diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 554aae69eeea..c4bf507c66d6 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -466,6 +466,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add max_number_of_messages config into s3 input. {pull}21993[21993] - Update Okta documentation for new stateful restarts. {pull}22091[22091] - Add SSL option to checkpoint module {pull}19560[19560] +- Added support for MySQL Enterprise audit logs. {pull}22273[22273] - Rename googlecloud module to gcp module. {pull}22214[22214] - Rename awscloudwatch input to aws-cloudwatch. {pull}22228[22228] - Rename google-pubsub input to gcp-pubsub. {pull}22213[22213] diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index e42132a41ab9..5b3baca7f99d 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -59,6 +59,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> 
@@ -98260,6 +98261,257 @@ alias to: source.ip -- +[[exported-fields-mysqlenterprise]] +== MySQL Enterprise fields + +MySQL Enterprise Audit module + + + +[float] +=== mysqlenterprise + +Fields from MySQL Enterprise Logs + + + +[float] +=== audit + +Module for parsing MySQL Enterprise Audit Logs + + + +*`mysqlenterprise.audit.class`*:: ++ +-- +A string representing the event class. The class defines the type of event, when taken together with the event item that specifies the event subclass. + + +type: keyword + +-- + +*`mysqlenterprise.audit.connection_id`*:: ++ +-- +An integer representing the client connection identifier. This is the same as the value returned by the CONNECTION_ID() function within the session. + + +type: keyword + +-- + +*`mysqlenterprise.audit.id`*:: ++ +-- +An unsigned integer representing an event ID. + + +type: keyword + +-- + +*`mysqlenterprise.audit.connection_data.connection_type`*:: ++ +-- +The security state of the connection to the server. Permitted values are tcp/ip (TCP/IP connection established without encryption), ssl (TCP/IP connection established with encryption), socket (Unix socket file connection), named_pipe (Windows named pipe connection), and shared_memory (Windows shared memory connection). + + +type: keyword + +-- + +*`mysqlenterprise.audit.connection_data.status`*:: ++ +-- +An integer representing the command status: 0 for success, nonzero if an error occurred. + + +type: long + +-- + +*`mysqlenterprise.audit.connection_data.db`*:: ++ +-- +A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database. + + +type: keyword + +-- + +*`mysqlenterprise.audit.connection_data.connection_attributes`*:: ++ +-- +Connection attributes that might be passed by different MySQL Clients. 
+ + +type: flattened + +-- + +*`mysqlenterprise.audit.general_data.command`*:: ++ +-- +A string representing the type of instruction that generated the audit event, such as a command that the server received from a client. + + +type: keyword + +-- + +*`mysqlenterprise.audit.general_data.sql_command`*:: ++ +-- +A string that indicates the SQL statement type. + + +type: keyword + +-- + +*`mysqlenterprise.audit.general_data.query`*:: ++ +-- +A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion. + + +type: keyword + +-- + +*`mysqlenterprise.audit.general_data.status`*:: ++ +-- +An integer representing the command status: 0 for success, nonzero if an error occurred. This is the same as the value of the mysql_errno() C API function. + + +type: long + +-- + +*`mysqlenterprise.audit.login.user`*:: ++ +-- +A string representing the information indicating how a client connected to the server. + + +type: keyword + +-- + +*`mysqlenterprise.audit.login.proxy`*:: ++ +-- +A string representing the proxy user. The value is empty if user proxying is not in effect. + + +type: keyword + +-- + +*`mysqlenterprise.audit.shutdown_data.server_id`*:: ++ +-- +An integer representing the server ID. This is the same as the value of the server_id system variable. + + +type: keyword + +-- + +*`mysqlenterprise.audit.startup_data.server_id`*:: ++ +-- +An integer representing the server ID. This is the same as the value of the server_id system variable. + + +type: keyword + +-- + +*`mysqlenterprise.audit.startup_data.mysql_version`*:: ++ +-- +An integer representing the server ID. This is the same as the value of the server_id system variable. + + +type: keyword + +-- + +*`mysqlenterprise.audit.table_access_data.db`*:: ++ +-- +A string representing a database name. 
For connection_data, it is the default database. For table_access_data, it is the table database. + + +type: keyword + +-- + +*`mysqlenterprise.audit.table_access_data.table`*:: ++ +-- +A string representing a table name. + + +type: keyword + +-- + +*`mysqlenterprise.audit.table_access_data.query`*:: ++ +-- +A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion. + + +type: keyword + +-- + +*`mysqlenterprise.audit.table_access_data.sql_command`*:: ++ +-- +A string that indicates the SQL statement type. + + +type: keyword + +-- + +*`mysqlenterprise.audit.account.user`*:: ++ +-- +A string representing the user that the server authenticated the client as. This is the user name that the server uses for privilege checking. + + +type: keyword + +-- + +*`mysqlenterprise.audit.account.host`*:: ++ +-- +A string representing the client host name. + + +type: keyword + +-- + +*`mysqlenterprise.audit.login.os`*:: ++ +-- +A string representing the external user name used during the authentication process, as set by the plugin used to authenticate the client. + + +type: keyword + +-- + [[exported-fields-nats]] == NATS fields diff --git a/filebeat/docs/modules/mysqlenterprise.asciidoc b/filebeat/docs/modules/mysqlenterprise.asciidoc new file mode 100644 index 000000000000..a7bc62f3f54e --- /dev/null +++ b/filebeat/docs/modules/mysqlenterprise.asciidoc 
@@ -0,0 +1,81 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-mysqlenterprise]] +[role="xpack"] + +:modulename: mysqlenterprise +:has-dashboards: false + + +== MySQL Enterprise module +beta[] + +This is a module for different types of MySQL logs. Currently focusing on data from the MySQL Enterprise Audit Plugin in JSON format. + +To configure the the Enterprise Audit Plugin to output in JSON format please follow the directions in the https://dev.mysql.com/doc/refman/8.0/en/audit-log-file-formats.html[MySQL Documentation.] + + +include::../include/gs-link.asciidoc[] + + +[float] +=== Compatibility + +This module has been tested against MySQL Enterprise 5.7.x and 8.0.x + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: audit + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `audit` fileset settings + +Example config: + +[source,yaml] +---- +- module: mysqlenterprise + audit: + var.input: file + var.paths: /home/user/mysqlauditlogs/audit.*.log +---- + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[mysqlenterprise-audit]`. 
+ +[float] +==== MySQL Enterprise ECS Fields + +MySQL Enterprise Audit fields are mapped to ECS in the following way: + +[options="header"] +|============================================================== +| MySQL Enterprise Fields | ECS Fields | +| account.user | server.user.name | +| account.host | client.domain | +| login.os | client.user.name | +| login.ip | client.ip | +| startup_data.os_version | host.os.full | +| startup_data.args | process.args | +| connection_attributes._pid | process.pid | +| timestamp | @timestamp | +|============================================================== + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index d3a02fee8629..b0b123a54062 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -40,6 +40,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -109,6 +110,7 @@ include::modules/misp.asciidoc[] include::modules/mongodb.asciidoc[] include::modules/mssql.asciidoc[] include::modules/mysql.asciidoc[] +include::modules/mysqlenterprise.asciidoc[] include::modules/nats.asciidoc[] include::modules/netflow.asciidoc[] include::modules/netscout.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 64c3406ba1b2..b13271ff0293 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -1340,6 +1340,19 @@ filebeat.modules: # can be added under this section. #input: +#--------------------------- MySQL Enterprise Module --------------------------- +- module: mysqlenterprise + audit: + enabled: true + + # Sets the input type. Currently only supports file + #var.input: file + + # Set paths for the log files when file input is used. + # Should only be used together with file input + # var.paths: + # - /home/user/mysqlauditlogs/audit.*.log + #--------------------------------- NATS Module --------------------------------- - module: nats # All logs diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 48ff49e7aa93..086e96d2de26 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -39,6 +39,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/microsoft" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/misp" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/mssql" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/mysqlenterprise" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/netflow" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/netscout" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/o365" diff --git a/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml b/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml new file mode 100644 index 000000000000..a4350a0ac608 --- /dev/null +++ b/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml @@ -0,0 +1,11 @@ +- module: mysqlenterprise + audit: + enabled: true + + # Sets the input type. Currently only supports file + #var.input: file + + # Set paths for the log files when file input is used. + # Should only be used together with file input + # var.paths: + # - /home/user/mysqlauditlogs/audit.*.log diff --git a/x-pack/filebeat/module/mysqlenterprise/_meta/docs.asciidoc b/x-pack/filebeat/module/mysqlenterprise/_meta/docs.asciidoc new file mode 100644 index 000000000000..64aad8e92bbf 
--- /dev/null +++ b/x-pack/filebeat/module/mysqlenterprise/_meta/docs.asciidoc @@ -0,0 +1,68 @@ +[role="xpack"] + +:modulename: mysqlenterprise +:has-dashboards: false + + +== MySQL Enterprise module +beta[] + +This is a module for different types of MySQL logs. Currently focusing on data from the MySQL Enterprise Audit Plugin in JSON format. + +To configure the the Enterprise Audit Plugin to output in JSON format please follow the directions in the https://dev.mysql.com/doc/refman/8.0/en/audit-log-file-formats.html[MySQL Documentation.] + + +include::../include/gs-link.asciidoc[] + + +[float] +=== Compatibility + +This module has been tested against MySQL Enterprise 5.7.x and 8.0.x + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: audit + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `audit` fileset settings + +Example config: + +[source,yaml] +---- +- module: mysqlenterprise + audit: + var.input: file + var.paths: /home/user/mysqlauditlogs/audit.*.log +---- + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[mysqlenterprise-audit]`. + +[float] +==== MySQL Enterprise ECS Fields + +MySQL Enterprise Audit fields are mapped to ECS in the following way: + +[options="header"] +|============================================================== +| MySQL Enterprise Fields | ECS Fields | +| account.user | server.user.name | +| account.host | client.domain | +| login.os | client.user.name | +| login.ip | client.ip | +| startup_data.os_version | host.os.full | +| startup_data.args | process.args | +| connection_attributes._pid | process.pid | +| timestamp | @timestamp | +|============================================================== + +:modulename!: 
diff --git a/x-pack/filebeat/module/mysqlenterprise/_meta/fields.yml b/x-pack/filebeat/module/mysqlenterprise/_meta/fields.yml new file mode 100644 index 000000000000..b65680853f83 --- /dev/null +++ b/x-pack/filebeat/module/mysqlenterprise/_meta/fields.yml @@ -0,0 +1,10 @@ +- key: mysqlenterprise + title: MySQL Enterprise + description: > + MySQL Enterprise Audit module + fields: + - name: mysqlenterprise + type: group + description: > + Fields from MySQL Enterprise Logs + fields: diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/_meta/fields.yml b/x-pack/filebeat/module/mysqlenterprise/audit/_meta/fields.yml new file mode 100644 index 000000000000..dc7b74a40626 --- /dev/null +++ b/x-pack/filebeat/module/mysqlenterprise/audit/_meta/fields.yml 
@@ -0,0 +1,121 @@ +- name: audit + type: group + release: beta + default_field: false + description: > + Module for parsing MySQL Enterprise Audit Logs + fields: + - name: class + type: keyword + description: > + A string representing the event class. The class defines the type of event, when taken together with the event item that specifies the event subclass. + + - name: connection_id + type: keyword + description: > + An integer representing the client connection identifier. This is the same as the value returned by the CONNECTION_ID() function within the session. + + - name: id + type: keyword + description: > + An unsigned integer representing an event ID. + + - name: connection_data.connection_type + type: keyword + description: > + The security state of the connection to the server. Permitted values are tcp/ip (TCP/IP connection established without encryption), ssl (TCP/IP connection established with encryption), socket (Unix socket file connection), named_pipe (Windows named pipe connection), and shared_memory (Windows shared memory connection). + + - name: connection_data.status + type: long + description: > + An integer representing the command status: 0 for success, nonzero if an error occurred. + + - name: connection_data.db + type: keyword + description: > + A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database. + + - name: connection_data.connection_attributes + type: flattened + description: > + Connection attributes that might be passed by different MySQL Clients. + + - name: general_data.command + type: keyword + description: > + A string representing the type of instruction that generated the audit event, such as a command that the server received from a client. + + - name: general_data.sql_command + type: keyword + description: > + A string that indicates the SQL statement type. 
+ + - name: general_data.query + type: keyword + description: > + A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion. + + - name: general_data.status + type: long + description: > + An integer representing the command status: 0 for success, nonzero if an error occurred. This is the same as the value of the mysql_errno() C API function. + + - name: login.user + type: keyword + description: > + A string representing the information indicating how a client connected to the server. + + - name: login.proxy + type: keyword + description: > + A string representing the proxy user. The value is empty if user proxying is not in effect. + + - name: shutdown_data.server_id + type: keyword + description: > + An integer representing the server ID. This is the same as the value of the server_id system variable. + + - name: startup_data.server_id + type: keyword + description: > + An integer representing the server ID. This is the same as the value of the server_id system variable. + + - name: startup_data.mysql_version + type: keyword + description: > + An integer representing the server ID. This is the same as the value of the server_id system variable. + + - name: table_access_data.db + type: keyword + description: > + A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database. + + - name: table_access_data.table + type: keyword + description: > + A string representing a table name. + + - name: table_access_data.query + type: keyword + description: > + A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion. 
+ + - name: table_access_data.sql_command + type: keyword + description: > + A string that indicates the SQL statement type. + + - name: account.user + type: keyword + description: > + A string representing the user that the server authenticated the client as. This is the user name that the server uses for privilege checking. + + - name: account.host + type: keyword + description: > + A string representing the client host name. + + - name: login.os + type: keyword + description: > + A string representing the external user name used during the authentication process, as set by the plugin used to authenticate the client. diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml b/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml new file mode 100644 index 000000000000..ec1ee8b09035 --- /dev/null +++ b/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml @@ -0,0 +1,16 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_locale: ~ + - add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/ingest/pipeline.yml b/x-pack/filebeat/module/mysqlenterprise/audit/ingest/pipeline.yml new file mode 100644 index 000000000000..477b948a074d --- /dev/null +++ b/x-pack/filebeat/module/mysqlenterprise/audit/ingest/pipeline.yml 
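Review bot: The description of `startup_data.mysql_version` is a copy of the `server_id` text ("An integer representing the server ID. This is the same as the value of the server_id system variable.") and should describe the version instead, e.g. `A string representing the MySQL server version.`; the generated fields.asciidoc in this commit repeats the same text. `general_data.query` and `table_access_data.query` are `keyword` fields holding full statement text, so if the template applies the usual Beats `ignore_above: 1024` default (outside this chunk), long statements will be stored but not searchable, which the description should say. The same query text is kept verbatim, and the test fixture shows a failed `GRANT ... IDENTIFIED BY 'password'` with the literal secret in it, so the description should state that the value is not redacted so operators can apply field-level access control or a drop/redact step at ingest.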
@@ -0,0 +1,161 @@ +description: Pipeline for parsing MySQL Enterprise Audit logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- json: + field: message + target_field: mysqlenterprise.audit +- set: + field: event.kind + value: event +- append: + field: event.category + value: database +- append: + field: event.category + value: network + if: ctx?.mysqlenterprise?.audit?.event == 'connect' +- append: + field: event.category + value: iam + if: '["create_user", "delete_user", "grant", "flush_privileges"].contains(ctx.mysqlenterprise.audit?.general_data?.sql_command)' +- append: + field: event.type + value: access + if: ctx?.mysqlenterprise?.audit?.class != 'audit' +- append: + field: event.type + value: connection + if: ctx?.mysqlenterprise?.audit?.class != 'audit' +- append: + field: event.type + value: start + if: ctx?.mysqlenterprise?.audit?.event == 'connect' +- append: + field: event.type + value: end + if: ctx?.mysqlenterprise?.audit?.event == 'disconnect' +- set: + field: event.outcome + value: success + if: ctx?.mysqlenterprise?.audit?.connection_data?.status != null && ctx?.mysqlenterprise?.audit?.connection_data?.status == 0 || ctx?.mysqlenterprise?.audit?.general_data?.status != null && ctx?.mysqlenterprise?.audit?.general_data?.status == 0 +- set: + field: event.outcome + value: failure + if: ctx?.mysqlenterprise?.audit?.connection_data?.status != null && ctx?.mysqlenterprise?.audit?.connection_data?.status > 0 || ctx?.mysqlenterprise?.audit?.general_data?.status != null && ctx?.mysqlenterprise?.audit?.general_data?.status > 0 +- set: + field: event.outcome + value: unknown + if: ctx?.event?.outcome == null +- set: + field: event.action + value: mysql-{{ mysqlenterprise.audit.event }} + if: ctx?.mysqlenterprise?.audit?.event != null +- script: + lang: painless + if: ctx?.mysqlenterprise?.audit != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if 
(x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v instanceof String && v.isEmpty() == true); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); +- rename: + field: mysqlenterprise.audit.account.user + target_field: server.user.name + ignore_missing: true +- rename: + field: mysqlenterprise.audit.account.host + target_field: client.domain + ignore_missing: true +- rename: + field: mysqlenterprise.audit.login.os + target_field: client.user.name + ignore_missing: true +- rename: + field: mysqlenterprise.audit.login.ip + target_field: client.ip + ignore_missing: true +- rename: + field: mysqlenterprise.audit.startup_data.os_version + target_field: host.os.full + ignore_missing: true +- rename: + field: mysqlenterprise.audit.startup_data.mysql_version + target_field: service.version + ignore_missing: true +- rename: + field: mysqlenterprise.audit.startup_data.server_id + target_field: service.id + ignore_missing: true +- rename: + field: mysqlenterprise.audit.startup_data.args + target_field: process.args + ignore_missing: true +- set: + field: process.name + value: mysqld +- join: + field: process.args + target_field: process.command_line + separator: " " + ignore_failure: true +- script: + lang: painless + if: ctx?.process?.args != null + source: | + ctx.process.args_count = ctx.process.args.length; + if (ctx.process.args.length > 0) { + ctx.process.executable = ctx.process.args[0]; + } + +# Attributes starting with _ is only supported by MySQL 8.0.19 and above. 
+- convert: + field: mysqlenterprise.audit.connection_data.connection_attributes._pid + target_field: process.pid + type: long + ignore_missing: true +- append: + field: related.user + value: '{{server.user.name}}' + if: ctx?.server?.user?.name != null +- append: + field: related.user + value: '{{client.user.name}}' + if: ctx?.client?.user?.name != null +- append: + field: related.ip + value: '{{client.ip}}' + if: ctx?.client?.ip != null +- date: + field: mysqlenterprise.audit.timestamp + formats: + - YYYY-MM-DD HH:mm:ss + if: ctx?.mysqlenterprise?.audit?.timestamp != null +- remove: + field: + - message + - mysqlenterprise.audit.event + - mysqlenterprise.audit.timestamp + - mysqlenterprise.audit.connection_data.connection_attributes._pid + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/manifest.yml b/x-pack/filebeat/module/mysqlenterprise/audit/manifest.yml new file mode 100644 index 000000000000..e6341e1da266 --- /dev/null +++ b/x-pack/filebeat/module/mysqlenterprise/audit/manifest.yml @@ -0,0 +1,11 @@ +module_version: 1.0 + +var: + - name: tags + default: [mysqlenterprise-audit] + - name: input + default: file + +ingest_pipeline: + - ingest/pipeline.yml +input: config/config.yml diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log new file mode 100644 index 000000000000..2bf3e31f37b9 --- /dev/null +++ b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log 
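Review bot: The date processor format `YYYY-MM-DD HH:mm:ss` uses the week-based-year (`Y`) and day-of-year (`D`) pattern letters, so a value such as `2020-10-19 19:21:33` is not parsed as the 19th of October; the intended pattern is `yyyy-MM-dd HH:mm:ss`. The expected-output fixture that would show how this currently resolves is outside this chunk, so the exact effect is unverified here. The `event.type` `connection` append uses the same `class != 'audit'` condition as the `access` append, which tags every general and table_access query as a connection event as well; `if: ctx?.mysqlenterprise?.audit?.class == 'connection'` looks like the intent. The iam category list hard-codes `delete_user` and has no entry for drop-user, alter-user, revoke or set-password statements — confirm the list against the plugin's actual sql_command values, since a privilege change that lands without the `iam` category is exactly what a detection on this module would miss.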
@@ -0,0 +1,31 @@ +{ "timestamp": "2020-10-19 19:21:33", "id": 0, "class": "audit", "event": "startup", "connection_id": 0, "account": { "user": "skip-grants user", "host": "" }, "login": { "user": "", "os": "", "ip": "", "proxy": "" }, "startup_data": { "server_id": 1, "os_version": "x86_64-Linux", "mysql_version": "8.0.22-commercial", "args": ["/usr/local/mysql/bin/mysqld", "--loose-audit-log-format=JSON", "--log-error=log.err", "--pid-file=mysqld.pid", "--port=3306" ] } }, +{ "timestamp": "2020-10-19 19:25:51", "id": 0, "class": "connection", "event": "connect", "connection_id": 13, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "connection_data": { "connection_type": "socket", "status": 0, "db": "", "connection_attributes": { "_pid": "33038", "_platform": "x86_64", "_os": "Linux", "_client_name": "libmysql", "os_user": "root", "_client_version": "8.0.22" } } }, +{ "timestamp": "2020-10-19 19:25:51", "id": 1, "class": "general", "event": "status", "connection_id": 13, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "select", "query": "select @@version_comment limit 1", "status": 0 } }, +{ "timestamp": "2020-10-19 19:25:52", "id": 0, "class": "connection", "event": "disconnect", "connection_id": 13, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "connection_data": { "connection_type": "socket" } }, +{ "timestamp": "2020-10-19 19:27:45", "id": 0, "class": "connection", "event": "connect", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "connection_data": { "connection_type": "socket", "status": 0, "db": "", "connection_attributes": { "_pid": "33197", "_platform": "x86_64", "_os": "Linux", "_client_name": "libmysql", "os_user": 
"root", "_client_version": "8.0.22" } } }, +{ "timestamp": "2020-10-19 19:27:45", "id": 1, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "select", "query": "select @@version_comment limit 1", "status": 0 } }, +{ "timestamp": "2020-10-19 19:27:50", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password'", "status": 1064 } }, +{ "timestamp": "2020-10-19 19:28:04", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password'", "status": 1064 } }, +{ "timestamp": "2020-10-19 19:28:27", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'root'@'hades.home' IDENTIFIED BY 'password'", "status": 1064 } }, +{ "timestamp": "2020-10-19 19:28:54", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%'", "status": 1410 } }, +{ "timestamp": "2020-10-19 19:29:36", "id": 0, "class": "general", "event": "status", 
"connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "create_user", "query": "CREATE USER 'audit_test_user'@'localhost' IDENTIFIED BY ", "status": 1396 } },
+{ "timestamp": "2020-10-19 19:30:00", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "create_user", "query": "CREATE USER 'audit_test_user2'@'hades.home' IDENTIFIED BY ", "status": 0 } },
+{ "timestamp": "2020-10-19 19:30:18", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO ‘audit_test_user2’@’hades.home’", "status": 1410 } },
+{ "timestamp": "2020-10-19 19:30:32", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user'@'hades.home'", "status": 1410 } },
+{ "timestamp": "2020-10-19 19:30:49", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user'@'hades.home'", "status": 1410 } },
+{ "timestamp": "2020-10-19 19:31:01", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user2'@'hades.home'", "status": 0 } },
+{ "timestamp": "2020-10-19 19:31:25", "id": 0, "class": "connection", "event": "connect", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "connection_data": { "connection_type": "ssl", "status": 0, "db": "", "connection_attributes": { "_os": "Linux", "_client_name": "libmysql", "_pid": "394499", "_client_version": "5.7.30", "_platform": "x86_64" } } },
+{ "timestamp": "2020-10-19 19:31:25", "id": 1, "class": "general", "event": "status", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "select", "query": "select @@version_comment limit 1", "status": 0 } },
+{ "timestamp": "2020-10-19 19:31:31", "id": 0, "class": "general", "event": "status", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "create_db", "query": "create database audit_test", "status": 0 } },
+{ "timestamp": "2020-10-19 19:31:40", "id": 0, "class": "general", "event": "status", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "select", "query": "SELECT DATABASE()", "status": 0 } },
+{ "timestamp": "2020-10-19 19:31:40", "id": 1, "class": "general", "event": "status", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "general_data": { "command": "Init DB", "sql_command": "error", "status": 0 } },
+{ "timestamp": "2020-10-19 19:31:40", "id": 2, "class": "general", "event": "status", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "show_databases", "query": "show databases", "status": 0 } },
+{ "timestamp": "2020-10-19 19:31:40", "id": 3, "class": "general", "event": "status", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "show_tables", "query": "show tables", "status": 0 } },
+{ "timestamp": "2020-10-19 19:31:47", "id": 0, "class": "general", "event": "status", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "create_table", "query": "CREATE TABLE audit_test_table (firstname VARCHAR(20), lastname VARCHAR(20))", "status": 0 } },
+{ "timestamp": "2020-10-19 19:31:57", "id": 0, "class": "table_access", "event": "insert", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "table_access_data": { "db": "audit_test", "table": "audit_test_table", "query": "INSERT INTO audit_test_table values ('John', 'Smith')", "sql_command": "insert" } },
+{ "timestamp": "2020-10-19 19:31:57", "id": 1, "class": "general", "event": "status", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "insert", "query": "INSERT INTO audit_test_table values ('John', 'Smith')", "status": 0 } },
+{ "timestamp": "2020-10-19 19:32:05", "id": 0, "class": "table_access", "event": "read", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "table_access_data": { "db": "audit_test", "table": "audit_test_table", "query": "select * from audit_test_table", "sql_command": "select" } },
+{ "timestamp": "2020-10-19 19:32:05", "id": 1, "class": "general", "event": "status", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "select", "query": "select * from audit_test_table", "status": 0 } },
+{ "timestamp": "2020-10-19 19:32:10", "id": 0, "class": "connection", "event": "disconnect", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "connection_data": { "connection_type": "ssl" } },
+{ "timestamp": "2020-10-19 19:32:12", "id": 0, "class": "connection", "event": "disconnect", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "connection_data": { "connection_type": "socket" } },
+{ "timestamp": "2020-10-19 19:32:16", "id": 0, "class": "audit", "event": "shutdown", "connection_id": 0, "shutdown_data": { "server_id": 1 } }
diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json
new file mode 100644
index 000000000000..69a8bbc4e90d
--- /dev/null
+++ b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json 
@@ -0,0 +1,1211 @@ +[ + { + "@timestamp": "2020-10-01T19:21:33.000Z", + "event.action": "mysql-startup", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "unknown", + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.os.full": "x86_64-Linux", + "input.type": "log", + "log.offset": 0, + "mysqlenterprise.audit.class": "audit", + "mysqlenterprise.audit.connection_id": 0, + "mysqlenterprise.audit.id": 0, + "process.args": [ + "/usr/local/mysql/bin/mysqld", + "--loose-audit-log-format=JSON", + "--log-error=log.err", + "--pid-file=mysqld.pid", + "--port=3306" + ], + "process.args_count": 5, + "process.command_line": "/usr/local/mysql/bin/mysqld --loose-audit-log-format=JSON --log-error=log.err --pid-file=mysqld.pid --port=3306", + "process.executable": "/usr/local/mysql/bin/mysqld", + "process.name": "mysqld", + "related.user": [ + "skip-grants user" + ], + "server.user.name": "skip-grants user", + "service.id": 1, + "service.type": "mysqlenterprise", + "service.version": "8.0.22-commercial", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:25:51.000Z", + "client.domain": "localhost", + "event.action": "mysql-connect", + "event.category": [ + "database", + "network" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection", + "start" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 462, + "mysqlenterprise.audit.class": "connection", + "mysqlenterprise.audit.connection_data.connection_attributes._client_name": "libmysql", + "mysqlenterprise.audit.connection_data.connection_attributes._client_version": "8.0.22", + "mysqlenterprise.audit.connection_data.connection_attributes._os": "Linux", + 
"mysqlenterprise.audit.connection_data.connection_attributes._platform": "x86_64", + "mysqlenterprise.audit.connection_data.connection_attributes.os_user": "root", + "mysqlenterprise.audit.connection_data.connection_type": "socket", + "mysqlenterprise.audit.connection_data.status": 0, + "mysqlenterprise.audit.connection_id": 13, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "process.pid": 33038, + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:25:51.000Z", + "client.domain": "localhost", + "event.action": "mysql-status", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 925, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 13, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "select @@version_comment limit 1", + "mysqlenterprise.audit.general_data.sql_command": "select", + "mysqlenterprise.audit.general_data.status": 0, + "mysqlenterprise.audit.id": 1, + "mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:25:52.000Z", + "client.domain": "localhost", + "event.action": "mysql-disconnect", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "unknown", + "event.timezone": "-02:00", + "event.type": [ + "access", 
+ "connection", + "end" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 1271, + "mysqlenterprise.audit.class": "connection", + "mysqlenterprise.audit.connection_data.connection_type": "socket", + "mysqlenterprise.audit.connection_id": 13, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:27:45.000Z", + "client.domain": "localhost", + "event.action": "mysql-connect", + "event.category": [ + "database", + "network" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection", + "start" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 1553, + "mysqlenterprise.audit.class": "connection", + "mysqlenterprise.audit.connection_data.connection_attributes._client_name": "libmysql", + "mysqlenterprise.audit.connection_data.connection_attributes._client_version": "8.0.22", + "mysqlenterprise.audit.connection_data.connection_attributes._os": "Linux", + "mysqlenterprise.audit.connection_data.connection_attributes._platform": "x86_64", + "mysqlenterprise.audit.connection_data.connection_attributes.os_user": "root", + "mysqlenterprise.audit.connection_data.connection_type": "socket", + "mysqlenterprise.audit.connection_data.status": 0, + "mysqlenterprise.audit.connection_id": 15, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "process.pid": 33197, + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:27:45.000Z", + "client.domain": "localhost", + "event.action": 
"mysql-status", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 2016, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 15, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "select @@version_comment limit 1", + "mysqlenterprise.audit.general_data.sql_command": "select", + "mysqlenterprise.audit.general_data.status": 0, + "mysqlenterprise.audit.id": 1, + "mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:27:50.000Z", + "client.domain": "localhost", + "event.action": "mysql-status", + "event.category": [ + "database", + "iam" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "failure", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 2362, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 15, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password'", + "mysqlenterprise.audit.general_data.sql_command": "grant", + "mysqlenterprise.audit.general_data.status": 1064, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + 
"mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:28:04.000Z", + "client.domain": "localhost", + "event.action": "mysql-status", + "event.category": [ + "database", + "iam" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "failure", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 2744, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 15, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password'", + "mysqlenterprise.audit.general_data.sql_command": "grant", + "mysqlenterprise.audit.general_data.status": 1064, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:28:27.000Z", + "client.domain": "localhost", + "event.action": "mysql-status", + "event.category": [ + "database", + "iam" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "failure", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 3126, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 15, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "GRANT ALL PRIVILEGES ON *.* TO 'root'@'hades.home' IDENTIFIED BY 'password'", + "mysqlenterprise.audit.general_data.sql_command": "grant", + "mysqlenterprise.audit.general_data.status": 1064, + "mysqlenterprise.audit.id": 0, + 
"mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:28:54.000Z", + "client.domain": "localhost", + "event.action": "mysql-status", + "event.category": [ + "database", + "iam" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "failure", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 3517, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 15, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%'", + "mysqlenterprise.audit.general_data.sql_command": "grant", + "mysqlenterprise.audit.general_data.status": 1410, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:29:36.000Z", + "client.domain": "localhost", + "event.action": "mysql-status", + "event.category": [ + "database", + "iam" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "failure", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 3874, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 15, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "CREATE USER 'audit_test_user'@'localhost' IDENTIFIED BY ", + 
"mysqlenterprise.audit.general_data.sql_command": "create_user", + "mysqlenterprise.audit.general_data.status": 1396, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:30:00.000Z", + "client.domain": "localhost", + "event.action": "mysql-status", + "event.category": [ + "database", + "iam" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 4260, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 15, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "CREATE USER 'audit_test_user2'@'hades.home' IDENTIFIED BY ", + "mysqlenterprise.audit.general_data.sql_command": "create_user", + "mysqlenterprise.audit.general_data.status": 0, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:30:18.000Z", + "client.domain": "localhost", + "event.action": "mysql-status", + "event.category": [ + "database", + "iam" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "failure", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 4645, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 15, + 
"mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "GRANT ALL PRIVILEGES ON *.* TO \u2018audit_test_user2\u2019@\u2019hades.home\u2019", + "mysqlenterprise.audit.general_data.sql_command": "grant", + "mysqlenterprise.audit.general_data.status": 1410, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:30:32.000Z", + "client.domain": "localhost", + "event.action": "mysql-status", + "event.category": [ + "database", + "iam" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "failure", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 5031, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 15, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user'@'hades.home'", + "mysqlenterprise.audit.general_data.sql_command": "grant", + "mysqlenterprise.audit.general_data.status": 1410, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:30:49.000Z", + "client.domain": "localhost", + "event.action": "mysql-status", + "event.category": [ + "database", + "iam" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "failure", + "event.timezone": "-02:00", + "event.type": [ + "access", + 
"connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 5408, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 15, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user'@'hades.home'", + "mysqlenterprise.audit.general_data.sql_command": "grant", + "mysqlenterprise.audit.general_data.status": 1410, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:31:01.000Z", + "client.domain": "localhost", + "event.action": "mysql-status", + "event.category": [ + "database", + "iam" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 5785, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 15, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user2'@'hades.home'", + "mysqlenterprise.audit.general_data.sql_command": "grant", + "mysqlenterprise.audit.general_data.status": 0, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "root", + "process.name": "mysqld", + "related.user": [ + "root" + ], + "server.user.name": "root", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:31:25.000Z", + "client.domain": "hades.home", + "client.ip": "192.168.2.5", + "event.action": "mysql-connect", + "event.category": [ + "database", + "network" + ], + 
"event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection", + "start" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 6160, + "mysqlenterprise.audit.class": "connection", + "mysqlenterprise.audit.connection_data.connection_attributes._client_name": "libmysql", + "mysqlenterprise.audit.connection_data.connection_attributes._client_version": "5.7.30", + "mysqlenterprise.audit.connection_data.connection_attributes._os": "Linux", + "mysqlenterprise.audit.connection_data.connection_attributes._platform": "x86_64", + "mysqlenterprise.audit.connection_data.connection_type": "ssl", + "mysqlenterprise.audit.connection_data.status": 0, + "mysqlenterprise.audit.connection_id": 16, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "audit_test_user2", + "process.name": "mysqld", + "process.pid": 394499, + "related.ip": [ + "192.168.2.5" + ], + "related.user": [ + "audit_test_user2" + ], + "server.user.name": "audit_test_user2", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:31:25.000Z", + "client.domain": "hades.home", + "client.ip": "192.168.2.5", + "event.action": "mysql-status", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 6638, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 16, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "select @@version_comment limit 1", + "mysqlenterprise.audit.general_data.sql_command": "select", + 
"mysqlenterprise.audit.general_data.status": 0, + "mysqlenterprise.audit.id": 1, + "mysqlenterprise.audit.login.user": "audit_test_user2", + "process.name": "mysqld", + "related.ip": [ + "192.168.2.5" + ], + "related.user": [ + "audit_test_user2" + ], + "server.user.name": "audit_test_user2", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:31:31.000Z", + "client.domain": "hades.home", + "client.ip": "192.168.2.5", + "event.action": "mysql-status", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 7020, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 16, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "create database audit_test", + "mysqlenterprise.audit.general_data.sql_command": "create_db", + "mysqlenterprise.audit.general_data.status": 0, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "audit_test_user2", + "process.name": "mysqld", + "related.ip": [ + "192.168.2.5" + ], + "related.user": [ + "audit_test_user2" + ], + "server.user.name": "audit_test_user2", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:31:40.000Z", + "client.domain": "hades.home", + "client.ip": "192.168.2.5", + "event.action": "mysql-status", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 7399, + 
"mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 16, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "SELECT DATABASE()", + "mysqlenterprise.audit.general_data.sql_command": "select", + "mysqlenterprise.audit.general_data.status": 0, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "audit_test_user2", + "process.name": "mysqld", + "related.ip": [ + "192.168.2.5" + ], + "related.user": [ + "audit_test_user2" + ], + "server.user.name": "audit_test_user2", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:31:40.000Z", + "client.domain": "hades.home", + "client.ip": "192.168.2.5", + "event.action": "mysql-status", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 7766, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 16, + "mysqlenterprise.audit.general_data.command": "Init DB", + "mysqlenterprise.audit.general_data.sql_command": "error", + "mysqlenterprise.audit.general_data.status": 0, + "mysqlenterprise.audit.id": 1, + "mysqlenterprise.audit.login.user": "audit_test_user2", + "process.name": "mysqld", + "related.ip": [ + "192.168.2.5" + ], + "related.user": [ + "audit_test_user2" + ], + "server.user.name": "audit_test_user2", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:31:40.000Z", + "client.domain": "hades.home", + "client.ip": "192.168.2.5", + "event.action": "mysql-status", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": 
"mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 8104, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 16, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "show databases", + "mysqlenterprise.audit.general_data.sql_command": "show_databases", + "mysqlenterprise.audit.general_data.status": 0, + "mysqlenterprise.audit.id": 2, + "mysqlenterprise.audit.login.user": "audit_test_user2", + "process.name": "mysqld", + "related.ip": [ + "192.168.2.5" + ], + "related.user": [ + "audit_test_user2" + ], + "server.user.name": "audit_test_user2", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:31:40.000Z", + "client.domain": "hades.home", + "client.ip": "192.168.2.5", + "event.action": "mysql-status", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 8476, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 16, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "show tables", + "mysqlenterprise.audit.general_data.sql_command": "show_tables", + "mysqlenterprise.audit.general_data.status": 0, + "mysqlenterprise.audit.id": 3, + "mysqlenterprise.audit.login.user": "audit_test_user2", + "process.name": "mysqld", + "related.ip": [ + "192.168.2.5" + ], + "related.user": [ + "audit_test_user2" + ], + "server.user.name": "audit_test_user2", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + 
"@timestamp": "2020-10-01T19:31:47.000Z", + "client.domain": "hades.home", + "client.ip": "192.168.2.5", + "event.action": "mysql-status", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 8842, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 16, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "CREATE TABLE audit_test_table (firstname VARCHAR(20), lastname VARCHAR(20))", + "mysqlenterprise.audit.general_data.sql_command": "create_table", + "mysqlenterprise.audit.general_data.status": 0, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "audit_test_user2", + "process.name": "mysqld", + "related.ip": [ + "192.168.2.5" + ], + "related.user": [ + "audit_test_user2" + ], + "server.user.name": "audit_test_user2", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:31:57.000Z", + "client.domain": "hades.home", + "client.ip": "192.168.2.5", + "event.action": "mysql-insert", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "unknown", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 9273, + "mysqlenterprise.audit.class": "table_access", + "mysqlenterprise.audit.connection_id": 16, + "mysqlenterprise.audit.id": 0, + "mysqlenterprise.audit.login.user": "audit_test_user2", + "mysqlenterprise.audit.table_access_data.db": "audit_test", + "mysqlenterprise.audit.table_access_data.query": "INSERT INTO audit_test_table values 
('John', 'Smith')", + "mysqlenterprise.audit.table_access_data.sql_command": "insert", + "mysqlenterprise.audit.table_access_data.table": "audit_test_table", + "process.name": "mysqld", + "related.ip": [ + "192.168.2.5" + ], + "related.user": [ + "audit_test_user2" + ], + "server.user.name": "audit_test_user2", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:31:57.000Z", + "client.domain": "hades.home", + "client.ip": "192.168.2.5", + "event.action": "mysql-status", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 9702, + "mysqlenterprise.audit.class": "general", + "mysqlenterprise.audit.connection_id": 16, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "INSERT INTO audit_test_table values ('John', 'Smith')", + "mysqlenterprise.audit.general_data.sql_command": "insert", + "mysqlenterprise.audit.general_data.status": 0, + "mysqlenterprise.audit.id": 1, + "mysqlenterprise.audit.login.user": "audit_test_user2", + "process.name": "mysqld", + "related.ip": [ + "192.168.2.5" + ], + "related.user": [ + "audit_test_user2" + ], + "server.user.name": "audit_test_user2", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2020-10-01T19:32:05.000Z", + "client.domain": "hades.home", + "client.ip": "192.168.2.5", + "event.action": "mysql-read", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.outcome": "unknown", + "event.timezone": "-02:00", + "event.type": [ + "access", + "connection" + ], + "fileset.name": "audit", + 
"input.type": "log",
+ "log.offset": 10105,
+ "mysqlenterprise.audit.class": "table_access",
+ "mysqlenterprise.audit.connection_id": 16,
+ "mysqlenterprise.audit.id": 0,
+ "mysqlenterprise.audit.login.user": "audit_test_user2",
+ "mysqlenterprise.audit.table_access_data.db": "audit_test",
+ "mysqlenterprise.audit.table_access_data.query": "select * from audit_test_table",
+ "mysqlenterprise.audit.table_access_data.sql_command": "select",
+ "mysqlenterprise.audit.table_access_data.table": "audit_test_table",
+ "process.name": "mysqld",
+ "related.ip": [
+ "192.168.2.5"
+ ],
+ "related.user": [
+ "audit_test_user2"
+ ],
+ "server.user.name": "audit_test_user2",
+ "service.type": "mysqlenterprise",
+ "tags": [
+ "mysqlenterprise-audit"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-01T19:32:05.000Z",
+ "client.domain": "hades.home",
+ "client.ip": "192.168.2.5",
+ "event.action": "mysql-status",
+ "event.category": [
+ "database"
+ ],
+ "event.dataset": "mysqlenterprise.audit",
+ "event.kind": "event",
+ "event.module": "mysqlenterprise",
+ "event.outcome": "success",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "access",
+ "connection"
+ ],
+ "fileset.name": "audit",
+ "input.type": "log",
+ "log.offset": 10509,
+ "mysqlenterprise.audit.class": "general",
+ "mysqlenterprise.audit.connection_id": 16,
+ "mysqlenterprise.audit.general_data.command": "Query",
+ "mysqlenterprise.audit.general_data.query": "select * from audit_test_table",
+ "mysqlenterprise.audit.general_data.sql_command": "select",
+ "mysqlenterprise.audit.general_data.status": 0,
+ "mysqlenterprise.audit.id": 1,
+ "mysqlenterprise.audit.login.user": "audit_test_user2",
+ "process.name": "mysqld",
+ "related.ip": [
+ "192.168.2.5"
+ ],
+ "related.user": [
+ "audit_test_user2"
+ ],
+ "server.user.name": "audit_test_user2",
+ "service.type": "mysqlenterprise",
+ "tags": [
+ "mysqlenterprise-audit"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-01T19:32:10.000Z",
+ "client.domain": "hades.home",
+ "client.ip": 
"192.168.2.5",
+ "event.action": "mysql-disconnect",
+ "event.category": [
+ "database"
+ ],
+ "event.dataset": "mysqlenterprise.audit",
+ "event.kind": "event",
+ "event.module": "mysqlenterprise",
+ "event.outcome": "unknown",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "access",
+ "connection",
+ "end"
+ ],
+ "fileset.name": "audit",
+ "input.type": "log",
+ "log.offset": 10889,
+ "mysqlenterprise.audit.class": "connection",
+ "mysqlenterprise.audit.connection_data.connection_type": "ssl",
+ "mysqlenterprise.audit.connection_id": 16,
+ "mysqlenterprise.audit.id": 0,
+ "mysqlenterprise.audit.login.user": "audit_test_user2",
+ "process.name": "mysqld",
+ "related.ip": [
+ "192.168.2.5"
+ ],
+ "related.user": [
+ "audit_test_user2"
+ ],
+ "server.user.name": "audit_test_user2",
+ "service.type": "mysqlenterprise",
+ "tags": [
+ "mysqlenterprise-audit"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-01T19:32:12.000Z",
+ "client.domain": "localhost",
+ "event.action": "mysql-disconnect",
+ "event.category": [
+ "database"
+ ],
+ "event.dataset": "mysqlenterprise.audit",
+ "event.kind": "event",
+ "event.module": "mysqlenterprise",
+ "event.outcome": "unknown",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "access",
+ "connection",
+ "end"
+ ],
+ "fileset.name": "audit",
+ "input.type": "log",
+ "log.offset": 11204,
+ "mysqlenterprise.audit.class": "connection",
+ "mysqlenterprise.audit.connection_data.connection_type": "socket",
+ "mysqlenterprise.audit.connection_id": 15,
+ "mysqlenterprise.audit.id": 0,
+ "mysqlenterprise.audit.login.user": "root",
+ "process.name": "mysqld",
+ "related.user": [
+ "root"
+ ],
+ "server.user.name": "root",
+ "service.type": "mysqlenterprise",
+ "tags": [
+ "mysqlenterprise-audit"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-01T19:32:16.000Z",
+ "event.action": "mysql-shutdown",
+ "event.category": [
+ "database"
+ ],
+ "event.dataset": "mysqlenterprise.audit",
+ "event.kind": "event",
+ "event.module": "mysqlenterprise",
+ "event.outcome": 
"unknown",
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "input.type": "log",
+ "log.offset": 11486,
+ "mysqlenterprise.audit.class": "audit",
+ "mysqlenterprise.audit.connection_id": 0,
+ "mysqlenterprise.audit.id": 0,
+ "mysqlenterprise.audit.shutdown_data.server_id": 1,
+ "process.name": "mysqld",
+ "service.type": "mysqlenterprise",
+ "tags": [
+ "mysqlenterprise-audit"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/mysqlenterprise/fields.go b/x-pack/filebeat/module/mysqlenterprise/fields.go
new file mode 100644
index 000000000000..dfc66a5c1cf7
--- /dev/null
+++ b/x-pack/filebeat/module/mysqlenterprise/fields.go
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package mysqlenterprise + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "mysqlenterprise", asset.ModuleFieldsPri, AssetMysqlenterprise); err != nil { + panic(err) + } +} + +// AssetMysqlenterprise returns asset data. +// This is the base64 encoded gzipped contents of module/mysqlenterprise. +func AssetMysqlenterprise() string { + return "eJzsWMGO20YPvucpeNwFnM1/+A+FDwWCTQIskCZbdIMejbFEScRKMwrJsVd9+oIzsldeu1m7TYy2qQ6GNTMckh+H5Dd6Cfc4zKEb5HOLXpF7JsEXAEra4hx+Gn75+T28nc6UKAVTrxT8HH58AQB7q+B1LEmhC2VsTaQibEuZp7UvwbsOD6m0R4ce51BziP04ckCdPe/SllBx6PbVvw+1jCunqqfqnVm4HT2k2B7GFp3gHJaobjJeYuViq4u0+xwq1249+ILNCaqECVSBoXcs5Os/Qm/ixCFHps4UrRPZmdk4dI/DOnD5ZO4L9tnzGkTZLGPsGQW92os2CLhCr1ndFdw1mP8aHORR0hLTC6HKS2ewbtCDunv7DTVqgwxr0mayHSl2oI1TkB4LqmjcKc9KXGZ9WzMPQxC8x8I8WtBTd/8KFB7IK9bI+2AULSU0tpqBSpuuCNnQIQHKnojrEFz+v3JtRGDUyB5LWA5p9Prjhw9vr+9uPn5Y3Ly5uIQq+rylYUU+74IiFPwzQHxl76MXqs3QgzA4P0bp5s3x8SmduqvJuxn49Wy+S0gVkUkHEHWaTmOK12OgNIyI8spidYvckSqWOToCjhG06F9RDxd317evbm6n0ijqli1Jg2WKT4gK6AseklGXMxBpj5F7IhSKe1S4+OTpYfNSUTu1+3KW0CwXPfUIF7+SL8Na8hiksZ21zpcgjWMsFx12gYdHkTwM4/BE6sQwGsDxcOlpg6+/YrKFrkv+JIVz+F8qoRKLAkVm4IP/DTkAVelMMgeGUBSRGcsTXSqX37qSOjBFSyeYTLiCd4GfmjED0k35GLvNVioL2FnChUsA7ImkyUeBP52bTpVpGRUPx7hqnSp6PBGW68eceFSQW0BHdaOwROidSK6PJVUVslWZ3CmvU919riHU6JFdu/EonZ5ztMhN/yMvynEsN+ZZNsiKjC1L/GPTJCUWjfUHtz3mSeKxRAFjgbTCMhMeN/aeUyCQz+3i28GQ7CVfUuF0bN8WqlR/OwudKTnF3M8ReThLvPBBLV7O71qc+U3u1oXzdiSx63W4gvfB15tG0bnBZpSjN8/LLJV1zaCle5xEuw11ruikgm01s2RdszUeDzFRwU93717+ABextw71f1gOBmaPDEXj2BWKnBrFhEhsDGiMU4hViVBZQq+QjyALuyfkn1DLn+FVY6tPl4sFMvtwcQnX8Pr2ZkupnoGkDTX5qyjI5zh95KvAncvsMaePTTVhvU3yTXm2wrFDW4
7xo+fwcJY0SorAYJsmDklOGoulzeVlJkMCPljJAKwqLJ4rZdJELcN6wzoSAGcj+mMNvnlz5OnbmgcyiF1uVo7JGvJzTqpjjf3342NO07FU/bv83GNn3yGv3McgjXx7GLKVCYNTLfyPd5yDd+zj/venp64oQvR6NmqQ+uXTe4CL2tiaYnuRGEmCk92ClqTN8L0toqDk749MK2qxRigaLO7J10ci0ATRcyAwumbqjknmzHjCeT6EPiiyd+0E52jX1TLyZskkVMbueg6Z3joBQd18+OvbWJPPwhp24jvB4OrF7wEAAP//fI8HHA=="
+}
diff --git a/x-pack/filebeat/module/mysqlenterprise/module.yml b/x-pack/filebeat/module/mysqlenterprise/module.yml
new file mode 100644
index 000000000000..ed97d539c095
--- /dev/null
+++ b/x-pack/filebeat/module/mysqlenterprise/module.yml
@@ -0,0 +1 @@
+---
diff --git a/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled b/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled
new file mode 100644
index 000000000000..37e10d0eb734
--- /dev/null
+++ b/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled
@@ -0,0 +1,14 @@
+# Module: mysqlenterprise
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mysqlenterprise.html
+
+- module: mysqlenterprise
+ audit:
+ enabled: true
+
+ # Sets the input type. Currently only supports file
+ #var.input: file
+
+ # Set paths for the log files when file input is used.
+ # Should only be used together with file input
+ # var.paths:
+ # - /home/user/mysqlauditlogs/audit.*.log
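Review bot: The commented-out `#var.input: file` line in the new modules.d template is written without the space after `#` that the neighbouring `# var.paths:` and `# - /home/user/mysqlauditlogs/audit.*.log` lines use, so the two disabled settings read as different kinds of comment; `# var.input: file` keeps them consistent with the rest of the file. The comments also describe `var.paths` only in relation to the file input and never say where the audit log is read from when the variable is left unset, which is the question an operator opening this template will have first; I cannot tell from this diff what the module's manifest defaults to, so a one-line comment above `# var.paths:` naming that default, confirmed against the fileset manifest, would close the gap. The module.yml and generated fields.go hunks on this line need no review.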