Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filebeat auditd ingest pipeline fails at kv processor when field value contains whitespaces #22587

Closed
simioa opened this issue Nov 16, 2020 · 7 comments · Fixed by #34069
Closed

Filebeat auditd ingest pipeline fails at kv processor when field value contains whitespaces #22587

simioa opened this issue Nov 16, 2020 · 7 comments · Fixed by #34069

Comments

@simioa
Copy link
Contributor

simioa commented Nov 16, 2020

  • Version: 7.9.2
  • Operating System: RHEL 7.9

Some auditd messages contain a reason field which contains informations on why a specific event was logged. This field can contain whitespaces. This whitespaces are interpreted by the kv ingest processor as a field split which causes the kv processor to fail.

beats/filebeat/module/auditd/log/ingest/pipeline.yml

Lines 22 to 26 in b6896ee

- kv:
field: auditd.log.kv
field_split: "\\s+"
value_split: "="
target_field: auditd.log

  • Steps to Reproduce:

    • Issue the following request against the pipeline simulation api:
POST _ingest/pipeline/filebeat-7.9.2-auditd-log-pipeline/_simulate
{
  "docs": [
    {
      "_source": {
        "message": "type=ANOM_ABEND msg=audit(1605431420.026:123): auid=12345 uid=123 gid=123 ses=123456789 pid=1234 comm=\"extproc\" reason=\"memory violation\" sig=6"
      }
    }
  ]
}
  • The Ingest pipeline fails because of the "reason" Field with the following error:
...
          "error" : {
            "message" : "field [auditd.log.kv] does not contain value_split [=]"
          }
...
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Nov 16, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Nov 16, 2020
@simioa
Copy link
Contributor Author

simioa commented Nov 18, 2020
edited
Loading

elastic/elasticsearch#31786 looks related.
Using field_split and value_split patterns from elastic/elasticsearch#31786 (comment) seems to work but I only tested it with the message provided in the issue description, I did not test if this works with every other combination of possible messages.

@gyterpena
Copy link

it fails because of space in "reason="memory violation""

@botelastic
Copy link

botelastic bot commented Dec 15, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the Stalled label Dec 15, 2021
@botelastic botelastic bot closed this as completed Jan 14, 2022
@jaijhala jaijhala reopened this Nov 10, 2022
@botelastic botelastic bot removed the Stalled label Nov 10, 2022
@jaijhala
Copy link

I believe this is still an issue. The workaround mentioned here does seem to work but would be good to fix this as part of the auditd integration?

@jamiehynds
Copy link

@efd6 would you mind taking a look at this one when you get a chance? Curious is the workaround mentioned in elastic/elasticsearch#31786 (comment) could be applied to our Auditd pipelines or if the bug within the kb processor needs to be addressed first?

This was referenced Dec 16, 2022
Merged
Merged
@efd6
Copy link
Contributor

efd6 commented Dec 16, 2022

@jamiehynds Fixes for the beats pipeline and the integration pipeline have been sent.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

filebeat/module/auditd: teach kv about quoted spaces efd6/beats
7 participants
@andresrc @elasticmachine @jaijhala @simioa @gyterpena @jamiehynds @efd6