Filebeat has a lot of modules and I like it, but I can see that its approach to log parsing is chaotic. Almost all tests I can find for testing ingest pipelines on GitHub are missing examples of messages about successful or failed user authentication, and messages about logout too. However, all applications have such messages, and if Elastic wants its SIEM to be useful, it should be able to recognize these messages and parse them appropriately.
Let’s take the Oracle module for example. If you use Oracle you will not get a SIEM notification that someone is bruteforcing your database, and these messages will not be parsed, tagged or categorized. (Filebeat Oracle ingest pipeline can't parse some messages described in oracle docs · Issue #30975 · elastic/beats · GitHub)
If you think that the Oracle module is an exception, check the Juniper, Postgres or MSSQL module (Filebeat MSSQL ingest pipeline can't parse authentication messages · Issue #31933 · elastic/beats · GitHub)
It seems like the current Filebeat module tests use a bunch of random messages.
Beats tests don’t have information about the application version that has been tested or its compatibility.
“Criticise if you disagree, suggest if you criticise, do/act if you suggest, take responsibility if you do!”
My suggestion is to improve tests and documentation by adding authentication tests and their results.
Module documentation should inform users whether it parses login/failed login/logout actions or not, because it’s the core for SIEM. Also, these message types should be tagged and categorized appropriately (Filebeat module RabbitMQ - add ECS authentication fields for SIEM · Issue #31159 · elastic/beats · GitHub)
IMHO it’s not a big deal to cover authentication messages for popular apps like Jira/Confluence/Gitlab/Jenkins/Nexus/ESXi/vCenter/Asterisk/Zabbix or hardware like Mikrotik/NetApp/PDU/…; at least we made it in one company for all apps and hardware.
We will be glad to share our patterns if someone is willing to help us make Filebeat modules, because we use Logstash.
P.S. When I decided to use the Oracle module I was stunned when I got an error message and discovered that it failed because my date has two digits instead of one like in the tests (Oct 7). Thanks to ishleenk17 this issue has been fixed (Filebeat Oracle ingest pipeline can't parse date if it's represented by two digit month day · Issue #30974 · elastic/beats · GitHub). I’m still wondering how it is possible that for more than one year it hasn’t been discovered.
P.P.S. My respect to the Elastic team and their work! A lot done and more to do.
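As an added illustration of the tagging the post asks for, and of the one-versus-two-digit day problem from the P.S., here is a small Python parser over constructed sample lines. It is not code from Filebeat, Elastic or the author's Logstash patterns; the syslog-like line shape, the `appauth` program name and the message wordings are assumptions. It maps login, failed login and logout to ECS authentication fields and then counts failures per source, which is the aggregation a brute-force detection rule would build on.

```python
import re
from datetime import datetime
# Constructed syslog-like sample lines (not from any real product); the day of month
# is one or two digits, the variation the Oracle module's date parsing tripped on.
SAMPLE_LOGS = [
    "Oct  7 09:12:01 db01 appauth: user alice logged in from 10.0.0.5",
    "Oct 17 09:13:44 db01 appauth: authentication failed for user bob from 10.0.0.9",
    "Oct 17 09:13:52 db01 appauth: authentication failed for user root from 10.0.0.9",
    "Oct 17 09:20:10 db01 appauth: user alice logged out",
]
# Header: month, 1-2 digit day, time, host, program, free-text message.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>\S+): (?P<msg>.*)$"
)
# (message pattern, ECS event.type, ECS event.outcome) for login, failed login, logout.
AUTH_RULES = [
    (re.compile(r"user (?P<user>\S+) logged in from (?P<ip>\S+)"), "start", "success"),
    (re.compile(r"authentication failed for user (?P<user>\S+) from (?P<ip>\S+)"), "start", "failure"),
    (re.compile(r"user (?P<user>\S+) logged out"), "end", "success"),
]

def parse_line(line, year=2022):
    """Parse one line into a flat dict of ECS field names; tag lines the header regex rejects."""
    m = LINE_RE.match(line)
    if not m:
        return {"event.original": line, "tags": ["_grokparsefailure"]}
    # int() accepts "7" and "17" alike; the syslog header carries no year, so one is supplied.
    ts = datetime.strptime(f"{year} {m['month']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S")
    doc = {"@timestamp": ts.isoformat(), "host.name": m["host"],
           "process.name": m["prog"], "message": m["msg"]}
    for rule, etype, outcome in AUTH_RULES:
        a = rule.search(m["msg"])
        if a:
            doc.update({"event.kind": "event", "event.category": ["authentication"],
                        "event.type": [etype], "event.outcome": outcome, "user.name": a["user"]})
            if "ip" in a.groupdict():
                doc["source.ip"] = a["ip"]
            break
    return doc

def failed_logins_by_source(docs):
    """Count failed authentications per source.ip, the aggregation a brute-force SIEM rule keys on."""
    counts = {}
    for d in docs:
        if d.get("event.category") == ["authentication"] and d.get("event.outcome") == "failure":
            ip = d.get("source.ip", "unknown")
            counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Lines that match the header but none of the authentication rules keep only the generic fields, which is exactly the untagged state the post complains about in the Oracle and MSSQL modules.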