23 August 2018

Brewing in Beats: Filtering file integrity events with Auditbeat

By Monica Sarbu

Welcome to Brewing in Beats! In this weekly series, we keep you up to date with what's new in Beats, including the latest commits and releases.

Did you know that Beats 6.4 is already available? Try it and let us know what you think.

TLS expiration checks added to Heartbeat

With PR #7545, Heartbeat now records the TLS certificate expiration time with every check against a TLS endpoint. This means you can set up a watch that alerts some time before a certificate expires, instead of discovering the expiry when clients start failing. In addition, Heartbeat now saves the TLS certificate chain it encountered during the connection, which is useful for security audits and other introspection (for example, spotting an unexpected intermediate or a change of issuer).
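As an added example (not from this post or the Beats repository), here is a Watcher definition that turns the new data into an alert. It assumes the Heartbeat 6.5 field name `tls.certificate_not_valid_after` (check your index mapping), the default `heartbeat-*` index pattern, and the `monitor.id` field; the 14-day window, the hourly schedule and the action name are arbitrary choices. In 6.x `hits.total` is a plain number, which is what the `compare` condition below relies on.

```json
{
  "trigger": {
    "schedule": { "interval": "1h" }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["heartbeat-*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "range": { "@timestamp": { "gte": "now-1h" } } },
                { "range": { "tls.certificate_not_valid_after": { "lte": "now+14d" } } }
              ]
            }
          },
          "aggs": {
            "expiring_monitors": {
              "terms": { "field": "monitor.id", "size": 100 }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "log_expiring_certs": {
      "throttle_period": "1d",
      "logging": {
        "level": "warn",
        "text": "{{ctx.payload.hits.total}} Heartbeat checks in the last hour saw a TLS certificate that expires within 14 days"
      }
    }
  }
}
```

Load it with `PUT _xpack/watcher/watch/tls-expiry` (6.x path) and replace the `logging` action with `email` or `slack` once you have verified it fires. The `expiring_monitors` aggregation lists which monitors are affected, so you can render those IDs in the notification rather than only a count.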

Auditbeat: filtering file integrity events

Auditbeat’s file_integrity module can now filter the events generated on its first run. The first time Auditbeat scans a configured path it emits an event for every file it finds, and several users asked to be able to control this behaviour. Events from that scan now carry the `event.action` value `initial_scan` (PR #7954), so you can discard them with the `drop_event` processor. The trade-off is that you no longer get a centralized index of all your files’ metadata; that may be acceptable if you practice immutable infrastructure, where the baseline is the image you deployed rather than a scan of the running host, and only changes after deployment are interesting.
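An added example of the filter (not from this post or the Beats repository): an `auditbeat.yml` fragment that drops the initial scan events while keeping every later change. The monitored paths are illustrative. `contains` is used instead of `equals` because, as far as I know, the module reports `event.action` as a list of actions and `contains` matches against both strings and lists of strings.

```yaml
auditbeat.modules:
  - module: file_integrity
    paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc

processors:
  # Events produced when a path is scanned for the first time carry the
  # event.action value "initial_scan"; drop them so only subsequent
  # created/updated/deleted/moved events reach Elasticsearch.
  - drop_event:
      when:
        contains:
          event.action: initial_scan
```

Validate the file with `auditbeat test config -c auditbeat.yml` before restarting. Note that the filter also removes the inventory you would otherwise get when a new path is added to the configuration, so if you rely on that baseline for later forensics, keep the events and tag them instead of dropping them.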

All changes

Repository: elastic/beats

Metricbeat

Changes in master:

  • Add details to windows/service metricset test failures #8008
  • Test metricbeat kafka module with kafka 2.0.0 #7992
  • Adding xpack code for ES cluster stats metricset #7810
  • Add oplog metricset to mongodb module #7604

Packetbeat

Changes in 6.x:

  • Add fcntl64 to the default seccomp policy for 32-bit binaries #7840

Filebeat

Changes in master:

  • Fix date format in Mongodb Ingest pipeline #7974
  • Make docker input check if container strings are empty #7960

Changes in 6.x:

  • Fix date format in Mongodb Ingest pipeline #7974

Heartbeat

Changes in master/6.5:

  • Heartbeat TLS metadata #7545

Winlogbeat

Changes in master:

  • Use unique event log for Winlogbeat system tests #8006

Auditbeat

Changes in master:

  • Auditbeat: `initial_scan` action for new paths #7954

Testing

Changes in master:

  • Replace libcompose by a docker compose wrapper #7822

Changes in 6.x:

  • Replace libcompose by a docker compose wrapper #7822

Documentation

Changes in 6.4:

  • Add safeguard related statements for max_backoff setting #7889
  • Add docs about append_fields #7903
  • Fix processor autodiscovery docs for Filebeat #7937
  • Minor fixes to attributes in module docs #7949

Changes in master:

  • Update links to match changed filenames #7982
  • Improve Jolokia docs and remove proxy restriction #7969
  • Recommend that users avoid harvesting symlinks when files are rotated #7950
  • Minor fixes to attributes in module docs #7949
  • Fix processor autodiscovery docs for Filebeat #7937
  • Add document for beat export dashboard #7696