April 4, 2017

Brewing in Beats: Collecting auditd logs

By Monica Sarbu

Welcome to Brewing in Beats! With this weekly series, we're keeping you up to date with what's new in Beats, including the latest commits and releases.

Filebeat module for auditd logs

The audit fileset has been added to the system module of Filebeat so that it can parse Linux auditd logs. It parses the audit event type, the Unix epoch timestamp, the audit event counter (sequence number), and the arbitrary key/value pairs that follow. For remote logins it also adds the geo location of the address recorded in the audit event. This is currently merged in master only (6.0).

[Image: kibana-system-audit.png, Kibana dashboard for the system audit fileset]
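To make the log format the fileset handles concrete, here is an added example (not Filebeat's own ingest pipeline or grok patterns) that parses the same pieces in Python: the event type, the epoch timestamp and sequence counter from `msg=audit(...)`, and the key/value payload, including the nested quoted `msg='...'` block that auditd uses for login events. The sample lines and addresses are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample auditd lines (not from the original post). The first mirrors
# a failed remote SSH login, the second an execve SYSCALL record.
SAMPLE_LINES = [
    "type=USER_LOGIN msg=audit(1491300000.123:456): pid=1234 uid=0 auid=4294967295 "
    "ses=4294967295 msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=203.0.113.45 terminal=ssh res=failed'",
    "type=SYSCALL msg=audit(1491300001.000:457): arch=c000003e syscall=59 success=yes "
    "exit=0 a0=55d6e8c0 ppid=1 pid=1235 comm=\"bash\" exe=\"/usr/bin/bash\" key=\"exec\"",
]

# type=<TYPE> msg=audit(<epoch>.<millis>:<sequence>): <key=value ...>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<epoch>\d+\.\d+):(?P<seq>\d+)\):\s*(?P<rest>.*)$"
)
# key=value where value is single-quoted, double-quoted, or a bare token
KV_RE = re.compile(r'''(\w+)=('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|\S+)''')


def parse_kv(text):
    """Parse auditd key/value pairs; a single-quoted value that itself holds
    key=value pairs (the msg='...' block) is flattened into the same dict."""
    fields = {}
    for key, value in KV_RE.findall(text):
        if value[:1] in ("'", '"') and value[-1:] == value[:1]:
            inner = value[1:-1]
            if value[0] == "'" and "=" in inner:
                fields.update(parse_kv(inner))
                continue
            value = inner
        fields[key] = value
    return fields


def parse_audit_line(line):
    """Return {'type', 'timestamp', 'sequence', 'data'} or None if not an audit record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    return {
        "type": m.group("type"),
        "timestamp": datetime.fromtimestamp(float(m.group("epoch")), tz=timezone.utc),
        "sequence": int(m.group("seq")),
        "data": parse_kv(m.group("rest")),
    }


def failed_remote_logins(events):
    """(addr, acct) for USER_LOGIN records that failed and carry a remote address."""
    return [(e["data"]["addr"], e["data"].get("acct", "?")) for e in events
            if e and e["type"] == "USER_LOGIN" and e["data"].get("res") == "failed"
            and e["data"].get("addr") not in (None, "?")]
```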

Collect performance counters from Windows

The community (more precisely, maddin2016) added the windows module to Metricbeat with the `perfmon` metricset to collect performance counters from Windows. It uses the PDH (Performance Data Helper) functions to collect performance data. The module is a migration of Perfmonbeat into Metricbeat. Currently, this is merged in master and planned for 6.0.

Moving to govendor

For a while now we hadn't been happy with the tool we used to manage the Go dependencies, to the point that most of us preferred doing the vendoring work manually. As we were waiting for a new standard tool to emerge, we avoided switching tools. All this changed with a community PR by @vjsamuel, which showed us that govendor actually fits our needs and workflow much better.

All changes in the beats repositories

Libbeat (All beats)

Changes in 5.x:

  • Print error when downloading dashboards #3805
  • Fix Elasticsearch URL parsing #3671

Changes in master:

  • @timestamp doesn't get printed when specified in message codec #3721

Filebeat

Changes in master:

  • Allow - in Apache access log byte count #3863
  • Refactor input.Event similar to outputs.Data #3823
  • Remove deprecated config options force_close_files and close_older #3768
  • Add fileset for parsing Linux auditd logs #3750

Metricbeat

Changes in 5.x:

  • Make HTTP fields in HAProxy optional to improve compatibility with 1.5 #3788
  • Make Metricbeat reloading beta instead of experimental #3841

Changes in master:

Packetbeat

Changes in master:

  • Second stage of topology cleanup #3818

Documentation

Changes in 5.3:

  • Add docs about loading Heartbeat dashboard #3804
  • Add link to topic about configuration file format #3822
  • Fix configuration keys and Nginx logs path in doc #3859
  • Wrong start command for Debian distribution #3855

Changes in master:

  • Fix doc build for conf-file-permissions #3875
  • Add step to change file ownership on mac #3870
  • Clarify docs around setting the index and @metadata fields #3866
  • Add newline to end of windows perfmon config #3829
  • Update docs about how to create a Beat from Metricbeat #3890

Packaging

Changes in 5.3:

  • Fix modules yml files permission on Deb #3879
  • Fix packaging which broke because of asciidocs comments #3825

Infrastructure

Changes in master:

  • Moving from glide to govendor #3851
  • Ignore .vscode in project root path #3885
  • Add codecov config for commit status #3878
  • Fixing govendor sync #3864
  • Enhancements of the cherrypick PRs script #3848
  • Move removal of files to clean #3726