
[Filebeat] Decode hex values in auditd log messages #14471

Merged
merged 3 commits into from
Nov 12, 2019

Conversation

leehinman
Contributor

@leehinman leehinman commented Nov 11, 2019

convert auditd pipeline to yaml and decode hex values listed in auditd source code.

Fixes #14290.

- changed pipeline from json to yaml so it will be easier to see diffs
  in the painless script
- Added keys that were listed as escaped in auparse/typetab.h
  to the list of possible keys that might need to be decoded.

- changed convertHexToString in pipeline to use caret notation
  for control characters (tab, delete, new line, etc)

- changed convertHexToString to return original hex string if one
  of the characters that trigger encoding in the auditd package
  isn't found.  In this case data should probably remain as hex.
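The decoding rules listed above, written out as a Python illustration (this is added example code, not the PR's painless script). The set of bytes that makes auditd hex-encode a value and the list of keys to decode are assumptions, marked in the comments.

```python
import re

# Assumption (taken from the kernel audit logging rules, not from this PR): a value
# is hex-encoded when it contains a double quote, a byte below 0x21 (space and
# control characters) or a byte above 0x7e.
def triggers_encoding(b: int) -> bool:
    return b == 0x22 or b < 0x21 or b > 0x7E

HEX_VALUE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

def caret(ch: str) -> str:
    """Render a control character in caret notation: 0x00 -> ^@, 0x09 -> ^I, 0x7f -> ^?."""
    code = ord(ch)
    if code < 0x20:
        return "^" + chr(code + 0x40)
    if code == 0x7F:
        return "^?"
    return ch

def convert_hex_to_string(value: str) -> str:
    """Decode an auditd hex value; leave it untouched if it cannot be hex, or if
    nothing in the decoded bytes would have forced auditd to hex-encode it."""
    if not HEX_VALUE.match(value):
        return value
    raw = bytes.fromhex(value)
    if not any(triggers_encoding(b) for b in raw):
        return value  # e.g. "4142" is more likely a literal value than hex for "AB"
    text = raw.decode("utf-8", errors="replace")
    return "".join(caret(ch) for ch in text)

# Illustrative key list (assumption); the module's real list comes from auparse/typetab.h.
DECODE_KEYS = {"proctitle", "data", "comm", "exe", "cwd", "path"}
FIELD = re.compile(r"(\w+)=(\S+)")

def decode_message(line: str, keys=DECODE_KEYS) -> dict:
    """Split an auditd message into key=value pairs, hex-decoding only the listed keys."""
    return {k: (convert_hex_to_string(v) if k in keys else v) for k, v in FIELD.findall(line)}

if __name__ == "__main__":
    # Constructed sample lines, not captured from a real system.
    for line in (
        "type=PROCTITLE msg=audit(1573500000.123:456): proctitle=2F62696E2F6C73002D6C",
        "type=TTY msg=audit(1573500000.123:457): data=4142",
    ):
        print(decode_message(line))
```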
@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@leehinman leehinman added the Filebeat Filebeat label Nov 11, 2019
@andrewkroh andrewkroh requested a review from adriansr November 12, 2019 03:00
Member

@andrewkroh andrewkroh left a comment


The painless logic looks good to me. This seems like it's ready to come out of draft status. It does need an entry added to the changelog (in CHANGELOG.next.asciidoc under the bugfix/filebeat section).

@leehinman leehinman marked this pull request as ready for review November 12, 2019 15:20
@leehinman leehinman requested a review from a team as a code owner November 12, 2019 15:20
Member

@andrewkroh andrewkroh left a comment


LGTM. 🥇 First PR 🍾

This will need to be backported to the 7.x branch after merging. We have a script to help with this (ping me about it). I'll add the needs_backport label.

@andrewkroh andrewkroh added the needs_backport PR is waiting to be backported to other branches. label Nov 12, 2019
@andrewkroh andrewkroh changed the title 14290 auditd decode [Filebeat] Decode hex values in auditd log messages Nov 12, 2019
@andrewkroh
Member

I recommend including Fixes #14290 in your commit message. The issue will auto-close on merge of that commit. You can just insert that into the message when you "Squash and merge" from this page.

Contributor

@adriansr adriansr left a comment


LGTM! Nice first PR, I like the control-character encoding logic you added.

@leehinman leehinman merged commit f693d2d into elastic:master Nov 12, 2019
@leehinman leehinman deleted the 14290_auditd_decode branch November 12, 2019 20:51
leehinman added a commit to leehinman/beats that referenced this pull request Nov 13, 2019
* Convert auditd pipeline to yaml
  - changed pipeline from json to yaml so it will be easier to see diffs
     in the painless script
* hex decode value fields in auditd module (elastic#14290)
   - Added keys that were listed as escaped in auparse/typetab.h
      to the list of possible keys that might need to be decoded.
   - changed convertHexToString in pipeline to use caret notation
      for control characters (tab, delete, new line, etc)
   - changed convertHexToString to return original hex string if one
      of the characters that trigger encoding in the auditd package
      isn't found.  In this case data should probably remain as hex.
* Add CHANGELOG entry for decoding hex values in auditd module

Fixes elastic#14290

(cherry picked from commit f693d2d)
@leehinman leehinman added v7.6.0 and removed needs_backport PR is waiting to be backported to other branches. labels Nov 13, 2019
leehinman added a commit to leehinman/beats that referenced this pull request Nov 13, 2019
leehinman added a commit that referenced this pull request Nov 14, 2019
Successfully merging this pull request may close these issues.

[Filebeat] auditd module not hex decoding data field
4 participants