
Commit b54986e

authored
Merge pull request #28 from wpoely86/bash
Fix pattern for bash history
2 parents 66af4e2 + 5a849a2 commit b54986e


8 files changed

+37
-23
lines changed


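--- a/files/bash
+++ b/files/bash
@@ -1 +1 @@
-BASH_MSG HISTORY: PID=%{INT:pid:int} UID=%{INT:uid:int} %{GREEDYDATA:command}
+BASH_MSG HISTORY: PID=%{INT:bash_pid} UID=%{INT:uid} %{GREEDYDATA:command}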
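Review bot: The rewritten pattern still captures PID and UID with `%{INT:...}`, and grok's INT accepts an optional leading sign, so a line such as `PID=-5` would match and yield a negative pid instead of failing the pattern; NONNEGINT is the tighter fit for both fields: `BASH_MSG HISTORY: PID=%{NONNEGINT:bash_pid} UID=%{NONNEGINT:uid} %{GREEDYDATA:command}`. Dropping the `:int` suffixes also removes the typing from the pattern itself, and the integer typing now appears to live only in the convert map added to tests/logstash_7.6.2.conf, so a pipeline that loads this pattern without an equivalent mutate block will get string-valued `bash_pid` and `uid`. A one-line comment in this file stating that dependency, e.g. `# bash_pid/uid are typed by mutate convert in the pipeline, not here`, would stop a future reader from re-adding `:int` and double-typing the fields. The `command` capture is verbatim text typed by the user, so downstream consumers should treat it as untrusted data rather than something to interpolate.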

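--- a/tests/data/bash
+++ b/tests/data/bash
@@ -6,8 +6,19 @@ data = [
 "@source_host": "master01",
 "program": "-bash",
 "uid": 0,
-"pid": 23883,
+"bash_pid": 23883,
 "command": "echo boem",
 }
 },
+{
+"raw": "<14>1 2024-12-09T11:18:16.406259+01:00 storctrl02 -bash[1102070]: - -bash: HISTORY: PID=1102070 UID=4005 sudo cat /etc/cron.d/aad-*",
+"expected": {
+"@source_host": "storctrl02",
+"program": "-bash",
+"uid": 4005,
+"pid": 1102070,
+"bash_pid": 1102070,
+"command": "sudo cat /etc/cron.d/aad-*",
+}
+},
 ]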
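Review bot: In the case added at lines 13–23, `pid` and `bash_pid` carry the same value 1102070, so the test cannot tell whether `bash_pid` is filled from the HISTORY message or simply mirrors the syslog-header pid; a constructed record whose bracketed process id and `PID=` value differ (not a real log line, but grok only matches text) would pin the separation this rename introduces. The first case at line 9 now asserts `bash_pid` only and no longer checks `pid`; if its raw line (outside this hunk) carries a syslog process id, keeping `"pid": 23883,` next to the new `"bash_pid": 23883,` would preserve that coverage. The `data = [` list starts before this hunk.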

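--- a/tests/data/general_syslog
+++ b/tests/data/general_syslog
@@ -27,7 +27,7 @@ data = [
 "@source_host": "login3",
 "appname": "python2",
 "program": "python2",
-"pid": "7245",
+"pid": 7245,
 }
 },
 ]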

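--- a/tests/data/pixiu
+++ b/tests/data/pixiu
@@ -54,7 +54,7 @@ data = [
 "expected": {
 "@source_host": "C4STO01-Node2",
 "program": "libstorage-iostat-enable",
-"pid": "1965645",
+"pid": 1965645,
 },
 },
 {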

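--- a/tests/data/singularity
+++ b/tests/data/singularity
@@ -22,17 +22,17 @@ data = [
 "program": "Singularity",
 "username": "wapoelma",
 "image": "tensorflow:latest",
-"uid": "245890",
-"pid": "4131",
+"uid": 245890,
+"pid": 4131,
 "executable": "action-suid",
 },
 },
 {
 "raw": "<132>2017-11-22T11:09:29.204068+01:00 nic169 Singularity: action-suid (U=245890,P=13364)> Not mounting current directory: user bind control is disabled by system administrator",
 "expected" : {
 "program": "Singularity",
-"uid": "245890",
-"pid": "13364",
+"uid": 245890,
+"pid": 13364,
 "executable": "action-suid",
 "singularity_msg": "Not mounting current directory: user bind control is disabled by system administrator",
 },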

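--- a/tests/data/snoopy
+++ b/tests/data/snoopy
@@ -3,7 +3,7 @@ data = [
 "raw": "<86>Apr 26 09:00:55 master2 snoopy[1301]: [uid:110 sid:8322 tty: cwd:/ filename:/bin/cut]: cut -d ; -f 4 ",
 "expected" : {
 "program": "snoopy",
-"pid": "1301",
+"pid": 1301,
 "uid": 110,
 "sid": 8322,
 "command": "cut -d ; -f 4 ",
@@ -16,7 +16,7 @@ data = [
 "raw": "<86>1 2015-12-19T17:30:22.145124+01:00 gligar03 snoopy[27316]: - snoopy[27316]:: [uid:110 sid:9379 tty:(none) cwd:/ filename:/usr/lib64/nagios/plugins/hpc/check_ifutil.pl]: /usr/lib64/nagios/plugins/hpc/check_ifutil.pl -i em1.295 -w 90 -c 95 -p -b 10000m",
 "expected" : {
 "program": "snoopy",
-"pid": "27316",
+"pid": 27316,
 "uid": 110,
 "sid": 9379,
 "command": "/usr/lib64/nagios/plugins/hpc/check_ifutil.pl -i em1.295 -w 90 -c 95 -p -b 10000m",
@@ -30,7 +30,7 @@ data = [
 "raw": "<86>1 2015-12-20T09:59:40.844711+01:00 gligar03 snoopy[46513]: - snoopy[46513]:: [uid:2540337 sid:19403 tty:ERROR(ttyname_r->EUNKNOWN) cwd:/vscmnt/gent_vulpix/_/user/home/gent/vsc403/vsc40337/UCS_LABELLED_NEW/20000_to_30000 filename:/usr/bin/qsub]: qsub -l walltime=72:00:00 job7_21293_30000_doit",
 "expected" : {
 "program": "snoopy",
-"pid": "46513",
+"pid": 46513,
 "cwd": "/vscmnt/gent_vulpix/_/user/home/gent/vsc403/vsc40337/UCS_LABELLED_NEW/20000_to_30000",
 "uid": 2540337,
 "sid": 19403,
@@ -44,7 +44,7 @@ data = [
 "raw": "<86>1 2015-12-20T09:59:36.133039+01:00 master13 snoopy[36344]: [uid:0 sid:36288 tty: cwd:/ filename:/sbin/pidof]: pidof -c -o 36318 -o 36292 -o %PPID -x cdp-listend",
 "expected" : {
 "program": "snoopy",
-"pid": "36344",
+"pid": 36344,
 "cwd": "/",
 "uid": 0,
 "sid": 36288,
@@ -57,7 +57,7 @@ data = [
 "raw": "<86>1 2015-12-08T16:59:54.996042+01:00 gligar01 snoopy[30093]: - snoopy[30093]:: [uid:2540003 sid:29974 tty:/dev/pts/7 cwd:/vscmnt/gent_vulpix/_/user/home/gent/vsc400/vsc40003 filename:/user/home/gent/vsc400/vsc40003/easybuild_easyinstalled/bin/easy_install]: easy_install -U --prefix /user/home/gent/vsc400/vsc40003/easybuild_easyinstalled https://github.com/hpcugent/easybuild-framework/archive/develop.tar.gz",
 "expected" : {
 "program": "snoopy",
-"pid": "30093",
+"pid": 30093,
 "cwd": "/vscmnt/gent_vulpix/_/user/home/gent/vsc400/vsc40003",
 "uid": 2540003,
 "sid": 29974,
@@ -74,7 +74,7 @@ data = [
 'command':'tr [:lower:] [:upper:]',
 'cwd':'/home/wpoelman',
 'executable':'/usr/bin/tr',
-'pid':'12006',
+'pid':12006,
 'sid': 11944,
 'tty':'(none)',
 'uid': 2009,
@@ -89,7 +89,7 @@ data = [
 'command':'cut -d. -f2',
 'cwd':'/vscmnt/gent_vulpix/_/user/home/gent/vsc416/vsc41677/project/AAN/HF_6_31++Gdp/NBO',
 'executable':'/bin/cut',
-'pid':'43645',
+'pid':43645,
 'sid': 39946,
 'tty':'(none)',
 'uid': 2541677,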

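--- a/tests/data/ssh
+++ b/tests/data/ssh
@@ -24,7 +24,7 @@ data = [
 "raw": "<86>Apr 26 11:25:44 node2104 sshd[44668]: Accepted publickey for vsc40000 from 172.24.13.2 port 43493 ssh2",
 "expected" : {
 'method': 'publickey',
-'pid': '44668',
+'pid': 44668,
 'port': 43493,
 'program': 'sshd',
 'status': 'Accepted',
@@ -37,7 +37,7 @@ data = [
 "raw": "<86>Apr 26 11:25:44 node2104 sshd[44558]: Received disconnect from 172.24.13.2: 11: disconnected by user",
 "expected" : {
 'ip': '172.24.13.2',
-'pid': '44558',
+'pid': 44558,
 'program': 'sshd',
 'reason': 'disconnected by user',
 },
@@ -62,7 +62,7 @@ data = [
 "raw": "<86>Apr 26 11:17:51 gligar02 sshd[11243]: input_userauth_request: invalid user vsc40000",
 "expected" : {
 'inputuserauth': 'invalid user vsc40000',
-'pid': '11243',
+'pid': 11243,
 'program': 'sshd',
 },
 },
@@ -73,31 +73,31 @@ data = [
 "raw": "2015-03-18T14:09:15.962645+01:00 node2432 sshd[26270]: Authentication refused: bad ownership or modes for file /vscmnt/gent_vulpix/_/user/home/gent/vsc404/vsc40479/.ssh/authorized_keys",
 "expected" : {
 'ownerpath': '/vscmnt/gent_vulpix/_/user/home/gent/vsc404/vsc40479/.ssh/authorized_keys',
-'pid': '26270',
+'pid': 26270,
 'program': 'sshd',
 },
 },
 {
 "raw": "<86>1 2015-03-24T15:16:09.252883+01:00 gligar01 sshd[48764]: - sshd[48764]:: input_userauth_request: invalid user vsc40001",
 "expected" : {
 'inputuserauth': 'invalid user vsc40001',
-'pid': '48764',
+'pid': 48764,
 'program': 'sshd',
 },
 },
 {
 "raw": "<86>1 2015-03-20T11:00:59.922704+01:00 gligar01 sshd[9215]: - sshd[9215]:: subsystem request for sftp",
 "expected" : {
 'program': 'sshd',
-'pid': '9215',
+'pid': 9215,
 'subsystem': 'sftp',
 },
 },
 {
 "raw": "<86>1 2015-03-19T10:53:18.185704+01:00 hyp105 sshd[5170]: - sshd[5170]:: Received disconnect from 10.141.2.11: 11: disconnected by user",
 "expected" : {
 'ip': '10.141.2.11',
-'pid': '5170',
+'pid': 5170,
 'program': 'sshd',
 'reason': 'disconnected by user',
 },
@@ -106,7 +106,7 @@ data = [
 "raw": "<86>1 2015-03-19T10:42:03.145881+01:00 hyp108 sshd[8245]: - sshd[8245]:: Accepted publickey for oneadmin from 10.141.2.11 port 55141 ssh2: DSA d0:a6:12:8f:48:50:c5:78:31:bd:5b:40:1b:78:fb:88",
 "expected" : {
 'method': 'publickey',
-'pid': '8245',
+'pid': 8245,
 'port': 55141,
 'program': 'sshd',
 'status': 'Accepted',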

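--- a/tests/logstash_7.6.2.conf
+++ b/tests/logstash_7.6.2.conf
@@ -89,6 +89,9 @@ filter {
 "quota_space_limit" => "integer"
 "quota_used" => "integer"
 "quota_limit" => "integer"
+"pid" => "integer"
+"bash_pid" => "integer"
+"uid" => "integer"
 }
 }
 }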
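Review bot: The three entries added at lines 92–94 sit in what looks like a pipeline-wide convert map, so `pid` and `uid` are now coerced to integers for every program whose grok pattern emits those fields, not just the bash HISTORY lines this PR targets — the expected-value edits in tests/data/general_syslog, pixiu, singularity, snoopy and ssh are the visible consequence. If any pattern under files/ ever captures a non-numeric `uid` (a username, say), this conversion would alter it silently rather than reject it — as far as I recall, Logstash's integer conversion does not fail on an unparsable string — so either a test record with a non-numeric value in one of these fields or a comment on the map stating the assumption, e.g. `# pid, bash_pid and uid are always numeric in the patterns under files/`, would make that contract explicit. The enclosing `filter { ... }` block and the keyword that opens this map begin before the hunk; only the last three entries and the closing braces are visible here.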
