Initial start on parsing PAM messages by opoplawski · Pull Request #8756 · elastic/beats

opoplawski · 2018-10-25T21:38:50Z

Is this a reasonable approach?

elasticmachine · 2018-10-25T21:38:51Z

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

opoplawski · 2018-10-25T22:46:55Z

Need to figure out how to make the mappings...

jsoriano

Thanks @opoplawski for this contribution! This is looking good, could you also add some example logs for testing?

filebeat/module/system/auth/_meta/fields.yml

jsoriano · 2018-10-26T10:24:53Z

filebeat/module/system/auth/ingest/pipeline.json

Could you also add some examples of the log lines these patterns are parsing? If you add them to filebeat/module/system/auth/test they will be used on testing.

I'm adding them to test.log, hope that's right.

As I mention in the other comment, you can also add them to an specific file.

jsoriano · 2018-10-26T10:26:10Z

filebeat/module/system/auth/_meta/fields.yml

What is this logname? maybe it'd be good to add an example here too.

filebeat/module/system/auth/_meta/fields.yml

jsoriano · 2018-10-26T10:28:35Z

filebeat/module/system/auth/_meta/fields.yml

These fields could be remote.user and remote.ip.

jsoriano · 2018-10-26T10:37:46Z

filebeat/module/system/auth/_meta/fields.yml

You may want to index error message for full text search with type: text.

opoplawski · 2018-10-27T19:21:20Z

At this point I can figure out what isn't matching in expected.json output.

jsoriano · 2018-10-28T14:00:28Z

@opoplawski thanks for adding the test entries, they will be very helpful! You can also add them to a new file instead of using the existing one, all files that exist in test directories with a corresponding expected.json file are used in tests.

Completing the expected.json file can be a bit tricky, there is an option that helps on that, if you run the test with GENERATE=1 it will automatically complete the existing expected json files.
To run this test, the easy way is to run make system-tests, but this runs all tests and can take a while. Alternatively you can start the testing scenario with make start-environment from the filebeat directory, and then run only this specific test with:

make python-env
make filebeat.test
source build/python-env/bin/activate
GENERATE=1 INTEGRATION_TESTS=1 TEST_MODULES=haproxy BEAT_STRICT_PERMS=false ES_HOST=<easticsearch ip> nosetest tests/system/test_module.py

If you have problems with this let me know and I think we can leave it for another PR.

jsoriano · 2018-10-28T14:07:55Z

filebeat/module/system/auth/_meta/fields.yml

type: text also for error.message?

jsoriano · 2018-10-28T14:10:54Z

filebeat/module/system/auth/_meta/fields.yml

remote.user and remote.host instead of ruser and rhost? Just proposing, I am ok also with ruser and rhost if they are usual names for these values in the PAM context 🙂

ruflin · 2018-10-29T09:51:29Z

This will need a changelog entry

ruflin · 2018-10-29T09:53:30Z

filebeat/module/system/auth/ingest/pipeline.json

@original-brownbear I wonder if there are any recommendations from the ES ingest side on how we should handle that many ingest pipelines to make sure they stay performant.

@ruflin I'm not sure I understand the question 100% but:

The number of configured ingest pipelines should not affect performance in and of itself I think.

@jakelandis merge per processor stats in ingest: processor stats elasticsearch#34202 so that's incoming as a tool to measure the impact of the various individual GROK configs that may help you?

Is that what you're looking for? :)

Sorry, I should have mentioned "multiple grok patterns" affect perfomance as we use many different grok patterns above.

Looking forward to the stats.

@ruflin ah got it :) So I think you don't have to worry about this too much.
Grok compiles all the patterns into a single Regex for matching. So it's more a question of what the individual Regex pieces look like than how many you have.
For non-backtracking Regex things should scale better than linear with the length of the single Regex we compile.

botelastic · 2020-07-08T18:17:26Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

opoplawski · 2020-07-08T23:20:02Z

It may make sense to just start over, but I'll try to poke at this some more

elasticmachine · 2020-07-08T23:22:08Z

❕ Build Aborted

The PR is not allowed to run in the CI yet

Expand to view the summary

Build stats

Build Cause: [Branch indexing]
Reason: The PR is not allowed to run in the CI yet
Start Time: 2020-07-13T13:43:07.669+0000
Duration: 6 min 38 sec
Commit: 5b9c78f

Steps errors

Expand to view the steps failures

Name: Error signal
- Description: githubPrCheckApproved: The PR is not allowed to run in the CI yet. (Only users with write permission
- Duration: 0 min 0 sec
- Start Time: 2020-07-13T13:47:41.015+0000
- log

Log output

Expand to view the last 100 lines of log output

[2020-07-13T13:48:03.377Z] Stage "Elastic Agent x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:03.453Z] Stage "Elastic Agent x-pack Windows" skipped due to earlier failure(s)
[2020-07-13T13:48:03.483Z] Stage "Elastic Agent Mac OS X" skipped due to earlier failure(s)
[2020-07-13T13:48:03.569Z] Stage "Filebeat oss" skipped due to earlier failure(s)
[2020-07-13T13:48:03.630Z] Stage "Filebeat x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:03.646Z] Stage "Filebeat Mac OS X" skipped due to earlier failure(s)
[2020-07-13T13:48:03.679Z] Stage "Filebeat x-pack Mac OS X" skipped due to earlier failure(s)
[2020-07-13T13:48:03.748Z] Stage "Filebeat Windows" skipped due to earlier failure(s)
[2020-07-13T13:48:03.776Z] Stage "Filebeat x-pack Windows" skipped due to earlier failure(s)
[2020-07-13T13:48:03.807Z] Stage "Heartbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:03.856Z] Stage "Auditbeat oss Linux" skipped due to earlier failure(s)
[2020-07-13T13:48:03.879Z] Stage "Auditbeat crosscompile" skipped due to earlier failure(s)
[2020-07-13T13:48:03.919Z] Stage "Auditbeat oss Mac OS X" skipped due to earlier failure(s)
[2020-07-13T13:48:03.959Z] Stage "Auditbeat oss Windows" skipped due to earlier failure(s)
[2020-07-13T13:48:04.022Z] Stage "Auditbeat x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:04.063Z] Stage "Auditbeat x-pack Mac OS X" skipped due to earlier failure(s)
[2020-07-13T13:48:04.109Z] Stage "Auditbeat x-pack Windows" skipped due to earlier failure(s)
[2020-07-13T13:48:04.134Z] Stage "Libbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:04.169Z] Stage "Libbeat x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:04.184Z] Stage "Metricbeat OSS Unit tests" skipped due to earlier failure(s)
[2020-07-13T13:48:04.214Z] Stage "Metricbeat OSS Integration tests" skipped due to earlier failure(s)
[2020-07-13T13:48:04.239Z] Stage "Metricbeat Python integration tests" skipped due to earlier failure(s)
[2020-07-13T13:48:04.338Z] Stage "Metricbeat x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:04.349Z] Stage "Metricbeat crosscompile" skipped due to earlier failure(s)
[2020-07-13T13:48:04.365Z] Stage "Metricbeat Mac OS X" skipped due to earlier failure(s)
[2020-07-13T13:48:04.403Z] Stage "Metricbeat x-pack Mac OS X" skipped due to earlier failure(s)
[2020-07-13T13:48:04.423Z] Stage "Metricbeat Windows" skipped due to earlier failure(s)
[2020-07-13T13:48:04.448Z] Stage "Metricbeat x-pack Windows" skipped due to earlier failure(s)
[2020-07-13T13:48:04.514Z] Stage "Packetbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:04.522Z] Stage "dockerlogbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:04.539Z] Stage "Winlogbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:04.557Z] Stage "Winlogbeat Windows x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:04.586Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:04.618Z] Stage "Journalbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:04.634Z] Stage "Generators" skipped due to earlier failure(s)
[2020-07-13T13:48:04.671Z] Stage "Kubernetes" skipped due to earlier failure(s)
[2020-07-13T13:48:05.701Z] Stage "Heartbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:05.732Z] Stage "Libbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:05.813Z] Stage "Metricbeat x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:05.844Z] Stage "Packetbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:05.859Z] Stage "dockerlogbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:05.896Z] Stage "Winlogbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:05.935Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:05.960Z] Stage "Journalbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:06.015Z] Stage "Generators" skipped due to earlier failure(s)
[2020-07-13T13:48:13.737Z] Failed in branch Elastic Agent x-pack
[2020-07-13T13:48:13.782Z] Failed in branch Elastic Agent x-pack Windows
[2020-07-13T13:48:13.796Z] Failed in branch Elastic Agent Mac OS X
[2020-07-13T13:48:13.858Z] Failed in branch Filebeat oss
[2020-07-13T13:48:13.881Z] Failed in branch Filebeat x-pack
[2020-07-13T13:48:13.895Z] Failed in branch Filebeat Mac OS X
[2020-07-13T13:48:13.920Z] Failed in branch Filebeat x-pack Mac OS X
[2020-07-13T13:48:13.945Z] Failed in branch Filebeat Windows
[2020-07-13T13:48:13.961Z] Failed in branch Filebeat x-pack Windows
[2020-07-13T13:48:13.978Z] Failed in branch Auditbeat oss Linux
[2020-07-13T13:48:14.017Z] Failed in branch Auditbeat crosscompile
[2020-07-13T13:48:14.116Z] Failed in branch Auditbeat oss Mac OS X
[2020-07-13T13:48:14.206Z] Failed in branch Auditbeat oss Windows
[2020-07-13T13:48:14.252Z] Failed in branch Auditbeat x-pack
[2020-07-13T13:48:14.264Z] Failed in branch Auditbeat x-pack Mac OS X
[2020-07-13T13:48:14.275Z] Failed in branch Auditbeat x-pack Windows
[2020-07-13T13:48:14.294Z] Failed in branch Libbeat x-pack
[2020-07-13T13:48:14.319Z] Failed in branch Metricbeat OSS Unit tests
[2020-07-13T13:48:14.344Z] Failed in branch Metricbeat OSS Integration tests
[2020-07-13T13:48:14.359Z] Failed in branch Metricbeat Python integration tests
[2020-07-13T13:48:14.445Z] Failed in branch Metricbeat crosscompile
[2020-07-13T13:48:14.540Z] Failed in branch Metricbeat Mac OS X
[2020-07-13T13:48:14.572Z] Failed in branch Metricbeat x-pack Mac OS X
[2020-07-13T13:48:14.587Z] Failed in branch Metricbeat Windows
[2020-07-13T13:48:14.628Z] Failed in branch Metricbeat x-pack Windows
[2020-07-13T13:48:14.650Z] Failed in branch Winlogbeat Windows x-pack
[2020-07-13T13:48:14.680Z] Failed in branch Kubernetes
[2020-07-13T13:48:18.448Z] Stage "Heartbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:18.469Z] Stage "Libbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:18.480Z] Stage "Metricbeat x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:18.496Z] Stage "Winlogbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:18.512Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:18.543Z] Stage "Generators" skipped due to earlier failure(s)
[2020-07-13T13:48:22.498Z] Failed in branch Packetbeat
[2020-07-13T13:48:22.530Z] Failed in branch dockerlogbeat
[2020-07-13T13:48:22.584Z] Failed in branch Journalbeat
[2020-07-13T13:48:27.061Z] Stage "Heartbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:27.107Z] Stage "Libbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:27.124Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:27.332Z] Stage "Generators" skipped due to earlier failure(s)
[2020-07-13T13:48:28.172Z] Failed in branch Metricbeat x-pack
[2020-07-13T13:48:28.206Z] Failed in branch Winlogbeat
[2020-07-13T13:48:31.025Z] Failed in branch Heartbeat
[2020-07-13T13:48:31.046Z] Failed in branch Libbeat
[2020-07-13T13:48:31.061Z] Failed in branch Functionbeat
[2020-07-13T13:48:31.062Z] Stage "Generators" skipped due to earlier failure(s)
[2020-07-13T13:48:32.466Z] Failed in branch Generators
[2020-07-13T13:48:42.496Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-8756
[2020-07-13T13:48:42.840Z] [INFO] getVaultSecret: Getting secrets
[2020-07-13T13:48:43.127Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-07-13T13:48:45.751Z] + chmod 755 generate-build-data.sh
[2020-07-13T13:48:45.751Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-8756/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-8756/runs/1 ABORTED 337759
[2020-07-13T13:48:45.751Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-8756/runs/1/steps/?limit=10000 -o steps-info.json
[2020-07-13T13:48:47.100Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-8756/runs/1/tests/?status=FAILED -o tests-errors.json
[2020-07-13T13:48:47.100Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-8756/runs/1/log/ -o pipeline-log.txt

elasticmachine · 2020-07-16T18:45:51Z

Pinging @elastic/integrations-services (Team:Services)

botelastic · 2020-08-15T19:08:22Z

Hi!
We just realized that we haven't looked into this PR in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it in as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

jsoriano · 2020-08-21T09:27:23Z

Hey @opoplawski, I think we can go on with this change, but could you update the branch with master and run mage fmt update? There is a conflict.

We should review if it would make sense to use ECS for some of the fields, for example system.auth.pid could be moved to process.pid, and system.auth.pam.user to user.name. Take a look to the reference to check the available fields: https://www.elastic.co/guide/en/ecs/1.6/ecs-field-reference.html

Also this will need a changelog entry.

elasticmachine · 2020-08-21T09:27:45Z

Pinging @elastic/siem (Team:SIEM)

botelastic · 2020-09-20T09:36:04Z

Hi!
We just realized that we haven't looked into this PR in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it in as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

botelastic · 2020-10-20T09:36:19Z

Hi!
This PR has been stale for a while and we're going to close it as part of our cleanup procedure.
We appreciate your contribution and would like to apologize if we have not been able to review it, due to the current heavy load of the team.
Feel free to re-open this PR if you think it should stay open and is worth rebasing.
Thank you for your contribution!

jsoriano added enhancement module Filebeat Filebeat labels Oct 26, 2018

jsoriano reviewed Oct 26, 2018

View reviewed changes

jsoriano reviewed Oct 28, 2018

View reviewed changes

ruflin reviewed Oct 29, 2018

View reviewed changes

botelastic bot added Stalled needs_team Indicates that the issue/PR needs a Team:* label labels Jul 8, 2020

Initial start on parsing PAM messages

5b9c78f

opoplawski force-pushed the pam branch from 6ffdc03 to 5b9c78f Compare July 8, 2020 23:17

botelastic bot removed the Stalled label Jul 8, 2020

andresrc added the Team:Services (Deprecated) Label for the former Integrations-Services team label Jul 16, 2020

botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 16, 2020

botelastic bot added the Stalled label Aug 15, 2020

andresrc requested a review from jsoriano August 17, 2020 14:25

botelastic bot removed the Stalled label Aug 17, 2020

jsoriano added the Team:SIEM label Aug 21, 2020

jsoriano requested a review from a team August 21, 2020 09:29

botelastic bot added the Stalled label Sep 20, 2020

botelastic bot closed this Oct 20, 2020

Conversation

opoplawski commented Oct 25, 2018

Uh oh!

elasticmachine commented Oct 25, 2018

Uh oh!

opoplawski commented Oct 25, 2018

Uh oh!

jsoriano left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

opoplawski commented Oct 27, 2018

Uh oh!

jsoriano commented Oct 28, 2018

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

ruflin commented Oct 29, 2018

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

botelastic bot commented Jul 8, 2020

Uh oh!

opoplawski commented Jul 8, 2020

Uh oh!

elasticmachine commented Jul 8, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

❕ Build Aborted

Build stats

Steps errors

Log output

Uh oh!

elasticmachine commented Jul 16, 2020

Uh oh!

botelastic bot commented Aug 15, 2020

Uh oh!

jsoriano commented Aug 21, 2020

Uh oh!

elasticmachine commented Aug 21, 2020

Uh oh!

botelastic bot commented Sep 20, 2020

Uh oh!

botelastic bot commented Oct 20, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

elasticmachine commented Jul 8, 2020 •

edited

Loading