Filebeat and fields with dots in name

marcomusso · September 9, 2019, 7:37am

Hi all,

I found that the issue discussed in:

is still relevant in 2019 using the default audit output in JSON (ref: log4j2.properties for Elasticsearch 7.x) which is:

appender.audit_rolling.layout.pattern = {\
                "@timestamp":"%d{ISO8601}"\
                %varsNotEmpty{, "node.name":"%enc{%map{node.name}}{JSON}"}\
                %varsNotEmpty{, "node.id":"%enc{%map{node.id}}{JSON}"}\
                %varsNotEmpty{, "host.name":"%enc{%map{host.name}}{JSON}"}\
                %varsNotEmpty{, "host.ip":"%enc{%map{host.ip}}{JSON}"}\
                %varsNotEmpty{, "event.type":"%enc{%map{event.type}}{JSON}"}\
                %varsNotEmpty{, "event.action":"%enc{%map{event.action}}{JSON}"}\
                %varsNotEmpty{, "user.name":"%enc{%map{user.name}}{JSON}"}\
                %varsNotEmpty{, "user.run_by.name":"%enc{%map{user.run_by.name}}{JSON}"}\
                %varsNotEmpty{, "user.run_as.name":"%enc{%map{user.run_as.name}}{JSON}"}\
                %varsNotEmpty{, "user.realm":"%enc{%map{user.realm}}{JSON}"}\
                %varsNotEmpty{, "user.run_by.realm":"%enc{%map{user.run_by.realm}}{JSON}"}\
                %varsNotEmpty{, "user.run_as.realm":"%enc{%map{user.run_as.realm}}{JSON}"}\
                %varsNotEmpty{, "user.roles":%map{user.roles}}\
                %varsNotEmpty{, "origin.type":"%enc{%map{origin.type}}{JSON}"}\
                %varsNotEmpty{, "origin.address":"%enc{%map{origin.address}}{JSON}"}\
                %varsNotEmpty{, "realm":"%enc{%map{realm}}{JSON}"}\
                %varsNotEmpty{, "url.path":"%enc{%map{url.path}}{JSON}"}\
                %varsNotEmpty{, "url.query":"%enc{%map{url.query}}{JSON}"}\
                %varsNotEmpty{, "request.method":"%enc{%map{request.method}}{JSON}"}\
                %varsNotEmpty{, "request.body":"%enc{%map{request.body}}{JSON}"}\
                %varsNotEmpty{, "request.id":"%enc{%map{request.id}}{JSON}"}\
                %varsNotEmpty{, "action":"%enc{%map{action}}{JSON}"}\
                %varsNotEmpty{, "request.name":"%enc{%map{request.name}}{JSON}"}\
                %varsNotEmpty{, "indices":%map{indices}}\
                %varsNotEmpty{, "opaque_id":"%enc{%map{opaque_id}}{JSON}"}\
                %varsNotEmpty{, "x_forwarded_for":"%enc{%map{x_forwarded_for}}{JSON}"}\
                %varsNotEmpty{, "transport.profile":"%enc{%map{transport.profile}}{JSON}"}\
                %varsNotEmpty{, "rule":"%enc{%map{rule}}{JSON}"}\
                %varsNotEmpty{, "event.category":"%enc{%map{event.category}}{JSON}"}\
                }%n

will generate a document like this:

{"@timestamp":"2019-08-28T07:20:26,164", "node.name":"dev-data-4-instance-1", "node.id":"ZJl7IaozQNSe3bvvfQk2iw", "event.type":"transport", " **event.action** ":"access_granted", " user.name ":"logstash", "user.realm":"native", "user.roles":["logstash"], " origin.type ":"local_node", "origin.address":"10.66.41.223:9301", "request.id":"0OHMnG9GSRWzcAwrCgFDNg", "action":"indices:data/write/bulk[s][r]", "request.name":"BulkShardRequest", "indices":["myindex-7d-2019.08.28"]}

Which is impossible to filter with a valid processor config (tested on 5.x and 6.x) like this:

processors:
      - drop_event:
        when:
          - equals:
            user.name: logstash

or

processors:

- drop_event.when.equals.user.name: 'logstash'

In the end I filtered at the source by putting in elasticsearch.yml:

xpack.security.audit.logfile.events.ignore_filters:
        filter_unwanted_users:
          users = [ ...]

But that of course will need a rolling restart and it's kind of less nice than just use filebeat (of course it has the advantage of not even writing to the disk).

tudor · September 17, 2019, 9:52pm

Hi,

This syntax seemed to work for me in a quick test:

 - drop_event:
     when.equals:
       "user.name": logstash

The quotes make the YAML parser pass that as a single key. Let me know if that doesn't work for you.

marcomusso · September 18, 2019, 7:39am

Thanks for the reply, I'm pretty sure I tried but it's worth retrying again, maybe I used single quotes? Can't remember right now. I'll let you know asap.

marcomusso · September 18, 2019, 8:19am

Well, this doesn't work for me (filebeat-5.6.11):

---
filebeat:
  prospectors:
    - input_type: log
      paths:
        - /var/log/elasticsearch/instance-1/*_audit.json
      encoding: plain
      fields_under_root: false
      document_type: elastic-audit
      scan_frequency: 10s
      harvester_buffer_size: 16384
      max_bytes: 10485760
      processors:
      - drop_event:
        when.equals:
            "user.name": kibana

marcomusso · September 18, 2019, 9:26am

It might also be something related to the puppet module and/or the yaml syntax.
The important thing is that the syntax with double quote is supported and working for you (and possibly for everyone getting here for the same problem).
I'm not sure right now that this is a widespread problem.

marcomusso · September 18, 2019, 2:26pm

We are following up this behavior on a support ticket, will update the discussion with our findings.

system · October 16, 2019, 2:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat issue with json logs from ES audit Beats filebeat	1	439	March 16, 2022
Filebeat 7.9.1 parsing http_json data Beats filebeat	10	1435	October 30, 2020
Filebeat is not sending Json data to Elasticsearch Beats filebeat	5	1746	November 9, 2017
Filebeat issue with "cannot index event - dropping event" Beats beats-module , filebeat	1	689	March 21, 2022
How to send Json logs to Elastic Search using File Beats without extra fields Beats filebeat	5	4016	August 6, 2020

Filebeat and fields with dots in name

Related Topics