When using the Logstash output, only limited information is sent. Any other output: no problem

If I use auditbeat (I guess it is the same with the other beats) and configure the elasticsearch or file output, I see all the information I need.
In this example I modify /etc/sudoers' attributes, then I modify it, and then I modify its attributes again. This is what I see if the file output is configured:

{"@timestamp":"2021-09-08T15:11:28.412Z","@metadata":{"beat":"auditbeat","type":"_doc","version":"7.14.0"},"event":{"dataset":"file","category":["file"],"type":["change"],"action":["attributes_modified"],"kind":"event","module":"file_integrity"},"service":{"type":"file_integrity"},"file":{"ctime":"2021-09-08T15:11:28.408Z","mode":"0640","group":"root","path":"/etc/sudoers","inode":"3163160","size":3269,"type":"file","uid":"0","owner":"root","hash":{"sha1":"b5ec859e00290bc0ff3ca12d6c5828382f22b5dd"},"mtime":"2021-09-08T15:09:56.780Z","gid":"0"},"hash":{"sha1":"b5ec859e00290bc0ff3ca12d6c5828382f22b5dd"},"tags":["akainix","linux"],"ecs":{"version":"1.10.0"},"host":{"name":"pruebasuse.novalocal"},"agent":{"type":"auditbeat","version":"7.14.0","hostname":"pruebasuse.novalocal","ephemeral_id":"7023cb1c-274f-46d0-8d7c-96a5a8e5b6b7","id":"ecc5d2d3-e5a2-4c8f-ad6c-9e97599ab0b0","name":"pruebasuse.novalocal"}}
{"@timestamp":"2021-09-08T15:11:28.412Z","@metadata":{"beat":"auditbeat","type":"_doc","version":"7.14.0"},"file":{"gid":"0","mode":"0640","group":"root","uid":"0","owner":"root","path":"/etc/sudoers","mtime":"2021-09-08T15:11:28.408Z","type":"file","inode":"3163160","hash":{"sha1":"b5ec859e00290bc0ff3ca12d6c5828382f22b5dd"},"ctime":"2021-09-08T15:11:28.408Z","size":3269},"hash":{"sha1":"b5ec859e00290bc0ff3ca12d6c5828382f22b5dd"},"tags":["akainix","linux"],"ecs":{"version":"1.10.0"},"host":{"name":"pruebasuse.novalocal"},"agent":{"ephemeral_id":"7023cb1c-274f-46d0-8d7c-96a5a8e5b6b7","id":"ecc5d2d3-e5a2-4c8f-ad6c-9e97599ab0b0","name":"pruebasuse.novalocal","type":"auditbeat","version":"7.14.0","hostname":"pruebasuse.novalocal"},"event":{"kind":"event","category":["file"],"type":["change"],"module":"file_integrity","dataset":"file","action":["attributes_modified"]},"service":{"type":"file_integrity"}}
{"@timestamp":"2021-09-08T15:11:28.413Z","@metadata":{"beat":"auditbeat","type":"_doc","version":"7.14.0"},"host":{"name":"pruebasuse.novalocal"},"agent":{"hostname":"pruebasuse.novalocal","ephemeral_id":"7023cb1c-274f-46d0-8d7c-96a5a8e5b6b7","id":"ecc5d2d3-e5a2-4c8f-ad6c-9e97599ab0b0","name":"pruebasuse.novalocal","type":"auditbeat","version":"7.14.0"},"hash":{"sha1":"b5ec859e00290bc0ff3ca12d6c5828382f22b5dd"},"event":{"kind":"event","module":"file_integrity","dataset":"file","category":["file"],"type":["change"],"action":["attributes_modified"]},"service":{"type":"file_integrity"},"file":{"type":"file","uid":"0","owner":"root","path":"/etc/sudoers","mode":"0440","group":"root","hash":{"sha1":"b5ec859e00290bc0ff3ca12d6c5828382f22b5dd"},"mtime":"2021-09-08T15:11:28.408Z","ctime":"2021-09-08T15:11:28.412Z","size":3269,"gid":"0","inode":"3163160"},"tags":["akainix","linux"],"ecs":{"version":"1.10.0"}}

If I configure Logstash as the output, this is what I get:

2021-09-08T15:09:56.780Z {name=pruebasuse.novalocal} %{message}
2021-09-08T15:09:56.780Z {name=pruebasuse.novalocal} %{message}
2021-09-08T15:09:56.781Z {name=pruebasuse.novalocal} %{message}

Configuration in auditbeat (relevant part):

output.logstash:
  hosts: ["172.16.233.64:5045"]

And the input part of Logstash's configuration:

input
{
	beats { port => 5045  }
}

I'm using logstash and auditbeat 7.14.

What's the output config of your Logstash that gives this?

This is it:

output
{
	if [agent][type] == "auditbeat" or [agent][type] == "winlogbeat" or [agent][type] == "metricbeat"
	{
---
		else if "XXXXXXXX" in [tags]
		{
			file { path => "/...path.../%{[agent][type]}/%{[host][name]}.json" codec => "line" }
		}
	}
}

Maybe you need the whole configuration of auditbeat:

auditbeat.modules:
- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
- module: system
  datasets:
  - host
  - login
  - process
  - user
  state.period: 12h
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*
tags: ["XXXXXXX"]
output.logstash:
  hosts: ["_logstash_ip_:5045"]

I also have to note this: some events are logged correctly, like logons and so on. This is what the file written by Logstash looks like:

2021-09-10T12:37:43.994Z {name=pruebasuse.novalocal} Login by user root (UID: 0) on pts/1 (PID: 16694) from 172.16.233.64 (IP: 172.16.233.64)
2021-09-10T12:37:45.252Z {name=pruebasuse.novalocal} Process bash (PID: 16694) by user root STARTED
2021-09-10T12:37:45.252Z {name=pruebasuse.novalocal} Process sshd (PID: 16692) by user root STARTED
2021-09-10T12:40:35.088Z {name=pruebasuse.novalocal} %{message}
2021-09-10T12:40:35.088Z {name=pruebasuse.novalocal} %{message}

The ones that contain stuff like an administrator running an elevated-privileges command appear with "%{message}".

Try using the json_lines codec here and see if that makes a difference.

Nope... same thing. I also tried with no explicit codec... no difference.

2021-09-10T14:58:55.877Z {name=pruebasuse.novalocal} %{message}
2021-09-10T14:58:55.878Z {name=pruebasuse.novalocal} %{message}
2021-09-10T14:58:55.877Z {name=pruebasuse.novalocal} %{message}

Try removing the codec from the file output; this will make Logstash write the entire event in JSON format.

This way it will be possible to see if the event has the message field or not, as the presence of %{message} could indicate that the message field does not exist in that event.

Many of Auditbeat's events do not have a message. Only a few of the system module datasets create a message describing what happened, but the auditd and FIM datasets have no message.
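To make the diagnosis in the two replies above concrete, here is an added example (not Logstash's code and not from anyone in this thread) that emulates in Python how the `line` codec renders an event, compared with writing the same event as JSON. The two sample events are constructed from fields visible in the posted output; the `{name=...}` host rendering, the literal `%{message}` left for a missing field, and the nested `[agent][type]` field references are re-implemented from the behaviour shown in the thread rather than copied from Logstash, and the `/var/log/beats/...` path is a placeholder for the elided path in the posted config.

```python
"""Emulate Logstash's `line` codec versus a JSON codec on two Auditbeat-like
events, to show why a file_integrity event is written as a literal
"%{message}". Added example: simplified re-implementation, not Logstash code."""
import json
import re

# Constructed sample events modelled on the fields in the thread's output.
FIM_EVENT = {
    "@timestamp": "2021-09-08T15:11:28.412Z",
    "host": {"name": "pruebasuse.novalocal"},
    "agent": {"type": "auditbeat", "version": "7.14.0"},
    "event": {"module": "file_integrity", "dataset": "file",
              "action": ["attributes_modified"]},
    "file": {"path": "/etc/sudoers", "mode": "0640", "owner": "root"},
    "tags": ["akainix", "linux"],
    # note: no "message" field, like the real FIM and auditd events
}

LOGIN_EVENT = {
    "@timestamp": "2021-09-10T12:37:43.994Z",
    "host": {"name": "pruebasuse.novalocal"},
    "agent": {"type": "auditbeat", "version": "7.14.0"},
    "event": {"module": "system", "dataset": "login"},
    "message": ("Login by user root (UID: 0) on pts/1 (PID: 16694) "
                "from 172.16.233.64 (IP: 172.16.233.64)"),
}

_FIELD_REF = re.compile(r"%\{([^}]+)\}")


def get_field(event, ref):
    """Resolve a Logstash-style field reference such as 'message' or
    '[agent][type]'. Returns None when any element of the path is missing."""
    parts = re.findall(r"\[([^\]]+)\]", ref) if ref.startswith("[") else [ref]
    cur = event
    for part in parts:
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def sprintf(event, fmt):
    """Expand %{...} references. An unresolvable reference is left as its
    literal text, which is exactly the "%{message}" the thread sees."""
    def repl(match):
        value = get_field(event, match.group(1))
        return match.group(0) if value is None else str(value)
    return _FIELD_REF.sub(repl, fmt)


def render_host(host):
    """A structured host object is printed Java-Map style: {name=...}."""
    if isinstance(host, dict):
        return "{" + ", ".join(f"{k}={v}" for k, v in host.items()) + "}"
    return str(host)


def line_codec(event):
    """`codec => "line"` with no explicit format: timestamp, host, message.
    Everything else in the event (file.path, file.mode, ...) is dropped."""
    host = event.get("host")
    return " ".join([
        event["@timestamp"],
        "%{host}" if host is None else render_host(host),
        sprintf(event, "%{message}"),
    ])


def json_codec(event):
    """No codec / json_lines: the whole event is serialised, so the FIM
    fields survive even though there is no message."""
    return json.dumps(event, sort_keys=True)


def file_output_path(event, pattern="/var/log/beats/%{[agent][type]}/%{[host][name]}.json"):
    """The file output's `path` is sprintf-expanded the same way; the
    directory prefix is a placeholder for the thread's elided path."""
    return sprintf(event, pattern)


if __name__ == "__main__":
    for ev in (LOGIN_EVENT, FIM_EVENT):
        print(line_codec(ev))
    print(json_codec(FIM_EVENT))
    print(file_output_path(FIM_EVENT))
```

Running it prints the login event as readable text and the FIM event as `... {name=pruebasuse.novalocal} %{message}`, reproducing the thread's symptom from the same event that the JSON rendering shows in full; the fix is therefore in the codec, not in what Auditbeat sends.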

I'd agree with this, but as you can see in the original post, I show the same event with two outputs: with file (and the same with elasticsearch as the output) you can see the modification of the file's attributes. With Logstash, doing the same (modifying /etc/sudoers), it doesn't show anything, just the "%{message}" thing.

I already tried that. Same result.

If you removed the codec option from the file output, then your output will be a JSON document. If it is not a JSON document, then something could be wrong in your configuration.

How are you running logstash? Are you running it as a service or using the command line? Are you pointing to config files or directory with multiple config files?

Can you share your full pipeline configuration?

You are totally right. I just did it again... and it worked fine. I would swear I did it without the codec, but I guess I was wrong.
I took off the codec part and that did the trick.
Thank you very much for your help!
