Closed BenB196 closed 1 year ago
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Adding another note that a similar issue can happen with EACCES. Here is an example of this:
```
[2022-12-21T16:55:32,093][WARN ][logstash.outputs.elasticsearch][elastic-agent][elastic_agent_elasticsearch_output] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-auditd_manager.auditd-private.linux.production", :routing=>nil}, {"process"=>{"title"=>"/usr/sbin/httpd -f /usr/local/pf/var/conf/httpd.conf.d/httpd.webservices -DFOREGROUND -Drhel", "executable"=>"/usr/sbin/httpd", "working_directory"=>"/", "pid"=>24046, "parent"=>{"pid"=>24271}, "name"=>"/usr/sbin/httpd"}, "agent"=>{"version"=>"8.4.2", "ephemeral_id"=>"39eba0af-1129-4736-994d-29b4a8229f01", "id"=>"7cae2d9b-0929-49bc-a831-337c31e3d452", "name"=>"server", "type"=>"auditbeat"}, "@timestamp"=>2022-12-21T16:55:28.426Z, "ecs"=>{"version"=>"8.0.0"}, "tags"=>["access", "auditd_manager-auditd", "beats_input_raw_event"], "auditd"=>{"result"=>"fail", "summary"=>{"actor"=>{"primary"=>"unset", "secondary"=>"pf"}, "object"=>{"primary"=>"/tmp/.UUID_STATE", "type"=>"file"}, "how"=>"/usr/sbin/httpd"}, "message_type"=>"syscall", "paths"=>[{"cap_fver"=>"0", "ogid"=>"0", "cap_fe"=>"0", "dev"=>"fd:00", "rdev"=>"00:00", "inode"=>"33615106", "cap_fi"=>"0000000000000000", "name"=>"/tmp/.UUID_STATE", "cap_fp"=>"0000000000000000", "ouid"=>"0", "mode"=>"0100644", "objtype"=>"NORMAL", "item"=>"0"}, {"cap_fe"=>"0", "cap_fver"=>"0", "dev"=>"fd:00", "ogid"=>"0", "rdev"=>"00:00", "inode"=>"33576377", "cap_fi"=>"0000000000000000", "cap_fp"=>"0000000000000000", "name"=>"/tmp/", "ouid"=>"0", "mode"=>"041777", "objtype"=>"PARENT", "item"=>"1"}], "data"=>{"a1"=>"241", "a0"=>"7f6da50312c2", "syscall"=>"open", "a2"=>"1b6", "tty"=>"(none)", "a3"=>"24", "exit"=>"EACCES", "arch"=>"x86_64"}, "sequence"=>28785433}, "service"=>{"type"=>"auditd"}, "host"=>{"name"=>"server"}, "user"=>{"name"=>"pf", "group"=>{"id"=>"988", "name"=>"pf"}, "id"=>"992", "saved"=>{"group"=>{"id"=>"988", "name"=>"pf"}, "id"=>"992", "name"=>"pf"}, "filesystem"=>{"group"=>{"id"=>"988", "name"=>"pf"}, "id"=>"992", "name"=>"pf"}}, "event"=>{"action"=>"opened-file", "category"=>["file"], "dataset"=>"auditd_manager.auditd", "kind"=>"event", "module"=>"auditd", "type"=>["info"], "outcome"=>"failure"}, "elastic_agent"=>{"version"=>"8.4.2", "snapshot"=>false, "id"=>"7cae2d9b-0929-49bc-a831-337c31e3d452"}, "@version"=>"1", "file"=>{"device"=>"00:00", "gid"=>"0", "owner"=>"root", "mode"=>"0644", "group"=>"root", "inode"=>"33615106", "uid"=>"0", "path"=>"/tmp/.UUID_STATE"}, "data_stream"=>{"namespace"=>"private.linux.production", "dataset"=>"auditd_manager.auditd", "type"=>"logs"}}], :response=>{"create"=>{"_index"=>".ds-logs-auditd_manager.auditd-private.linux.production-2022.12.18-000001", "_id"=>"tAKcNYUBviT9ZTSwk8hC", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [auditd.data.exit] of type [long] in document with id 'tAKcNYUBviT9ZTSwk8hC'. Preview of field's value: 'EACCES'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"For input string: \"EACCES\""}}}}}
```
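The rejection above happens because the `auditd.data.exit` mapping expects a `long` while auditbeat emits a symbolic errno name for failed syscalls. As an added example (not code from the issue or from the integration), this standalone Python normalizer shows one way to make such events indexable before they reach the output: numeric values are kept, a known errno name becomes the negative errno the kernel records for a failed syscall, and the name is preserved in an assumed `auditd.data.exit_name` field; an unrecognised value gets an assumed `_exit_unparsed` tag instead of being guessed at.

```python
import errno
import json

# Constructed sample: a trimmed copy of the failing document from the comment
# above, keeping only the fields this example touches.
SAMPLE_EVENT = json.loads("""{
  "auditd": {"result": "fail",
             "data": {"syscall": "open", "exit": "EACCES", "arch": "x86_64"}},
  "event": {"outcome": "failure"},
  "file": {"path": "/tmp/.UUID_STATE"}
}""")

# Symbolic name -> number (EACCES -> 13, ENOENT -> 2), built from every
# upper-case integer constant in errno so aliases such as EWOULDBLOCK are
# covered too. Numbers come from the host; Linux values are assumed here.
ERRNO_BY_NAME = {name: getattr(errno, name) for name in dir(errno)
                 if name.isupper() and isinstance(getattr(errno, name), int)}


def normalize_exit(event):
    """Return a copy of `event` whose auditd.data.exit can be indexed as a long.

    Numeric strings ("0", "-13") become ints. A symbolic errno name ("EACCES")
    is replaced by the negative errno value a failed syscall leaves in the
    audit record, and the name is kept in auditd.data.exit_name (assumed field,
    not part of the integration's mapping). Any other value is moved to
    exit_name, `exit` is dropped and the event is tagged, so the document is
    indexed instead of rejected and nothing is silently invented.
    """
    event = json.loads(json.dumps(event))          # deep copy, input untouched
    data = event.get("auditd", {}).get("data", {})
    raw = data.get("exit")
    if raw is None:
        return event
    text = str(raw).strip()
    try:
        data["exit"] = int(text)                   # already numeric
        return event
    except ValueError:
        pass
    data["exit_name"] = text
    if text in ERRNO_BY_NAME:
        data["exit"] = -ERRNO_BY_NAME[text]        # e.g. EACCES -> -13
    else:
        del data["exit"]                           # unknown symbol: name only
        event.setdefault("tags", []).append("_exit_unparsed")
    return event


if __name__ == "__main__":
    print(json.dumps(normalize_exit(SAMPLE_EVENT)["auditd"]["data"], indent=2))
```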
Context
Elastic Stack 8.4.2
Deploy the Auditd Manager integration with the following audit rules (all other settings left as default).
Observe the following error:
Full event log
The process flow for this is: Fleet Managed Elastic Agent -> Logstash Pipeline -> Elasticsearch