Today we are pleased to announce that Beats 5.4.0 was released. This is the latest stable version, and it comes with support for gathering JMX metrics from your Java applications, and Filebeat modules for collecting auditd and authentication logs.
Gather JMX metrics from your Java applications
The Metricbeat 5.4 release comes with a Jolokia module for monitoring Java applications. Jolokia is an agent that exposes JMX MBeans as JSON over HTTP, so a collector written in any language can read them without speaking the Java-only JMX remoting protocol. Because the agent makes every MBean reachable over plain HTTP, bind it to localhost (as in the example below) or put authentication and TLS in front of it before pointing Metricbeat at it.
Here is an example of the configuration file:
```yaml
- module: jolokia
  metricsets: ["jmx"]
  enabled: true
  period: 1s
  hosts: ["localhost:8778"]
  namespace: "metrics"
  jmx.mappings:
    - mbean: 'java.lang:type=Runtime'
      attributes:
        - attr: Uptime
          field: uptime
    - mbean: 'java.lang:type=GarbageCollector,name=ConcurrentMarkSweep'
      attributes:
        - attr: CollectionTime
          field: gc.cms_collection_time
        - attr: CollectionCount
          field: gc.cms_collection_count
    - mbean: 'java.lang:type=Memory'
      attributes:
        - attr: HeapMemoryUsage
          field: memory.heap_usage
        - attr: NonHeapMemoryUsage
          field: memory.non_heap_usage
```
The jmx metricset reads every MBean listed under jmx.mappings from each Jolokia instance in hosts. Each mapping names an MBean ObjectName and an array of attributes; each attribute pairs the JMX attribute name to collect with the event field the value is written to, under the configured namespace.
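The mapping above is easier to reason about when you see the two ends it connects: the batch of Jolokia "read" requests Metricbeat must send, and the JSON reply that has to be folded back into event fields. The following Python is an added example written for this post, not Metricbeat's own Go implementation: it takes the mappings from the configuration, builds the request array, and flattens a constructed reply. The `jolokia.<namespace>.<field>` key layout and the handling of non-200 elements are assumptions made here.

```python
import json

# Mappings copied from the configuration above.
JMX_MAPPINGS = [
    {"mbean": "java.lang:type=Runtime",
     "attributes": [{"attr": "Uptime", "field": "uptime"}]},
    {"mbean": "java.lang:type=GarbageCollector,name=ConcurrentMarkSweep",
     "attributes": [{"attr": "CollectionTime", "field": "gc.cms_collection_time"},
                    {"attr": "CollectionCount", "field": "gc.cms_collection_count"}]},
    {"mbean": "java.lang:type=Memory",
     "attributes": [{"attr": "HeapMemoryUsage", "field": "memory.heap_usage"},
                    {"attr": "NonHeapMemoryUsage", "field": "memory.non_heap_usage"}]},
]


def build_batch_request(mappings):
    """One Jolokia 'read' request per (mbean, attribute). Jolokia accepts a JSON
    array of these in a single POST to /jolokia, so one period costs one
    HTTP round trip regardless of how many attributes are configured."""
    return [{"type": "read", "mbean": m["mbean"], "attribute": a["attr"]}
            for m in mappings for a in m["attributes"]]


def flatten_response(mappings, response, namespace="metrics"):
    """Map every reply element back to its configured field name.

    Composite attributes (HeapMemoryUsage) arrive as nested objects and are
    kept as-is. Elements with a non-200 status (unknown MBean, security
    exception) are dropped so one bad mapping does not poison the event.
    The 'jolokia.<namespace>.<field>' key layout is an assumption made here."""
    field_for = {(m["mbean"], a["attr"]): a["field"]
                 for m in mappings for a in m["attributes"]}
    event = {}
    for item in response:
        req = item.get("request", {})
        key = (req.get("mbean"), req.get("attribute"))
        if item.get("status") != 200 or key not in field_for:
            continue
        event["jolokia.%s.%s" % (namespace, field_for[key])] = item["value"]
    return event


# Constructed reply in the shape Jolokia returns for a batch read (not captured
# from a real JVM); the last element shows how an unknown MBean is reported.
SAMPLE_RESPONSE = [
    {"request": {"mbean": "java.lang:type=Runtime", "attribute": "Uptime", "type": "read"},
     "value": 4815162, "timestamp": 1492137800, "status": 200},
    {"request": {"mbean": "java.lang:type=GarbageCollector,name=ConcurrentMarkSweep",
                 "attribute": "CollectionTime", "type": "read"},
     "value": 1234, "timestamp": 1492137800, "status": 200},
    {"request": {"mbean": "java.lang:type=GarbageCollector,name=ConcurrentMarkSweep",
                 "attribute": "CollectionCount", "type": "read"},
     "value": 17, "timestamp": 1492137800, "status": 200},
    {"request": {"mbean": "java.lang:type=Memory", "attribute": "HeapMemoryUsage", "type": "read"},
     "value": {"committed": 268435456, "init": 268435456, "max": 3817865216, "used": 95293840},
     "timestamp": 1492137800, "status": 200},
    {"request": {"mbean": "java.lang:type=Memory", "attribute": "NonHeapMemoryUsage", "type": "read"},
     "error_type": "javax.management.InstanceNotFoundException",
     "error": "javax.management.InstanceNotFoundException : java.lang:type=Memory",
     "status": 404},
]

if __name__ == "__main__":
    print(json.dumps(build_batch_request(JMX_MAPPINGS), indent=2))
    print(json.dumps(flatten_response(JMX_MAPPINGS, SAMPLE_RESPONSE), indent=2))
```

Running it prints the five-element request array and an event with four fields; the failed NonHeapMemoryUsage read is absent rather than stored as an error string, which keeps the field's type stable for the index mapping.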
Linux auditd logs
Linux Audit has been part of the kernel since 2.6.14. It consists of a kernel component that hooks syscalls and emits events according to the loaded audit rules, and a userspace daemon (auditd) that writes those events to disk. With suitable rules it records a line every time a user accesses a watched file, executes a program, or connects to a socket.
In Filebeat 5.4, we’ve introduced the auditd Filebeat module to collect, parse, and visualize the logs created by auditd.
The auditd module parses the audit event type, the Unix epoch timestamp, the audit event counter, and the arbitrary key/value pairs that follow. For remote logins it also resolves the address carried in the event to a GeoIP location.
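To make the record layout concrete, here is an added Python parser written for this post (it is not the Filebeat module's ingest pipeline) that extracts exactly the pieces listed above from raw auditd lines. The sample records are constructed, not captured from a real host; the `remote_login_addresses` helper and its choice of record types are assumptions about what you would feed to GeoIP enrichment.

```python
import re
from datetime import datetime, timezone

# Record header: type=<TYPE> msg=audit(<epoch>.<millis>:<sequence>): <key=value ...>
HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<epoch>\d+\.\d+):(?P<seq>\d+)\):\s*(?P<body>.*)$")
# key=value where the value is bare, "double-quoted", or 'single-quoted' (the nested msg='...' form).
KV = re.compile(r"""(?P<key>[A-Za-z0-9_\-]+)=(?P<val>"[^"]*"|'[^']*'|\S*)""")


def parse_kv(text):
    """Turn 'a=1 b="two" c=?' into a dict, stripping whichever quoting style was used."""
    out = {}
    for m in KV.finditer(text):
        key, val = m.group("key"), m.group("val")
        if len(val) >= 2 and val[0] in "\"'" and val[-1] == val[0]:
            val = val[1:-1]
        out[key] = val
    return out


def parse_audit_line(line):
    """Return type, timestamp, sequence counter and the flattened key/value pairs.
    USER_* records wrap a second key/value block in msg='...'; it is parsed
    and merged so addr=, res= and exe= come out as top-level fields."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = parse_kv(m.group("body"))
    nested = fields.pop("msg", None)
    if nested is not None:
        fields.update(parse_kv(nested))
    return {
        "type": m.group("type"),
        "timestamp": datetime.fromtimestamp(float(m.group("epoch")), tz=timezone.utc),
        "sequence": int(m.group("seq")),
        "fields": fields,
    }


def remote_login_addresses(lines):
    """(addr, result) for every login/auth record that carries a real address,
    i.e. the values a GeoIP lookup would be run on."""
    hits = []
    for line in lines:
        rec = parse_audit_line(line)
        f = rec["fields"]
        if rec["type"] in ("USER_LOGIN", "USER_AUTH") and f.get("addr") not in (None, "?"):
            hits.append((f["addr"], f.get("res")))
    return hits


# Constructed sample records (not captured from a real host).
SAMPLE_LINES = [
    "type=USER_LOGIN msg=audit(1492137800.123:456): pid=2117 uid=0 auid=1000 ses=3 "
    "msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=? addr=203.0.113.7 terminal=/dev/pts/0 res=success'",
    "type=USER_AUTH msg=audit(1492137801.500:457): pid=2120 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=PAM:authentication acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=198.51.100.9 addr=198.51.100.9 terminal=ssh res=failed'",
    "type=SYSCALL msg=audit(1492137802.001:458): arch=c000003e syscall=2 success=yes exit=3 "
    "a0=7ffd2a1b3c40 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=2200 auid=1000 uid=1000 gid=1000 "
    "comm=\"cat\" exe=\"/bin/cat\" key=\"shadow-read\"",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_audit_line(line))
    print(remote_login_addresses(SAMPLE_LINES))
```

The two-level parse matters in practice: naive `key=value` splitting on the whole line stops at `msg='...'` and loses `addr=` and `res=`, which are precisely the fields an intrusion-detection rule keys on.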
Linux System authentication logs
With the addition of the system.auth fileset in the system module, Filebeat 5.4 brings the ability to parse the system authentication logs. These logs are typically found under /var/log/auth.log on Debian-derived systems and /var/log/secure on CentOS/Red Hat, and they contain entries for things like:
- SSH login attempts
- Commands executed with sudo
- New users or groups created
Monitoring authentication failures is useful for intrusion detection. For example, every time a user logs in via SSH, the authentication log records the username, the source IP address (which the fileset enriches with GeoIP information), whether the login succeeded or failed, and whether a public key or a password was used.
When a sudo command is executed, the log line contains the invoking username, the target user (USER=), the working directory (PWD=), the command itself, and the execution status (a failed attempt is logged with the reason, such as an incorrect password or the user not being in sudoers). Passwords themselves are never written to the log.
Also, when a new user is created, you get details like the username, the user ID, the primary group ID, and the home folder of the user.
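The following Python is an added example for this post, not the system.auth fileset's own grok patterns: it classifies the three line types described above (SSH logins, sudo invocations, new users and groups) from constructed /var/log/secure-style lines and shows the kind of detection that becomes possible once the fields are structured, here a count of failed SSH logins per source IP. The regular expressions, the `failed_logins_by_ip` heuristic and its threshold are assumptions made here.

```python
import re

# Syslog prefix shared by every line: "Apr 14 02:43:20 host prog[pid]: message"
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

SSH_LOGIN = re.compile(
    r"^(?P<status>Accepted|Failed) (?P<method>publickey|password|keyboard-interactive/pam) "
    r"for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
# sudo: "<user> : [<error> ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=..."
SUDO = re.compile(
    r"^(?P<user>\S+) : (?:(?P<error>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>[^;]+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# useradd/groupadd: "new user: name=deploy, UID=1001, GID=1001, home=/home/deploy, shell=/bin/bash"
NEW_ACCOUNT = re.compile(r"^new (?P<kind>user|group): (?P<kv>.*)$")


def parse_auth_line(line):
    """Classify one auth-log line into an event dict, or None if it is not one
    of the three line types covered here."""
    m = SYSLOG.match(line.rstrip("\n"))
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg").strip()
    base = {"timestamp": m.group("ts"), "host": m.group("host"), "program": prog}

    if prog == "sshd":
        s = SSH_LOGIN.match(msg)
        if s:
            return dict(base, event="ssh_login", user=s.group("user"), ip=s.group("ip"),
                        port=int(s.group("port")), method=s.group("method"),
                        success=s.group("status") == "Accepted",
                        invalid_user=s.group("invalid") is not None)
    elif prog == "sudo":
        s = SUDO.match(msg)
        if s:
            # success is inferred from the absence of an error clause before TTY=
            return dict(base, event="sudo", user=s.group("user"), target_user=s.group("target"),
                        tty=s.group("tty"), pwd=s.group("pwd").strip(), command=s.group("cmd"),
                        success=s.group("error") is None, error=s.group("error"))
    elif prog in ("useradd", "groupadd"):
        s = NEW_ACCOUNT.match(msg)
        if s:
            attrs = dict(part.split("=", 1) for part in s.group("kv").split(", "))
            return dict(base, event="new_" + s.group("kind"), **attrs)
    return None


def failed_logins_by_ip(lines, threshold=3):
    """Brute-force heuristic (an assumption of this example): source IPs with at
    least `threshold` failed SSH logins in the given lines."""
    counts = {}
    for line in lines:
        ev = parse_auth_line(line)
        if ev and ev["event"] == "ssh_login" and not ev["success"]:
            counts[ev["ip"]] = counts.get(ev["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample lines in the format of /var/log/secure (not from a real host).
SAMPLE_LINES = [
    "Apr 14 02:43:20 web1 sshd[2117]: Accepted publickey for alice from 203.0.113.7 port 50522 ssh2: RSA SHA256:abc",
    "Apr 14 02:43:25 web1 sshd[2120]: Failed password for root from 198.51.100.9 port 41002 ssh2",
    "Apr 14 02:43:26 web1 sshd[2121]: Failed password for invalid user admin from 198.51.100.9 port 41003 ssh2",
    "Apr 14 02:43:27 web1 sshd[2122]: Failed password for root from 198.51.100.9 port 41004 ssh2",
    "Apr 14 02:44:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure",
    "Apr 14 02:44:30 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Apr 14 02:45:00 web1 groupadd[2201]: new group: name=deploy, GID=1001",
    "Apr 14 02:45:00 web1 useradd[2202]: new user: name=deploy, UID=1001, GID=1001, home=/home/deploy, shell=/bin/bash",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_auth_line(line))
    print(failed_logins_by_ip(SAMPLE_LINES))
```

Note that the sudo failure is only recognisable from the free-text clause between the username and `TTY=`; a parser that anchors on `TTY=` alone will happily report the `/etc/shadow` attempt above as a successful command.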
For more details about these logs, see the Grokking the Linux authorization logs blog post.