diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 1cd8999245b8..f494dd0eaf7c 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -157,6 +157,7 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d *Filebeat* +- Adding Saved Object name field to Kibana audit logs {pull}38307[38307] - Update SQL input documentation regarding Oracle DSNs {pull}37590[37590] - add documentation for decode_xml_wineventlog processor field mappings. {pull}32456[32456] - httpjson input: Add request tracing logger. {issue}32402[32402] {pull}32412[32412] diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index ddc887d246f2..4cf4b99b5e74 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -86793,6 +86793,17 @@ example: 6295bdd0-0a0e-11e7-825f-6748cda7d858 -- +*`kibana.saved_object.name`*:: ++ +-- +The name of the saved object associated with this event. + +type: keyword + +example: my-saved-object + +-- + *`kibana.add_to_spaces`*:: + -- diff --git a/filebeat/module/kibana/_meta/fields.yml b/filebeat/module/kibana/_meta/fields.yml index d4e664ade58d..aed9252122c8 100644 --- a/filebeat/module/kibana/_meta/fields.yml +++ b/filebeat/module/kibana/_meta/fields.yml @@ -27,6 +27,10 @@ description: "The id of the saved object associated with this event." example: "6295bdd0-0a0e-11e7-825f-6748cda7d858" type: keyword + - name: saved_object.name + description: "The name of the saved object associated with this event." + example: "my-saved-object" + type: keyword - name: add_to_spaces description: "The set of space ids that a saved object was shared to." example: "['default', 'marketing']" diff --git a/filebeat/module/kibana/audit/test/test-audit-814.log b/filebeat/module/kibana/audit/test/test-audit-814.log new file mode 100644 index 000000000000..97127ddcbf0e --- /dev/null +++ b/filebeat/module/kibana/audit/test/test-audit-814.log 
@@ -0,0 +1,5 @@
+{"event":{"action":"saved_object_create","category":["database"],"outcome":"unknown","type":["access"]},"kibana":{"saved_object":{"id":"fleet-default-settings","type":"ingest_manager_settings"}},"labels":{"application":"elastic/fleet"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T15:18:47.298+00:00","message":"User is accessing ingest_manager_settings [id=fleet-default-settings]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"trace":{"id":"809d3449277aba205a3ac539d23dbf7e"},"transaction":{"id":"49a38064b0f1dc1e"}}
+{"event":{"action":"saved_object_create","category":["database"],"outcome":"unknown","type":["access"]},"kibana":{"saved_object":{"id":"a09a5397-7b9a-5a73-a622-e29f4c635658","type":"ingest-outputs"}},"labels":{"application":"elastic/fleet"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T15:18:48.987+00:00","message":"User is accessing ingest-outputs [id=a09a5397-7b9a-5a73-a622-e29f4c635658]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"trace":{"id":"809d3449277aba205a3ac539d23dbf7e"},"transaction":{"id":"49a38064b0f1dc1e"}}
+{"event":{"action":"saved_object_create","category":["database"],"outcome":"unknown","type":["access"]},"kibana":{"saved_object":{"id":"synthetics","type":"epm-packages"}},"labels":{"application":"elastic/fleet"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T15:18:53.426+00:00","message":"User is accessing epm-packages [id=synthetics]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"trace":{"id":"809d3449277aba205a3ac539d23dbf7e"},"transaction":{"id":"49a38064b0f1dc1e"}}
+{"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"kibana","path":"/api/features","port":5601,"scheme":"http"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"},"trace":{"id":"e2792f3f-4cf1-4f6d-b4eb-5b491724c295"},"client":{"ip":"172.22.0.2"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T15:19:18.882+00:00","message":"User is requesting [/api/features] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"transaction":{"id":"cf44f52888b9ec5a"}}
+{"event":{"action":"saved_object_create","category":["database"],"outcome":"unknown","type":["access"]},"kibana":{"saved_object":{"id":"abcde-fghijk","type":"ingest_manager_settings","name":"fleet-object-name"}},"labels":{"application":"elastic/fleet"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-06-19T16:18:47.298+00:00","message":"User is accessing ingest_manager_settings [id=fleet-default-settings]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"trace":{"id":"809d3449277aba205a3ac539d23dbf7e"},"transaction":{"id":"49a38064b0f1dc1e"}}
diff --git a/filebeat/module/kibana/audit/test/test-audit-814.log-expected.json b/filebeat/module/kibana/audit/test/test-audit-814.log-expected.json
new file mode 100644
index 000000000000..9ab233fea606
--- /dev/null
+++ b/filebeat/module/kibana/audit/test/test-audit-814.log-expected.json
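Review bot: The fifth fixture line, the only one that carries `kibana.saved_object.name`, has `"id":"abcde-fghijk"` but its `message` still reads `[id=fleet-default-settings]`, copied from the first line, so the sample no longer describes the event it claims to and a reader comparing message against id when triaging could take the mismatch for a parsing defect. Suggest `"message":"User is accessing ingest_manager_settings [id=abcde-fghijk]"` here, with the matching `message` value updated in test-audit-814.log-expected.json. The file name suggests a Kibana 8.14 sample while every line carries `"ecs":{"version":"8.6.1"}`; if this line was hand-edited from an older capture rather than taken from an 8.14 instance, it is worth saying so in the PR so the fixture is not mistaken for real 8.14 output.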
@@ -0,0 +1,171 @@
+[
+ {
+ "@timestamp": "2023-06-19T15:18:47.298+00:00",
+ "event.action": "saved_object_create",
+ "event.category": [
+ "database"
+ ],
+ "event.dataset": "kibana.audit",
+ "event.kind": "event",
+ "event.module": "kibana",
+ "event.outcome": "unknown",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "access"
+ ],
+ "fileset.name": "audit",
+ "input.type": "log",
+ "kibana.saved_object.id": "fleet-default-settings",
+ "kibana.saved_object.type": "ingest_manager_settings",
+ "labels.application": "elastic/fleet",
+ "log.level": "INFO",
+ "log.logger": "plugins.security.audit.ecs",
+ "log.offset": 0,
+ "message": "User is accessing ingest_manager_settings [id=fleet-default-settings]",
+ "process.pid": 7,
+ "service.node.roles": [
+ "background_tasks",
+ "ui"
+ ],
+ "service.type": "kibana",
+ "trace.id": "809d3449277aba205a3ac539d23dbf7e",
+ "transaction.id": "49a38064b0f1dc1e"
+ },
+ {
+ "@timestamp": "2023-06-19T15:18:48.987+00:00",
+ "event.action": "saved_object_create",
+ "event.category": [
+ "database"
+ ],
+ "event.dataset": "kibana.audit",
+ "event.kind": "event",
+ "event.module": "kibana",
+ "event.outcome": "unknown",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "access"
+ ],
+ "fileset.name": "audit",
+ "input.type": "log",
+ "kibana.saved_object.id": "a09a5397-7b9a-5a73-a622-e29f4c635658",
+ "kibana.saved_object.type": "ingest-outputs",
+ "labels.application": "elastic/fleet",
+ "log.level": "INFO",
+ "log.logger": "plugins.security.audit.ecs",
+ "log.offset": 616,
+ "message": "User is accessing ingest-outputs [id=a09a5397-7b9a-5a73-a622-e29f4c635658]",
+ "process.pid": 7,
+ "service.node.roles": [
+ "background_tasks",
+ "ui"
+ ],
+ "service.type": "kibana",
+ "trace.id": "809d3449277aba205a3ac539d23dbf7e",
+ "transaction.id": "49a38064b0f1dc1e"
+ },
+ {
+ "@timestamp": "2023-06-19T15:18:53.426+00:00",
+ "event.action": "saved_object_create",
+ "event.category": [
+ "database"
+ ],
+ "event.dataset": "kibana.audit",
+ "event.kind": "event",
+ "event.module": "kibana",
+ "event.outcome": "unknown",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "access"
+ ],
+ "fileset.name": "audit",
+ "input.type": "log",
+ "kibana.saved_object.id": "synthetics",
+ "kibana.saved_object.type": "epm-packages",
+ "labels.application": "elastic/fleet",
+ "log.level": "INFO",
+ "log.logger": "plugins.security.audit.ecs",
+ "log.offset": 1242,
+ "message": "User is accessing epm-packages [id=synthetics]",
+ "process.pid": 7,
+ "service.node.roles": [
+ "background_tasks",
+ "ui"
+ ],
+ "service.type": "kibana",
+ "trace.id": "809d3449277aba205a3ac539d23dbf7e",
+ "transaction.id": "49a38064b0f1dc1e"
+ },
+ {
+ "@timestamp": "2023-06-19T15:19:18.882+00:00",
+ "client.ip": "172.22.0.2",
+ "event.action": "http_request",
+ "event.category": [
+ "web"
+ ],
+ "event.dataset": "kibana.audit",
+ "event.kind": "event",
+ "event.module": "kibana",
+ "event.outcome": "unknown",
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "http.request.method": "get",
+ "input.type": "log",
+ "kibana.space_id": "default",
+ "log.level": "INFO",
+ "log.logger": "plugins.security.audit.ecs",
+ "log.offset": 1812,
+ "message": "User is requesting [/api/features] endpoint",
+ "process.pid": 7,
+ "related.user": [
+ "elastic"
+ ],
+ "service.node.roles": [
+ "background_tasks",
+ "ui"
+ ],
+ "service.type": "kibana",
+ "trace.id": "e2792f3f-4cf1-4f6d-b4eb-5b491724c295",
+ "transaction.id": "cf44f52888b9ec5a",
+ "url.domain": "kibana",
+ "url.path": "/api/features",
+ "url.port": 5601,
+ "url.scheme": "http",
+ "user.name": "elastic",
+ "user.roles": [
+ "superuser"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-19T16:18:47.298+00:00",
+ "event.action": "saved_object_create",
+ "event.category": [
+ "database"
+ ],
+ "event.dataset": "kibana.audit",
+ "event.kind": "event",
+ "event.module": "kibana",
+ "event.outcome": "unknown",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "access"
+ ],
+ "fileset.name": "audit",
+ "input.type": "log",
+ "kibana.saved_object.id": "abcde-fghijk",
+ "kibana.saved_object.type": "ingest_manager_settings",
+ "kibana.saved_object.name": "fleet-object-name",
+ "labels.application": "elastic/fleet",
+ "log.level": "INFO",
+ "log.logger": "plugins.security.audit.ecs",
+ "log.offset": 2466,
+ "message": "User is accessing ingest_manager_settings [id=fleet-default-settings]",
+ "process.pid": 7,
+ "service.node.roles": [
+ "background_tasks",
+ "ui"
+ ],
+ "service.type": "kibana",
+ "trace.id": "809d3449277aba205a3ac539d23dbf7e",
+ "transaction.id": "49a38064b0f1dc1e"
+ }
+]
diff --git a/filebeat/module/kibana/fields.go b/filebeat/module/kibana/fields.go
index 504d1f6283ec..fce968bbf78d 100644
--- a/filebeat/module/kibana/fields.go
+++ b/filebeat/module/kibana/fields.go
@@ -32,5 +32,5 @@ func init() {
 // AssetKibana returns asset data.
 // This is the base64 encoded zlib format compressed contents of module/kibana.
 func AssetKibana() string {
- return "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"
+ return "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"
 }