x-pack/filebeat/module/rabbitmq: add handling of authentication data

CHANGELOG.next.asciidoc

@@ -105,6 +105,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Add template helper function for hashing strings. {issue}31613[31613] {pull}31630[31630]
 - Add extended okta.debug_context.debug_data handling. {pull}31676[31676]
 - Add `auth.oauth2.google.jwt_json` option to `httpjson` input. {pull}31750[31750]
+- Add authentication fields to RabbitMQ module documents. {issue}31159[31159] {pull}31680[31680]
 
 *Auditbeat*
 

x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml

@@ -13,6 +13,54 @@ processors:
     - "%{DATESTAMP:timestamp} \\[%{WORD:log.level}\\] %{ERL_PID:rabbitmq.log.pid}
       %{GREEDYMULTILINE:message}"
     ignore_missing: true
+- grok:
+    field: message
+    patterns:
+    - "user '%{WORD:user.name}' %{ALLOWED:event.action}"
+    - "%{DENIED:event.action}: user '%{WORD:user.name}'"
+    - "%{CLOSING:event.action}%{GREEDYDATA}user: '%{WORD:user.name}'"
+    pattern_definitions:
+      ALLOWED: "authenticated and granted access"
+      DENIED: "access denied"
+      CLOSING: "closing"
+    ignore_missing: true
+    ignore_failure: true
+- set:
+    field: event.action
+    value: logged-in
+    if: 'ctx.event?.action == "authenticated and granted access"'
+- set:
+    field: event.action
+    value: close-connection
+    if: 'ctx.event?.action == "closing"'
+- set:
+    field: event.outcome
+    value: success
+    if: "ctx?.event?.action != null && ['logged-in', 'close-connection'].contains(ctx.event.action)"
+- set:
+    field: event.action
+    value: logon-failed
+    if: 'ctx.event?.action == "access denied"'
+- set:
+    field: event.outcome
+    value: failure
+    if: 'ctx.event?.action == "logon-failed"'
+- append:
+    field: event.category
+    value: authentication
+    if: "ctx?.event?.action != null && ['logged-in', 'logon-failed'].contains(ctx.event.action)"
+- append:
+    field: event.type
+    value:
+      - start
+      - access
+    if: "ctx?.event?.action != null && ['logged-in', 'logon-failed'].contains(ctx.event.action)"
+- append:
+    field: event.type
+    value:
+      - end
+      - access
+    if: ctx?.event?.action == 'close-connection'
 - date:
     if: "ctx.event.timezone == null"
     field: timestamp

x-pack/filebeat/module/rabbitmq/log/test/test.log

@@ -76,3 +76,4 @@
                                                                  163]
 2019-04-12 10:19:14.450 [info] <0.1902.0> Closing connection <0.1345.0> because <<240,159,145,139,240,159,143,190,240,159,144,135,240,159,164,163>>
 2019-04-12 10:19:14.451 [info] <0.1345.0> closing AMQP connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672, vhost: '/', user: 'guest')
+2021-11-22 17:48:20.003 [warning] <0.8084.263> HTTP access denied: user 'guest' - Not monitor user

x-pack/filebeat/module/rabbitmq/log/test/test.log-expected.json

@@ -310,17 +310,27 @@
     },
     {
         "@timestamp": "2019-04-12T10:11:15.101-02:00",
+        "event.action": "logged-in",
+        "event.category": [
+            "authentication"
+        ],
         "event.dataset": "rabbitmq.log",
         "event.kind": "event",
         "event.module": "rabbitmq",
+        "event.outcome": "success",
         "event.timezone": "-02:00",
+        "event.type": [
+            "access",
+            "start"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.level": "info",
         "log.offset": 3420,
         "message": "connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672): user 'guest' authenticated and granted access to vhost '/'",
         "rabbitmq.log.pid": "<0.1345.0>",
-        "service.type": "rabbitmq"
+        "service.type": "rabbitmq",
+        "user.name": "guest"
     },
     {
         "@timestamp": "2019-04-12T10:19:14.450-02:00",
@@ -355,16 +365,47 @@
     },
     {
         "@timestamp": "2019-04-12T10:19:14.451-02:00",
+        "event.action": "close-connection",
         "event.dataset": "rabbitmq.log",
         "event.kind": "event",
         "event.module": "rabbitmq",
+        "event.outcome": "success",
         "event.timezone": "-02:00",
+        "event.type": [
+            "access",
+            "end"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.level": "info",
         "log.offset": 4359,
         "message": "closing AMQP connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672, vhost: '/', user: 'guest')",
         "rabbitmq.log.pid": "<0.1345.0>",
-        "service.type": "rabbitmq"
+        "service.type": "rabbitmq",
+        "user.name": "guest"
+    },
+    {
+        "@timestamp": "2021-11-22T17:48:20.003-02:00",
+        "event.action": "logon-failed",
+        "event.category": [
+            "authentication"
+        ],
+        "event.dataset": "rabbitmq.log",
+        "event.kind": "event",
+        "event.module": "rabbitmq",
+        "event.outcome": "failure",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "access",
+            "start"
+        ],
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.level": "warning",
+        "log.offset": 4499,
+        "message": "HTTP access denied: user 'guest' - Not monitor user",
+        "rabbitmq.log.pid": "<0.8084.263>",
+        "service.type": "rabbitmq",
+        "user.name": "guest"
     }
 ]