elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Filebeat - Kibana module not parsing the auditlog correctly - missing null safe #26615

Open hungnguyen-elastic opened 3 years ago

hungnguyen-elastic commented 3 years ago


Filebeat Kibana pipeline filebeat-%{agent.version}-kibana-audit-pipeline is not parsing data correctly. Some of the if statements are missing null-safe operators, causing the pipeline to not finish.

Log sample:

{"type":"log","@timestamp":"2021-06-30T14:31:10+00:00","tags":["info","plugins","security","audit","saved_objects_authorization_success"],"pid":949,"eventType":"saved_objects_authorization_success","username":"john.doe@elastic.co","action":"update","types":["siem-detection-engine-rule-status"],"spaceIds":["default"],"args":{"type":"siem-detection-engine-rule-status","id":"5dd55fa0-d983-11eb-ace0-e9ab7d7990d9","attributes":{"alertId":"5f718fad-d924-11eb-8684-956512015c29","statusDate":"2021-06-30T14:31:10.219Z","status":"partial failure","lastFailureAt":"2021-06-30T14:26:08.229Z","lastSuccessAt":"2021-06-30T14:31:10.219Z","lastFailureMessage":"An error occurred during rule execution: message: \"index_not_found_exception\" name: \"Suspicious Execution - Short Program Name\" id: \"5f718fad-d924-11eb-8684-956512015c29\" rule id: \"17c7f6a5-5bc9-4e1f-92bf-13632d24384d\" signals index: \".siem-signals-default\"","lastSuccessMessage":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, however no index matching: [\"winlogbeat-*\",\"logs-endpoint.events.*\",\"logs-windows.*\"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated.","gap":null,"bulkCreateTimeDurations":[],"searchAfterTimeDurations":[]},"options":{}},"message":"john.doe@elastic.co authorized to [update] [siem-detection-engine-rule-status] in [default]"}

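As an added example (not code from the issue, from Beats, or from the real kibana-audit pipeline), the following Python models the failure the reporter describes: a Painless `if` condition that dereferences a field with `.` throws when that field is absent, which fails the document and stops the pipeline, whereas the same condition written with the null-safe `?.` operator short-circuits to null and the processor is simply skipped. The two processor conditions and the target field in the `set` processor are hypothetical stand-ins for whatever the real pipeline checks; the first sample event is trimmed from the log line in the issue and the second is constructed to lack the `args` object.

```python
"""Added example, not Beats or Elastic code: emulates how a Painless `if`
condition in an ingest pipeline behaves when a field referenced without
null-safe operators is absent, versus the same condition written with `?.`.

Assumptions (not from the issue): the processor conditions below are
hypothetical stand-ins for whatever the real kibana-audit pipeline checks,
and the second sample event is constructed to lack the `args` object.
"""
import json
import re

# Constructed sample events. The first is trimmed from the log line in the
# issue; the second is a hypothetical audit event with no "args" object.
EVENTS = [
    {
        "type": "log",
        "tags": ["info", "plugins", "security", "audit",
                 "saved_objects_authorization_success"],
        "eventType": "saved_objects_authorization_success",
        "username": "john.doe@elastic.co",
        "action": "update",
        "args": {"type": "siem-detection-engine-rule-status",
                 "id": "5dd55fa0-d983-11eb-ace0-e9ab7d7990d9"},
    },
    {
        "type": "log",
        "tags": ["info", "plugins", "security", "audit", "access_denied"],
        "eventType": "access_denied",
        "username": "john.doe@elastic.co",
    },
]

# Hypothetical processor conditions in Painless syntax: the first dereferences
# `args` unconditionally, the second uses the null-safe operator.
UNSAFE_CONDITION = "ctx.args.type != null"
SAFE_CONDITION = "ctx.args?.type != null"


class PainlessNullDereference(Exception):
    """Stands in for the NullPointerException Painless throws when `.` is
    applied to null; in a real pipeline this fails the document."""


def evaluate_condition(condition, ctx):
    """Evaluate a condition of the form `ctx.a.b?.c != null` against an
    event. `.` on a null/missing value raises; `?.` short-circuits to null,
    so the `!= null` comparison simply yields False."""
    m = re.fullmatch(r"ctx((?:\??\.\w+)+)\s*!=\s*null", condition.strip())
    if m is None:
        raise ValueError("unsupported condition: %r" % condition)
    value = ctx
    for op, name in re.findall(r"(\??\.)(\w+)", m.group(1)):
        if value is None:
            if op == "?.":
                return False
            raise PainlessNullDereference(
                "cannot access '%s' on null in %r" % (name, condition))
        value = value.get(name) if isinstance(value, dict) else None
    return value is not None


def simulate(condition, events):
    """Mimic what an ingest pipeline does per document: the processor runs
    when the condition is true, is skipped when false, and the document fails
    (the pipeline does not finish) when the condition itself throws."""
    outcomes = []
    for event in events:
        try:
            ran = evaluate_condition(condition, event)
            outcomes.append("processed" if ran else "skipped")
        except PainlessNullDereference:
            outcomes.append("failed")
    return outcomes


def simulate_request_body(condition, events):
    """Build the body for `POST _ingest/pipeline/_simulate` so the same
    condition can be checked against a real cluster. The `set` processor and
    its target field are placeholders, not the real pipeline's."""
    pipeline = {"processors": [{"set": {
        "if": condition,
        "field": "kibana.saved_object.type",   # hypothetical target field
        "value": "{{args.type}}",
    }}]}
    return json.dumps({"pipeline": pipeline,
                       "docs": [{"_source": e} for e in events]}, indent=2)


if __name__ == "__main__":
    for cond in (UNSAFE_CONDITION, SAFE_CONDITION):
        print(cond, "->", simulate(cond, EVENTS))
    print(simulate_request_body(SAFE_CONDITION, EVENTS))
```

To confirm the behaviour against an actual cluster rather than this emulation, post the body from `simulate_request_body` to `_ingest/pipeline/_simulate` (or send the original event through `_ingest/pipeline/<pipeline-name>/_simulate`); a document whose condition throws comes back with an `error` entry instead of a `doc`, while the null-safe form returns the document untouched for events that lack the field.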

elasticmachine commented 3 years ago

Pinging @elastic/ingest-management (Team:Ingest Management)

elasticmachine commented 3 years ago

Pinging @elastic/integrations (Team:Integrations)

legoguy1000 commented 3 years ago

Does this still need to be worked?

FlorianHeigl commented 1 year ago

Maybe, I don't have an understanding of what it means, but I came here due to what appears to be the same issue. One thing I can hint at: I had been trying to reduce the event volume by turning off some events, so maybe the index is missing. I would have the assumption that if I'm offered (luckily) that option, then it should not result in such error messages under the hood.

kibana                        | [2023-06-06T19:00:05.674+00:00][WARN ][plugins.securitySolution.ruleExecution] Changing rule status to "partial failure". This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["winlogbeat-*","logs-system.*","logs-windows.*"] was found. This warning will continue to appear until a matching index is created or this rule is disabled. [siem.eqlRule][Potential Credential Access via DCSync][rule id 3310ccf0-e9a8-11ed-bad0-51b565f4b15e][rule uuid 9f962927-1a4f-45f3-a57b-287f2c7029c1][exec id 04e550af-60a1-478d-8799-233b0db6aa7e][space default]