
auditd pipeline grok pattern does not handle a space between AUDIT_NODE and AUDIT_TYPE

Open seang-es opened this issue 3 years ago • 1 comments

Issue found in version 7.17.6, exists in other releases.

The current GROK pattern is as follows:

```json
{
  "grok": {
    "field": "message",
    "pattern_definitions": {
      "ANY": ".*",
      "AUDIT_TYPE": "type=%{NOTSPACE:auditd.log.record_type}",
      "AUDIT_NODE": "node=%{IPORHOST:auditd.log.node} ",
      "AUDIT_PREFIX": "^(?:%{AUDIT_NODE})?%{AUDIT_TYPE} msg=audit\\(%{NUMBER:auditd.log.epoch}:%{NUMBER:auditd.log.sequence}\\):(%{DATA})?",
      "AUDIT_KEY_VALUES": "%{WORD}=%{GREEDYDATA}"
    },
    "patterns": [
      "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} old auid=%{NUMBER:auditd.log.old_auid} new auid=%{NUMBER:auditd.log.new_auid} old ses=%{NUMBER:auditd.log.old_ses} new ses=%{NUMBER:auditd.log.new_ses}",
      "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} msg=['\"](\\s)?%{ANY:auditd.log.sub_kv}['\"]",
      "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv}",
      "%{AUDIT_PREFIX}",
      "%{AUDIT_TYPE} %{AUDIT_KEY_VALUES:auditd.log.kv}"
    ]
  }
}
```

However, when using this pattern with auditd, the AUDIT_PREFIX value is not working properly in the case that there is a space in between the AUDIT_NODE and AUDIT_TYPE.

Example incoming prefix: `node=host.domain.com type=SYSCALL`

Note: there is a space between the node and type.

To fix this, the new AUDIT_PREFIX grok pattern is as follows:

```json
"AUDIT_PREFIX": "^(?:%{AUDIT_NODE})?\\s*%{AUDIT_TYPE} msg=audit\\(%{NUMBER:auditd.log.epoch}:%{NUMBER:auditd.log.sequence}\\):(%{DATA})?"
```

The fix is specifically between the AUDIT_NODE and AUDIT_TYPE, where we input `\s*`. This will work for zero or more spaces, so it should not impact existing functionality at all, but it will let the parser work when a space is present.

seang-es avatar Oct 06 '22 02:10 seang-es
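To check the proposed AUDIT_PREFIX against sample lines without an Elasticsearch cluster, here is an added Python approximation (not Beats or Elasticsearch code). It expands the grok references with simplified stand-ins for the built-in patterns (an assumption, not the real grok library, so it cannot reproduce why the single-space line failed in Elasticsearch) and runs the original and proposed AUDIT_PREFIX over constructed auditd lines: a node-less line to confirm the optional node group still matches, and a line with extra whitespace after the node, which the original rejects and the fix accepts.

```python
import re

# Simplified stand-ins for the grok built-ins the pipeline references
# (assumption: close enough for these lines, not the real grok library).
BUILTIN = {
    "NOTSPACE": r"\S+",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "DATA": r".*?",
    "IPORHOST": r"[0-9A-Za-z][0-9A-Za-z-]*(?:\.[0-9A-Za-z][0-9A-Za-z-]*)*",
}

# Pattern definitions as quoted in the issue (AUDIT_PREFIX before the fix).
ORIGINAL = {
    "AUDIT_TYPE": r"type=%{NOTSPACE:auditd.log.record_type}",
    "AUDIT_NODE": r"node=%{IPORHOST:auditd.log.node} ",
    "AUDIT_PREFIX": r"^(?:%{AUDIT_NODE})?%{AUDIT_TYPE} msg=audit\("
                    r"%{NUMBER:auditd.log.epoch}:%{NUMBER:auditd.log.sequence}\):(%{DATA})?",
}
# Proposed fix: allow any run of whitespace after the node; the node group stays optional.
FIXED = dict(ORIGINAL, AUDIT_PREFIX=r"^(?:%{AUDIT_NODE})?\s*%{AUDIT_TYPE} msg=audit\("
             r"%{NUMBER:auditd.log.epoch}:%{NUMBER:auditd.log.sequence}\):(%{DATA})?")


def grok_to_regex(pattern, defs):
    """Expand %{NAME} / %{NAME:field} references into one Python regex.
    Python group names cannot contain dots, so 'a.b' is captured as 'a__b'."""
    def expand(m):
        name, _, field = m.group(1).partition(":")
        body = grok_to_regex(defs.get(name) or BUILTIN[name], defs)
        return "(?P<%s>%s)" % (field.replace(".", "__"), body) if field else "(?:%s)" % body
    return re.sub(r"%\{([^}]+)\}", expand, pattern)


def parse_prefix(line, defs):
    """Return the captured auditd.log.* fields, or None when AUDIT_PREFIX rejects the line."""
    m = re.match(grok_to_regex("%{AUDIT_PREFIX}", defs), line)
    if m is None:
        return None
    return {k.replace("__", "."): v for k, v in m.groupdict().items() if v is not None}


# Constructed sample lines (not taken from a real host).
NO_NODE = "type=SYSCALL msg=audit(1665021600.123:456): arch=c000003e syscall=59"
ONE_SPACE = "node=host.domain.com type=SYSCALL msg=audit(1665021600.123:456): arch=c000003e"
EXTRA_SPACE = "node=host.domain.com  type=SYSCALL msg=audit(1665021600.123:456): arch=c000003e"
```

Calling `parse_prefix(EXTRA_SPACE, ORIGINAL)` returns None while `parse_prefix(EXTRA_SPACE, FIXED)` returns the node, record type, epoch and sequence; `NO_NODE` parses under both, which is the check that the node group was not made mandatory.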

This issue doesn't have a Team:<team> label.

botelastic[bot] avatar Oct 06 '22 02:10 botelastic[bot]

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

botelastic[bot] avatar Oct 06 '23 03:10 botelastic[bot]