Not a new question as I see it as it is tightly related to the previous posts in this thread.
And my bad for being lazy and not formatting the couple lines of code
Assuming you have extracted key_value fields wither with and extractor or in a pipeline rule that is in a previous stage (all rules within a stage generally run synchronously) the field you are looking for in your
when part of your rule would be
auditid_id-auditlog ? It’s not clear.
I have not extracted any fields yet - that’s what I’m trying to achieve with the rule+pipeline combo
So, in essence I have auditd log lines coming in on my beats input / filebeat collector with this config:
# Needed for Graylog
- type: filestream
Here’s an example log entry from the stream that is attached to this Beats input:
First, in GUI:
Here are the contents of the “message” field from above screendump:
type=SYSCALL msg=audit(1659700716.423:14983737): arch=c000003e syscall=41 success=yes exit=14 a0=2 a1=2 a2=0 a3=561ffb9438b0 items=0 ppid=1 pid=593 auid=4294967295 uid=107 gid=112 euid=107 suid=107 fsuid=107 egid=112 sgid=112 fsgid=112 tty=(none) ses=4294967295 comm=“snmpd” exe=“/usr/sbin/snmpd” subj==unconfined key="mdatp"ARCH=x86_64 SYSCALL=socket AUID=“unset” UID=“Debian-snmp” GID=“Debian-snmp” EUID=“Debian-snmp” SUID=“Debian-snmp” FSUID=“Debian-snmp” EGID=“Debian-snmp” SGID=“Debian-snmp” FSGID=“Debian-snmp”
On my mission to break off this entire message into fields I have then created a pipeline, connected it to the stream that receives audit log data from my Beats input, and created just a single rule which is supposed to break up key values into fields and prefix these with “auditd_”.
The rule looks like this:
// extract all key-value from "message" and prefix it with auditd_
As you can see I’ve used the keyword “type” in the has_field condition, as it seems that “type=” is present in the beginning of every auditd log message, but this configuration somehow does not match any messages (throughput=0).
I’ve then done a bit of trial and error and tried to use fields set in the filebeat collector for the has_field condition (have tried id-auditlog, audit_log, audit_log: true) but to no avail.
Any help with getting this thing working would be much appreciated…