Add Saved Object name to Kibana audit logging (#38307)

* Initial commit to add name to beats * adding PR * Output from go/mage commands? * changing test data * updating log offset * log offset of last event --------- Co-authored-by: Milton Hultgren <[email protected]> Co-authored-by: sharbuz <[email protected]>
elastic · Mar 19, 2024 · 51fb8b2 · 51fb8b2
1 parent c29075e
commit 51fb8b2
Show file tree

Hide file tree

Showing 6 changed files with 193 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -157,6 +157,7 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d
 
 *Filebeat*
 
+- Adding Saved Object name field to Kibana audit logs {pull}38307[38307]
 - Update SQL input documentation regarding Oracle DSNs {pull}37590[37590]
 - add documentation for decode_xml_wineventlog processor field mappings.  {pull}32456[32456]
 - httpjson input: Add request tracing logger. {issue}32402[32402] {pull}32412[32412]

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -86793,6 +86793,17 @@ example: 6295bdd0-0a0e-11e7-825f-6748cda7d858
 
 --
 
+*`kibana.saved_object.name`*::
++
+--
+The name of the saved object associated with this event.
+
+type: keyword
+
+example: my-saved-object
+
+--
+
 *`kibana.add_to_spaces`*::
 +
 --

diff --git a/filebeat/module/kibana/_meta/fields.yml b/filebeat/module/kibana/_meta/fields.yml
@@ -27,6 +27,10 @@
           description: "The id of the saved object associated with this event."
           example: "6295bdd0-0a0e-11e7-825f-6748cda7d858"
           type: keyword
+        - name: saved_object.name
+          description: "The name of the saved object associated with this event."
+          example: "my-saved-object"
+          type: keyword
         - name: add_to_spaces
           description: "The set of space ids that a saved object was shared to."
           example: "['default', 'marketing']"

diff --git a/filebeat/module/kibana/audit/test/test-audit-814.log b/filebeat/module/kibana/audit/test/test-audit-814.log
@@ -0,0 +1,5 @@
+{"event":{"action":"saved_object_create","category":["database"],"outcome":"unknown","type":["access"]},"kibana":{"saved_object":{"id":"fleet-default-settings","type":"ingest_manager_settings"}},"labels":{"application":"elastic/fleet"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T15:18:47.298+00:00","message":"User is accessing ingest_manager_settings [id=fleet-default-settings]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"trace":{"id":"809d3449277aba205a3ac539d23dbf7e"},"transaction":{"id":"49a38064b0f1dc1e"}}
+{"event":{"action":"saved_object_create","category":["database"],"outcome":"unknown","type":["access"]},"kibana":{"saved_object":{"id":"a09a5397-7b9a-5a73-a622-e29f4c635658","type":"ingest-outputs"}},"labels":{"application":"elastic/fleet"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T15:18:48.987+00:00","message":"User is accessing ingest-outputs [id=a09a5397-7b9a-5a73-a622-e29f4c635658]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"trace":{"id":"809d3449277aba205a3ac539d23dbf7e"},"transaction":{"id":"49a38064b0f1dc1e"}}
+{"event":{"action":"saved_object_create","category":["database"],"outcome":"unknown","type":["access"]},"kibana":{"saved_object":{"id":"synthetics","type":"epm-packages"}},"labels":{"application":"elastic/fleet"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T15:18:53.426+00:00","message":"User is accessing epm-packages [id=synthetics]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"trace":{"id":"809d3449277aba205a3ac539d23dbf7e"},"transaction":{"id":"49a38064b0f1dc1e"}}
+{"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"kibana","path":"/api/features","port":5601,"scheme":"http"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"},"trace":{"id":"e2792f3f-4cf1-4f6d-b4eb-5b491724c295"},"client":{"ip":"172.22.0.2"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T15:19:18.882+00:00","message":"User is requesting [/api/features] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"transaction":{"id":"cf44f52888b9ec5a"}}
+{"event":{"action":"saved_object_create","category":["database"],"outcome":"unknown","type":["access"]},"kibana":{"saved_object":{"id":"abcde-fghijk","type":"ingest_manager_settings","name":"fleet-object-name"}},"labels":{"application":"elastic/fleet"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T16:18:47.298+00:00","message":"User is accessing ingest_manager_settings [id=fleet-default-settings]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"trace":{"id":"809d3449277aba205a3ac539d23dbf7e"},"transaction":{"id":"49a38064b0f1dc1e"}}
diff --git a/filebeat/module/kibana/audit/test/test-audit-814.log-expected.json b/filebeat/module/kibana/audit/test/test-audit-814.log-expected.json
@@ -0,0 +1,171 @@
+[
+    {
+        "@timestamp": "2023-06-19T15:18:47.298+00:00",
+        "event.action": "saved_object_create",
+        "event.category": [
+            "database"
+        ],
+        "event.dataset": "kibana.audit",
+        "event.kind": "event",
+        "event.module": "kibana",
+        "event.outcome": "unknown",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "access"
+        ],
+        "fileset.name": "audit",
+        "input.type": "log",
+        "kibana.saved_object.id": "fleet-default-settings",
+        "kibana.saved_object.type": "ingest_manager_settings",
+        "labels.application": "elastic/fleet",
+        "log.level": "INFO",
+        "log.logger": "plugins.security.audit.ecs",
+        "log.offset": 0,
+        "message": "User is accessing ingest_manager_settings [id=fleet-default-settings]",
+        "process.pid": 7,
+        "service.node.roles": [
+            "background_tasks",
+            "ui"
+        ],
+        "service.type": "kibana",
+        "trace.id": "809d3449277aba205a3ac539d23dbf7e",
+        "transaction.id": "49a38064b0f1dc1e"
+    },
+    {
+        "@timestamp": "2023-06-19T15:18:48.987+00:00",
+        "event.action": "saved_object_create",
+        "event.category": [
+            "database"
+        ],
+        "event.dataset": "kibana.audit",
+        "event.kind": "event",
+        "event.module": "kibana",
+        "event.outcome": "unknown",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "access"
+        ],
+        "fileset.name": "audit",
+        "input.type": "log",
+        "kibana.saved_object.id": "a09a5397-7b9a-5a73-a622-e29f4c635658",
+        "kibana.saved_object.type": "ingest-outputs",
+        "labels.application": "elastic/fleet",
+        "log.level": "INFO",
+        "log.logger": "plugins.security.audit.ecs",
+        "log.offset": 616,
+        "message": "User is accessing ingest-outputs [id=a09a5397-7b9a-5a73-a622-e29f4c635658]",
+        "process.pid": 7,
+        "service.node.roles": [
+            "background_tasks",
+            "ui"
+        ],
+        "service.type": "kibana",
+        "trace.id": "809d3449277aba205a3ac539d23dbf7e",
+        "transaction.id": "49a38064b0f1dc1e"
+    },
+    {
+        "@timestamp": "2023-06-19T15:18:53.426+00:00",
+        "event.action": "saved_object_create",
+        "event.category": [
+            "database"
+        ],
+        "event.dataset": "kibana.audit",
+        "event.kind": "event",
+        "event.module": "kibana",
+        "event.outcome": "unknown",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "access"
+        ],
+        "fileset.name": "audit",
+        "input.type": "log",
+        "kibana.saved_object.id": "synthetics",
+        "kibana.saved_object.type": "epm-packages",
+        "labels.application": "elastic/fleet",
+        "log.level": "INFO",
+        "log.logger": "plugins.security.audit.ecs",
+        "log.offset": 1242,
+        "message": "User is accessing epm-packages [id=synthetics]",
+        "process.pid": 7,
+        "service.node.roles": [
+            "background_tasks",
+            "ui"
+        ],
+        "service.type": "kibana",
+        "trace.id": "809d3449277aba205a3ac539d23dbf7e",
+        "transaction.id": "49a38064b0f1dc1e"
+    },
+    {
+        "@timestamp": "2023-06-19T15:19:18.882+00:00",
+        "client.ip": "172.22.0.2",
+        "event.action": "http_request",
+        "event.category": [
+            "web"
+        ],
+        "event.dataset": "kibana.audit",
+        "event.kind": "event",
+        "event.module": "kibana",
+        "event.outcome": "unknown",
+        "event.timezone": "-02:00",
+        "fileset.name": "audit",
+        "http.request.method": "get",
+        "input.type": "log",
+        "kibana.space_id": "default",
+        "log.level": "INFO",
+        "log.logger": "plugins.security.audit.ecs",
+        "log.offset": 1812,
+        "message": "User is requesting [/api/features] endpoint",
+        "process.pid": 7,
+        "related.user": [
+            "elastic"
+        ],
+        "service.node.roles": [
+            "background_tasks",
+            "ui"
+        ],
+        "service.type": "kibana",
+        "trace.id": "e2792f3f-4cf1-4f6d-b4eb-5b491724c295",
+        "transaction.id": "cf44f52888b9ec5a",
+        "url.domain": "kibana",
+        "url.path": "/api/features",
+        "url.port": 5601,
+        "url.scheme": "http",
+        "user.name": "elastic",
+        "user.roles": [
+            "superuser"
+        ]
+    },
+    {
+        "@timestamp": "2023-06-19T16:18:47.298+00:00",
+        "event.action": "saved_object_create",
+        "event.category": [
+            "database"
+        ],
+        "event.dataset": "kibana.audit",
+        "event.kind": "event",
+        "event.module": "kibana",
+        "event.outcome": "unknown",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "access"
+        ],
+        "fileset.name": "audit",
+        "input.type": "log",
+        "kibana.saved_object.id": "abcde-fghijk",
+        "kibana.saved_object.type": "ingest_manager_settings",
+        "kibana.saved_object.name": "fleet-object-name",
+        "labels.application": "elastic/fleet",
+        "log.level": "INFO",
+        "log.logger": "plugins.security.audit.ecs",
+        "log.offset": 2466,
+        "message": "User is accessing ingest_manager_settings [id=fleet-default-settings]",
+        "process.pid": 7,
+        "service.node.roles": [
+            "background_tasks",
+            "ui"
+        ],
+        "service.type": "kibana",
+        "trace.id": "809d3449277aba205a3ac539d23dbf7e",
+        "transaction.id": "49a38064b0f1dc1e"
+    }
+]
diff --git a/filebeat/module/kibana/fields.go b/filebeat/module/kibana/fields.go