Skip to content

[Platform Observability] Create initial PO package for ingesting kibana ECS formatted logs #3622

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 18 commits into from
Jul 26, 2022
Merged

[Platform Observability] Create initial PO package for ingesting kibana ECS formatted logs #3622

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
ba764cb
create package for ingesting kibana ECS formatted logs
crespocarlos Jun 29, 2022
f91647a
changelog fix
crespocarlos Jun 29, 2022
2da545b
update test expected result
crespocarlos Jun 30, 2022
a8e4920
adds a filebeat processor alternative
crespocarlos Jul 4, 2022
b171f93
clean up poc code
crespocarlos Jul 6, 2022
d6cacfd
fix json identation
crespocarlos Jul 6, 2022
a3bd0c0
Align ingest pipeline approach and improve README.md
crespocarlos Jul 12, 2022
6e781a3
Improve README.md; Fix package folder name; Document ECS fields
crespocarlos Jul 14, 2022
0b03ec6
Fix supported kibana version on readme
crespocarlos Jul 18, 2022
33f32eb
Remove experimental attribute from manifest; Fix changelog PR; Fix mi…
crespocarlos Jul 18, 2022
8e47160
Support current and old model for license
crespocarlos Jul 18, 2022
3e74c73
Fix manifest
crespocarlos Jul 18, 2022
14dc44f
Add event.ingested field; Improve Kibana audit fields documentation
crespocarlos Jul 18, 2022
21524e8
Fix pipeline test
crespocarlos Jul 18, 2022
8cb34da
Extract ECS processor into a new file; Fix kibana logo; Add event.* f…
crespocarlos Jul 19, 2022
55c80e8
Simplify ingest pipeline and clean-ups
crespocarlos Jul 20, 2022
5dcc1fe
Fix json format
crespocarlos Jul 20, 2022
27a23aa
Align default log file name with kibana docs
crespocarlos Jul 22, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/CODEOWNERS
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -168,3 +168,4 @@
/packages/zscaler @elastic/security-external-integrations
/packages/zscaler_zia @elastic/security-external-integrations
/packages/zscaler_zpa @elastic/security-external-integrations
/packages/platform_observability @elastic/infra-monitoring-ui
3 changes: 3 additions & 0 deletions packages/platform_observability/_dev/build/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
dependencies:
ecs:
reference: [email protected]
23 changes: 23 additions & 0 deletions packages/platform_observability/_dev/build/docs/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Platform Observability

## Compatibility

This package works with Kibana 8.0.0 and later.

## Kibana logs

The Kibana integration collects logs from [Kibana](https://www.elastic.co/guide/en/kibana/current/introduction.html) instance.

### Logs

#### Audit

Configure `Path` pointing to the location where audit logs will be created, based on the [Kibana Audit logging settings](https://www.elastic.co/guide/en/kibana/current/security-settings-kb.html#audit-logging-settings) in `kibana.yml`

{{fields "kibana_audit"}}

#### Log

Configure `Path` pointing to the location where the logs will be created, based on the [Kibana logging settings](https://www.elastic.co/guide/en/kibana/current/logging-configuration.html#logging-appenders) in `kibana.yml`

{{fields "kibana_log"}}
6 changes: 6 additions & 0 deletions packages/platform_observability/changelog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# newer versions go on top
- version: "0.0.1"
changes:
- description: Initial draft of the package
type: enhancement
link: https://github.com/elastic/integrations/pull/1
1 change: 1 addition & 0 deletions ...form_observability/data_stream/kibana_audit/_dev/test/pipeline/test-kibana-audit-logs.log
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
{"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"localhost","path":"/internal/security/session","port":5601,"scheme":"http"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default","session_id":"ccZ0sbxrmmJwo+/y2Mn1tmGIrKOuZYaF8voUh0SkA/k="},"trace":{"id":"1c8c5808-d2d6-41fc-8cb7-998aa8996be9"},"ecs":{"version":"8.0.0"},"@timestamp":"2022-06-29T12:05:03.742+00:00","message":"User is requesting [/internal/security/session] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"transaction":{"id":"f8863d86567119e6"}}
58 changes: 58 additions & 0 deletions ...lity/data_stream/kibana_audit/_dev/test/pipeline/test-kibana-audit-logs.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
{
"expected": [
{
"@timestamp": "2022-06-29T12:05:03.742+00:00",
"data_stream": {
"dataset": "kibana-audit-log",
"namespace": "platform-observability",
"type": "logs"
},
"ecs": {
"version": "8.0.0"
},
"event": {
"action": "http_request",
"category": [
"web"
],
"dataset": "kibana-audit-log",
"outcome": "unknown"
},
"http": {
"request": {
"method": "get"
}
},
"kibana": {
"session_id": "ccZ0sbxrmmJwo+/y2Mn1tmGIrKOuZYaF8voUh0SkA/k=",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jkakavas this feels like it could be risky to log (from a audit kibana log sample). Do you know if we should chase it down, or with whom? Or maybe if you know it's safe already?

Copy link
Contributor Author

@crespocarlos crespocarlos Jul 21, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why would it be risky in your opinion? By looking at the docs, it seems that it's an id associated with the current login.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, thanks that helps.

At least this is nothing new so if it's an issue we don't have to fix it in this PR.

I just get a little nervous whenever I see a base64 string in a log stream. Too many occasions when they turned out to be access-providing tokens (like JWT). Hopefully this is just an encoded UUID. 😅

"space_id": "default"
},
"log": {
"level": "INFO",
"logger": "plugins.security.audit.ecs"
},
"message": "User is requesting [/internal/security/session] endpoint",
"process": {
"pid": 7
},
"trace": {
"id": "1c8c5808-d2d6-41fc-8cb7-998aa8996be9"
},
"transaction": {
"id": "f8863d86567119e6"
},
"url": {
"domain": "localhost",
"path": "/internal/security/session",
"port": 5601,
"scheme": "http"
},
"user": {
"name": "elastic",
"roles": [
"superuser"
]
}
}
]
}
8 changes: 8 additions & 0 deletions packages/platform_observability/data_stream/kibana_audit/agent/stream/log.yml.hbs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
paths:
{{#each paths}}
- {{this}}
{{/each}}
{{#if processors}}
processors:
{{processors}}
{{/if}}
69 changes: 69 additions & 0 deletions ...platform_observability/data_stream/kibana_audit/elasticsearch/ingest_pipeline/default.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
---
description: Pipeline for parsing Kibana Audit ECS formatted logs
processors:
- remove:
field: data_stream.dataset
ignore_missing: true
- remove:
field: event.dataset
ignore_missing: true
- set:
description: Uses event.dataset as a default for data_stream.dataset if the latter is not set.
field: data_stream.dataset
copy_from: event.dataset
if: ctx.event?.dataset instanceof String && ctx.event.dataset.length() > 1
override: false
- script:
source: |
ctx.data_stream.dataset = /[\/*?"<>|, #:-]/.matcher(ctx.data_stream.dataset).replaceAll('_')
if: ctx.data_stream?.dataset != null
- script:
source: |
ctx.data_stream.namespace = /[\/*?"<>|, #:]/.matcher(ctx.data_stream.namespace).replaceAll('_')
if: ctx.data_stream?.namespace != null
- set:
field: data_stream.type
value: logs
- set:
field: data_stream.dataset
value: kibana-audit-log
override: false
- set:
field: data_stream.namespace
value: platform-observability
override: false
- set:
field: event.dataset
copy_from: data_stream.dataset
- rename:
field: message
target_field: _ecs_json_message
if: |-
def message = ctx.message;
return message != null
&& message.startsWith('{')
&& message.endsWith('}')
&& message.contains('"@timestamp"')
ignore_missing: true
- json:
field: _ecs_json_message
add_to_root: true
add_to_root_conflict_strategy: merge
allow_duplicate_keys: true
if: ctx.containsKey('_ecs_json_message')
on_failure:
- rename:
field: _ecs_json_message
target_field: message
ignore_missing: true
- set:
field: error.message
value: Error while parsing JSON
override: false
- remove:
field: _ecs_json_message
ignore_missing: true
on_failure:
- set:
field: error.message
value: "{{ _ingest.on_failure_message }}"
12 changes: 12 additions & 0 deletions packages/platform_observability/data_stream/kibana_audit/fields/base-fields.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
- name: data_stream.type
type: constant_keyword
description: Data stream type.
- name: data_stream.dataset
type: constant_keyword
description: Data stream dataset.
- name: data_stream.namespace
type: constant_keyword
description: Data stream namespace.
- name: "@timestamp"
type: date
description: Event timestamp.
6 changes: 6 additions & 0 deletions packages/platform_observability/data_stream/kibana_audit/fields/beats.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
- name: kibana.session_id
description: The ID of the user session associated with this event. Each login attempt results in a unique session id
type: keyword
- name: kibana.space_id
description: The id of the space associated with this event.
type: keyword
31 changes: 31 additions & 0 deletions packages/platform_observability/data_stream/kibana_audit/fields/ecs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
# only used for tests
- name: ecs.version
external: ecs
- name: http.request.method
external: ecs
- name: log.level
external: ecs
- name: log.logger
external: ecs
- name: message
external: ecs
- name: process.pid
external: ecs
- name: trace.id
external: ecs
- name: transaction.id
external: ecs
- name: url.domain
external: ecs
- name: url.path
external: ecs
- name: url.port
external: ecs
- name: url.query
external: ecs
- name: url.scheme
external: ecs
- name: user.name
external: ecs
- name: user.roles
external: ecs
17 changes: 17 additions & 0 deletions packages/platform_observability/data_stream/kibana_audit/manifest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
type: logs
title: Platform Observability Kibana audit logs
release: experimental
streams:
- input: logfile
vars:
- name: paths
type: text
title: Paths
multi: true
required: true
show_user: true
default:
- /var/log/kibana/*_audit.json
template_path: log.yml.hbs
title: Kibana audit logs
description: Collect Kibana audit logs
3 changes: 3 additions & 0 deletions ...ges/platform_observability/data_stream/kibana_log/_dev/test/pipeline/test-kibana-logs.log
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{"ecs":{"version":"8.0.0"},"@timestamp":"2022-06-29T11:24:17.898+00:00","message":"Trying to authenticate user request to /login.","log":{"level":"DEBUG","logger":"plugins.security.http"},"process":{"pid":7},"trace":{"id":"e6e1c25936546ec690b11a3b78b2a8db"},"transaction":{"id":"3be6994d7f6d5465"}}
{"http":{"request":{"id":"unknownId","method":"GET"},"response":{"body":{"bytes":118},"status_code":200}},"url":{"path":"/_nodes","query":"filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip"},"ecs":{"version":"8.0.0"},"@timestamp":"2022-07-14T10:35:25.366+00:00","message":"200 - 118.0B\nGET /_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip","log":{"level":"DEBUG","logger":"elasticsearch.query.data"},"process":{"pid":7},"trace":{"id":"0cd8dd5a3483159a43c07e9205432775"},"transaction":{"id":"6301eca88fba8d99"}}
{"_tag":"Right","right":"update_aliases_succeeded","ecs":{"version":"8.0.0"},"@timestamp":"2022-07-04T09:17:38.611+00:00","message":"[.kibana] MARK_VERSION_INDEX_READY RESPONSE","log":{"level":"DEBUG","logger":"savedobjects-service"},"process":{"pid":7},"trace":{"id":"a167d1124764379d4121b357e20baee2"},"transaction":{"id":"14717ae6e3b30d5a"}}
104 changes: 104 additions & 0 deletions ...bservability/data_stream/kibana_log/_dev/test/pipeline/test-kibana-logs.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
{
"expected": [
{
"@timestamp": "2022-06-29T11:24:17.898+00:00",
"data_stream": {
"dataset": "kibana-logs",
"namespace": "platform-observability",
"type": "logs"
},
"ecs": {
"version": "8.0.0"
},
"event": {
"dataset": "kibana-logs"
},
"log": {
"level": "DEBUG",
"logger": "plugins.security.http"
},
"message": "Trying to authenticate user request to /login.",
"process": {
"pid": 7
},
"trace": {
"id": "e6e1c25936546ec690b11a3b78b2a8db"
},
"transaction": {
"id": "3be6994d7f6d5465"
}
},
{
"@timestamp": "2022-07-14T10:35:25.366+00:00",
"data_stream": {
"dataset": "kibana-logs",
"namespace": "platform-observability",
"type": "logs"
},
"ecs": {
"version": "8.0.0"
},
"event": {
"dataset": "kibana-logs"
},
"http": {
"request": {
"id": "unknownId",
"method": "GET"
},
"response": {
"body": {
"bytes": 118
},
"status_code": 200
}
},
"log": {
"level": "DEBUG",
"logger": "elasticsearch.query.data"
},
"message": "200 - 118.0B\nGET /_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip",
"process": {
"pid": 7
},
"trace": {
"id": "0cd8dd5a3483159a43c07e9205432775"
},
"transaction": {
"id": "6301eca88fba8d99"
},
"url": {
"path": "/_nodes",
"query": "filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip"
}
},
{
"@timestamp": "2022-07-04T09:17:38.611+00:00",
"data_stream": {
"dataset": "kibana-logs",
"namespace": "platform-observability",
"type": "logs"
},
"ecs": {
"version": "8.0.0"
},
"event": {
"dataset": "kibana-logs"
},
"log": {
"level": "DEBUG",
"logger": "savedobjects-service"
},
"message": "[.kibana] MARK_VERSION_INDEX_READY RESPONSE",
"process": {
"pid": 7
},
"trace": {
"id": "a167d1124764379d4121b357e20baee2"
},
"transaction": {
"id": "14717ae6e3b30d5a"
}
}
]
}
8 changes: 8 additions & 0 deletions packages/platform_observability/data_stream/kibana_log/agent/stream/log.yml.hbs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
paths:
{{#each paths}}
- {{this}}
{{/each}}
{{#if processors}}
processors:
{{processors}}
{{/if}}
Loading