[Filebeat][New Module] Mysql Enterprise Audit log

filebeat/docs/fields.asciidoc

@@ -59,6 +59,7 @@ grouped in the following categories:
 * <<exported-fields-mongodb>>
 * <<exported-fields-mssql>>
 * <<exported-fields-mysql>>
+* <<exported-fields-mysql>>
 * <<exported-fields-nats>>
 * <<exported-fields-netflow>>
 * <<exported-fields-netscout>>
@@ -97685,6 +97686,257 @@ alias to: source.ip
 
 --
 
+[[exported-fields-mysql]]
+== mysql fields
+
+Some mysql module
+
+
+
+[float]
+=== mysql
+
+Fields from MySQL Logs
+
+
+
+[float]
+=== audit
+
+Module for parsing MySQL Enterprise Audit Logs
+
+
+
+*`mysql.audit.class`*::
++
+--
+A string representing the event class. The class defines the type of event, when taken together with the event item that specifies the event subclass.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.connection_id`*::
++
+--
+An integer representing the client connection identifier. This is the same as the value returned by the CONNECTION_ID() function within the session.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.id`*::
++
+--
+An unsigned integer representing an event ID.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.connection_data.connection_type`*::
++
+--
+The security state of the connection to the server. Permitted values are tcp/ip (TCP/IP connection established without encryption), ssl (TCP/IP connection established with encryption), socket (Unix socket file connection), named_pipe (Windows named pipe connection), and shared_memory (Windows shared memory connection).
+
+
+type: keyword
+
+--
+
+*`mysql.audit.connection_data.status`*::
++
+--
+An integer representing the command status: 0 for success, nonzero if an error occurred.
+
+
+type: long
+
+--
+
+*`mysql.audit.connection_data.db`*::
++
+--
+A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.connection_data.connection_attributes`*::
++
+--
+Connection attributes that might be passed by different MySQL Clients.
+
+
+type: flattened
+
+--
+
+*`mysql.audit.general_data.command`*::
++
+--
+A string representing the type of instruction that generated the audit event, such as a command that the server received from a client.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.general_data.sql_command`*::
++
+--
+A string that indicates the SQL statement type.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.general_data.query`*::
++
+--
+A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.general_data.status`*::
++
+--
+An integer representing the command status: 0 for success, nonzero if an error occurred. This is the same as the value of the mysql_errno() C API function.
+
+
+type: long
+
+--
+
+*`mysql.audit.login.user`*::
++
+--
+A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.login.proxy`*::
++
+--
+A string representing the proxy user. The value is empty if user proxying is not in effect.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.shutdown_data.server_id`*::
++
+--
+An integer representing the server ID. This is the same as the value of the server_id system variable.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.startup_data.server_id`*::
++
+--
+An integer representing the server ID. This is the same as the value of the server_id system variable.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.startup_data.mysql_version`*::
++
+--
+An integer representing the server ID. This is the same as the value of the server_id system variable.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.table_access_data.db`*::
++
+--
+A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.table_access_data.table`*::
++
+--
+A string representing a table name.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.table_access_data.query`*::
++
+--
+A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.table_access_data.sql_command`*::
++
+--
+A string that indicates the SQL statement type.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.account.user`*::
++
+--
+A string representing the user that the server authenticated the client as. This is the user name that the server uses for privilege checking.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.account.host`*::
++
+--
+A string representing the client host name.
+
+
+type: keyword
+
+--
+
+*`mysql.audit.login.os`*::
++
+--
+A string representing the external user name used during the authentication process, as set by the plugin used to authenticate the client.
+
+
+type: keyword
+
+--
+
 [[exported-fields-nats]]
 == NATS fields
 

x-pack/filebeat/filebeat.reference.yml

@@ -1258,6 +1258,18 @@ filebeat.modules:
     # can be added under this section.
     #input:
 
+#-------------------------------- Mysql Module --------------------------------
+- module: mysql
+  audit:
+    enabled: true
+
+    # Sets the input type. Currently only supports file
+    #var.input: file
+
+    # Set paths for the log files when file input is used.
+    # Should only be used together with file input
+    # var.paths: /home/user/mysqlauditlogs/audit.*.log
+
 #--------------------------------- NATS Module ---------------------------------
 - module: nats
   # All logs

x-pack/filebeat/module/mysql/_meta/config.yml

@@ -0,0 +1,10 @@
+- module: mysql
+  audit:
+    enabled: true
+
+    # Sets the input type. Currently only supports file
+    #var.input: file
+
+    # Set paths for the log files when file input is used.
+    # Should only be used together with file input
+    # var.paths: /home/user/mysqlauditlogs/audit.*.log

x-pack/filebeat/module/mysql/_meta/docs.asciidoc

@@ -0,0 +1,67 @@
+[role="xpack"]
+
+:modulename: mysql
+:has-dashboards: false
+
+
+== MySQL module
+beta[]
+
+This is a module for different types of MySQL logs. Currently focusing on data from the MySQL Enterprise Audit Plugin in JSON format.
+
+To configure the the Enterprise Audit Plugin to output in JSON format please follow the directions in the https://dev.mysql.com/doc/refman/8.0/en/audit-log-file-formats.html[MySQL Documentation]
+
+
+include::../include/gs-link.asciidoc[]
+
+
+[float]
+=== Compatibility
+
+This module has been tested against MySQL Enterprise 5.7.x and 8.0.x
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: audit
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `audit` fileset settings
+
+Example config:
+
+[source,yaml]
+----
+- module: mysql
+  audit:
+    var.input: file
+    var.paths: /home/user/mysqlauditlogs/audit.*.log
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[mysql-audit]`.
+
+[float]
+==== MySQL ECS Fields
+
+MySQL Enterprise Audit fields are mapped to ECS in the following way:
+[options="header"]
+|==============================================================
+| Check Point Fields         | ECS Fields                     |
+| account.user               | server.user.name               |
+| account.host               | client.domain                  |
+| login.os                   | client.user.name               |
+| login.ip                   | client.ip                      |
+| startup_data.os_version    | host.os.full                   |
+| startup_data.args          | process.args                   |
+| onnection_attributes._pid  | process.pid                    |
+| timestamp                  | @timestamp                     |
+|==============================================================
+
+:modulename!:

x-pack/filebeat/module/mysql/_meta/fields.yml

@@ -0,0 +1,10 @@
+- key: mysql
+  title: mysql
+  description: >
+    Some mysql module
+  fields:
+    - name: mysql
+      type: group
+      description: >
+        Fields from MySQL Logs
+      fields: