication fields to RabbitMQ module documents. {issue}31159[31159] {pull}31680[31680]
 *Auditbeat*
diff --git a/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml b/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml
index e69402c6a95..9a3d30b7a41 100644
--- a/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml
@@ -13,6 +13,54 @@ processors:
 - "%{DATESTAMP:timestamp} \\[%{WORD:log.level}\\] %{ERL_PID:rabbitmq.log.pid} %{GREEDYMULTILINE:message}"
 ignore_missing: true
+- grok:
+ field: message
+ patterns:
+ - "user '%{WORD:user.name}' %{ALLOWED:event.action}"
+ - "%{DENIED:event.action}: user '%{WORD:user.name}'"
+ - "%{CLOSING:event.action}%{GREEDYDATA}user: '%{WORD:user.name}'"
+ pattern_definitions:
+ ALLOWED: "authenticated and granted access"
+ DENIED: "access denied"
+ CLOSING: "closing"
+ ignore_missing: true
+ ignore_failure: true
+- set:
+ field: event.action
+ value: logged-in
+ if: 'ctx.event?.action == "authenticated and granted access"'
+- set:
+ field: event.action
+ value: close-connection
+ if: 'ctx.event?.action == "closing"'
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx?.event?.action != null && ['logged-in', 'close-connection'].contains(ctx.event.action)"
+- set:
+ field: event.action
+ value: logon-failed
+ if: 'ctx.event?.action == "access denied"'
+- set:
+ field: event.outcome
+ value: failure
+ if: 'ctx.event?.action == "logon-failed"'
+- append:
+ field: event.category
+ value: authentication
+ if: "ctx?.event?.action != null && ['logged-in', 'logon-failed'].contains(ctx.event.action)"
+- append:
+ field: event.type
+ value:
+ - start
+ - access
+ if: "ctx?.event?.action != null && ['logged-in', 'logon-failed'].contains(ctx.event.action)"
+- append:
+ field: event.type
+ value:
+ - end
+ - access
+ if: ctx?.event?.action == 'close-connection'
 - date:
 if: "ctx.event.timezone == null"
 field: timestamp
diff --git a/x-pack/filebeat/module/rabbitmq/log/test/test.log b/x-pack/filebeat/module/rabbitmq/log/test/test.log
index 91a0d3a63e4..ccfa2277eab 100644
--- a/x-pack/filebeat/module/rabbitmq/log/test/test.log
+++ b/x-pack/filebeat/module/rabbitmq/log/test/test.log
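Review bot: `%{WORD:user.name}` in the three new grok patterns only matches `\w+`, so a RabbitMQ user whose name contains `-`, `.` or `@` (service accounts, directory-backed names) fails every pattern and, because the grok has `ignore_failure: true`, the event silently ends up with no `event.action`, `event.category` or `user.name` — failed logins for such accounts are never categorised as authentication events. Since the name is always delimited by single quotes in these messages, add `QUOTED_NAME: "[^']+"` under `pattern_definitions` and use `%{QUOTED_NAME:user.name}` in each pattern; the new fixture line in test.log only exercises `guest`, so it would not catch this. Separately, the `access denied` line in the fixture appears to be the management HTTP API rejecting a user for a missing tag (`Not monitor user`) rather than a credential failure, so mapping it to `logon-failed` deserves at least a comment on the `DENIED` definition saying that authorization denials are folded into this action. As a point of style, the last `if: ctx?.event?.action == 'close-connection'` is the only unquoted Painless condition in the block; quoting it like its siblings avoids YAML parsing surprises if the expression is later extended. The `processors` list continues past the end of the hunk.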
@@ -76,3 +76,4 @@
 163]
 2019-04-12 10:19:14.450 [info] <0.1902.0> Closing connection <0.1345.0> because <<240,159,145,139,240,159,143,190,240,159,144,135,240,159,164,163>>
 2019-04-12 10:19:14.451 [info] <0.1345.0> closing AMQP connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672, vhost: '/', user: 'guest')
+2021-11-22 17:48:20.003 [warning] <0.8084.263> HTTP access denied: user 'guest' - Not monitor user
diff --git a/x-pack/filebeat/module/rabbitmq/log/test/test.log-expected.json b/x-pack/filebeat/module/rabbitmq/log/test/test.log-expected.json
index 0bdae14b894..d15252dfbbc 100644
--- a/x-pack/filebeat/module/rabbitmq/log/test/test.log-expected.json
+++ b/x-pack/filebeat/module/rabbitmq/log/test/test.log-expected.json
@@ -310,17 +310,27 @@
 },
 {
 "@timestamp": "2019-04-12T10:11:15.101-02:00",
+ "event.action": "logged-in",
+ "event.category": [
+ "authentication"
+ ],
 "event.dataset": "rabbitmq.log",
 "event.kind": "event",
 "event.module": "rabbitmq",
+ "event.outcome": "success",
 "event.timezone": "-02:00",
+ "event.type": [
+ "access",
+ "start"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "log.level": "info",
 "log.offset": 3420,
 "message": "connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672): user 'guest' authenticated and granted access to vhost '/'",
 "rabbitmq.log.pid": "<0.1345.0>",
- "service.type": "rabbitmq"
+ "service.type": "rabbitmq",
+ "user.name": "guest"
 },
 {
 "@timestamp": "2019-04-12T10:19:14.450-02:00",
@@ -355,16 +365,47 @@
 },
 {
 "@timestamp": "2019-04-12T10:19:14.451-02:00",
+ "event.action": "close-connection",
 "event.dataset": "rabbitmq.log",
 "event.kind": "event",
 "event.module": "rabbitmq",
+ "event.outcome": "success",
 "event.timezone": "-02:00",
+ "event.type": [
+ "access",
+ "end"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "log.level": "info",
 "log.offset": 4359,
 "message": "closing AMQP connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672, vhost: '/', user: 'guest')",
 "rabbitmq.log.pid": "<0.1345.0>",
- "service.type": "rabbitmq"
+ "service.type": "rabbitmq",
+ "user.name": "guest"
+ },
+ {
+ "@timestamp": "2021-11-22T17:48:20.003-02:00",
+ "event.action": "logon-failed",
+ "event.category": [
+ "authentication"
+ ],
+ "event.dataset": "rabbitmq.log",
+ "event.kind": "event",
+ "event.module": "rabbitmq",
+ "event.outcome": "failure",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "access",
+ "start"
+ ],
+ "fileset.name": "log",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 4499,
+ "message": "HTTP access denied: user 'guest' - Not monitor user",
+ "rabbitmq.log.pid": "<0.8084.263>",
+ "service.type": "rabbitmq",
+ "user.name": "guest"
 }
 ]
\ No newline at end of file