I have enabled the system module and loaded the ingest pipeline using the filebeat setup command.
The resulting events seem a bit odd to me and I wonder if this is the current normal behaviour of the module, or abnormal behaviour because of misconfiguration on my side.
Here are a few fields from a few documents produced by the filebeat system module from auth.log:
| Time | message | log.file.path | process.name | service.type | fileset.name |
|---|---|---|---|---|---|
| Jul 13, 2020 @ 16:27:12.000 | pam_unix(sudo:session): session closed for user root | /var/log/auth.log | sudo | system | auth |
| Jul 13, 2020 @ 16:27:10.000 | - | /var/log/auth.log | sudo | system | auth |
| Jul 13, 2020 @ 16:27:10.000 | pam_unix(sudo:session): session opened for user root by user(uid=0) | /var/log/auth.log | sudo | system | auth |
| Jul 13, 2020 @ 16:27:06.000 | Connection from ip port 52188 on ip port 22 | /var/log/auth.log | sshd | system | auth |
| Jul 13, 2020 @ 16:27:06.000 | Accepted key RSA key found at /home/user/.ssh/authorized_keys:2 | /var/log/auth.log | sshd | system | auth |
| Jul 13, 2020 @ 16:27:06.000 | - | /var/log/auth.log | sshd | system | auth |
| Jul 13, 2020 @ 16:27:06.000 | Accepted key RSA key found at /home/user/.ssh/authorized_keys:2 | /var/log/auth.log | sshd | system | auth |
| Jul 13, 2020 @ 16:27:06.000 | - | /var/log/auth.log | sshd | system | auth |
-
The first thing that seems odd to me is lines 2 and 6 in my example documents, where the message consists of a dash. It looks like a bug.
-
Also, is it normal that the documents don't parse the logs with more specificity?
For example, when I use the haproxy module, a lot of specific variables are mapped to ES fields, like all the timers, the cookie status and so on.
With system I thought some log variables would be parsed into ES fields, like the IP, the user and the pid for auth.log.
-
I am also missing all sudo lines from auth.log, i.e. lines like:
sudo: user : TTY=pts/1 ; PWD=/home/user ; USER=root ; COMMAND=my_command
I use Filebeat 7.6.2 and ELK 7.6.2, both on Debian 10.
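As an added illustration of the kind of field extraction the question is asking about (this is example code written for this page, not the original poster's and not the Filebeat system module's own ingest pipeline), here is a small Python parser that pulls source IP, PID, user, TTY, PWD, target user and command out of auth.log lines of the shapes quoted above. The sample lines are constructed to follow those shapes; the host name, IP addresses, key fingerprint, PID and command are made up.

```python
import re

# Constructed sample auth.log lines modelled on the events quoted in the post.
# Host, IPs, fingerprint, PID and command are invented for the example.
SAMPLE_AUTH_LOG = """\
Jul 13 16:27:06 host1 sshd[1234]: Connection from 192.0.2.10 port 52188 on 198.51.100.5 port 22
Jul 13 16:27:06 host1 sshd[1234]: Accepted key RSA SHA256:exampleFingerprint found at /home/user/.ssh/authorized_keys:2
Jul 13 16:27:06 host1 sshd[1234]: Accepted publickey for user from 192.0.2.10 port 52188 ssh2: RSA SHA256:exampleFingerprint
Jul 13 16:27:10 host1 sudo:     user : TTY=pts/1 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/my_command --flag
Jul 13 16:27:10 host1 sudo: pam_unix(sudo:session): session opened for user root by user(uid=0)
Jul 13 16:27:12 host1 sudo: pam_unix(sudo:session): session closed for user root
"""

# Syslog-style prefix as rsyslog writes it on Debian: "Mon DD HH:MM:SS host process[pid]: message".
# The [pid] part is optional because sudo and pam_unix lines omit it.
PREFIX_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<process>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# Message-level patterns, one per event shape. Field names are this example's own choice.
MESSAGE_PATTERNS = [
    ("sudo_command", re.compile(
        r"^\s*(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
        r"USER=(?P<target_user>\S+) ; COMMAND=(?P<command>.*)$")),
    ("pam_session", re.compile(
        r"^pam_unix\((?P<pam_service>[^:]+):session\): session (?P<action>opened|closed) "
        r"for user (?P<user>\S+)(?: by (?P<by_user>\S*?)\(uid=(?P<by_uid>\d+)\))?$")),
    ("ssh_connection", re.compile(
        r"^Connection from (?P<src_ip>\S+) port (?P<src_port>\d+) "
        r"on (?P<dst_ip>\S+) port (?P<dst_port>\d+)$")),
    ("ssh_key_match", re.compile(
        r"^Accepted key (?P<key_type>\S+) (?P<fingerprint>\S+) found at "
        r"(?P<authorized_keys_path>[^:]+):(?P<authorized_keys_line>\d+)$")),
    ("ssh_accepted", re.compile(
        r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+) "
        r"ssh2(?:: (?P<key_type>\S+) (?P<fingerprint>\S+))?$")),
]


def parse_line(line):
    """Parse one auth.log line into a flat dict of fields, or None if it has no syslog prefix.

    Lines whose message matches none of the known shapes are kept with event="unparsed"
    and their raw message, so nothing is silently dropped.
    """
    m = PREFIX_RE.match(line.rstrip("\n"))
    if not m:
        return None
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    msg = event["message"]
    for name, pattern in MESSAGE_PATTERNS:
        mm = pattern.match(msg)
        if mm:
            event["event"] = name
            event.update({k: v for k, v in mm.groupdict().items() if v is not None})
            return event
    event["event"] = "unparsed"
    return event


def parse_auth_log(text):
    """Parse every line of an auth.log excerpt, skipping lines without a syslog prefix."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def sudo_commands(events):
    """Return (invoking user, target user, command) for every parsed sudo command line."""
    return [(e["user"], e["target_user"], e["command"])
            for e in events if e["event"] == "sudo_command"]


if __name__ == "__main__":
    for ev in parse_auth_log(SAMPLE_AUTH_LOG):
        print(ev["event"], {k: v for k, v in ev.items() if k not in ("event", "message")})
```

The pam_unix "closed" line carries no "by user(uid=N)" part, so `by_user` and `by_uid` are only present on "opened" events; detection logic that keys on `by_uid` must tolerate its absence.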