JBOSS EAP 6 Admin Audit Logging

josh_jacques · November 2, 2017, 9:43pm

I'm looking for a little help here, who am I kidding, I am looking for a lot of help here and if my inquiry has already been asked, I apologize in advance.

Looking at the following two log entries, I'd like to take some of the values underneath ops to form the actual jboss command that was ran...we'll put that in a separate field titled jboss_command.

Log Entry 1:
2017-11-01 15:44:34 - {
"type" : "core",
"r/o" : false,
"booting" : false,
"version" : "6.4.16.GA",
"user" : "eap-dc",
"domainUUID" : "fa136abb-08fc-4a9d-a488-f059276af9f2",
"access" : "NATIVE",
"remote-address" : "10.1.2.3/10.1.2.3",
"success" : true,
"ops" : [{
"address" : [
{
"core-service" : "management"
},
{
"access" : "audit"
},
{
"logger" : "audit-log"
}
],
"operation" : "write-attribute",
"name" : "log-read-only",
"value" : true,
"operation-headers" : {
"access-mechanism" : "NATIVE",
"domain-uuid" : "fa136abb-08fc-4a9d-a488-f059276af9f2",
"execute-for-coordinator" : true
}
}]
}
For this message, I'd like the jboss_command field to have a value of...
/core-service=management/access=audit/logger=audit-log:write-attribute(name=log-read-only, value=true)

Log Entry 2:
2017-11-01 15:44:57 - {
"type" : "core",
"r/o" : true,
"booting" : false,
"version" : "6.4.16.GA",
"user" : null,
"domainUUID" : null,
"access" : null,
"remote-address" : null,
"success" : true,
"ops" : [{
"operation" : "clean-obsolete-content",
"address" : []
}]
}
The command for this should read...
:clean-obsolete-content

Now I was able to use the grok and json filters to actually consume the data, but now I'm stuck with how can I put it in the format I am requesting. I also know, I don't have a jboss_command field in my examples, but that's only because that's what I'm looking to gather.

Anyhow, any help would be greatly appreciated.

Thanks

warkolm · November 3, 2017, 12:39am

What's the reasoning for this? Why not have these as separate fields?

josh_jacques · November 3, 2017, 1:29pm

Mark,
I don't know if I have a real good reason for this other than it feeling more natural to look at. With the messages in the fashion I'm proposing, this is exactly how the command would look when typed in via the management cli.

Unfortunately, there are not any options to change the format of those logs, so that's what I'm currently stuck working with.

Thanks

warkolm · November 3, 2017, 11:09pm

From an analysis point of view it would make sense to be able to filter on these as individual values, not aggregated. But then is also makes sense to have them aggregated to be more inline with the command. Good thing is you can do both

Ok, so what does that config and output look like now?

josh_jacques · November 6, 2017, 4:06pm

Mark,
I appreciate options.
Here is the logstash config, complete with my commented ramblings...


input {
  beats {
    port => 5044
  }
}

filter {
  # Grab the timestamp and the whole json message and store them in separate fields
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp_tmp} - %{GREEDYDATA:json_message}" }
  }

  # Turn the log_timestamp_tmp into an actual date type and assign it to @log_timestamp
  date {
    match => [ "log_timestamp_tmp", "yyyy-MM-dd HH:mm:ss" ]
    target => "@log_timestamp"
    remove_field => [ "log_timestamp_tmp" ]
  }

  # Suck up the json data in json_message
  json {
    source => "json_message"
    remove_field => [ "json_message" ]
  }

  # Use Standardized field names
  mutate {
    rename => { "type" => "EventType" }
#    rename => { "r/o" => "EventType" }
#    rename => { "booting" => "EventType" }
    rename => { "version" => "DeviceVersion" }
    rename => { "user" => "SourceUserName" }
    rename => { "domainUUID" => "EventExternalId" }
    rename => { "access" => "DeviceVirtualSystem" }
#    rename => { "remote-address" => "SourceIPAddress" }
    rename => { "success" => "DeviceActionResult" }
#    rename => { "ops" => "DeviceAction" }
  }

  # Grab out just one of the two duplicate IP addresses
  grok {
    match => { "remote-address" => "%{IP:SourceIPAddress}" }
    remove_field => [ "remote-address" ]
  }

}

output {
  stdout {
    codec => rubydebug
  }
}

This is what the output of Log Entry 1 (from above) looks like after going through the logstash parsing.


{
                "message" => "2017-11-01 15:44:34 - {\n\"type\" : \"core\",\n\"r/o\" : false,\n\"booting\" : false,\n\"version\" : \"6.4.16.GA\",\n\"user\" : \"eap-dc\",\n\"domainUUID\" : \"fa136abb-08fc-4a9d-a488-f059276af9f2\",\n\"access\" : \"NATIVE\",\n\"remote-address\" : \"10.1.2.3/10.1.2.3\",\n\"success\" : true,\n\"ops\" : [{\n\"address\" : [\n{\n\"core-service\" : \"management\"\n},\n{\n\"access\" : \"audit\"\n},\n{\n\"logger\" : \"audit-log\"\n}\n],\n\"operation\" : \"write-attribute\",\n\"name\" : \"log-read-only\",\n\"value\" : true,\n\"operation-headers\" : {\n\"access-mechanism\" : \"NATIVE\",\n\"domain-uuid\" : \"fa136abb-08fc-4a9d-a488-f059276af9f2\",\n\"execute-for-coordinator\" : true\n}\n}]\n}",
               "@version" => "1",
             "@timestamp" => "2017-11-06T16:03:35.625Z",
                 "source" => "",
                 "offset" => 0,
             "input_type" => "stdin",
                   "beat" => {
            "name" => "adm-d-logstash.domain.com",
        "hostname" => "adm-d-logstash.domain.com",
         "version" => "5.6.3"
    },
                   "host" => "adm-d-logstash.domain.com",
                   "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
         "@log_timestamp" => "2017-11-01T15:44:34.000Z",
                    "r/o" => false,
                "booting" => false,
                    "ops" => [
        [0] {
                      "address" => [
                [0] {
                    "core-service" => "management"
                },
                [1] {
                    "access" => "audit"
                },
                [2] {
                    "logger" => "audit-log"
                }
            ],
                    "operation" => "write-attribute",
                         "name" => "log-read-only",
                        "value" => true,
            "operation-headers" => {
                       "access-mechanism" => "NATIVE",
                            "domain-uuid" => "fa136abb-08fc-4a9d-a488-f059276af9f2",
                "execute-for-coordinator" => true
            }
        }
    ],
              "EventType" => "core",
          "DeviceVersion" => "6.4.16.GA",
         "SourceUserName" => "eap-dc",
        "EventExternalId" => "fa136abb-08fc-4a9d-a488-f059276af9f2",
    "DeviceVirtualSystem" => "NATIVE",
     "DeviceActionResult" => true,
        "SourceIPAddress" => "10.1.2.3"
}

Here is another log entry after it's gone through logstash.


{
                "message" => "2017-10-23 15:12:24 - {\n    \"type\" : \"core\",\n    \"r/o\" : true,\n    \"booting\" : false,\n    \"version\" : \"6.4.16.GA\",\n    \"user\" : \"$local\",\n    \"domainUUID\" : null,\n    \"access\" : \"NATIVE\",\n    \"remote-address\" : \"10.2.3.4/10.2.3.4\",\n    \"success\" : true,\n    \"ops\" : [{\n        \"address\" : [\n            {\n                \"host\" : \"master\"\n            },\n            {\n                \"core-service\" : \"management\"\n            },\n            {\n                \"access\" : \"audit\"\n            },\n            {\n                \"server-logger\" : \"audit-log\"\n            }\n        ],\n        \"operation\" : \"read-operation-description\",\n        \"name\" : \"write-attribute\",\n        \"operation-headers\" : {\n            \"caller-type\" : \"user\",\n            \"access-mechanism\" : \"NATIVE\"\n        }\n    }]\n}",
               "@version" => "1",
             "@timestamp" => "2017-11-06T16:01:54.505Z",
             "input_type" => "stdin",
                   "beat" => {
            "name" => "adm-d-logstash.domain.com",
        "hostname" => "adm-d-logstash.domain.com",
         "version" => "5.6.3"
    },
                 "source" => "",
                 "offset" => 0,
                   "host" => "adm-d-logstash.domain.com",
                   "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
         "@log_timestamp" => "2017-10-23T15:12:24.000Z",
                    "r/o" => true,
                "booting" => false,
                    "ops" => [
        [0] {
                      "address" => [
                [0] {
                    "host" => "master"
                },
                [1] {
                    "core-service" => "management"
                },
                [2] {
                    "access" => "audit"
                },
                [3] {
                    "server-logger" => "audit-log"
                }
            ],
                    "operation" => "read-operation-description",
                         "name" => "write-attribute",
            "operation-headers" => {
                     "caller-type" => "user",
                "access-mechanism" => "NATIVE"
            }
        }
    ],
              "EventType" => "core",
          "DeviceVersion" => "6.4.16.GA",
         "SourceUserName" => "$local",
        "EventExternalId" => nil,
    "DeviceVirtualSystem" => "NATIVE",
     "DeviceActionResult" => true,
        "SourceIPAddress" => "10.2.3.4"
}

Let me know if I missed anything.

Thanks

josh_jacques · November 13, 2017, 2:12pm

I don't want to sound buggy here, but do you have any further ideas for this specific case?

Learning ruby is probably important as I'm thinking a ruby filter will probably need to be used...I just don't know how/where to get started.

Thanks

warkolm · November 14, 2017, 5:09am

Now you need to do an add_field within you configuration and create these merged fields.

Something like;

add_field  => {
      "jboss_command" => "%{[address][host]}/%{[address][core-service]}"
}

And so on.

josh_jacques · November 14, 2017, 6:29pm

With most logs, your sample above would make complete sense, but with the following, I'm still struggling to wrap my head around it.


           "ops" => [
        [0] {
                      "address" => [
                [0] {
                    "core-service" => "management"
                },
                [1] {
                    "access" => "audit"
                },
                [2] {
                    "logger" => "audit-log"
                }
            ],
                    "operation" => "write-attribute",
                         "name" => "log-read-only",
                        "value" => true,
            "operation-headers" => {
                       "access-mechanism" => "NATIVE",
                            "domain-uuid" => "fa136abb-08fc-4a9d-a488-f059276af9f2",
                "execute-for-coordinator" => true
            }
        }
    ],

This is a snippet of what is being returned after being parsed by logstash.

I don't understand, based on your sample above, how I can utilize that with this returned data. Would I use something like...

 %{[ops][0][address][0]}

At this point, I'm not sure how to "loop" through all of the field names and their values to string together the appropriate command.

Thanks again

warkolm · November 14, 2017, 7:54pm

It should be just %{[ops][address]}, the [0] is added by the rubydebug codec to make it easier to see the values in an array.

So take that and then use it with the add_field example above

system · December 12, 2017, 7:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.