Heka Select Events with Principal Attributes

This module provides a generic interface for specifying a list of events to match that contain information relevant to an action being undertaken by a principal (user). When an event is matched, fields are extracted per the event configuration and a normalized table is returned containing the relevant details from the event.

1. Functions

1.1. match

The match function can be called from within process_event to attempt to match the current event against the event configuration. The first event category whose select_field value matches the select_match pattern is parsed, and a table structure is returned that also includes the category of the event that matched.

For an event to match successfully, the fields named by subject_field, object_field, and sourceip_field must all be present in the message.

object_static can be specified instead of object_field to place a static object value into the returned table rather than looking the value up from a message field.

If the subject_map option is set in an event configuration, the value extracted for the subject is translated through the subject_map table before being returned.

The aux configuration within an event category can be used to have the matcher return additional extracted message fields in the returned table. These fields are not required for a match and will be nil in the result if they were not present in the event.

Arguments

  • None

Return

  • result (table, nil) - normalized table containing the extracted event fields, or nil if no match

2. Configuration examples

heka_selprinc = {
    events = {
        ssh = {
            select_field     = "Fields[programname]",
            select_match     = "^sshd$",
            subject_field    = "Fields[user]",
            object_field     = "Hostname",
            -- object_static = "Ten Forward",
            sourceip_field   = "Fields[ssh_remote_ipaddr]",

            aux = {
                { "geocity", "Fields[ssh_remote_ipaddr_city]" },
                { "geocountry", "Fields[ssh_remote_ipaddr_country]" }
            }
        },
        awsconsole = {
            select_field     = "Fields[eventType]",
            select_match     = "^AwsConsoleSignIn$",
            subject_field    = "Fields[userIdentity.userName]",
            object_field     = "Fields[recipientAccountId]",
            sourceip_field   = "Fields[sourceIPAddress]",
            subject_map = {
                ["An admin user"]   = "admin",
                ["Commander Riker"] = "riker"
            }
        }
    }
}
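The following stand-alone script is an added example and is not the module's own code: it re-implements the matching rules described in section 1.1 against the configuration above, so the behaviour can be exercised outside a Heka sandbox with plain Lua. Messages are constructed inline as tables keyed the way read_message() addresses fields; the key names of the returned table (category, subject, object, sourceip), the treatment of select_match as a Lua pattern, and the decision to return nil when a required field is missing from a category that already matched on select_field are assumptions drawn from the text, not guaranteed to mirror selprinc.lua. One caveat worth keeping in mind when writing a configuration: Lua tables iterated with pairs() have no defined order, so "the first event category" whose select pattern matches is only well defined if the select patterns of different categories cannot match the same message.

```lua
-- Added example (not selprinc.lua): simulate heka_selprinc matching rules
-- with plain Lua 5.1+/LuaJIT. Table key names are assumptions.
local heka_selprinc = {
    events = {
        ssh = {
            select_field   = "Fields[programname]",
            select_match   = "^sshd$",
            subject_field  = "Fields[user]",
            object_field   = "Hostname",
            sourceip_field = "Fields[ssh_remote_ipaddr]",
            aux = {
                { "geocity",    "Fields[ssh_remote_ipaddr_city]" },
                { "geocountry", "Fields[ssh_remote_ipaddr_country]" }
            }
        },
        awsconsole = {
            select_field   = "Fields[eventType]",
            select_match   = "^AwsConsoleSignIn$",
            subject_field  = "Fields[userIdentity.userName]",
            object_static  = "Ten Forward",   -- static object instead of a field lookup
            sourceip_field = "Fields[sourceIPAddress]",
            subject_map = { ["Commander Riker"] = "riker" }
        }
    }
}

-- Constructed sample messages, keyed like read_message() selectors.
local messages = {
    -- ssh login; the city aux field is absent, so it must come back as nil
    { ["Fields[programname]"] = "sshd", ["Fields[user]"] = "riker",
      Hostname = "enterprise", ["Fields[ssh_remote_ipaddr]"] = "203.0.113.7",
      ["Fields[ssh_remote_ipaddr_country]"] = "US" },
    -- console sign-in; subject is rewritten via subject_map
    { ["Fields[eventType]"] = "AwsConsoleSignIn",
      ["Fields[userIdentity.userName]"] = "Commander Riker",
      ["Fields[sourceIPAddress]"] = "198.51.100.4" },
    -- ssh event missing the required sourceip_field: no match
    { ["Fields[programname]"] = "sshd", ["Fields[user]"] = "riker",
      Hostname = "enterprise" },
    -- unrelated program: no category selects it
    { ["Fields[programname]"] = "cron", ["Fields[user]"] = "root" }
}

-- Apply the documented rules to one message. Returns a normalized table
-- or nil; `read` stands in for the sandbox read_message() function.
local function match_message(msg, cfg)
    local function read(selector) return msg[selector] end
    for category, ev in pairs(cfg.events) do
        local sel = read(ev.select_field)
        if sel and string.match(sel, ev.select_match) then
            local subject  = read(ev.subject_field)
            local object   = ev.object_static or read(ev.object_field)
            local sourceip = read(ev.sourceip_field)
            -- subject, object and sourceip are mandatory for a match
            if not (subject and object and sourceip) then return nil end
            if ev.subject_map and ev.subject_map[subject] then
                subject = ev.subject_map[subject]
            end
            local r = { category = category, subject = subject,
                        object = object, sourceip = sourceip }
            -- aux fields are optional and stay nil when absent
            if ev.aux then
                for _, a in ipairs(ev.aux) do r[a[1]] = read(a[2]) end
            end
            return r
        end
    end
    return nil
end

for i, msg in ipairs(messages) do
    local r = match_message(msg, heka_selprinc)
    if r then
        print(i, r.category, r.subject, r.object, r.sourceip,
              tostring(r.geocity), tostring(r.geocountry))
    else
        print(i, "no match")
    end
end
```

Running this shows the three rules a practitioner usually trips over: the third message is rejected because its sourceip_field is absent even though select_field matched, the first message comes back with geocity nil rather than failing, and the second message's subject is the mapped short name rather than the raw userName value.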

source code: selprinc.lua
